Posted on 16 Oct 2021 by Ray Heffer
The use of VPNs is a hot topic right now. Edward Snowden recently warned people away from ExpressVPN (and rightly so). Just to be clear, I use a VPN all of the time. It’s always-on, running on my pfSense router. In fact I use multiple VPN providers for different reasons.
Recently I’ve also seen some poorly represented information about how VPNs do not provide any privacy. It appears to me that some of this information has good intentions, but doesn’t address the threat models VPNs are great for.
Making a statement like ‘VPNs do not provide privacy’ is too broad, without understanding your threat model.
Threat Model 1: You are an activist that is being targeted by your government. You could face arrest or your life could even be in danger if they tie your internet activity to your real identity.
Threat Model 2: You occasionally like to download media torrents, and want to hide that from your ISP.
My take: Use a VPN and avoid getting a piracy warning from your ISP!
Threat Model 3: You are a gamer and stream live on Twitch or YouTube. Problem is, you’ve had some toxicity in the gaming community. Somehow some wannabe hacker in the community found your real IP address and started a DDoS attack, taking down your stream and game connection.
My take: Use a VPN! For gamers, just make sure you find a VPN provider with locations close to you (to lower the latency).
Threat Model 4: I am fed up with my ISP sharing my internet data and logging everything. I don’t want them knowing my business. It’s not right.
My take: Just use a VPN. While there is still a risk of the VPN provider logging your activity, if set up correctly (careful of DNS leakage), your ISP no longer has any idea what websites you are visiting, limiting what data collection they are sharing about you.
You get the idea. I am not going to list every possible threat model here, but as you can see they can be very different. An activist being targeted by their government has an entirely different threat model to someone that simply wants to hide their web browsing activity from their ISP.
1: The VPN provider is logging ALL of your data which they can collect and sell.
Okay, let’s address this. A good reputable VPN provider shouldn’t be logging your activity; these are what we call no-log VPN providers. However, they could log your internet traffic, which is certainly a possibility if they are presented with a court order, or they are simply just a shitty VPN provider. This isn’t anything new, see this news article from 2017, or this more recent example with ProtonMail in 2021. The example with ProtonMail was for email (not VPN) but the court order could, and some day will apply to this I am sure.
Irrespective of logging traffic, when you register a VPN account you should do it using an alias name, alias email, and pay with BTC or other cryptocurrency. If the VPN provider is collecting your data to sell on for profit (which is why I avoid ExpressVPN), they won’t have your real information anyway (only John Smith that paid with BTC). They will, however, have your real IP address. More on that in a moment.
Either way, I would rather pick a no-log VPN provider.
2: Just use SSL/TLS, HTTPS
A VPN encrypts your network traffic (both plain-text and what’s already encrypted) between endpoints. The endpoints being your PC (or router in some cases), and the VPN provider (server).
Using a VPN does NOT encrypt your traffic between your PC and the target website or service (that is what HTTPS does), so I can see why some may be concerned that a VPN provider can see all of your traffic.
Again, what is your threat model? I’d rather find a good VPN provider and have some trust that they are not logging or manipulating my traffic, than simply not using a VPN at all where my ISP sees it all.
Using a VPN will prevent my ISP knowing what sites and other internet traffic I am using. More importantly for me, it also hides my real IP address from every website and internet service I use. This right here! - This is one of the main advantages of using a VPN!
3: Your VPN Provider Can’t Be Trusted
Well… probably true! I always like to err on the side of caution, so I am not naive enough to trust my VPN provider 100%. Also, while they may be trusted today, that can change overnight as a result of an acquisition (example).
I know that some people have decided to create their own VPN service with a cloud or VPS provider. However, let’s say I decided to install my own VPN server with a VPS provider, they can still monitor the internet traffic, plus I now have a potentially expensive solution due to network throughput costs. It’s a good option, but it doesn’t really solve the main issue. All of the above will still apply.
So what to do? Again, refer to your threat model. I don’t trust my VPN providers 100%, but I trust them more than my ISP!
Without using a VPN, your real IP address is being logged by every website and internet service you use. While your IP address isn’t the only thing that identifies you (see this NY Times article), it’s a pretty good unique identifier! It also allows websites and services to know your approximate real location.
While I agree that VPNs don’t offer anonymity, they DO offer some privacy against some of the most typical threat models. Above all else, using a VPN hides my real IP address from every website and service I use. That is why I use a VPN.
Finally, don’t search for those ‘Top 10 VPN Providers’ lists, since they’re probably created by the VPN companies themselves. Instead, do your own research and assess your needs carefully. I won’t make any specific VPN provider recommendations here, but if you send me a DM, I’d be happy to share my experiences.