VPN or No VPN, That is the Question
With the recent news on internet privacy, I’ve had some friends ask if they should be using a VPN service to help protect their privacy. My short answer: probably not, and almost certainly not the ones advertising themselves in that way.
Some brief background
The primary purpose of a VPN is to connect two private networks together over a connection that is running on a public network; hence, Virtual Private Network. A VPN takes the network traffic from one place, wraps it up in some nice encryption, sends it across a public network (e.g., the internet), unwraps it on the other side and sends it back on its merry way to its intended destination (normally within the network on the other side of the VPN).
This is most commonly used by companies in two ways:
- To allow employees who are not in the office to access web sites or services that are too important and/or too risky to put on the public internet.
- To connect two or more offices together across a standard internet connection instead of a significantly more expensive private circuit.
But what about all of these VPN services that are out there for end users to buy? Well, they do basically the same thing; however, the “other end” of the VPN is just an internet connection originating on a connection owned by the VPN provider.
What is the benefit of this?
The original selling point was that this helps protect you when you can’t trust the network that you are directly connected to. For example, if you are browsing the web in a coffee shop and you don’t want to risk other patrons or the owner of the coffee seeing what you are browsing, this adds a layer of protection because the data is encrypted before it leaves your laptop or phone and is decrypted at the VPN endpoint. (For what it’s worth, most of this risk can be mitigated by making sure that you are only browsing on secure HTTPS sites.)
Now, the newer selling point is that your own home network provider can’t see what you are browsing, and therefore can’t sell that information. Though this is true, you have to keep in mind that you are now putting that information into the hands of the VPN provider and their ISP. You aren’t completely hiding the information, you’re just moving it.
With all of this, you are also adding several possible downsides.
- Your connection will almost certainly be slower because you are adding more connections between you and the sites you are accessing and a connection is only as fast as its slowest link.
- Automatic location services that may estimate your location based on your connection information will most likely incorrectly place you in the location of the VPN provider’s internet connection.
- Security will actually be worse if you can’t trust your VPN provider. Make sure you do your research and chose a reliable provider if you do end up using one. Many options out there are either completely fake (don’t do anything at all), or are more likely to do nefarious things with your data than your ISP. Remember, everything your ISP could see, a VPN provider will also see.
So, what can you do?
First and foremost, you should be using HTTPS connections for everything possible. Though HTTPS doesn’t hide what sites you are connecting to, it does hide and encrypt the actual content of those sites. To help make sure this is happening, you can use a great browser add-on from the EFF called HTTPS Everywhere. This won’t add HTTPS to sites that don’t support it, but it will do its best to connect you securely when both a secure and insecure site are available and can also be configured to disallow any connection that isn’t secure. As an aside, if you are responsible for hosting a website and not using HTTPS, shame on you — go look up Let’s Encrypt and put it in place.
If you want to go for even stronger anonymity, check out the Tor Project. Instead of single routed connection like a VPN, Tor works on an open and distributed network to make your connections more anonymous and harder to trace. It still has many of the downsides of a VPN (including slower connections) and it is far from an impregnable solution, but if anonymity is your goal, it’s likely your best option.
Don’t fall for the quick fixes that are now going to be pushed. A VPN may help in some ways, but you need to understand the limitations and other risks that that entails. Also, ignore all the advice telling you to “clear your browser history” or use incognito mode; that’s great for keeping your history away from other users of your phone or computer, but it does absolutely nothing to hide the traffic from your ISP.
The fate of your browsing data is in the hands of any connection your data passes through; encrypting that data helps limit that exposure. It was nice to have rules in place to keep your ISP from selling your data because they have the most complete view of what your activities are. Now that that is gone, don’t be tricked into handing your data to someone else.