Reddit user @ThatOnePrivacyGuy has analyzed 150+ VPNs on the web and posted an excellent guide on how to choose the best VPN. Trust.Zone reposts the guide here - part 2 - Fourteen eyes countries, No Logging, Anonymous Payments. Read the beginning of the guide: part 1 (How To Choose The Best VPN - Trust, Affiliates, Privacy) here.
In the main section at the beginning of this guide, I talked about affiliate practices, so I will only briefly mention it here. If you choose a company with an affiliate program, choose one that expects and enforces good behavior from their reselling partners. You can usually read their affiliate terms on their site. If they are not publicly visible, they should respond with this information when asked. If not, or if they play games with you, look elsewhere. More information on affiliate policies and behavior can be found on my VPN Comparison Chart.
In the last few years, certain revelations have been made manifest regarding the mass surveillance programs of various countries around the globe. These countries are known as the five, nine, and fourteen eyes. These countries not only spy on their own citizens where they can get away with it, but they spy on each other, and swap notes to bypass governmental restrictions on power. If a service is based in one of these countries, it's not unreasonable to expect that they may be susceptible to unlawful searches and compromises made in the name of national security. If your threat model includes protection from such actions, you may want to consider a VPN that isn't based in one of these countries. Note that even if a VPN isn't based in one of these countries, the servers physically located in them are still susceptible to such interference. If you require privacy from government mass-surveillance programs, be sure that you are connecting to servers located in secure locations owned by countries not susceptible to such governmental overreach.
Other countries are not part of the spy collaboration mentioned above, but still have issues with government limitations on internet freedom and free speech. Avoid countries with limited internet freedom. The degree of internet freedom a country has can also be found under "jurisdiction" on my sheet.
When you connect to a VPN service, you are essentially just adding one more stop along your route to the open internet. The VPN is a "man in the middle" who you are trusting with the traffic and connection data that is being generated in the background as you use the internet. Some VPN companies choose to log this data. There are many reasons for doing so, some more legitimate than others. Some services record this to protect themselves legally in the case they are approached by authorities. Some companies keep minimal connection logs to aid them in maintaining servers. Some will even sell your data to third parties as part of their business model. If your concern is privacy, you most likely do not want your browsing habits and connection data being recorded. Choose a service that specifically states that they do not keep logs, AND which types they do not keep. Make sure they do not keep ANY kind of activity or connection log. Many services claim to not keep logs, but are vague, and upon closer inspection actually do keep certain types, so be wary of such promises until you've confirmed it for yourself in their respective terms and privacy policies.
Assuming privacy is your priority, when you go to pay for your VPN service, there are many methods available, but only a few worth consideration. Services that offer the ability to pay by Bitcoin, cash, or misc gift cards are the best way to ensure that you are kept as anonymous as possible. If these services require more personal information than an email address, look the other direction - this is information they're recording about you that may be used at best to sell to third parties, at worst to later identify you.
Some services offer a PGP key for additional privacy. This is a nice thing to have if you want to be able to communicate with them using encryption.
There are many different kinds of VPN protocols that allow you to establish a tunnel with your service provider - some more secure than others. Certain protocols are documented to have been compromised. Others are free and open source, and as such are freely available for security experts to audit and improve. The free availability of the source code helps to ensure that vulnerabilities are patched quickly and that individuals so inclined can see exactly how their software is working. Choose a VPN that supports OpenVPN and use it to connect to your VPN server. Avoid using other protocols, specifically PPTP as it's not suited for privacy.
Throughout the course of using the internet, your computer sends and receives a lot of data that isn't visible to you, the user. When you type in a web address, a request is sent to a server that is usually operated by your ISP. When you connect to the internet using a VPN, this responsibility is now on them. If they don't take certain actions, this request containing info for the site you want to visit is being sent to THEIR ISP instead. This may not be as bad as it going through yours, but as I mentioned logging above - if the company in question even keeps certain logs, there is a chance that the sites you try to visit can be correlated with the timestamps of when such a request is sent. As an alternative, some use public DNS servers, such as Google's, which is not ideal for privacy. Choose a VPN service that maintains their own first party DNS server that won't leak - then TEST IT TO MAKE SURE.
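One way to do the local half of that DNS test, as an added example that is not part of the original guide: the script below reads resolv.conf-style text and labels each configured resolver by who is likely to see your lookups. The provider resolver range (`VPN_DNS_NETS`) is a placeholder assumption and the sample file is constructed; substitute the range your provider documents.

```python
import ipaddress

# Assumption: the provider publishes its resolver range; this one is a
# documentation-only placeholder (RFC 5737), not a real VPN's network.
VPN_DNS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Well-known third-party public resolvers (Google, Cloudflare, Quad9).
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9",
}

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def classify(server, vpn_nets=VPN_DNS_NETS):
    """Label one resolver address by who is likely to see the queries."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if any(ip.version == net.version and ip in net for net in vpn_nets):
        return "vpn"
    if server in PUBLIC_RESOLVERS:
        return "public:" + PUBLIC_RESOLVERS[server]
    if ip.is_loopback:
        return "local-stub"      # e.g. systemd-resolved; check its upstream
    if ip.is_private or ip.is_link_local:
        return "lan"             # usually the home router, forwarding to the ISP
    return "unknown"             # could be the ISP's resolver: verify

def audit(resolv_conf_text, vpn_nets=VPN_DNS_NETS):
    """Map each configured resolver to its label; anything not 'vpn' needs a look."""
    return {s: classify(s, vpn_nets) for s in parse_nameservers(resolv_conf_text)}

# Constructed sample: resolv.conf as it might look with the tunnel up.
SAMPLE = """# generated (constructed example)
nameserver 198.51.100.53
nameserver 192.168.1.1
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for server, label in audit(SAMPLE).items():
        print(f"{server:16} {label}")
```

This only inspects local configuration with the tunnel up; a `local-stub` result means the real upstream is set elsewhere and has to be checked there.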
.. to be continued. Read Part 3: How To Choose The Best VPN - IPv6, Encryption Strength, P2P support, SSL Certificates soon.