Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS. Is he logging into his bank account? I doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching cat videos on YouTube? Well, even that's encrypted.
Remember, his argument is that VPNs don't provide privacy--so that's not the reason. And this is the section where he's talking about public networks, not about other rationales for VPNs like geolocking or ISP blocking. It weakens the argument of his essay to say that he needs a VPN at the airport or cafe.
But, of course, there is more to it than that. What about the unencrypted connections? DNS access and logging? Ironically these are what people tend to worry the least about but are the most likely to be compromised. A VPN can be very helpful here.
The article brushed across this distinction in a way that I think may have just been confusing to anyone that didn't already understand it. The net effect is that they might see these two pieces of advice as contradictory.
I think other considerations include whether or not the sites that you visit implement HSTS. While many sites do support HTTPS-only logins, several webservices are actually quite vulnerable to software such as SSLstrip[1], which redirects hijacked users to plaintext HTTP pages whenever feasible.
While many sites implement TLS, several sites don't implement HSTS. I am not sure about the HSTS policies of the top 3000 sites so I will not comment on that.
Because the airport made a shitty choice in designing it's wifi, and people who connect to such networks are making shitty choices.
HTTPS is nothing more than a content protocol wrapped in a transport encryption layer used for a subset of your overall traffic.
When you connect to an open wifi network your device is literally screaming 1s and 0s into the air like a maniac. A subset of these 1s and 0s are the things you're actively telling the computer to do. Most of this stuff is things like ARP, Name resolution services and other stuff that isn't encrypted for perfectly understandable reasons.
Instead, when connecting to an open airport wifi network, a personal decision is made that the connectivity is more important than encryption. Airport wifi connections could and should be encrypted with AP client isolation, but they aren't.
This hasn't been possible until WPA3, which has barely started rolling out.
Because the Internet is more than the stuff that lives on port 443?
What does the author do about UDP packets?
It’s interesting that you mention email. SMTP can use TLS of course but I know of plenty of POP3 email providers that still send unencrypted and even if it were, it’s not using HTTPS.
What about DNS requests too? Those are still often sent in cleartext.
Even with actual HTTPS with a browser, the domain itself is visible.
In short - the Internet is not just the web.
> Networks like these make it easy for attackers to get a copy of your network data, and if you send something unencrypted, the results can be quite harmful.
The web should be ideally end-to-end encrypted with HTTPS. But in case this assumption breaks down, VPN gives an additional headroom for security. Not much (as explained in the article, and thus should not be advertised so), but still useful.
No. People designing public access networks should use encryption and AP client isolation.
What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.
For literally years I've been telling people that a VPN run by a third party does not enhance privacy or security, but because the consensus is "VPN = secure" it's a losing battle, and I sound like a tinfoil-hat-wearing loon.
Most VPN services are not designed to provide privacy or security, and if you have a subscription to one, that's probably not the reason you bought it either. They're designed to provide the minimal amount of traffic hiding required to allow you to pirate TV/movies/video games without getting in trouble or hitting blocked URLs. And it works, or you wouldn't still have the subscription.
Now, as both the buyer and the seller need a non-shady cover story, they describe hiding your suspect downloads as "security and privacy" - it's not utterly inaccurate, but it implies far more than what's happening.
The problem with the narrative is that it makes laypeople think they are "more secure" when using a VPN, when in reality, the opposite is true.
As an example, when I perform a Google search, my traffic is encrypted over SSL, so my ISP can't see that. My ISP can see the domain name of the result I click, and a VPN would mask that from them. But now a new third party (the VPN provider) can see that instead. This makes sense if you're downloading pirated media (as the VPN service doesn't care), but the buyer is in effect trading:
1) An ISP, which is in most western countries heavily regulated, with legal commitments to auditing and your privacy (just not from law enforcement).
for:
2) Some computer somewhere that is run by an utterly unregulated company or individual that may or may not know how to configure OpenVPN correctly and that you don't know anything about, other than they run a shady business based on allowing you to download pirate files on the internet. Also they're not at all regulated or audited, and may not even be in a jurisdiction that requires them to protect your data at all.
Given this trade-off, trusting a VPN to do a better job of protected your privacy than an ISP seems like madness to me, given that they could easily sell whatever information they have on you on and there's nothing you can do about it (and you'd likely never find out). It may not even be a crime depending on where they're located.
There's arguments for VPN in preference to unsecured Wi-Fi, but in reality, how often is that an issue? How many scenarios are there where you can't use mobile data instead? (And even where/when you can't, you still have all the downsides above which may or may not be better).
Most VPN's raison d'être is providing privacy. If it's publicly known that they don't then that kills their business.
An ISP is tasked with connecting prior to the internet, they don't make claims about privacy, they can reveal information about clients without necessarily putting anyone off, most of the clients for large ISPs have probably never heard of a VPN.
If a VPN wanted to they could get audits by pen-testers to warrant their ability to provide secrecy.
A VPN provider that's been around a while and claims to offer a high level of privacy probably does.
Slight aside:
>My ISP can see the domain name of the result I click, and a VPN would mask that from them. //
There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.
A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.
Payment information - some prefer to use cryptocurrency, which in their minds, is private. Again, once metadata connects you, there's no denying that that's you.
A third party consultant takes your payment? Maybe. Especially if you've got some anonymizing layer to your credit card info that has earned a similar trust. This will of course add to the cost of the transaction.
Even the way you type can connect you. Sufficient amounts of text - such as this reply - are usually enough.
This is probably not going to work with public vpn services because many users share one server, and the server you use changes every connection. Thus facebook can’t really correlate your torrent traffic with your session because it could be anyone else on that server.
Not really. There's not a single documented case of a major VPN user ever receiving a copyright infringement notice. Despite the fact that millions use this exact same use case.
In security it's always important to understand the threat model. If I know I'm being personally targeted by Mossad, that's a very different story than if I'm trying to avoid getting identified in a mass copyright notice from the MPAA.
Facebook would never ever ever in a million years voluntarily give the MPAA unrestricted root access to their IP level user tracking data. If they tried to subpoena it, Facebook can afford much much better lawyers than Warner Brothers.
And I guarantee that at least in the American judicial system, any judge is going to be extremely skeptical against such a sweeping request.
Exactly, and it's usually a cookie or some sort of persistent storage. I use a VPN, but I use it at the router level. https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...
I know my ISP logs my metadata (by law), whereas I trust that my VPN provider does not.
Essentially VLAN2 all traffic is routed direct to my ISP, and VLAN3 all traffic is routed to VPN. My machine normally sits in VLAN3. I make sure not to log into anything social media related or tied to my real identity.
If I need to do banking, Facebook or something like that I'll use a device in VLAN2 (a separate computer).
All phones and devices like that are broadcasting information anyway so those are in VLAN2 as well, unless they are devices with LineageOS and no Google Apps.
> A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.
See in this scenario I would have a system in VLAN3 that I use for my downloading, and another computer in VLAN2 that is used for the facebooking. I use a hardened browser with https://github.com/ghacksuserjs/ghacks-user.js that hardens the browser and helps against fingerprinting.
I also use a number of addons, for various purposes
That requires hardening. Currently I use
* CleanURLs https://addons.mozilla.org/addon/clearurls/ (remove UTM and parameter tracking)
* CSS Exfil Protection https://addons.mozilla.org/addon/css-exfil-protection/
* Decentraleyes https://addons.mozilla.org/addon/decentraleyes/ (prevent tracking via CDN)
* Firefox Multi-Account Containers https://addons.mozilla.org/addon/multi-account-containers/ (used for sites to keep me logged in)
* HTTPS Everywhere https://addons.mozilla.org/addon/https-everywhere/
* Redirect AMP to HTML https://addons.mozilla.org/addon/amp2html/ (no to AMP)
* Temporary Containers https://addons.mozilla.org/addon/temporary-containers/ (Prevents tracking via ETags and other things like IndexDB)
* uBlock Origin https://addons.mozilla.org/addon/ublock-origin/ (block adverts)
* uMatrix https://addons.mozilla.org/firefox/addon/umatrix/ (block 1st party JavaScript)
a) Your ISP is almost always in the same legal jurisdiction as you are. A VPN need not be.
b) A VPN has some incentive to deliver on privacy. Your ISP does not.
It's fair to call out that a VPN isn't perfect for either privacy or anonymity. But it clearly can be better than your ISP.
They are by law in the tinpot jurisdiction I live in, required to retain all "meta data" about my internet connection, and provide it to "law enforcement" which has turned out to include not just terrorist and serious drug crime divisions of the police, but also local council garbage services and the taxi commission.
All I need from a VPN service is for it to be slightly more difficult to request all the data invading my privacy than the mandatory legal disclosure of it that I'm subject to anyway. Anything beyond time-zone slowness and paperwork incompetence is just a bonus. I prefer VPN providers based in France or Finland or Iceland - on the perhaps vaguely over reliant on bad stereotypes theory that they'll put English language requests at the bottom of the pile, and that the Sydney Taxi Commission won't have an Icelandic speaker on hand to ask them for my internet date records...
Even if they keep all traffic logs, and even if they happily turn it over without a fight to anyone who can fake a plausible looking LEO email address from Australia, I'm still ahead in at least some important waays privacy-wise over not running a VPN at all... If they really don't keep logs, or really will push back against LEO requests without proper warrants, even better. But not doing that doesn't;t make them useless...
There's no barrier like international bureaucracy and language barriers. Good luck navigating the courts of 3 countries within the time period that any logs might have to be saved for at the last hop.
Also this censoring is poorly executed by some ISPs via simple DNS hijacking. As a result your connection is slow and with terrible jitter.
As for the proverbial airport/cafe WiFi - using VPN is not about not beeing tracked - it is about blocking easy access to your laptops filesystem by attacker on the same network.
Also if you do not trust commercial VPN provider just set up your own.
https://www.indiewire.com/2017/06/great-dictator-blocked-tha...
Regarding this point, I think a good strategy here is to acknowledge that ISPs, like most organizations, don’t want to add to their workloads. Of course they aren’t privacy centric, but appeals to them oriented around _not_ having to store a bunch of logs or set up a bunch of processes can help to unite more people around initiatives to make things better for everyone
If everyone has the same ideals then it’s easy to team up. But even if everyone has different ideals, you might all still be wanting 90% of the same result and can still team up!
ISPs can't be blindly trusted. I switched ISPs lately because my previous one started offering personalised TV-ads. This is a very scary topic and in Belgium it has already lead to some fishy things:
https://www.nieuwsblad.be/cnt/dmf20160913_02466535
Nice quote with regards to personalised tv-ads:
"Er komt ook een nog verdergaande versie waarbij ook het surfgedrag zal leiden tot gerichte tv-reclame. Daarbij wordt gemonitord naar welk type websites er in een gezin vaak wordt gesurfd, om zo interessepatronen te ontwaren die lucratief kunnen zijn voor adverteerders."
"There will be a far-reaching version in which browsing behaviour will also lead to personalised tv-ads. The websites visisted by families will be analysed in order to discover interest patterns that could be lucerative for advertisers."
Add this to the many cases where ISPs have fought for being allowed to use deep packet inspection to monitor what we do and you start to see that ISPs in fact think they have a right to collect and sell our data. Am I not already paying for internet and TV?
Most of them are registered in five eyes countries, or twelve eyes. If they have anything in the US even if its just a single server they will claim jurisdiction over the lot.
There are too many agreements and loopholes to rely on the whole jurisdiction thing. Unless you use a 100% Estonia VPN company and server with no other locations you are not safe, even then its not enough. 5 years ago Sweeden was the safest country for privacy, things change.
> A VPN has some incentive to deliver on privacy. Your ISP does not.
While they generally don't an ISP can give you better privacy than a VPN, no worries about dns leaks, they can route every one through a low latency mixer etc.
I would rather pay an extra £20 a month to my ISP for real privacy than pay a VPN £5 a month for fake peace of mind.
In my circle, VPN use starts to be requested by non-technical users that just want to minimize their digital footprint.
Seems amazing to me, since people spend 200$+ on a service for a year, so it seems rather important to them.
No reason not to use globalization to your own advantage.
Users trusted PureVPN claims for protecting their privacy but all it took was an FBI investigation and through court documents to find out that they actually were keeping logs, despite all their claims.
False
>Just because they claim that they protect your privacy that's just a blind faith.
Even if this is the case, it does not make your previous statement true
It's true that VPN services at best provide less anonymity than Tor does. And that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But PIA clearly does, as demonstrated now in two criminal investigations.[0]
Of course, in both cases, defendants pwned themselves through poor OPSEC. But at least PIA didn't give them up.
And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.
0) https://torrentfreak.com/private-internet-access-no-logging-...
A lot of users care about privacy, but have no idea how computer networking works. It's hard for these users to understand whether they're private or not. If you don't believe me, check out the tech support and recommendations over at old.reddit.com/r/vpn -- there's clearly a lack of knowledge about VPNs and computer networking. Probably once a week, someone will ask "How did [paid video streaming service) know I was using a VPN?" Or "X country can only spy on me if I have a VPN in that country, right?"
No VPN service has my "payment info". Or at least, not any meaningful payment info. As you say, I use email accounts created through Tor, and pay with Bitcoin that's been mixed at least three times through Tor, using a different Whonix instance and a different mixer for each mix.
The FBI having access to an NSA-provided tool that takes some IP addresses and returns other "associated" IP addresses (from trivial packet correlation on PIA's upstream) would produce a pattern of investigation that essentially looks the same.
If your threat model includes the NSA or the like, VPN services are at best a minor hindrance. Possible options include Tor and "anonymously" using WiFi hotspots.
I only know of one fundamental fail for Tor: the relay-early bug that CMU exploited. The others have involved Firefox and Windows bugs. People using Whonix in Linux hosts, and hitting Tor through nested VPN chains, would have been safe from any attack that I've heard of. But then, maybe I just haven't heard of the juicy ones.
I've tried the "anonymously using WiFi hotspots" approach. It's a pain in the ass. And in today's high-surveillance environment, I believe that it's a dumb idea.
It's true that VPN leakage is a serious risk. But you can use firewall rules to prevent DNS and traffic leaks. Or you can use VPN services whose client apps do that for you.
Also, I'm talking about desktop use. Doing any of this on mobile devices is a lot harder, I think. I'm not sure that I'd even bother.
The article makes some valid points but overstates the case. I continue to be happier with trusting my VPN providers than any of the ISPs available to me.
This is false. ISPs do not disclose your personal information for copyright complaints.
Industry, Science and Economic Development Canada explicitly states that subscriber information is only disclosed "if ordered to do so by a court ... as part of a copyright infringement lawsuit." [1]
Copyright infringement suits are known to have happened, but they are rare because the limit for non-commercial infringement is $5,000, which is generally not worth pursuing through the courts.
[1] http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca02920.html
Citation needed?
The “Notice and Notice” regime legally requires the ISP to pass along a notice from a copyright holder that believes your IP infringed their copyright by uploading their material. It does not permit the ISP to give subscriber information to the copyright holder directly unless ordered to do so by a court.
Here’s Michael Geist, Canadian lawyer, explaining the system and recent developments regarding ISPs seeking to make such information disclosures more difficult for copyright holders, not less
http://www.michaelgeist.ca/2018/09/notice-the-difference-sup...
> My Globe and Mail op-ed notes that the Canadian system for online infringement was formally established in 2012 and came into effect in 2015. The so-called “notice-and-notice” approach grants rights holders the ability to send notifications of alleged infringement to Internet providers, who are required by law to forward the notices to the relevant subscriber and to preserve the data in the event of future legal action. The system does not prevent rights holders from pursuing additional legal remedies, but Internet providers cannot reveal the identity of their subscribers without a court order.
> While the system has proven helpful in educating users on the boundaries of copyright, some rights holders have used it as a launching pad for further lawsuits. In fact, thousands of lawsuits have now been filed, with rights holders seeking to piggyback on the notice-and-notice system by obtaining the necessary subscriber information directly from Internet providers at no further cost.
> The question of costs lies at the heart of an important Supreme Court of Canada copyright ruling released on Friday. Voltage Pictures sought subscriber information from Rogers Communications for the purposes of pursuing individual lawsuits. When Rogers advised that it wanted compensation of $100 per hour for the costs associated with fulfilling the request, Voltage responded that Internet providers could not pass along their costs since the notice-and-notice system already required them to identify subscribers and preserve the data without compensation.
> The particular incident may have involved only a few hundred dollars, but the broader principle had the potential to dramatically alter the Canadian approach. If Internet providers were required to disclose subscriber information without passing along the costs, Canadian courts faced the prospect of an avalanche of lawsuits and Internet providers might be dissuaded from carefully ensuring that the privacy of their subscribers was properly protected.
> The Supreme Court understood the broader implications of the case, ruling that Internet providers can pass along the specific costs associated with subscriber disclosures beyond those required for the notice-and-notice system. Indeed, the court recognized the importance of accurate data to safeguard against reputational harm and wrongful lawsuits.
With honest VPNs, court orders won't yield anything.
- Regarding user identification, rolling my IP address is trivial with a VPN. Less so on my static IP.
- The Facebook example without cookie deletion is a low-effort Straw Man
- I reject the leap that "we have figured out that they [VPNs] do not add much to your online privacy". In the very narrow terms defined, yes of course, but either the author has willfully missed out why people use them, or doesn't understand why.
I did enjoy this note though: "Somehow, VPNs have turned them not failing to do their job into something they can market as a special feature."; I think there's some truth to that.
I tunnel my traffic over a VPN to avoid my ISP building a profile on me. I change my IP every-so-often to mess with trackers at large. I accept that browser fingerprinting is probably thwarting my overall effort somewhat, but I'm reducing the vectors that I can. I firmly believe that VPN companies are capitalising on fear but I respect the hustle. I don't think any of those points are particularly niche (niche subject notwithstanding!) so I find it interesting to see this take on it. Perhaps this isn't an article representative of the position of the wider HN crowd?
In ~100% of cases, you're safer SSH-tunneling your traffic to a cheap server at a cloud hosting provider.
What do you believe this profile is made of? I don't mean this sarcastically. Facebook or Equifax's profile of you must be very complete and contextual.
But, your ISP has:
- The domains you visited, but not the specific URLs (via SSL & certificate names)
- The domains you visited, but not the specific URLs (via DNS)
- The IPs you visited.
- The ports of those IPs.
- Any unencrypted traffic, which as noted, is pretty rare these days.
Do you believe that with this information your ISP can build a very meaningful profile? It seems to me that the profile which Amazon, Facebook, and a Bank, (VPN or not) can build is far more damaging. (and, I admit that just because you can't prevent the worse profiling, it doesn't mean you shouldn't mitigate what you can.)
I promise, I don't mean any of this in a negative way. I'm somewhat in your boat -- I tried to do a lot for privacy via blocking and other mitigations, but I often wonder: do Amazon and Gmail effectively defeat my efforts?
> Anti-features
> * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
> * Does not install Tor, OpenVPN, or other risky servers
> * Does not depend on the security of TLS
> * Does not require client software on most platforms
> * Does not claim to provide anonymity or censorship avoidance
> * Does not claim to protect you from the FSB, MSS, DGSE, or FSM
It's incredible how quickly services that massively centralize bulk consumer web traffic were normalized. This is not ok. Further, most of these services are located in "exotic" locales with uncertain legal protections, anonymous or psuedo-anonymous owners, and make barely enough revenue to hire more than 3 or 4 staff members to maintain and secure their own infrastructure. This whole industry is a slow motion disaster.
What do you mean by "risky servers" here? I run OpenVPN on a few servers, is there something I should know?
> Why aren't you using OpenVPN?
> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update[1] and maintain[2] the software themselves. OpenVPN depends on the security of TLS[3], both the protocol[4] and its implementations[5], and we simply trust the server less due to past[6] security[7] incidents[8].
[1] https://www.exploit-db.com/exploits/34037/
[2] https://www.exploit-db.com/exploits/20485/
[3] https://tools.ietf.org/html/rfc7457
[4] https://arstechnica.com/security/2016/08/new-attack-can-pluc...
[5] https://arstechnica.com/security/2014/04/confirmed-nasty-hea...
[7] https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob...
It shouldn't be too bad if you keep your server and clients updated, though (depending on your thread model).
PIA has told the feds in the US to fuck off multiple times when asked for logs. You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison (PIA is based in the US). I feel pretty confident they're not risking prison to cover for Joe Blow subscriber. Other "no log" providers have been caught with logs, though.
I do agree with overall message about VPN advertising. It's presented as a panacea when it's really a single step you can take.
There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.
[1] https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...
Not if they aren't in US, hence why so many people choose non-US VPNs
White collar criminals typically go to Club Fed, though.
- as an ISP, you're required to retain data for a year that would let LEAs map an IP address you manage to a subscriber. If you're giving out public IP addresses to your customers, this can be just an excerpt from your IPAM.
- as an ISP, you cannot give out this data without a court order, and you will be in violation of data protection laws if you do do.
Source: the Warsaw Hackerspace is an ISP.
I subscribed to a small VPN service 5 years ago for one reason: I needed static IP address for work, but my ISP at the time wasn't selling them to private individuals (freelance).
And I couldn't be happier! Wherever I go I don't have any issues with access to my resources or worries that local government will fine me for watching porn (check out UAE or Saudi laws).
Hell, even Skype is blocked by a lot of telecoms around the world since you don't pay roaming fees when calling through it. How ridiculous is that? On VPN it worked everytime.
HTTPS is great, but it is by no means private enough. ISP knows which service you are requesting, they can do SSL inspection and all kind of shady bullshit without your consent. With VPN they only see that I talk to 1 IP address somewhere in Netherlands and that is it!
Maybe you misread? I think he was saying the reverse.
The article touches on the OpenVPN protocol, "commercial" VPN providers (ExpressVPN in the screencap), but just glosses over the availability of better protocols, good providers, useful browser extensions, and democratized DNS encryption.
A combination of a WireGuard VPN provider (Mullvad comes to mind), using only the Firefox browser with a few extensions (such as Multi-Account Containers, HTTPS Everywhere, Privacy Badger, Decentraleyes, etc.), and using DNS over HTTPS (can be enabled in FF as well) will solve most of the problems the article posits. Running AdGuard as a local DNS server with upstream DoH is also something relatively easy to do.
Sure, overall security posture calls for a bit more but a good [VPN + DoH + FF + AdBlocking] setup should be the norm and not the exception; and will definitely pay off dividends rather than just letting a green padlock give users peace of mind.
I'll actually write a how-to on this, since I don't want to seem like I'm just mentioning a solution without actually providing the steps to get there.
Bull. Shit.
Find me a major ISP that publicly claims they don't log any data.
Anyone making a claim remotely similar to those made in https://torrentfreak.com/which-vpn-services-keep-you-anonymo...
If it was the norm for ISPs to claim this, maybe this argument would work. For now, we have many documented cases of ISPs selling your information, and they don't even try to claim that they don't keep logs, while many major VPN services (see link above) explicitly claim to never store logs.
Oh, and btw, here in Europe, it is actually illegal for ISPs to give connection data away for non-law-enforcement purposes. It's sad that there are some US-American ISPs that have a record of selling some information, but the world does not evolve around the USA.
Other fatal flaws in that section, fwiw
>Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.
Plenty of VPNs accept bitcoin, and prepaid anonymous debit cards are widely available.
>Most VPNs limit the number of devices that can be connected at the same time. For that to work, well, they have to store a piece of information stating which device is connected, and what VPN account it is associated with. They have to associate your VPN session with your VPN account, as counting the number of sessions per account would be impossible otherwise.
This is addressed in the link above. Besides, it's possible to limit simultaneous connections without storing anything to disk.
>What's your point here, exactly? Because my point was you have to trust either party.
The difference is that no major ISPs are claiming not to log.
That's true. And so some of us go out of our way to name names. For example:
EarthVPN - user compromised by datacenter logs
HMA - retained logs, and provided them under UK court order
Proxy.sh - outed someone voluntarily, because they didn't like something he did
PureVPN - retained logs, and shared them with investigators
> Because my point was you have to trust either party.
That's true. Except when it isn't. If you use nested VPN chains, you don't need to trust any of the individual VPNs. It's not as anonymous as Tor, because it's static, and far less complicated to compromise. But it's at least 10x faster. And you can hit Tor through them, which protects you from evil entry guards.
I don't just mean law enforcement, though that's probably a problem too, (though I have less experience with that one) I'm also talking about the normal abuse an ISP gets. Spammers, etc... From experience, your upstream will shut you down if your customers aren't well behaved.
Why couldn't you have a flagging system in real-time that shuts down accounts but doesn't save the data to disk?
In the US, where personal data is a free-for-all and everybody and their dog sells data about me to everyone else, this is important.
I agree with the author that VPNs should not be advertised as a complete security and privacy solution, but I disagree with his statement that they can actually do more harm than good.
If they actually wanted to. You could sure them under wiretapping laws if they did.
If you cannot trust your ISP, you cannot really have any privacy without truly extensive measures. Not even Tor is enough, it does not pad and change timing enough.
The real problem is cookies, requirement for email backed login and phone home downloads. (E.g. images such as social buttons, JavaScript. They can also leak cookies or make them live longer.)
The last one is combatted to an extent by mix networks like Tor, or better yet, by aggressively caching and/or predownloading.
I assume you meant "sue", but, no, that's not actually a guarantee, because companies can require that you "voluntarily" agree to mandatory arbitration in order to get any service at all.
Could you? I was under the impression that (in the US) the main difference between a phone line and an Internet connection is that former is legally protected against wiretapping and the latter not so much.
Has this ever worked though? Cursory searching, I don't see or know of any examples of lawsuits that have actually succeeded on this front. And it's not like ISPs have never given consumers an opportunity before.[0]
[0]: https://www.cnet.com/news/verizon-draws-fire-for-monitoring-...
This kind of argument comes up a lot, and I really don't understand it, at all. Privacy is a process, it's something you improve over time. The alternative is completely circular.
I shouldn't care about switching to Firefox, because my ISP is already getting all this data anyway, and I shouldn't care about using a VPN because Google is getting all of this data anyway...
If you want to go from no privacy to decent privacy, it is inevitable that there is going to be a period where you are only plugging some of the holes.
> The reality here is that your IP address is only a tiny piece of your trackable profile
Yes, a tiny piece you can never shake off besides with a tunnel ("VPN"). On this front, OP is effectively making the argument that surveillance by IP address is simply never done, even if all the other tracking signals are removed. This is doubtful.
> the location of a piece of large network equipment of your ISP, and not your location
Yeah which is still pretty damn indicative of my location, despite the "streams coming together" narrative. One less signal available to the surveillance advertisers is a good thing. One more feeling of "otherness" to an ad you're being forced to see is a great thing.
> The only secured [encrypted] channel here is the route between your machine and the VPN server
Yes, simply hiding your traffic from your ISP is itself a huge win. They don't spend millions on DPI gear without clear ROI.
Given that a vibrant market for VPNs provides for copious tunnel endpoints, and that common people imperfectly using VPNs still frustrates bad actors like banks and geofencers, I'll forgive the messaging. They're certainly more legitimate than pharmaceutical or political ads.
https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-...
Check out https://mullvad.net if you want a VPN that takes anonymity serious. They don't even have real accounts, you just pay (preferably via BTC or even cash via postal mail) towards an account number that is also used as an identifier to authenticate towards the service. While there is no 100% guarantee, I would trust their claim that they do not log.
"Log in to your Facebook account. Connect VPN. Did Facebook forget who you are?" He forgot step to open new private window to clear login cookie.
VPN is a must for everybody in there days of data harvesting. We will be sorry tomorrow, seeing many new ways it can be used by global corporations and governments.
>Acting as they do, and promoting commercial VPN providers as a solution to potential issues does more harm than good.
I think this ignores the fact that some users have different threatmodels, sometimes the privacy threat model of a user does include their ISP for various reasons (think China).
>
Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.
Depends on the VPN, some VPN providers actually don't keep that kind of history or provide options to operate and pay an account anonymously.
But the article should have touched on _how_ one would actually achieve the privacy levels that the VPNs claims to offer. For example, using TOR rather than a VPN is a much better guarantee of privacy against IP based tracking (and what the draw-backs of TOR is - such as accidental real-ip leaks via javascript).
A lot of users simply trust the marketing of VPN providers - because it's cheap, and it doesn't look like it'd do harm. Like how multi-vitamin pills are marketed as a cheap silver bullet for a complicated problem.
There are some legitimate reasons to use a VPN. Those are far fewer than the marketing claims of those companies. What I've seen over time:
* hide your IP from the service you're using (related to geoblocking)
* get around limitations of your ISP (blocked ports or throttling, torrenting)
* hide traffic/service you use from your ISP/government (China, UAE, Iran)
* get around bad routing of your ISP
Also, his disbelief of anonymous payment methods is incredibly stupid. I can walk into a store right now and get a prepaid visa using cash, no crypto currency shenanigans required.
WalMart, Target, and many other large retailers retain photographic records of all purchasers. Many cases have been broken by police claiming to have found a match at a WalMart for the purchase of items committed in some crime.
So cash purchases of cards is not always a completely anonymous choice.
Personally, the only reason I use VPNs is for region-locked content. How are you sure this isn't a bigger use case than you think?
Anonymous credit cards are ruled out by law basically everywhere in the European Union. Assuming that I live in the US, and that everyone on this planets is doing so, is - as you call it - incredibly stupid.
There is no way to get absolute privacy in this context for the average user. Journalists and activists should be aware there is no technology solution to protect them from spying by any sufficiently committed actor, with state actors all bets are off.
It's false self empowerment by some technical folks to presume there is a technical solution against state actors who are well staffed, have near endless resources and are working 24/7 to thwart any localized technical solutions.
If there is a way to get online truly anonymously ie public wifi points, mesh networks these will immediately be subverted by state actors with things like illegal porn, terrorism and made illegal or compromised and used as honey pots. There is no winning here.
Also, this doesn't mean that the traffic or destination addresses are also logged at the VPN (the most important data).
But, is also true that you'll never know.
I see people commenting ‘I use company X, they are great’ seemingly ignoring the fact that they have no real clue as to what Company X is actually doing.
> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.
This is where a lot of people would disagree. A known, reputable, audited, privacy-focused vpn provider, for example, could be more trustworthy than an ISP.
I think the declarations in the article do confuse the issue a bit - some of the benefits of a VPN such protecting against DNS logging are real but are probably not as useful to VPN marketing people as a "pitch", because they're a bit tougher to explain to laypersons.
1) I'm not entirely convinced on the IP address tracking thing yet. Sure, you probably sit behind a NAT device on your home internet connection. But what about mobile? Are cellular networks NATed? Also, do trackers really not use IP addresses for tracking? It seems like a stable identifier as long as the "victim" is not obscuring it and as long as you can somehow link it to the victim's next IP address (unless it's static).
2) How are DNS queries not sensitive information? They tell what services you use on the web. It's how you use the internet. I don't really want any untrusted party to see that.
I was recently a victim of a password cracking attempt from someone using a vpn. I tried reporting the incident by sending the logs to the vpn abuse email, and they ignored it. I looked into VPN company itself, and it was owned by some Russian in Panama. I tried emailing a lawyer there and he said that he couldn't help me because he did work for that person.
I have no doubt that most of the major vpn providers are similarly structured so that they can just ignore all complaints except from the largest corporations.
So lets say you visit a website p0rn.xxx without a VPN, but this target website indeed gets HTTPS version of encryption, in such case, does your ISP know which website u visit?
Another case, when you connect to a VPN, your ISP indeed know you connected to an IP right?
Any more similar cases to let me learn more about what data gets encrypted and whats not?
All other problems aside, how successful defence against that is this? Article doesn't adress that as far as I could see.
First, the downplaying of IP location lookups. If you do a lookup on my home IP address, it'll get you within 5 miles of my house. From there, the only other information you need is my name and potentially one or two more details like a birthday (easy, I use my real name online) and you can get access to my voting data -- and that'll give you an actual address, not just a zip code.
OP is correct that your IP address doesn't directly leak your home address, but in many cases it can be a pretty helpful clue. In a small town, a zip code and a name can be good enough on its own for a stalker to find someone even without voting data or public records to pull from.
OP is also correct in that there are plenty of other ways to get this data, but I fail to see how opening yet another trivial hole in my identity helps with that.
Second, the downplaying of encryption concerns. We've come a long way on SSL, but it's frankly irresponsible to say that users should just assume all of their browsing will automatically be covered, regardless of what the top sites are doing. I am primarily visiting tech sites nowadays and I still occasionally run into sites that aren't encrypted. And that's nothing to say to the fact that there are multiple ways of configuring SSL and not all of them are equally secure.
This is just in my browser, which punishes sites with insecure warnings if they're not encrypted. How many native apps are sending unencrypted data given that there's no punishment and that the user gets zero indication of the SSL status? We know from the IOT industry that a lot of these products and apps are regularly getting rushed out the door.
Of course, VPNs only encrypts the data between you and the provider. But we don't live in a world where people are primarily using desktop computers. Most users are going to be on tablets, phones, and laptops, and they travel. And no, public networks are not the only risks -- even if a network forces you to put in a password you still don't know how that network is configured, you still don't know what vulnerabilities exist on it.
If you don't know who set up the network, you should treat it as if any unencrypted data could be intercepted before it reaches the router. And you should be suspicious of the router/provider itself, particularly if it's wifi being offered by a store/hotel/airport, or other commercial entity.
And that leads to the final, big objection -- the idea that VPNs are harmful because all they do is shift the trust model. If you're in the US, unless you are very, very lucky, you can not trust your ISP. Shifting the trust model is not a fatal flaw, it is literally the entire point.
Yes, needing to trust someone is not ideal. But my VPN provider has more of an incentive to take care of my data than my ISP does. If you're using something like Proton or PIA, then I feel very confident saying that I trust both of them more than Verizon or Comcast.
So I agree that bulletproof claims that come from VPNs are often inaccurate. I agree that there are problems. I don't see this article as any less sensationalist and inaccurate than the provider claims though. VPNs are just a kind crappy solution we're stuck with, and absent everyone moving to Tor, I have yet to see anyone propose a better solution.
Compare that to random commercial VPN app...
I don't mean that Tor will work better if everyone uses it. Quite the opposite, it will slow down considerably.
I mean that anyone who isn't using Tor needs a different solution. We have two solutions being proposed to the problem of leaking IP addresses: VPNs and Tor. Unless our plan is to move literally everyone onto Tor, we need a non-Tor solution for the people we don't move over.
Or is the solution multifaceted and you should use a combo of VPN, don't logon to services connected to first party data etc.?
Commercial VPNs are the homeopathy of the Internet.
They're selling snake oil. For all but the most impossibly pathological customer scenario, nothing that a commercial VPN can give you will actually protect you in any meaningful way. But they can hurt you. Since there's no quality control of any sort, and since their customers are self-selecting for dangerous behavior, it's a horrible environment to go mixing your traffic into.
Ones I have heard bad things about are EarthVPN, HideMyAss, Proxy.sh and PureVPN. And although I've heard nothing bad about ExpressVPN or NordVPN, the fact that they've bribed so many review sites to recommend them annoys me.
And yes, I have written stuff for IVPN.
I would not trust ExpressVPN anymore for anything.
(The reason why I'm not with a VPN yet is because it would compromise my speed. Am I overestimating the impact?)
No free lunch :(
> in theory, your ISP could keep a list of all domains you requested and based on that, they would have a pretty good understanding of what you were doing online
I would argue that this is not theory but reality. In the EU you have the Data Retention Directive forcing telecoms to store metadata for a period of between 6 months and 2 years for example. [1]
> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.
I know this article is about commercial VPN’s but what if I run my own VPN? Then I do gain some privacy. I’m not saying to use a self hosted VPN and you’re good to go; a VPN in my opinion is a vital part to improve privacy but it’s just that, a single part.
> what is your reasoning behind trusting an anonymous company [..] more than you trust your ISP, which is a big company with [..] something to lose?
I’d argue that a VPN, even a commercial one is more trustworthy than my ISP, who doesn’t need to care if I trust them. It’s in the interest of my VPN to protect/delete my data if they say they do so. My ISP does not make that promise, quite the contrary actually.
> if you pay for a VPN service, [..] your VPN account will be linked to your actual identity
It’s entirely possible to pay for a commercial VPN anonymously, Mullvad for example offers the option of paying via cash that you physically mail them. [2] Many offer payment with crypto currencies.
> Large commercial VPNs [..] make governmental surveillance easier.
That’s not true and it’s what bothers me the most about this article. Why wouldn’t my government just get the data from my ISP? There are far less ISP’s than there are VPN’s. In Germany for example Telekom alone had around 18 Million customers in 2017 and Vodafone had another 10 Million. I’d assume strongly that you’d have to get to a lot of VPN providers to reach nearly 20 Million people. Personally I just assume that every request I make with my ISP’s DNS is known to my government.
Another thing: a VPN can protect it’s user. In Germany for example it should be expected that when you torrent copyrighted content, like a movie, you’ll get a letter from a law agency like “Waldorf Frommer”. Those law agencies only purpose is to go after copyright infringement by connecting to the torrent swarm and logging IP’s. They then ask your ISP to hand over your address and a week later they’ll send you a letter asking for fines in the realm of €1k. [3] They sometimes go to court to collect those fines. Regardless of how you might feel about copyright infringement that is a valid use case where a VPN will protect it’s user.
[1] - https://en.m.wikipedia.org/wiki/Data_retention
[2] - https://mullvad.net/en/
[3] - https://www.heise.de/ct/artikel/Ignorance-isn-t-Bliss-Rights...
An actual attempt at privacy would involve chaining at least two VPNs and paying anonymously. Starts to look a lot like TOR, doesn’t it?
This issue with VPNs is, as the article states, people will just use them to log in to Facebook. It’s like putting on fake nose and glasses while at the same time wearing a t-shirt with your name and social security number.
However VPNs are brilliant for getting around horrible ISP, e.g. to participate in P2P networks. In that case, paying for GB is not very ideal.
Here's why I think using a VPN makes sense:
1. ISPs cannot track and mitm you. ISPs have MiTMd https [1].
2. Circumvent censorship, esp DNS manipulation attacks.
3. Prevent use profiling: traffic meta-data analysis (what IPs you connect to, what protocols you're using and so on) [2].
4. A lot of propaganda is targeted at a demography in a particular location. Tunneling traffic through a VPN might mask your location unless the app or website had access to it prior, and fingerprinted you already [3].
Sophisticated actors can still do all of the above VPNs or not.
The trackers have it too easy and use IP addresses as a signal. Masking IP address is one signal less. Then, up the stack at the application layer, it's up to the end user to make saner choices. That isn't on a VPN provider or Tor.
VPNs could def do better:
1. Firewall known trackers server-side. Similar to how how browsers today block known rouge websites that have been caught phishing or spreading malware.
2. Stripe traffic over multiple exit IPs. Much like Firefox's multi-account containers.
3. Let the end user analyse their traffic client-side, and help them take control over what the client should send and not send.
4. Open-source their stack, and provide ability to inspect what's running on the servers.
5. Provide technically better internet experience by accelerating traffic over uncongested paths, provide better connectivity over lossy networks [4][5].
If VPNs aren't improving the experience and if IP masking is all you need, then remember, Tor is free [6], and is pretty decent in terms of speed and latency these days.
--
[0] https://trac.torproject.org/projects/tor/wiki/doc/Transparen...
[1] https://news.ycombinator.com/item?id=495830
[2] https://news.ycombinator.com/item?id=11278784
[3] https://panopticlick.eff.org
[4] https://blog.cloudflare.com/1111-warp-better-vpn/
There is a lot of marketing, agreed. However, those messages do serve a purpose - they make it clear you configured that particular VPN correctly and that it works.
> IP addresses for user identification
Yes, there are more factors than just IP. Clear cookies, use uBlock Origin and HTTPS Everywhere, and know you can be tracked anyways, especially if you log in to the sites you have ever used without a VPN. For stronger privacy protections, use Tor Browser over Tor - Tor is better in terms of privacy, but due to Tor being heavily abused, a lot of services outright block Tor IPs or put you into reCAPTCHA hell, so it's not really suitable for day-to-day browsing, unlike a VPN you can set up and leave it turned on all the time.
> Location leaking
It's not always the case that the IP provides inaccurate information. Out of curiosity, I disabled the VPN, and went to https://www.privateinternetaccess.com/pages/whats-my-ip/. The guessed location was within 120 meters of an actual location, on the same street, in a big city. Sure, it doesn't point to an actual building, but it is dangerously close.
Just to be clear here, I don't use PIA as my VPN, they have a good demonstration of an issue however.
> “Network Encryption”
This is accurate. Part of why having HTTPS everywhere improves the security. Keep in mind however that SNI and the IP you are connecting to is not encrypted. This may change however soon (while you cannot really "encrypt" IP, a lot of websites are using services like Cloudflare, essentially preventing anyone on a path from guessing the website you are connecting to).
> What about “DNS leakage”?
The thing about DNS is that if you are using your ISP DNS while using a VPN, you are leaking an information about your ISP. To prevent DNS leaks, you should be using a DNS provider not provided by your ISP, and if you don't have any idea which DNS to pick, many VPNs provide their own DNS.
> The “no logs” thing
The article is arguing that paying with a payment card will leak your identity. This is true. Pay with cash, gift cards, or cryptocurrency (although this is a complicated subject, Bitcoin is tricky to pay privately with, I use Monero myself for VPN payments).
About logging, this is a complicated subject. The answer is: you have to trust the VPN. Read the privacy policy to tell how serious they are about "not logging anything". Generally, avoid any VPN that over-promises what it can do, a VPN is not "100% effective" whatever that means. Look out for conflicting messages in privacy policy, anything that goes "we don't log" and then later "except we log" should be avoided.
As for trusting your ISP - look, most ISPs don't promise "not logging", and in fact, where I live, they have an obligation to log.
In the end, don't rely on "no log" policy. It should be here, but assume the VPN is actually logging.
> Using a VPN does not make you anonymous.
Yes. If you violate the law, unless you are really careful, the law enforcement will find you. The police may be able to ask Google to provide details of an e-mail account using this IP address (from your VPN). VPN will however protect you people finding your IP address, contacting your ISP claiming to be a copyright owner needing user's details for a lawsuit - most ISPs will just give the details with this simple attack, and it doesn't matter whether you have downloaded or not, "no logs" VPNs won't.
In short, a VPN won't magically protect your address if you send it over the Internet. It cannot do that.
> Security issues in VPNs and their clients
Yes. All software can have vulnerabilities, this is nothing new. To improve your security, don't use the official VPN client but use an OpenVPN/WireGuard configuration file - if a VPN doesn't provide it, then don't use it.
> VPNs are a central point for attackers
So is your ISP. All software can have vulnerabilities.
