Don’t Use a VPN For Online Privacy

In 2018, After Skool published a video about how the vital right to privacy is being eroded.[1] When I saw the title of this video, I thought “this is exactly the sort of video I’ll probably agree with”. And it was, until after the 5-minute mark. I picked out this video to share here because it’s the epitome of an increasingly common marketing lie about VPNs.

Lately, there’s been an epidemic of sponsored videos where VPNs are promoted as an online privacy/security solution by people who don’t know the first thing about online privacy/security. The After Skool video seems to say “just use NordVPN and you’ll have privacy”, as if it’s the be-all and end-all of online privacy. After Skool deserves credit for raising awareness of surveillance, but VPNs are not the solution. To say that they are is to tout a simple non-solution to an extremely complex problem.

If you want real privacy advice, check out TheHatedOne’s videos[2] for well-researched information and tips. In the meantime, I’d like to set the record straight on what VPNs are and aren’t good for. Before we get into that, let’s quickly summarize what a VPN is.

What is a VPN?

VPN stands for virtual private network. The type of VPN that you see ads for is the remote access VPN. It gives you remote access to the VPN provider’s network. Unlike with an enterprise remote access VPN, you don’t get access to any private network tools or resources. All the VPN does is forward traffic on your behalf. The connection between you and the VPN is encrypted, so your internet service provider (ISP) can’t see what you’re sending across the internet or who it goes to.

What VPNs Aren’t Good For

Online Privacy

Even with a VPN, websites can uniquely identify you through browser fingerprinting, cookies, tracking pixels, and other means. So even though your ISP is in the dark, every website you visit can still figure out who’s visiting. VPNs only hide your IP address. They cannot protect you from application layer surveillance.
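To make that concrete, here is an added example (not from the After Skool video or any real tracker) that models how a site could link visits by cookie and by a hash of browser attributes. The requests, attribute names and IP addresses are constructed for illustration.

```python
import hashlib

# Browser attributes a site can read from request headers or page script.
# The field names are hypothetical labels for this example.
FP_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "fonts")

FIREFOX = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
           "accept_language": "en-US,en;q=0.5", "screen": "2560x1440x24",
           "timezone": "America/Chicago", "fonts": "DejaVu Sans,Fira Code,Noto Serif"}
CHROME = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
          "accept_language": "de-DE,de;q=0.9", "screen": "1920x1080x24",
          "timezone": "Europe/Berlin", "fonts": "Arial,Calibri,Segoe UI"}

# Constructed requests as the site would log them (IPs from RFC 5737 ranges).
REQUESTS = [
    {"ip": "198.51.100.7", "cookie": "uid=a1b2c3", "attrs": FIREFOX},  # home connection
    {"ip": "203.0.113.50", "cookie": "uid=a1b2c3", "attrs": FIREFOX},  # same browser, VPN on
    {"ip": "203.0.113.50", "cookie": None, "attrs": FIREFOX},          # VPN on, cookies cleared
    {"ip": "203.0.113.50", "cookie": None, "attrs": CHROME},           # other user, same VPN exit
]


def fingerprint(attrs):
    """Hash the browser attributes. The client IP is not an input."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in FP_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def link_visits(requests):
    """Label each request by cookie when present, else by fingerprint."""
    known, labels = {}, []  # known: identifier -> visitor label
    for req in requests:
        keys = ["fp:" + fingerprint(req["attrs"])]
        if req["cookie"]:
            keys.insert(0, "cookie:" + req["cookie"])
        label = next((known[k] for k in keys if k in known), None)
        if label is None:
            label = f"visitor-{len(set(known.values())) + 1}"
        for k in keys:
            known[k] = label
        labels.append(label)
    return labels


if __name__ == "__main__":
    for req, who in zip(REQUESTS, link_visits(REQUESTS)):
        print(f"{req['ip']:<14} cookie={req['cookie']!s:<11} -> {who}")
```

The first three requests resolve to the same visitor even though the IP address changes and the cookie disappears, while the fourth, which shares the VPN exit address, is told apart.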

If you’re the average person, the vast majority of data collected about you can only be collected because of decisions you made. You bought a Windows or Mac machine for your main personal computer. You installed proprietary programs. You bought a spyware-laden vendor spin-off of Android. VPNs can’t stop you from making bad choices.

VPNs are useful for certain things. They’re just not the magic bullet for privacy they’re made out to be. In fact, if I made a list of the top five things one can do to increase their online privacy, using a VPN wouldn’t even make the list.

Digital Security

VPNs also aren’t a magic bullet for digital security. Some common ways people get hacked are social engineering, data breaches, weak/reused passwords with no two-factor authentication, and downloading things they shouldn’t. VPNs don’t stop any of those attacks.

VPNs do prevent one relatively common attack vector: the man-in-the-middle (MITM) attack over Wi-Fi. However, most of the time, people are using the Web, and nearly all websites support secure connections. Any halfway decent browser will warn you when you’re connecting over an insecure connection and tell you not to enter any login credentials. That thwarts Wi-Fi MITM attacks, and even with a VPN, you ought to heed that warning. You don’t need a VPN to prevent MITM attacks.

What VPNs Are Good For

VPNs are still good for a number of other things. I live in the United States, a country heavily engaged in the War on Sharing[3]. I use a VPN to torrent and prevent my ISP from throttling my connection. VPNs can also be used to get around region-locked content and bypass censorship.

VPNs have some limited use for security. Hackers can’t geolocate you via IP address. They can’t bring down your home network with a distributed denial of service (DDoS) attack. They can’t hack your router, MITM attack your network, or work their way into other devices on the network. VPNs aren’t necessary for preventing these types of attacks though. The same protections can be had by connecting over Tor[4] and flashing your router with secure custom firmware like OpenWrt[5].

How to Promote VPNs

There’s nothing wrong with promoting VPNs, but let’s not give people the idea that using a VPN cancels out the need to follow online privacy and security best practices. Let’s not tell people to use a VPN before we tell them to stop using Windows and Mac, to use free software instead of proprietary software, and to use secure messengers.

Let’s vote with our money and not fund VPN companies’ false marketing and promises about privacy and security. If you want to see what a VPN company that doesn’t make false promises looks like, look at IVPN’s homepage[6]. They didn’t pay me to sponsor them and I’m not saying you should go use them, just that they have non-misleading marketing, unlike many of the other VPNs out there. Other VPN companies should follow suit and we should stop paying for the ones that don’t.

Link(s):
1: Privacy is NO LONGER a Social Norm
2: TheHatedOne
3: War on Sharing
4: Always Use Tor
5: OpenWrt
6: IVPN