VPNs

I’d like to talk about VPNs today and the marketing behind them. A VPN can be a valuable tool in a privacy strategy. It can help hide your traffic from your ISP, circumvent censorship, and get around regional blocks. The problem is that VPN marketing likes to make you think it goes far beyond that.

VPN marketing tends to claim that using their VPN will make you secure and private. Let’s take a look at the security aspect first. The large majority of sites today use HTTPS, and assuming trust in the strength of TLS, that means communication while browsing is already encrypted. Many guest wifi networks today are also password protected, helping to reduce the attack surface that was available back in the day when VPNs were widely used to protect your public wifi browsing. Some VPN providers will offer DNS-level blocking of ad domains and known malicious domains, but many don’t. That may be the only protection a VPN offers you against browsing to a malicious site, getting phished, or downloading malware to your machine. So when you look at your actual browsing today, a VPN likely isn’t doing much in the way of security for you.

Let’s take a look at the privacy aspect now. Most marketing is going to make you believe that you’re totally private once you pay them and click that slider to turn the VPN on. While a VPN can help mask your true identity in combination with good opsec, and hide your internet activity from your ISP, it isn’t doing a ton to prevent third parties from tracking your activity. Many ad networks don’t care if your name is Alex Smith or John Jacob Jingleheimer Schmidt. They care about your activity, your interests, and how they can target you with ads. In that regard, they can still toss cookies on your machine and fingerprint your browser in order to uniquely identify you from other users. So if you’re using a VPN to be private from the ad system and online trackers, it may not be covering you for what you want (some do offer the DNS-level protection as mentioned earlier).
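To make the cookie and fingerprint point concrete, here is an added example (not from any real ad network) of a hypothetical tracker that recognises a returning browser without ever looking at its IP address. The attribute names, the `makeTracker` and `demo` helpers, and all visit data are constructed for illustration.

```javascript
// FNV-1a 32-bit hash; stands in for whatever hash a tracker might use.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The fingerprint uses browser attributes only; the IP is never an input.
function fingerprint(v) {
  return fnv1a([v.ua, v.lang, v.tz, v.screen, v.fonts].join("|"));
}

// Hypothetical tracker: match on cookie first, then fall back to fingerprint.
function makeTracker() {
  const byCookie = new Map();
  const byFingerprint = new Map();
  let next = 1;
  return function identify(visit) {
    const fp = fingerprint(visit);
    let id, matchedOn;
    if (byCookie.has(visit.cookie)) {
      id = byCookie.get(visit.cookie); matchedOn = "cookie";
    } else if (byFingerprint.has(fp)) {
      id = byFingerprint.get(fp); matchedOn = "fingerprint";
    } else {
      id = "visitor-" + next++; matchedOn = "new";
    }
    const cookie = visit.cookie ?? "c-" + id; // (re)issue a tracking cookie
    byCookie.set(cookie, id);
    byFingerprint.set(fp, id);
    return { ip: visit.ip, id, matchedOn, setCookie: cookie };
  };
}

// Constructed visits; IPs are from the reserved documentation ranges.
function demo() {
  const a = { ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", lang: "en-US",
              tz: "America/Chicago", screen: "2560x1440", fonts: "DejaVu Sans,Fira Code" };
  const b = { ...a, ua: "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", screen: "1920x1080" };
  const identify = makeTracker();
  const v1 = identify({ ...a, ip: "198.51.100.7", cookie: null });         // home IP, VPN off
  const v2 = identify({ ...a, ip: "203.0.113.42", cookie: v1.setCookie }); // VPN on, cookie kept
  const v3 = identify({ ...a, ip: "192.0.2.99", cookie: null });           // new exit, cookies cleared
  const v4 = identify({ ...b, ip: "192.0.2.99", cookie: null });           // other browser, same exit
  return [v1, v2, v3, v4];
}

console.log(demo().map(r => `${r.ip} -> ${r.id} (${r.matchedOn})`).join("\n"));
```

The first three visits resolve to the same visitor across three different IPs, while the fourth visit shares an exit IP with the third and is still treated as someone else.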

Another aspect of using a VPN provider in your privacy strategy is picking a provider. You’ll likely start off by searching something like “best private VPN” and checking out some review sites. The issue there is that some VPN review sites are owned by VPN companies. Kape Technologies, for example, owns CyberGhost VPN, Zenmate VPN, Private Internet Access, and ExpressVPN, and also owns vpnmonitor & wizcase. So if you happened to find yourself on one of those “review” sites, you’ll likely find quite positive things said about PIA/ExpressVPN/CyberGhost, though it would be difficult to call those reviews unbiased for obvious reasons. On the note of questionable practices to keep an eye out for, many VPN sites include analytics and trackers. Another thing to take notice of is the providers that claim to be “no-logs” VPNs, despite having a device limit as part of their plans. Ask yourself: how can they track and enforce a device limit if they aren’t logging which devices are connecting?

When researching a VPN provider, I would suggest looking for the following:
* paid (avoid free VPNs because they often sell your browsing habits to make money)
* killswitch that disables connectivity when the VPN connection fails
* trustworthy history
* research their logging (ideally finding legal requests coming up empty)
* check what jurisdiction they fall under