Be Careful With VPNs

April 1, 2017

We’ve been getting dozens of emails in light of the U.S. government’s recent decision to allow ISPs to sell users’ browsing data without getting users’ permission first.

Well, apparently some tech newsletters are advising readers to use a VPN service – to “protect their privacy”. We’ve done some research into VPN services and we see a lot we don’t like. It’s amazing that people don’t trust Microsoft, don’t trust Google, don’t trust their ISP, but they will trust VPN services whose advertising promises internet anonymity and freedom from ISP data collection and subsequent selling of that data, but who offer no proof to back up these claims.

All of you who’ve written us about buying into a VPN service – or even using a free VPN service – should read this article written by Sven Slootweg, who’s done his homework on VPN services.

If you’re considering a VPN service or if you’re just concerned about online privacy issues, the following article will certainly enlighten you:

Don’t use VPN services.

No, seriously, don’t. You’re probably reading this because you’ve asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party “VPN provider” does.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want – including logging.

But my provider doesn’t log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider’s best interest to log their users – it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you’re paying for your VPN service doesn’t even pay for the lawyer’s coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I’ll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn’t matter. You’re still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don’t provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don’t provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so – they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can’t magically encrypt your traffic – it’s simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn’t a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries – for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you’d probably just want a regular proxy specifically for that traffic – sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don’t use a VPN provider at all, even for these cases.

So, then… what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it’s easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don’t even have to know what you’re doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose – it’s just one that benefits the provider, not you.

You can read the original article and more posts by this author here.

9 thoughts on “Be Careful With VPNs”

  1. Dawn Campbell

    I just got sucked into this because I wanted to get American Netflix programming on my Canadian TV. Yup, clicked the monthly and got the yearly. Now I am waiting to see if PayPal gives me my money back like Strong VPN/Strongdns.com promised. And I am supposed to be a responsible computer person. And besides my provider has locked us out of trying to change our DNS settings so couldn’t use it anyhow. Unfortunately your article came about 8 days too late but I am very grateful that you have made us more aware of things like this. Cheers.

  2. Joseph Lukas

    I used a VPN when I lived in Ecuador, South America for the same reason as Dawn, but I used it to continue using my Hulu account I had set up before moving from the States.

    It worked very well, and did not have any problems. Every once in a while, I would get some buffering of the movies, but that was because of the slow ISP download speed. But at least I could watch my TV programs and movies from the States.
    Regardless of this article, I am getting a VPN once again here in the States.

    1. infoave Post author

      There are legit purposes to VPNs such as accessing sites you can’t access otherwise due to country or company restrictions. However, trusting a VPN service to offer you more privacy is questionable. Other than a VPN telling you that they don’t sell your browsing data or that they don’t keep logs, you have no way of verifying what they actually do. Most VPNs are located outside of the USA and therefore subject to the laws of the country in which their company is located.

      We’re merely pointing out that blindly trusting a VPN to provide you with all this extra privacy might not be a good idea. It is surprising that a great many people question Microsoft, Google, and their own ISPs, while giving a pass to small VPN services, many located in other countries and subject to those countries’ laws. Simply believing a VPN service is going to protect your privacy because they say they will is something we think everyone ought to think about. How would you know that a VPN service who claims they do not log users and claims they do not keep or sell users’ browsing data, is actually doing what they claim?

  3. patrick

    This article was written by one “Sven Slootweg”. Who is this person and why should we believe his opinions, cause that’s all they are, opinions. Did a search on this guy and he is definitely not squeaky clean. Check this site:
    http://www.ripoffreport.com/reports/sven-slootweg-organized-crime-sven-slootweg-sven-slootweg-ak-927641
    It just comes down to whom you choose to believe. His credentials don’t impress me very much.

    This opinion is one against VPNs but there are many more in favor of using a VPN by persons with better credentials. Articles written by PC World and other tech publications. For every nay on VPNs there are thousands of ayes.
    I use a VPN and this article is not going to sway my trust in this technology. I value my privacy.

    1. infoave Post author

      Patrick, if all you’re going to do is troll this site and disagree then we’re just going to delete your comments. You’re the same person who claimed LastPass was breached – that was totally untrue because exploits are not breaches. And now you’re using the site “ripoffreport” which is hardly credible. And you offer nothing to explain why you think your VPN service is trustworthy. Next comment where it appears you’re trolling will be your last one. You’re free to disagree but when you use Ripoff reports as a source, and you don’t know exploits from breaches, you’re not well informed.

      If you’re 100% sure of your VPN – bravo. But tell us how you know you can trust them besides them saying you can.

  4. Don

    Is privacy better protected by using browsers like DuckDuckGo, Ixquick or Tor?

    1. infoave Post author

      Hi Don. Tor is short for The Onion Router – the name of the project that created Tor. The browser it uses is a modified version of Firefox. Onion is supposed to be a secure network but the owner of the Silk Road (a site on the dark web accessible only by Tor where people could buy drugs and other illegal things) was caught and convicted. If you use Tor, your ISP would see you connecting to Tor but any browsing you did after you connected, your ISP would not see. Supposedly everything you do using Tor is not logged or tracked. My personal guess is that Tor is probably a lot more private than many of the available VPNs. I’m not picking on VPN services, but most VPN services are in it for the money (even the free VPNs usually charge for bandwidth beyond a set limit). I’ve yet to see any proof provided by any independent third-party that proves a VPN service is keeping all its promises to users.

      DuckDuckGo is well known and has a good reputation. According to DuckDuckGo they don’t keep any browser data or track your searches and I’ve seen nothing that repudiates that. I suppose somewhere on the Web you could dig up someone writing negative reviews of DuckDuckGo. But I have never seen any credible articles that show DuckDuckGo does anything other than what it claims. That being said, your ISP would still see everything you’re doing regardless of what search engine you used. Your ISP may not see the exact search you did on DuckDuckGo, but they would see all the sites you visited.

      Privacy is a multi-fanged dragon isn’t it? There are no absolutes when it comes to privacy.

  5. Diane

    What about the VPN provided by Lookout that comes as a feature provided by T-Mobile or the VPN provided by Samsung as a part of My Knox; also for my cell phone? Thanks in advance for your answer.

    1. infoave Post author

      We’re not anti-VPN… but what we don’t want people doing is assuming the company offering the VPN service is going to keep their information any more private than their ISP. If you trust Samsung or T-Mobile not to sell your info and to keep everything you do anonymous, that’s fine, but do your homework.
