diff --git a/main.c b/main.c
index 2dcfe38e..32823586 100644
--- a/main.c
+++ b/main.c
@@ -844,7 +844,7 @@ static void usage(void)
 #endif
 printf(" --reconnect-timeout %s\n", _("Connection retry timeout in seconds"));
 printf(" --resolve=HOST:IP %s\n", _("Use IP when connecting to HOST"));
- printf(" --passtos %s\n", _("copy TOS / TCLASS when using DTLS"));
+ printf(" --passtos %s\n", _("Copy TOS / TCLASS field into DTLS and ESP packets"));
 printf(" --dtls-local-port=PORT %s\n", _("Set local port for DTLS and ESP datagrams"));
 printf("\n%s:\n", _("Authentication (two-phase)"));
diff --git a/openconnect.8.in b/openconnect.8.in
index c5a15bf8..dad0f6fc 100644
--- a/openconnect.8.in
+++ b/openconnect.8.in
@@ -222,7 +222,9 @@ Use syslog for progress messages
 Prepend a timestamp to each progress message
 .TP
 .B \-\-passtos
-Copy TOS / TCLASS of payload packet into DTLS packets.
+Copy TOS / TCLASS of payload packet into DTLS and ESP packets. This is
+not set by default because it may leak information about the payload
+(for example, by differentiating voice/video traffic).
 .TP
 .B \-U,\-\-setuid=USER
 Drop privileges after connecting, to become user
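Review bot: The new `--passtos` line in main.c's usage() gives no hint of the information-leak caveat that the openconnect.8.in hunk now documents, so a user reading only `--help` sees the option as purely functional. A short qualifier would keep the two in step, for example `_("Copy TOS / TCLASS field into DTLS and ESP packets (may reveal traffic type)")`. Both hunks change text only; the ESP send path is not visible in this diff, so it is worth confirming that it actually honours the option before the help text promises it. usage() begins and ends outside the hunk.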