The Importance Of Trust With VPNs
And why placing your trust in the wrong VPN can be detrimental to your privacy.
There are a lot of reasons you might be considering and/or looking for a VPN service. Maybe you want to access a few websites that your school blocks on their Wi-Fi, or you want to access TV shows and movies only available in other countries. Regardless of the reason you want to use a VPN, it’s important that you trust the VPN provider you choose with your privacy, because that is what’s on the line.
How A VPN Works
VPNs were actually created a while back as a way for businesses to securely send data between remote locations. For example, if a business had two offices and only one had a storage server, the other office could use a VPN to securely connect to the first office’s network, and access their storage server without opening either network up to the internet. Fast forward to today, and VPNs are advertised as a consumer product to enhance your internet’s privacy and security. However, in essence, modern consumer-oriented VPNs still work in the same way; they securely connect your device to a remote network.
The difference is that consumer-oriented VPN services usually won’t allow you to communicate with other devices also connected to the VPN, and consumer-oriented VPNs put an emphasis on access to the internet. When using a VPN to connect offices, for example, there isn’t always a way to access the internet through the VPN connection because the primary purpose of the connection is to access devices on the remote network. Either way, VPNs still provide an encrypted tunnel* between your device and the VPN server, which is what VPN services advertise with terms like “military-grade encryption”.
*Although it’s technically possible to set up a VPN with no encryption, I doubt that’s actually done in the real world. This is only really useful if you know that all data that will be sent over the VPN is already encrypted (e.g. an SSH connection), but even then it probably makes sense to leave encryption on just in case.
Where Trust Comes In
As previously mentioned, a VPN will create an encrypted tunnel between your device and the VPN server. In the case of consumer VPNs, your device will route internet traffic through this tunnel, which is where many of a VPN’s benefits stem from. For example, because your internet traffic is getting routed through another server, websites can’t see your IP address and only see the server’s IP address. Additionally, since the connection is encrypted, you can browse the internet without the fear that your local network is tracking you, and you can access websites that are blocked by your local network.
However, the important thing to keep in mind is that this encryption ends once your connection reaches the VPN server. If your data was already encrypted before entering the tunnel, then it will still be encrypted once it reaches the VPN server. However, if the data wasn’t encrypted before entering the tunnel, it also won’t be encrypted once it reaches the VPN server.
One way to think of using a VPN is that you’re shifting your trust away from your local network and onto the VPN service. If you’re using a public Wi-Fi network, such as at a coffee shop, you almost certainly trust a reputable VPN service over everyone with access to that Wi-Fi network (anyone with access to a public Wi-Fi network can see certain information about your internet traffic, while a VPN’s encrypted tunnel masks this). However, if you’re at home and using a less-known VPN service, you might actually be making things worse.
You see, because you’re sending all of your internet traffic through a VPN server, that VPN server needs to know certain information about your request. For example, it needs to know where to send the request (i.e. the IP address of the website you want to visit) and where to forward the response to (i.e. your IP address). In the case of a reputable VPN service that doesn’t log this information, it’s not much of a problem. But, if a VPN service wanted to, they could build a pretty complete profile of your browsing habits (e.g. which websites you visit most often). They could then sell that information to advertisers, who can use your information to serve more effective ads, or to anyone willing to pay them for it.
A really malicious VPN server can even inject malware into web pages not encrypted with HTTPS, and even your emails if you’re not using an encrypted protocol when you check your inbox. If a VPN service did this, they’d probably lose all of their customers as soon as someone realized what they were doing. The problem is that, although dishonest, a company can claim to not keep logs even if they do; there’s really no way for people to verify a company’s no-log claims.
It’s important to note that even HTTPS, which provides encryption between your browser and the web server, still leaves some information in the open, such as the domain name you’re visiting. You can learn more about this in our post about DNS over HTTPS.
The VPN Service’s ISP
Even if the VPN provider itself isn’t doing anything wrong, the ISP that VPN provider uses could be. Although the information their ISP can collect about you is rather limited*, it is still information. All their ISP can really keep track of is who’s connecting to their servers (your IP address) and where the VPN servers are sending requests to (the IP addresses of the websites you’re visiting).
*This assumes that the VPN service (or any of the websites you visit) isn’t cooperating with the ISP, knowingly or unknowingly.
Why Free VPNs Are Generally A Bad Idea
The most enticing price for a product or service is free, but that can be especially dangerous when it comes to VPNs. In order for a VPN service to be competitive, they need to have access to a wide variety of servers around the world, which isn’t cheap. And that’s before you factor in the cost of actually managing the servers, and software to keep track of who is connected to which server (e.g. if a limit is imposed on the number of devices you can connect), how much bandwidth you use, and a lot more.
In order to offer that for free, they need to make money some other way. In the case of free trials or a freemium VPN service, they simply hope that you’ll have some reason to upgrade down the road. Some VPN services also offer bandwidth in exchange for viewing ads, which could also be a way to cover their costs. But, if it’s a free-for-life VPN run by a company with no other products, then you can make a pretty good guess about what they’re doing with your data.
There will obviously be exceptions, but regardless of which VPN service you choose, be sure you can trust them with your data.