While there are some good uses for Virtual Private Networks, they are not the magic privacy blanket that you may think they are.
Early on in my privacy journey, I had been using a VPN in an attempt to increase the security and privacy of my internet activity. I was drawn in by the marketing hype that surrounds such products, and worried that using the internet without one would expose my IP address and location. The truth is, exposing your IP address is not the end of the world, and it can’t easily be traced directly to your home address.
IP Address and Physical Address
An IP address alone is not a particularly identifying piece of information, as addresses are frequently rotated for most users. Tracing an IP can give an estimated location within a few kilometers, which may be enough to get general information about a user. Companies like Google will instead use WiFi and Bluetooth to discover nearby devices and combine their locations to locate their customers more accurately.
The ISP who assigned the IP address to a customer will also have logged that the address belonged to a specific person at a specific time, along with all the details for that customer. Without a warrant or court order, most Western democracies will not allow the ISP to give that information away. That is quite a lot of trust to be putting into a single company.
The Virtual Private Network is a piece of technology that allows encryption from one network to another, allowing a secure connection to a private network. This is useful when an employee or student wants to connect to their organisation’s network from home in order to access resources stored there. This was the original purpose of the VPN.
More recently, there has been a massive marketing push by VPN providers trying to get a piece of the trend towards security and privacy. They make all sorts of wild claims about protecting yourself online, when in reality they are little more than a go-between, or “proxy server”.
VPNs used in the traditional sense are effective, but that’s because they only need to facilitate the communication between the user and the organisation. In the modern sense, VPNs then send that secure traffic on to wherever the user is trying to go. For this to be possible, the VPN provider must decrypt the traffic before sending it, so that the receiving website can understand what is being requested.
What Does This Mean?
1. The VPN provider sees everything you do
They can log your traffic or alter it on the way to its destination, and you must trust they aren’t doing this.
2. Limited Encryption
Only the connection between you and the VPN provider is “end-to-end” encrypted; beyond that, it is as if you were not using a VPN.
3. Hide From Your Telco
Your Internet Service Provider can’t see what you’re connecting to, so if you don’t trust them, you can be happy knowing they aren’t getting any data.
4. Appear To Be Somewhere Else
You can appear to be accessing from a specific place in the world. Depending on your provider, you can choose a server in another country.
In terms of security, if you are only visiting HTTPS-enabled sites like you should (there will be a little lock symbol in the address bar if the site is HTTPS-enabled), your traffic is encrypted from source to destination. This is not to say that HTTPS encryption is a perfect solution; perfection rarely appears in life, and this is especially apparent when it comes to privacy and security online. What this means, though, is that the extra encryption provided by the VPN is unnecessary unless you are concerned with some specific use cases.
Cases For a VPN:
Besides the traditional use, VPNs in the modern, consumer sense are still very useful if:
1. You don’t trust your ISP
2. You are accessing the internet from a network that you know to be untrustworthy (like public WiFi, or mobile networks)
3. You want to access region-locked content
These benefits do require that the user trust the VPN provider, but luckily there are some good options out there. We use ProtonVPN for securing our traffic on untrustworthy networks. However, when it comes to online privacy, there are better tools for the job.
The Real Privacy Solution:
Tor, or The Onion Router, is a completely free service that offers most of the benefits of a VPN, while also adding the ability to be as close to anonymous online as possible right now. Basically, Tor uses three separate servers to route your traffic, each with its own layer of encryption, and each only knowing the bare minimum about the data being processed.
The first server, or “hop”, knows your IP, but not where you’re going. The second hop knows the first hop, and the third hop. The third hop knows the final destination and the second server, but not where the traffic originated from. In this design, there is no way to de-anonymise the user, as at every step along the way, the servers only get what is necessary for them to function.
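The three-hop layering described above, as an added example that is not part of the original post and not Tor's own code: a toy model in which each relay peels one layer and records what it can observe. The cipher is a SHA-256 keystream stand-in, the pre-shared `KEYS` replace Tor's per-hop key negotiation, and the client IP, relay names and destination are constructed.

```python
import hashlib, json, os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter keystream: a stand-in for a real cipher, not for real use.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(route, keys, dest, request):
    # Client side: wrap the request once per hop, innermost layer first (exit).
    payload = request
    for hop, nxt in reversed(list(zip(route, route[1:] + [dest]))):
        layer = json.dumps({"next": nxt, "payload": payload.hex()}).encode()
        payload = seal(keys[hop], layer)
    return payload

def relay(hop, keys, sender, blob):
    # Relay side: peel exactly one layer; record everything this hop can observe.
    layer = json.loads(unseal(keys[hop], blob))
    payload = bytes.fromhex(layer["payload"])
    return {"hop": hop, "from": sender, "to": layer["next"], "payload": payload}

def trace(client, route, keys, dest, request):
    # Walk the onion through the route and collect each hop's view.
    blob, sender, views = build_onion(route, keys, dest, request), client, []
    for hop in route:
        view = relay(hop, keys, sender, blob)
        views.append(view)
        blob, sender = view["payload"], hop
    return views

# Constructed sample values (documentation IP range, made-up relay names).
CLIENT, DEST = "203.0.113.7", "example.org"
ROUTE = ["entry", "middle", "exit"]
KEYS = {hop: os.urandom(32) for hop in ROUTE}
REQUEST = b"GET / HTTP/1.1"

if __name__ == "__main__":
    for v in trace(CLIENT, ROUTE, KEYS, DEST, REQUEST):
        print(f'{v["hop"]:>6}: from={v["from"]} to={v["to"]} '
              f'sees_request={REQUEST in v["payload"]}')
```

The exit relay's payload is the request itself, so what it forwards is only protected if the site is reached over HTTPS.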
Does using Tor make you completely anonymous and secure? No, but when combined with some operational security practices, you will give yourself the best chance currently possible, and make attempts to track you far more difficult and expensive than otherwise. This will limit the number of potential adversaries to those with very deep pockets and a keen interest in you.