What you Need to Know about using a VPN
This story was originally published on 20/09/2019
Do you have the right to browse the internet without being tracked and monitored by Google, Facebook and Government agencies?
Some people believe that if you have nothing to hide, you have nothing to worry about. But of course, we all have things to hide: credit card information, personal contact details, our home addresses. This isn’t information that you would put on a telephone pole for everyone to see in the street, so why make it public online?
The privacy question is a complicated one. Law enforcement and government agencies will argue that access to internet traffic and data helps foil terrorist plots and keep us safe. Privacy advocates say that it goes too far.
An increasingly popular solution is a Virtual Private Network, or VPN, which is a service that works by encrypting your internet traffic and allowing you to show up as using the internet in almost any other country. They’re supposed to keep your browsing completely anonymous.
We spoke to Tony Grasso, Director of Technology at Cyber Toa in Wellington, New Zealand, (whose background includes working for law enforcement and intelligence agencies) about whether or not VPNs are as safe as advertised and what you need to know before you start using one.
This interview has been edited for length and clarity.
After scandals like the Facebook and Cambridge Analytica and with Firefox, Chrome and Safari promoting more secure browsers, how worried to people need to be about encryption and online privacy?
Look, even porn sites these days have got end-to-end encryption [no one can see into the traffic that travels from your computer to the website you’re looking at or what you see on that website] and an ISP [internet service provider] is going to be very hard pressed to intercept anything.
If you wind back five years, that wasn’t true and lots of places didn’t have encryption, even Google. It only put HTTPS encryption on in the last, I don’t know, five or six years. So there was a lot more ‘need’ to have a VPN.
What’s the biggest consideration for people looking at using a VPN?
Firstly, I’m very pro-law enforcement and intelligence agencies because of my background, so I want to make that caveat up front so you know where my mind set is.
Having come from that background, I’m happy to give up part of my liberty so that you don’t die in a plane crash, because intelligence agencies couldn’t get through an encryption to the people that were really naughty.
But what you need to think about with VPNs is that they are a central point that your data is going through. Additionally, you have no idea who has set that VPN up, what their motivations are, who they’re aligned with, what country they’re aligned with or what crazy organisation they’re aligned with.
What I always try to get people to think about is what they’re putting online. If you’re that worried that you think you need a VPN, you shouldn’t be putting it online. Your credit card, as long as you’re not stupid, is covered by insurance. So you’re not going to personally lose out unless you’re being really dumb.
What are the security risks involved with using VPNs?
My general advice is that if you need a VPN you would go to one of the big firms because it’s the only way to be safe.
But the thing about VPNs is that they’re not end-to-end encrypted. It has to go to a server, which then forwards on the request. Also, it’s all logged. I don’t care what they say, because I don’t trust them. It’s the old chestnut of ‘all these kilometres on the pedometer are absolutely real, except for the ones that I took off that I’m not going to tell you about.’
So I, as a VPN vendor, could tell you anything you like. I’ve seen the terms and conditions that say they don’t log anything but a lot of that is actually contradictory to what the law states, particularly in the UK, USA and New Zealand. If law enforcement issues [the VPN provider] a warrant, they have to have this information. So no matter what they say, they’re legally bound to hold some of that information.
Am I perfectly safe without using a VPN?
My question these days, because everything is end-to-end encrypted is: why would you want to use a VPN?
End-to-end encryption means that I can’t stand in the middle [of point A and B] and pull off your data and digest it. I might get some metadata, so that I know you’re going to Google and I know you’re searching for big boobs or whatever you’re into, but that’s about it. I can’t see the search results or the context. So you’re a lot safer than you used to be.
Taking it to the other extreme, if you’re shopping or looking at porn, it’s all already encrypted. So wrapping a VPN around it would further encrypt it so I couldn’t see what site you were going to- but why is that necessary?
What’s the biggest thing I need to be mindful of with my online privacy, if I don’t need a VPN?
Your biggest problem is the person that you’ve pissed off at the other end [of your communication], or who is manipulating you, all of that happens in that age group of 18–25 year olds.
You’re more likely to be found by the crap you put on Facebook because you haven’t got the right security controls, or because you’ve put up a geo-tagged photo, telling people you’re on holiday.
There are cases where people have gone away on holiday and their house gets burgled because someone in their circle isn’t very nice and knows they’re away, so they smash and grab.
You’re more likely to give away more information about who you are than anyone is going to find by messing around with the data that’s flowing through the internet.
So VPNs are utterly moot. If people are having to go to that extent to find out about you, you’re interesting to someone already and they’re going to find you. It’s your own ego that is going to let you down with the amount you tell people.
