What Is a VPN?
I have previously written to explain what an IP address is, and explored what my Internet Service Provider, or ISP, can see when I connect to the Internet.
In today's post, I want to look at how Virtual Private Networks, or VPNs, can be used as a tool for online privacy.
A quick review of ISPs
When we connect to the Internet at home, we normally do so via a modem that belongs to your Internet Service Provider. We connect from our home laptop or PC to the servers of our Internet Service Provider, and then on to the rest of the web. Your ISP functions as a middle man, which enables this company to have unique insights into your online behaviour. The level of documentation of this will depend on what privacy settings you have chosen on your profile. The SIM card in your mobile phone also connects first to the server of a company. Many of us will have opted for a package deal, where one ISP manages both our Wi-Fi and our mobile Internet surfing.
ISPs record user data for commercial reasons. Additionally, as a legal company, they are beholden to the laws of the government where they are based, and may need to be able to provide information about you on request.
Screenshot PowerCert Animated Videos "VPN (Virtual Private Network) Explained" (See bottom article for link.)
A VPN bypasses the middle man
A Virtual Private Network bypasses the middle man. With a VPN, your computer or smartphone will connect to one of the servers owned by the VPN company, instead of your ISP. A VPN provider runs multiple servers in different locations around the world. In the app's interface, you can select and switch to any one of these. This can make you appear to be surfing from another city or another country, depending where the specific VPN server you selected is located. It also means your ISP can no longer track your data and online behaviour.
Additionally, VPN companies promise to create a virtual 'tunnel' for your data, protecting it from being investigated in transit.
Where in the world is Carmen Sandiego?1
VPNs are useful when you need to connect a public or free Wi-Fi system. We may need to do this on trains, in hotels, restaurants, libraries and other locations. The problem is that you have no idea how strong the security of the public Wi-Fi system is, or if it really even belongs to the hotel or library you are in. Using a VPN is a good idea in this scenario; you can take advantage of the public or free Wi-Fi without jeopardising your data.
In countries where governments try to censor Internet access, a VPN can provide a way to circumnavigate the barriers set up by the government in order to block access to certain websites. However, governments can try to block known VPN IP addresses, which can lead to a cat-and-mouse game between the government and the VPN company.
You can use a VPN to obfuscate your location. Remember that your normal public facing IP address, assigned by your Internet Service Provider, is tied to geographical location. You can use a VPN on a day-to-day basis as an extra form of data protection. Just like Carmen Sandiego, you could be surfing from Rome tonight, São Paulo tomorrow morning.
The latter is also the feature that have made VPNs very popular. If you live in Germany and want to view US Netflix content, you can use a VPN to position yourself somewhere in the States and start a subscription from that virtual location. This type of use of a VPN is not usually motivated by privacy concerns, but will provide privacy nonetheless.
Lastly, companies sometimes use VPNs to secure traffic between the office and remote workers, without having to pay for expensive closed connections.
There are articles and videos online that address common misconceptions about VPNs, like this one. I find the tone click-baity, but the video does contain relevant reminders: no security or privacy tool can replace common sense; and, much of our online traffic is already encrypted by default through the HTTPS protocol.
Your ISP may be bound by law or by its own company ethical code to hide most of your traffic from themselves. This may mean that your data is already quite secure without the use of a VPN. It is important to take some time to look into this yourself, as I did here. You may find you can opt out of most data tracking, though in the end you do still have to trust that your ISP will really do this, and not keep a record of your online activities on a contained server, which can then later be viewed by government request. A key difference here is whether data is stored but off limits, or just not stored at all.2 GDPR rules in the EU should raise the stakes for companies in terms of accountability to their users regarding their data.
An older (2016) piece of research suggests ISPs don't have as much oversight as non-ISP online companies do:
In short, ISPs have far less than a comprehensive view of any user’s Internet activity, and the rich information available to non-ISPs mean that ISPs do not have unique visibility into users’ online activity. (p 10, source below)
In the end, a VPN provider is also a third party, one you will need to trust your data with. This is why it is key to choose a trustworthy VPN company.
Choosing a trustworthy VPN
There are a handful of VPN providers that are willing to be transparent about how they handle customer data.
The Center for Democracy and Technology (CDT) provides a page where VPN companies can show full transparency by answering the same set of questions, which ask for information about ownership, the business model, and how customer privacy is handled. You can access that page here.
At the time of writing, the following six companies have answered the CDT's questions openly:
Invincibull VPN(can't find them online)
Additionally, Seth for Privacy and The New Oil both also recommend IVPN and Mullvad, as well as:
As a general rule, you'll want to be careful trusting any free VPN service, though some of the companies listed above may provide a free demo tier.
I believe objective audits are a good step towards trustworthiness. However, as I am reviewing the CDT site now, I can't help but notice that most of these reviews are 4 or 5 years old. An update could be a good idea.
Problems with using VPNs
Turning a VPN on by default can lead to annoying daily problems.
Some sites don't work when I try to access them via my VPN. In particular, my ISP won't let me access my account information with them via a VPN, which does make sense, as they are probably using the IP address assigned to you as an identifier for extra security. I have had similar problems with bank applications and government sites.
I have an Outlook email address which I use for gaming and shopping. I currently use an open source app called Thunderbird to access my Outlook inbox. With a VPN active, I get warnings from Microsoft stating that my account is blocked until further verification. I don't know if the cause is the combination of Thunderbird and VPN, or if it is Outlook's general response to VPNs.
Finally, be prepared for a lot of verification emails and warnings. With a VPN, you generally access your regular accounts from different (virtual) locations in the world. Most companies have a verification system in place as a security check against hacking, so this is a little bit of extra hassle.
Current use and looking ahead
I have been using Mullvad. It is promoted by people whose recommendations I value. I find the subscription affordable, and they have a simple, user-friendly interface. You can pay for Mullvad with Monero, a privacy crypto currency. It feels neat to purchase a product for privacy with complete anonymity.
My go-to point for information about VPNs is Mullvad's own What is a VPN? information page.
VPN (Virtual Private Network) Explained by PowerCert Animated Videos (the narrator of which sounds uncannily like the guy from Learn Linux TV!)
The click-baity video with misconceptions about VPNs
Can Government Block VPNs? and information about the site and its writers here
"Online Privacy and ISPs", published by The Institute for Information Security & Privacy at Georgia Tech, is the research paper I cited above - see page 10
"Use a non-logging and trustworthy VPN provider" - article on Seth for Privacy's blog
Techlore's VPN Toolkit
"The VPN You Use Probably Sucks - Here's Why..." also by Techlore
Privacy: VPNs by The New Oil
Thunderbird email application
-----Discuss on Reddit-----
Subscribe to my blog via email or RSS feed.
Find me on Mastodon and Twitter.
Back to Blog
This is a reference to an ancient education video game from 1985 titled Where in the World is Carmen Sandiego? https://en.wikipedia.org/wiki/Carmen_Sandiego↩
One of the most famous precedents for this is when it was revealed by whistleblower Edward Snowden in 2013 that the US government was using exactly this kind of loophole of storing all data, so that specific user data could be accessed later with a warrant.↩