The VPN Confusopoly

A virtual private network (VPN) service creates a private, encrypted network between a client’s computer and the VPN service.

Encryption can protect users of public Wi-Fi hotspots from entities that may be intercepting data sent over the Wi-Fi connection. Additionally, routing web traffic through a VPN prevents a client’s IP address from being revealed to websites. By encrypting web traffic and hiding a client’s IP address, VPN users may have increased privacy from internet service providers, governments, ad agencies, and other entities on the web.

Why it is hard to evaluate VPN services

Lots of companies offer VPN services.[1] Choosing between services is often confusing for consumers.

Reddit has an entire community for the purpose of sharing information about the quality of VPN services. However, members of that community may still find it difficult to select VPN services. As of July 2018, the most upvoted post in the community’s history is a complaint about how hard it is to use the posted reviews to figure out which VPN services are worth using.

Bogus reviews and evaluation

The difficulties are not confined to the Reddit community. If you Google a query along the lines of “best VPN service”, most of the search results will probably lead to websites full of bad suggestions. VPN companies typically have affiliate programs that offer commissions to website owners that refer new customers to their services.

Reviews on many websites appear to be based as much on the size of commissions as on the quality of services. In my blog post on bogus evaluation websites, I dive into this phenomenon in the VPN industry in more detail.

Dishonest marketing

VPN services often mislead consumers by overstating the degree of security their products offer and understating the level of security internet users have without a VPN.

VPN Unlimited pitches “Total security” and “Absolute privacy”.[2] CyberGhost VPN claims its service will make it “impossible for third parties to track you online”.[3]

This is not true. No tool will ever guarantee security or anonymity. I’m partial to the Electronic Frontier Foundation’s advice:

No software or hardware is entirely secure. Seek out tools with creators or sellers who are honest about the limitations of their product.[4]

The popular VPN service Hide My Ass misleads consumers by massively overstating how exposed internet users are without a VPN. At the time of writing, their homepage says, “Trust us, you need a VPN service.” That’s followed with this bit:

Whenever you’re online (like right now) and not using VPN software, you’re about as exposed as an evangelical nudist. Anyone can see what you just searched for, your banking details, what you’re typing — you get the picture.
What the hell? No. Nope. Wrong.

Who actually needs a VPN?

IT security folks often talk about “threat modeling”. The idea behind threat modeling is that people should aim to understand what kind of security threats they face and the relative severity of each threat. With a specific threat model in mind, an individual can efficiently distribute efforts to address security risks.[5]

VPNs can be useful for increasing security for individuals with certain kinds of threat models.

What VPNs do and don’t do

VPNs don’t unambiguously enhance security

When using a VPN service, your data will be sent through the VPN provider. This means the VPN service could spy on you—presenting a security risk that you don’t face without a VPN.

Even if a VPN service isn’t actively being intrusive, it may keep logs with some details of what users do while using a service. Logged data may be helpful for providers trying to understand how their services are used and how good performance can be delivered. However, logs also present a liability. Any data that is logged could later be leaked, shared, or subpoenaed.

There are some publicly-known instances where VPN services have shared information with law enforcement officials.[6] For what it’s worth, in the cases I’m aware of, there were allegations that individuals who the VPN services shared data about committed serious crimes.

VPNs don’t encrypt all traffic

When using a VPN, traffic is only encrypted between a user’s computer and a VPN service’s server. Normal traffic will be sent between the VPN server and other entities on the internet.

VPNs can be used to circumvent filters and censorship

When an individual accesses a website over a VPN, traffic will appear to initiate from a VPN server rather than the individual’s device. This can allow VPN users to circumvent some methods used to restrict access to content.

Many websites block traffic from certain countries. Using a VPN server in another country may allow a user to access content he or she otherwise couldn’t. Some use cases are entirely legitimate and legal, some aren’t (e.g., using a VPN to get around parts of a Terms of Service agreement), and others are complicated (e.g., illegally accessing information a tyrannical government censors).

VPNs are great for enhancing security while using public Wi-Fi

When you connect to Wi-Fi, there’s a risk that your data could be intercepted.[7] VPNs are a very effective way to enhance security on public Wi-Fi.[8]

Who can consumers trust?

I strongly recommend ThatOnePrivacySite.net. It publishes data on VPN services along with commentary and reviews. The individual who runs the site is careful, diligent, and refuses to accept compensation from any VPN services.

My only criticism of the website is that it seems to be substantially more privacy-oriented than the typical VPN user.[9] Overall it’s an amazing resource, and it offers some of the highest quality evaluation websites I’ve seen in any industry.

Footnotes

  1. As of 7/19/2018, That One Privacy Site’s VPN comparison list has 185 different service providers, and the list is not comprehensive.
  2. From VPN Unlimited’s homepage on 10/8/2018 (archived copy).
  3. “Your original IP address will be replaced with one from the CyberGhost network, making it impossible for third parties to track you online.”
    From Cyber Ghost VPN’s homepage on 10/8/2018 (archived copy).
  4. From The Electronic Frontier Foundation’s article “Choosing Your Tools” (archived copy).
  5. The Electronic Frontier Foundation offers a good description of threat modeling:
    “It’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. If your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools, you don’t need to buy some expensive encrypted phone system that claims to be ‘NSA-proof.’ Alternatively, if you face a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tactics—like arranging a set of harmless-sounding, pre-arranged codes to convey messages—rather than risk leaving evidence that you use encryption software on your laptop. Coming up with a set of possible attacks you plan to protect against is called threat modeling.”
    From The Electronic Frontier Foundation’s article “Choosing Your Tools” (archived copy).
  6. VPNLeaks.com lists instances where VPN services have shared data in expected ways. PureVPN and Hide My Ass both shared information with government entities.
  7. I recommend this article by Gary Sims at Android Authority for more details (archived copy).
  8. GitHub user joepie91 wrote an interesting (though in my opinion over-the-top) article titled Don’t use VPN services (archived copy). Despite having a very negative view of VPN services, the user acknowledges that staying secure on public Wi-Fi is a valid use case for VPNs.
  9. It’s my impression that most VPN users are mostly interested in safely using public Wi-Fi or avoiding filtering & geographic restrictions. I think avoiding surveillance from ISPs and governments is a rarer—and possibly less appropriate—use case (other tools may be more appropriate for individuals looking for that kind of security).