This is probably slightly overdue. I think friends and acquaintances have been asking me about VPN’s and if they should get one for about the last 3 years.
The phenomena that has really triggered this post however, is the sheer avalanche of advertising targeted at non-technical people that these services are purchasing. 50% of the podcasts I have heard in the last week have had at least one advertisement for a VPN (legitimate non-peer reviewed statistics collected by me). They typically offer to increase your security by hiding your activity from your ISP or “cybercriminals”. “Hide your pixel trail” is probably the most egregious one I have heard thus far.
Most of this isn’t entirely incorrect (apart from the pixel trail, good luck working that one out), but how it applies to you is really the part that matters.
First, let’s talk about what a VPN is as opposed to what it isn’t.
A VPN or Virtual Private Network is exactly that. A means of virtually extending a private network over the public internet.
This original definition is misleading in the modern use of the word, but VPN’s were originally conceived as a means of allowing two offices to share resources or allowing remote workers to use company resources securely. They are still used this way and you may have used them in the form of a Cisco, Fortinet or Palo Alto Networks app on your work laptop.
The services that are being sold by VPN vendors are not this. They are more akin to a Proxy. What a proxy does is pretty much in its name, it acts as a proxy for you on the internet. Everything you do is sent to this proxy and they then forward it on to its intended destination. It’s like getting someone else to send a message on your behalf and relay the response back.
This can afford the following benefits:
- Your traffic doesn’t appear to be coming from your IP address, rather it comes from the proxies IP. This can be useful to some degree for privacy as well as allowing you to pretend you are in different countries for the purpose of bypassing geo-restrictions.
- Your traffic is theoretically encrypted as it flows through your ISP’s routers and servers thus protecting them from seeing your data.
- You might get some additional security/network performance services as a bonus. The quality and usefulness of these is pretty dubious.
The name VPN although a misnomer is used because the services use the same underlying tech (read tunnelling protocols) as VPN’s to deliver the proxy service.
So that’s what a VPN service is. What about the things these services aren’t?
I am going to say it upfront. They aren’t privacy or security tools. A key part of this is exactly what I mentioned before:
Using a VPN is like getting a someone else to send a message on your behalf and relay the response back.
You are asking a company that you may not even have a financial relationship with to afford you privacy.
This doesn’t even begin to delve into the frequently dubious/shadowy ownership of various VPN services. At best you’re asking a random company, at worst you’re asking an advertising company, former malware distributor or criminal adjacent enterprise to securely take your data and forward it on.
Now, to give credit where credit is due, the argument that you are hiding from your ISP and potentially “the government” is a somewhat valid point. Is that actually true though? VPN services like every other product aren’t that secure and may still leak data to your ISP and the big scary gov', these apps frequently aren’t developed by experts and run on a shoestring budget with profit the primary aim. Plus, threat modelling matters; I’d argue the risk of you being slipped malware, scammed or otherwise harmed is likely higher from a shadowy company than your own ISP or the gov.
To really put the icing on the cake, it turns out companies lie all the time? Weird right. So a company telling you they aren’t logging your traffic doesn’t mean anything and independent audits also mean nothing. If privacy actually matters to you steer clear. You’re probably making more footprints should your traffic actually get attention. You have clear evidence of a service you have paid for, being logged into from your home IP address using credentials unique to you. Do the math.
But I want to use a VPN! Is there a reason I should?
If despite the above warnings you want to use a VPN there is perhaps one valid reason: avoiding Geo-restriction.
Sure if you want to get a discount on a product, or perhaps watch foreign Netflix spin up your VPN and then turn if off when you’re done!
I’m not going to recommend any particular product here, because to be honest I wouldn’t use any seriously. But here are a few things you need to know when selecting:
- Pay for it, this shifts the incentive slightly. Free services are never free
- No logging doesn’t mean anything, Saying it doesn’t mean anything and laws in various jurisdictions mean that logging can be turned on as required and requested by law enforcement agencies.
- Audits don’t mean anything, as above.
- Turn if off if you’re done doing whatever it is you feel you need to do.
- If you’re technically inclined you can roll your own. BEWARE OF DRAGONS.