VPNs Are No Privacy Panacea, And Finding An Ethical Operator Is A Comical Shitshow
from the ain't-no-magic-bullet dept
Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks that historically, neither industry nor government seem particularly interested in seriously addressing.
Usually, consumers are flocking to VPNs under the mistaken belief that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs they're trying to flee from:
I don't use a VPN because I'd rather Comcast aggregate my data than some dude wearing a dolphin onesie in his basement in Zurich.
— SwiftOnSecurity (@SwiftOnSecurity) April 18, 2017
Facebook, for example, spent the last year marketing a "privacy protecting VPN" that was little more than spyware in its own right. Verizon was so eager to cash in on the trend it launched a VPN but forgot to even include a privacy policy. Most existing VPNs promise not to store your data, then go right ahead and do so anyway. And studies perpetually find that a huge array of such offerings are little more than scams, hoovering up your money and private data while promising you the moon, sea, and sky.
Case in point: Will Oremus wrote a really wonderful piece for Slate about trying to find a respected VPN and discovered that the market is, for lack of a more technical term, a complete and total shitshow:
"The search for a VPN I could rely on led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they’re reviewing. Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It’s a world so thicketed that the leading firms and experts can’t agree on the basic criteria for what counts as “reputable,” let alone which companies best meet that description."
The article does provide some very useful tips for finding a decent VPN, and is well worth a read. That said, it also makes it abundantly clear that VPN review sites are often inconsistent, downright terrible, or financially conflicted. And even many well-reviewed VPN operators can raise flags if they try to hide the identity of who actually owns them:
"ExpressVPN, for its part, nearly won the coveted recommendation of Wirecutter in its extensive, highly detailed VPN review. There are hints throughout Wirecutter’s report that ExpressVPN would have taken the top spot if not for one pesky concern: its refusal to publicly disclose who owns it. Wirecutter editor Mark Smirniotis notes near the end of his review that ExpressVPN offered to arrange a confidential call with its owners, but he decided that wouldn’t be enough to change his recommendation and declined."
The terribleness of the VPN sector is decidedly ironic, given that giant broadband providers, who routinely hoover up your data in an ocean of creative and non-transparent ways, have long tried to claim that the United States doesn't need meaningful privacy guidelines because users can always use a VPN. That was one of the cornerstones of the telecom lobby logic as the successfully convinced Congress to eliminate modest FCC privacy rules in 2017 that could have prevented many of the location data scandals currently plaguing the sector.
But if it's not clear yet, a VPN is not a magic bullet to the problems that are plaguing the modern internet. Users are running from one platform to the next, dribbling their private data in a long trail behind them thanks to shoddy and nonexistent standards. Meanwhile a lack of competition leaves them stuck on the network of giant ISPs that not only refuse to respect their privacy, but routinely lobby against any and every legislative solution, no matter how well crafted. Several ISPs have then tried to charge users a surcharge to opt out of data collection and monetization, effectively making privacy a luxury option.
Something has to break in this broken and idiotic equation, and "just go use a VPN" is not an adequate answer to the problem.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: privacy, security, trasnparency, vpns
Reader Comments
Subscribe: RSS
View by: Time | Thread
Unlike SwiftOnSecurity, I think I would prefer the onsie-wearing-basement-dweller having my data then Comcast.
[ link to this | view in chronology ]
Re:
The onsie-wearing basement dweller has few motives to collate and use your metadata.
Comcast, otoh, have a mission statement of finding out just in how many ways they can use, sell, or lease said metadata. Some of those ways will no doubt annoy or harm you or your personal integrity.
[ link to this | view in chronology ]
Re: Re:
But they could sell it to Comcast.
[ link to this | view in chronology ]
Re:
Ditto
[ link to this | view in chronology ]
I personally use a VPN and ignore the warning that the VPN operator can potentially see my traffic. On the other hand I am the operator of my VPN and don't have a good reason to snoop on my own traffic.
For me having the feature of an encrypted tunnel back to my home is more important than being able to virtually travel to different locations to evade geoblocking.
[ link to this | view in chronology ]
Re: tunneling home
99 "For me having the feature of an encrypted tunnel back to my home is more important"
... but how do you then access the general internet ?
Tunneling to your home PC only gets you to your home PC... unless it is connected to the internet ... thru some 3rd party ISP that you must trust.
[ link to this | view in chronology ]
Re: Re: tunneling home
Seems the best bet is to rent some serverspace, get an open source VPN server/client and install it. But this just transfers the trust from the VPN to your serverspace host.
[ link to this | view in chronology ]
Re: Re: Re: tunneling home
Or Tor.
[ link to this | view in chronology ]
Re: Re: Re: Re: tunneling home
Tor has two protections going for it:
1: all data is encrypted between you and the first hop, meaning your ISP is cut out of the loop. All data (including DNS) is supposed to go through that tunnel.
2: Tor can provide an end-to-end fully encrypted tunnel between the user and a service provider if the provider creates a tor service within the network. This means that from network analysis alone, a third party (or Tor router operator) cannot determine the destination or content of the traffic.
Beyond that, Tor provides no protections, and does provide significant data lag. I like the fact that my Tor exit traffic is theoretically being spread among many different exit node operators, so if they're logging my connections to the Internet-at-large, each one is only getting a fraction of my usage content, unlike a VPN or ISP.
But anyone can set up an exit node and log the content, and eventually, you're likely to be rotated through a node run by one of: The NSA, the German government, the Israeli government, the Chinese government, or a Russian crime syndicate. Because of the way Tor works, they have the ability to Man-In-The-Middle your HTTPS connections such that what you think is a secure connection to TechDirt via Tor is really a secure connection to some data analytics engine, which then submits requests to TechDirt on your behalf.
Essentially, at some point for ANY VPN, you have to trust the exit node. The best solution I've found so far is for AWS to be the exit node and you to be your own VPN operator. Amazon could still be gathering all the exit analytics, but they've generally got better things to do with their time, and a reputation to uphold in data hosting.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: tunneling home
Technically right, but the data analytics engine cannot decrypt the HTTPS traffic (assuming no general flaws; Tor does nothing to degrade HTTPS security) nor deanonymize users. So, what you think is a secure connection to TechDirt would in fact be a secure connection to TechDirt, via an extra hop that can log packet statistics.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: tunneling home
A man in the middle of a HTTPS connection would theoretically be able to decrypt HTTPS traffic, spy on it, possibly change things, and re-encrypt it with its own certificates before sending it on to you, but your browser would notice that the certificate is not valid.
If they can manage to get your computer to install a rogue root certificate, then they can get away with this and your browser won't complain. But that's a pretty involved process and (probably!) not something that can happen without you noticing simply by you visiting a malicious website or using a compromised TOR node.
[ link to this | view in chronology ]
Re: Re: tunneling home
If he is only using the VPN to get home, he really isn't even in the market for a VPN service at all and kinda off topic.
[ link to this | view in chronology ]
Re: Re: Re: tunneling home
"If he is only using the VPN to get home, he really isn't even in the market for a VPN service at all and kinda off topic."
VPN == Virtual Private Network.
Building a tunnel to securely access his own router is actually the first example of what a VPN is.
The VPN service commonly associated with the name where you use such a tunnel to access a 3rd party server is an expansion on the core definition.
[ link to this | view in chronology ]
Re:
The best idea is to use an offshore VPN. In addition to my own private VPN, I also use an offshore VPN when travelling,
That is so I do not run into any state laws regarding regarding unsecured VPNS.
When I go to my favourite campground for stargazing, I have to drive 65 miles to the nearest town to get any Internet, I sit in the gas station parking lot and connect to the WiFi at one motel a couple of blocks away.
While I am not breaking any Federal laws doing that (because the connection is not password protected), some state laws are not as forgiving on that, so I use a VPN server outside the United States, so that my activity cannot be monitored, and I cannot be identified by where I go.
This keeps me from getting into trouble under Nevada laws I may not know about.
Both California law, and the CFAA require the open connection to be password protected, and that you hacked the password. The laws of other states are not as forgiving, so using an offshore VPN, that cannot be subpoenaed by US authorities, keeps me out trouble when travelling outside of California.
A VPN in Cuernavaca, Mexico is not subject to U.S. laws.
[ link to this | view in chronology ]
Re: Re:
Which of these sections of the CFAA require that? And what section of California law?
18 U.S.C. § 1030(a)(1): Computer espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.
18 U.S.C. § 1030(a)(2): Computer trespassing, and taking government, financial, or commerce info
18 U.S.C. § 1030(a)(3): Computer trespassing in a government computer
18 U.S.C. § 1030(a)(4): Committing fraud with computer
18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)
18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer
18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer
[ link to this | view in chronology ]
I have to agree with first AC- basement dolphin onsie guy is definitely more trustworthy then comcast.
[ link to this | view in chronology ]
Re: Basement Guy
I have to agree with first AC- basement dolphin onsie guy is definitely more trustworthy then comcast.
While it's fun to hate on Comcast, you are missing the point. Onsie Guy is (could be) selling your data to Comcast and Sprint and hackers.
[ link to this | view in chronology ]
Re: Re: Basement Guy
Actually, I don't miss that point at all.
Comcast is a proven sociopathic entity, who will be certain to collect/sell my data.
Dolphin guy is just suspect and sketchy- but it's pretty easy to imagine why he might value privacy for the sake of privacy.
I'll take dolphin guy. seriously.
Comcast can do my banking stuff though.
that's a different sort of trust.
[ link to this | view in chronology ]
Re:
how do people choose medical doctors or car mechanics ?
Reputation
There must be at least some honest and trustworhy VPN-providers on this plane.
[ link to this | view in chronology ]
Re: Re:
what?
why must they exist?
[ link to this | view in chronology ]
Re: Re:
There are some. Private Internet Access, for example, does not keep logs by policy, and the FBI has tested this. I am not affiliated with the company, but have been a satisfied customer for a number of years. They have 3329+ Servers in 33 Countries so getting around geo blocks is possible, though I don't use it that way. I did try to call my bank via Skype once and had difficulty communicating with the costumer service rep, but got them to tell me they were in the Philippines. I reconnected via a server in Hong Kong and had a nice conversation with those folks.
In my case the VPN is generated on a router that is then connected to my ISP's router, so the encryption happens before the ISP sees the packets. You could also use one of their apps, available for several operating systems, and get the encryption done on your computer. I opted for the router method to off load the encrypt/decrypt process to a different CPU.
There are some websites that block connections from VPN's, and when I need to connect to them I just turn the VPN off, do what I need to, then turn it back on again.
[ link to this | view in chronology ]
Re: Re: Re:
Using a VPN to bypass geo blocking does not break any laws.
I do that when I take road trips to Mexico, so that I can listen to iHeart while I am driving.
Connecting to the VPN server on my home computer, and using that to bypass geoblocking and listen to iHeart while in Mexico does not break any laws either in Mexico or the United States.
[ link to this | view in chronology ]
Re: Re: Re: Re:
The US government has argued that breaking a service provider's terms of service is a violation of the CFAA. I'm not sure that's ever been held up in court, but it's not as settled a situation as it ought to be.
[ link to this | view in chronology ]
due diligence, find one you "trust" and walk on
[ link to this | view in chronology ]
Re:
"Trust, but verify" is a good watchword.
A VPN is a bit like any other messenger service - if they get caught toeing the line they're shot.
What one truly wants to watch out for are those actors who believe your metadata are saleables. Any VPN not incorporating fraud in their business model is heavily motivated NOT to log customer data to begin with, like any other messenger who knows "messenger immunity" relies on the messenger not knowing the message or memorizing who it was carried to.
[ link to this | view in chronology ]
TOR + tails > VPN
[ link to this | view in chronology ]
I'd like clarification of something: Don't VPNs have to buy their net access from an ISP somewhere?
Whenever website blocking comes up, the standard answer is "Who cares? Just get a VPN!" The prevailing attitude seems to be that the "internet" exists as an untouchable, stand-alone entity, kind of like the sun, and that all ISPs just tap into it. And that VPNs bypass ISP blocking by tapping directly into the autonomous internet, so they therefore can't be blocked and will be able to access any blocked site.
However if VPNs do need to buy net access from an ISP, that puts them at the same risk of being blocked as the average user, doesn't it? And if they can indeed bypass ISPs and tap directly into the internet backbone, doesn't that make them ISPs, subject to the same website blocking regulations?
[ link to this | view in chronology ]
Re:
Sadly the only sane (I'm totally laugh as I'm typing this) option left for us it to do something like crowd fund a company to lay new network backbone and put enough conntect stuff on that, that other backbone providers are salivating at connecting.
I mean I'm not sure that getting past the fact that laying that sort of cable maybe defacto illegal in some parts of the state. Or that getting enough momentum to make legacy backbone holders capitulate, would be more difficult than actually passing (and enforcing) regulation on the internet.
It's not a happy place.
[ link to this | view in chronology ]
Re:
A VPN uses your existing internet connection. It creates a supposedly secure encrypted connection to a server they own, through which they route your traffic. From the outside, your computer looks like it is connecting from the IP address of the VPN server. Your ISP in theory does not know where you go, your traffic is an encrypted channel to a single IP address. So the theory is a VPN with no tracking records would hide your traffic from both your ISP and prevent external tracking from IDing you, and there would be no way to get the VPN to cough up who you are. They get around website blocks by the VPN server being somewhere other than the area the website is blocked. In no way is a VPN a replacement for an ISP.
In practice, as expressed by the article, few VPNs actually adhere to a no data retention policy, and ISPs have developed ways to continue to track you despite the efforts of a VPN.
[ link to this | view in chronology ]
Re:
Not if they are offshore. That is why Britain's plan to block all porn and social media, without verfiable ID, will not work. A VPN outside of Britain is subject to British laws
[ link to this | view in chronology ]
Re:
"I'd like clarification of something: Don't VPNs have to buy their net access from an ISP somewhere?"
Of course. more usually the VPN services do like ISP's do and purchase bandwidth straight off the network trunk.
The key portion of the VPN service is in how it handles the message though - essentially it fills the role of putting the mail in envelopes and sending them off, being the digital versions of an analogue secondary mail handling service.
VPN's can certainly be blocked by an ISP - but by all of them? The key difference here is that VPN's operate by using thousands of exit nodes, either of which might be carrying any one of their customers. And these exit nodes may not only be dynamic (thus hard to track and match) but use stealth traffic configuration, basically wrapping it all in a TLS shell which makes deep-packet inspection see the traffic as ordinary https web surfing/streaming.
Add a choice of CDN's to the mix on the web server side and what ought to be an ordinary 1:1 link from start-->end turns into a big ball of yarn you need extensive resources in three countries to unravel.
If you use a VPN you normally do so assuming that it will secure you from any entity which has representation and influence in the nation of origin and/or the nation of exit. The extra options add layers to this, enabling security even when both ends can be considered compromised (China, for example).
[ link to this | view in chronology ]
When I travel, I prefer to roll my own VPN by setting up a VPN on my home computer.
Some public wifis that block commercial VPNs often do not block private ones.
This lets me use VPN in hotels that mighr block commercial VPN usage
[ link to this | view in chronology ]
Streisand
This seems like a particularly appropriate place to mention Streisand (https://github.com/StreisandEffect/streisand)--a script that provisions a small VPS (free on Google, free for a year on Amazon, minimal cost elsewhere) to serve as your own private VPN host.
[ link to this | view in chronology ]
Re: Streisand
It is better, if possible, to have a VPN one your home broadband connection. This is just in case you are at a public WiFi that blocks commercial VPNs and proxies.
I run the Open Source SoftEther VPN software on my machine
[ link to this | view in chronology ]
Re: Re: Streisand
That solves a different problem. It gives you a safe connection when on public WiFi, but doesn't do so much when you're actually at home. And even when away from home, your connection is going to be limited by your connection speed at home. And if you're concerned about your home ISP snooping on your connection, this doesn't help you at all. OTOH, if your goal is to get into your home network, that's exactly the right answer.
Now, if public WiFi providers are blocking connections to AWS/GCE/DigitalOcean/Vultr IP blocks, then a Streisand host might not help you. But that's going to block an awful lot more than just VPNs.
Personally, I do both--I run an OpenVPN server on my home router, and a Streisand node (actually, two--one on AWS and one on GCE, but once my free year on AWS is up I'll cancel that one).
[ link to this | view in chronology ]
Re: Re: Re: Streisand
I use my own home VPN in case the public Wifi is blocking commercial VPNs.
The previous owner of Taco Bell wold block all VPNs, but I got around that by connecting, first, to the SSL VPN on my computer, and then connecting to the main VPN by using the Internal IP address on my home network, and that allowed the connection.
I exploited a flaw in Taco Bell's firewall to get onto my home VPN, using that method and totally bypassing their filters.
Exploiting that flaw did not break either California law, or Federal laws.
[ link to this | view in chronology ]
Top 3 Likely Owners
If a VPN won't provide ownership info, my guess is it's one of these three:
[ link to this | view in chronology ]
People think VPNs "...are a near-mystical panacea..." because that's how they are marketed.
You should see a VPN ad doing the rounds on Australian TV. Everything it says is false! It begins by claiming a ridiculously high percentage of Australians are affected by cyber attacks, which I suspect is a massaged statistic that includes things like trolling or viruses.
It continues to say it'll magically shield your kids from online predators and somehow protect your credit card number (from everyone, including the business you're paying). I am pretty sure most Techdirt commenters are technical and so I won't need to explain why the claims are a load of rubbish.
Some of these products and ads need to be referred to the ACCC, FTC, et al, but I suspect VPNs are "too technical" for any real action to result. So VPN operators will continue to peddle their lies.
[ link to this | view in chronology ]
Re:
All too true.
That said as long as it brings to the public awareness that running traffic through SOME sort of obfuscation is a good thing, I'm in two minds about it.
I can imagine it's the same reaction a conscientious doctor would have on observing how a crowd of raging anti-vaxxers go on board with an inoculation program as soon as some unscrupulous clergyman/fraud manages to persuade them the "sanctified needle" with its holy water would safeguard their immortal souls...grateful that people immunize themselves from diseases, but appalled at the method employed.
The hype around VPN's and 95% of the reasons given are sheer bullshit. The real reason why everyone should use some sort of VPN regularly is both simpler and far more obscure in the minds of most people. The VPN serves to put messages visible to all into enveloped communication only readable by sender and transmitter, which is the core criteria needed for freedom of speech and a cornerstone requirement of democracy.
All the right results for all the wrong reasons.
[ link to this | view in chronology ]
At what point have ISPs ever allowed users to opt out of data collection? I thought they, just like every other gold-toothed polyester-jacket-wearing scam artist out there out there, say opt outs are exclusively for preventing the data they persistently collect from being used for ad targeting.
The promise of an ISP using your personal data for ad-targeting says nothing about them selling the data to third parties to have, say, advertisers on Twitter target your account for shilling products to.
[ link to this | view in chronology ]
Re:
*not using
[ link to this | view in chronology ]
Well, you could just use Facebook
Who better to guard the hen house than a fox?
I'll show myself out now.
[ link to this | view in chronology ]
Re: Well, you could just use Facebook
slams the door on David
And stay out!
[ link to this | view in chronology ]
This is true. All your traffic goes through your local operator and only then trough VPN. But here is https://vpnwelt.com/vpn-fuer-kodi/ the most secure vpn!
[ link to this | view in chronology ]