VPNs Are No Privacy Panacea, And Finding An Ethical Operator Is A Comical Shitshow

from the ain't-no-magic-bullet dept

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks that historically, neither industry nor government seem particularly interested in seriously addressing.

Usually, consumers are flocking to VPNs under the mistaken belief that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway, and a VPN only moves the point of trust from the ISP to the VPN operator), many VPN providers are even less ethical than the privacy-scandal-plagued companies or ISPs that users are trying to flee from:

Facebook, for example, spent the last year marketing a “privacy protecting VPN” that was little more than spyware in its own right. Verizon was so eager to cash in on the trend it launched a VPN but forgot to even include a privacy policy. Most existing VPNs promise not to store your data, then go right ahead and do so anyway. And studies perpetually find that a huge array of such offerings are little more than scams, hoovering up your money and private data while promising you the moon, sea, and sky.

Case in point: Will Oremus wrote a really wonderful piece for Slate about trying to find a respected VPN and discovered that the market is, for lack of a more technical term, a complete and total shitshow:

“The search for a VPN I could rely on led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they’re reviewing. Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It’s a world so thicketed that the leading firms and experts can’t agree on the basic criteria for what counts as ‘reputable,’ let alone which companies best meet that description.”

The article does provide some very useful tips for finding a decent VPN, and is well worth a read. That said, it also makes it abundantly clear that VPN review sites are often inconsistent, downright terrible, or financially conflicted. And even many well-reviewed VPN operators can raise flags if they try to hide the identity of who actually owns them:

“ExpressVPN, for its part, nearly won the coveted recommendation of Wirecutter in its extensive, highly detailed VPN review. There are hints throughout Wirecutter’s report that ExpressVPN would have taken the top spot if not for one pesky concern: its refusal to publicly disclose who owns it. Wirecutter editor Mark Smirniotis notes near the end of his review that ExpressVPN offered to arrange a confidential call with its owners, but he decided that wouldn’t be enough to change his recommendation and declined.”

The terribleness of the VPN sector is decidedly ironic, given that giant broadband providers, who routinely hoover up your data in an ocean of creative and non-transparent ways, have long tried to claim that the United States doesn’t need meaningful privacy guidelines because users can always use a VPN. That was one of the cornerstones of the telecom lobby’s logic as they successfully convinced Congress to eliminate modest FCC privacy rules in 2017 that could have prevented many of the location data scandals currently plaguing the sector.

But if it’s not clear yet, a VPN is not a magic bullet to the problems that are plaguing the modern internet. Users are running from one platform to the next, dribbling their private data in a long trail behind them thanks to shoddy and nonexistent standards. Meanwhile a lack of competition leaves them stuck on the network of giant ISPs that not only refuse to respect their privacy, but routinely lobby against any and every legislative solution, no matter how well crafted. Several ISPs have then tried to charge users a surcharge to opt out of data collection and monetization, effectively making privacy a luxury option.

Something has to break in this broken and idiotic equation, and “just go use a VPN” is not an adequate answer to the problem.



Comments on “VPNs Are No Privacy Panacea, And Finding An Ethical Operator Is A Comical Shitshow”

Anonymous Coward says:

I personally use a VPN and ignore the warning that the VPN operator can potentially see my traffic. On the other hand I am the operator of my VPN and don’t have a good reason to snoop on my own traffic.

For me having the feature of an encrypted tunnel back to my home is more important than being able to virtually travel to different locations to evade geoblocking.

Anonymous Coward says:

Re: tunneling home

"For me having the feature of an encrypted tunnel back to my home is more important"

… but how do you then access the general internet ?

Tunneling to your home PC only gets you to your home PC… unless it is connected to the internet … through some 3rd party ISP that you must trust.

Anonymous Coward says:

Re: Re: Re:2 tunneling home

Tor has two protections going for it:

1: all data is encrypted between you and the first hop, meaning your ISP is cut out of the loop. All data (including DNS) is supposed to go through that tunnel.

2: Tor can provide an end-to-end fully encrypted tunnel between the user and a service provider if the provider creates a tor service within the network. This means that from network analysis alone, a third party (or Tor router operator) cannot determine the destination or content of the traffic.

Beyond that, Tor provides no protections, and does provide significant data lag. I like the fact that my Tor exit traffic is theoretically being spread among many different exit node operators, so if they’re logging my connections to the Internet-at-large, each one is only getting a fraction of my usage content, unlike a VPN or ISP.

But anyone can set up an exit node and log the content, and eventually, you’re likely to be rotated through a node run by one of: The NSA, the German government, the Israeli government, the Chinese government, or a Russian crime syndicate. Because of the way Tor works, they have the ability to Man-In-The-Middle your HTTPS connections such that what you think is a secure connection to TechDirt via Tor is really a secure connection to some data analytics engine, which then submits requests to TechDirt on your behalf.

Essentially, at some point for ANY VPN, you have to trust the exit node. The best solution I’ve found so far is for AWS to be the exit node and you to be your own VPN operator. Amazon could still be gathering all the exit analytics, but they’ve generally got better things to do with their time, and a reputation to uphold in data hosting.

Anonymous Coward says:

Re: Re: Re:3 tunneling home

Because of the way Tor works, they have the ability to Man-In-The-Middle your HTTPS connections such that what you think is a secure connection to TechDirt via Tor is really a secure connection to some data analytics engine, which then submits requests to TechDirt on your behalf.

Technically right, but the data analytics engine cannot decrypt the HTTPS traffic (assuming no general flaws; Tor does nothing to degrade HTTPS security) nor deanonymize users. So, what you think is a secure connection to TechDirt would in fact be a secure connection to TechDirt, via an extra hop that can log packet statistics.

Mason Wheeler (profile) says:

Re: Re: Re:4 tunneling home

A man in the middle of a HTTPS connection would theoretically be able to decrypt HTTPS traffic, spy on it, possibly change things, and re-encrypt it with its own certificates before sending it on to you, but your browser would notice that the certificate is not valid.

If they can manage to get your computer to install a rogue root certificate, then they can get away with this and your browser won’t complain. But that’s a pretty involved process and (probably!) not something that can happen without you noticing simply by you visiting a malicious website or using a compromised TOR node.

Scary Devil Monastery (profile) says:

Re: Re: Re: tunneling home

"If he is only using the VPN to get home, he really isn’t even in the market for a VPN service at all and kinda off topic."

VPN == Virtual Private Network.

Building a tunnel to securely access his own router is actually the first example of what a VPN is.

The VPN service commonly associated with the name where you use such a tunnel to access a 3rd party server is an expansion on the core definition.

Anonymous Coward says:

Re: Re:

The best idea is to use an offshore VPN. In addition to my own private VPN, I also use an offshore VPN when travelling,

That is so I do not run into any state laws regarding unsecured VPNs.

When I go to my favourite campground for stargazing, I have to drive 65 miles to the nearest town to get any Internet, I sit in the gas station parking lot and connect to the WiFi at one motel a couple of blocks away.

While I am not breaking any Federal laws doing that (because the connection is not password protected), some state laws are not as forgiving on that, so I use a VPN server outside the United States, so that my activity cannot be monitored, and I cannot be identified by where I go.

This keeps me from getting into trouble under Nevada laws I may not know about.

Both California law, and the CFAA, require the open connection to be password protected, and that you hacked the password. The laws of other states are not as forgiving, so using an offshore VPN, that cannot be subpoenaed by US authorities, keeps me out of trouble when travelling outside of California.

A VPN in Cuernavaca, Mexico is not subject to U.S. laws.

nasch (profile) says:

Re: Re: Re:

Both California law, and the CFAA require the open connection to be password protected, and that you hacked the password.

Which of these sections of the CFAA require that? And what section of California law?

18 U.S.C. § 1030(a)(1): Computer espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.
18 U.S.C. § 1030(a)(2): Computer trespassing, and taking government, financial, or commerce info
18 U.S.C. § 1030(a)(3): Computer trespassing in a government computer
18 U.S.C. § 1030(a)(4): Committing fraud with computer
18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)
18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer
18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer

Anonymous Coward says:

Re: Re: Basement Guy

Actually, I don’t miss that point at all.

Comcast is a proven sociopathic entity, who will be certain to collect/sell my data.
Dolphin guy is just suspect and sketchy- but it’s pretty easy to imagine why he might value privacy for the sake of privacy.

I’ll take dolphin guy. seriously.
Comcast can do my banking stuff though.
that’s a different sort of trust.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

There are some. Private Internet Access, for example, does not keep logs by policy, and the FBI has tested this. I am not affiliated with the company, but have been a satisfied customer for a number of years. They have 3329+ Servers in 33 Countries so getting around geo blocks is possible, though I don’t use it that way. I did try to call my bank via Skype once and had difficulty communicating with the customer service rep, but got them to tell me they were in the Philippines. I reconnected via a server in Hong Kong and had a nice conversation with those folks.

In my case the VPN is generated on a router that is then connected to my ISP’s router, so the encryption happens before the ISP sees the packets. You could also use one of their apps, available for several operating systems, and get the encryption done on your computer. I opted for the router method to off load the encrypt/decrypt process to a different CPU.

There are some websites that block connections from VPN’s, and when I need to connect to them I just turn the VPN off, do what I need to, then turn it back on again.

Anonymous Coward says:

Re: Re: Re: Re:

Using a VPN to bypass geo blocking does not break any laws.

I do that when I take road trips to Mexico, so that I can listen to iHeart while I am driving.

Connecting to the VPN server on my home computer, and using that to bypass geoblocking and listen to iHeart while in Mexico does not break any laws either in Mexico or the United States.

Scary Devil Monastery (profile) says:

Re: Re:

"Trust, but verify" is a good watchword.

A VPN is a bit like any other messenger service – if they get caught toeing the line they’re shot.

What one truly wants to watch out for are those actors who believe your metadata are saleables. Any VPN not incorporating fraud in their business model is heavily motivated NOT to log customer data to begin with, like any other messenger who knows "messenger immunity" relies on the messenger not knowing the message or memorizing who it was carried to.

Rekrul says:

I’d like clarification of something: Don’t VPNs have to buy their net access from an ISP somewhere?

Whenever website blocking comes up, the standard answer is "Who cares? Just get a VPN!" The prevailing attitude seems to be that the "internet" exists as an untouchable, stand-alone entity, kind of like the sun, and that all ISPs just tap into it. And that VPNs bypass ISP blocking by tapping directly into the autonomous internet, so they therefore can’t be blocked and will be able to access any blocked site.

However if VPNs do need to buy net access from an ISP, that puts them at the same risk of being blocked as the average user, doesn’t it? And if they can indeed bypass ISPs and tap directly into the internet backbone, doesn’t that make them ISPs, subject to the same website blocking regulations?

Anonymous Coward says:

Re: Re:

Sadly the only sane (I’m totally laughing as I’m typing this) option left for us is to do something like crowd fund a company to lay new network backbone and put enough connected stuff on that, that other backbone providers are salivating at connecting.

I mean I’m not sure that getting past the fact that laying that sort of cable may be de facto illegal in some parts of the state, or getting enough momentum to make legacy backbone holders capitulate, would be more difficult than actually passing (and enforcing) regulation on the internet.

It’s not a happy place.

James Burkhardt (profile) says:

Re: Re:

A VPN uses your existing internet connection. It creates a supposedly secure encrypted connection to a server they own, through which they route your traffic. From the outside, your computer looks like it is connecting from the IP address of the VPN server. Your ISP in theory does not know where you go, your traffic is an encrypted channel to a single IP address. So the theory is a VPN with no tracking records would hide your traffic from both your ISP and prevent external tracking from IDing you, and there would be no way to get the VPN to cough up who you are. They get around website blocks by the VPN server being somewhere other than the area the website is blocked. In no way is a VPN a replacement for an ISP.

In practice, as expressed by the article, few VPNs actually adhere to a no data retention policy, and ISPs have developed ways to continue to track you despite the efforts of a VPN.
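The comment above describes the intended picture: everything leaves the machine inside one encrypted channel to a single VPN address. The Tor comment earlier in the thread adds the important qualifier that DNS is "supposed to" go through the tunnel too. Whether that actually holds is decided by the host's routing table, not by the VPN's marketing. The following is an added example, not part of the thread or any commenter's words: it parses `ip route show` output, does the same longest-prefix match the kernel does to pick an egress interface, and flags any resolver that would leave on the physical interface instead of the tunnel. The routing table, interface names and all addresses (TEST-NET ranges for the "public" hosts) are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Route is one entry of a Linux routing table as printed by `ip route show`.
type Route struct {
	Dest *net.IPNet // 0.0.0.0/0 for the "default" entry
	Dev  string     // egress interface
}

// SampleRoutes is constructed output for a laptop on hotel Wi-Fi (wlan0) with a
// VPN tunnel (tun0) as the default route. 198.51.100.7 plays the VPN server,
// which must legitimately be reached outside the tunnel.
const SampleRoutes = `
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.7 via 192.168.1.1 dev wlan0
`

// ParseIPRoute reads `ip route show` lines; only the destination prefix and the
// "dev" keyword matter for deciding where a packet leaves.
func ParseIPRoute(output string) ([]Route, error) {
	var routes []Route
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		cidr := f[0]
		switch {
		case cidr == "default":
			cidr = "0.0.0.0/0"
		case !strings.Contains(cidr, "/"):
			cidr += "/32" // host routes are printed without a prefix length
		}
		_, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("bad destination %q: %w", f[0], err)
		}
		dev := ""
		for i := 1; i+1 < len(f); i++ {
			if f[i] == "dev" {
				dev = f[i+1]
				break
			}
		}
		if dev == "" {
			return nil, fmt.Errorf("no dev in route %q", line)
		}
		routes = append(routes, Route{Dest: ipnet, Dev: dev})
	}
	return routes, nil
}

// Egress performs longest-prefix match: the most specific route containing
// dst wins, which is how the kernel chooses the interface for a packet.
func Egress(routes []Route, dst net.IP) (string, bool) {
	best, bestLen := "", -1
	for _, r := range routes {
		if !r.Dest.Contains(dst) {
			continue
		}
		if l, _ := r.Dest.Mask.Size(); l > bestLen {
			best, bestLen = r.Dev, l
		}
	}
	return best, bestLen >= 0
}

// Leaks lists the destinations (typically the configured DNS resolvers) whose
// packets would leave on an interface other than the tunnel, i.e. in the
// clear where the local network and its ISP can see them.
func Leaks(routes []Route, tunnel string, dests []string) []string {
	var leaks []string
	for _, d := range dests {
		ip := net.ParseIP(d)
		if ip == nil {
			leaks = append(leaks, d+" (not an IP)")
			continue
		}
		dev, ok := Egress(routes, ip)
		switch {
		case !ok:
			leaks = append(leaks, d+" (no route)")
		case dev != tunnel:
			leaks = append(leaks, d+" via "+dev)
		}
	}
	return leaks
}

func main() {
	routes, err := ParseIPRoute(SampleRoutes)
	if err != nil {
		panic(err)
	}
	// 192.168.1.1 is the hotspot router's resolver handed out by DHCP; 10.8.0.1
	// is the VPN's resolver; 203.0.113.53 is a public resolver (constructed).
	resolvers := []string{"192.168.1.1", "10.8.0.1", "203.0.113.53"}
	fmt.Println("resolvers bypassing tun0:", Leaks(routes, "tun0", resolvers))
}
```

On the constructed table, the DHCP-supplied resolver 192.168.1.1 is flagged because the connected-route for 192.168.1.0/24 on wlan0 is more specific than the tunnel's default route: every lookup for every site visited goes to the hotspot in plaintext even though the web traffic itself is tunneled. The fix is on the client side (point the resolver at an address inside the tunnel, or have the VPN client rewrite the resolver configuration while connected), which is exactly the sort of detail the "just use a VPN" answer glosses over.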

Scary Devil Monastery (profile) says:

Re: Re:

"I’d like clarification of something: Don’t VPNs have to buy their net access from an ISP somewhere?"

Of course. More usually, VPN services do as ISPs do and purchase bandwidth straight off the network trunk.

The key portion of the VPN service is in how it handles the message though – essentially it fills the role of putting the mail in envelopes and sending them off, being the digital versions of an analogue secondary mail handling service.

VPNs can certainly be blocked by an ISP – but by all of them? The key difference here is that VPNs operate by using thousands of exit nodes, any of which might be carrying any one of their customers. And these exit nodes may not only be dynamic (thus hard to track and match) but use stealth traffic configuration, basically wrapping it all in a TLS shell which makes deep-packet inspection see the traffic as ordinary https web surfing/streaming.

Add a choice of CDNs to the mix on the web server side and what ought to be an ordinary 1:1 link from start–>end turns into a big ball of yarn you need extensive resources in three countries to unravel.

If you use a VPN you normally do so assuming that it will secure you from any entity which has representation and influence in the nation of origin and/or the nation of exit. The extra options add layers to this, enabling security even when both ends can be considered compromised (China, for example).

Dan (profile) says:

Re: Re: Streisand

That solves a different problem. It gives you a safe connection when on public WiFi, but doesn’t do so much when you’re actually at home. And even when away from home, your connection is going to be limited by your connection speed at home. And if you’re concerned about your home ISP snooping on your connection, this doesn’t help you at all. OTOH, if your goal is to get into your home network, that’s exactly the right answer.

Now, if public WiFi providers are blocking connections to AWS/GCE/DigitalOcean/Vultr IP blocks, then a Streisand host might not help you. But that’s going to block an awful lot more than just VPNs.

Personally, I do both–I run an OpenVPN server on my home router, and a Streisand node (actually, two–one on AWS and one on GCE, but once my free year on AWS is up I’ll cancel that one).

Anonymous Coward says:

Re: Re: Re: Streisand

I use my own home VPN in case the public Wifi is blocking commercial VPNs.

The previous owner of Taco Bell would block all VPNs, but I got around that by connecting, first, to the SSL VPN on my computer, and then connecting to the main VPN by using the internal IP address on my home network, and that allowed the connection.

I exploited a flaw in Taco Bell’s firewall to get onto my home VPN, using that method and totally bypassing their filters.

Exploiting that flaw did not break either California law, or Federal laws.

Anonymous Coward says:

People think VPNs "…are a near-mystical panacea…" because that’s how they are marketed.
You should see a VPN ad doing the rounds on Australian TV. Everything it says is false! It begins by claiming a ridiculously high percentage of Australians are affected by cyber attacks, which I suspect is a massaged statistic that includes things like trolling or viruses.
It continues to say it’ll magically shield your kids from online predators and somehow protect your credit card number (from everyone, including the business you’re paying). I am pretty sure most Techdirt commenters are technical and so I won’t need to explain why the claims are a load of rubbish.

Some of these products and ads need to be referred to the ACCC, FTC, et al, but I suspect VPNs are "too technical" for any real action to result. So VPN operators will continue to peddle their lies.

Scary Devil Monastery (profile) says:

Re: Re:

All too true.

That said as long as it brings to the public awareness that running traffic through SOME sort of obfuscation is a good thing, I’m in two minds about it.

I can imagine it’s the same reaction a conscientious doctor would have on observing how a crowd of raging anti-vaxxers go on board with an inoculation program as soon as some unscrupulous clergyman/fraud manages to persuade them the "sanctified needle" with its holy water would safeguard their immortal souls…grateful that people immunize themselves from diseases, but appalled at the method employed.

The hype around VPNs and 95% of the reasons given are sheer bullshit. The real reason why everyone should use some sort of VPN regularly is both simpler and far more obscure in the minds of most people. The VPN serves to put messages visible to all into enveloped communication only readable by sender and transmitter, which is the core criteria needed for freedom of speech and a cornerstone requirement of democracy.

All the right results for all the wrong reasons.

Anonymous Coward says:

At what point have ISPs ever allowed users to opt out of data collection? I thought they, just like every other gold-toothed polyester-jacket-wearing scam artist out there, say opt outs are exclusively for preventing the data they persistently collect from being used for ad targeting.

The promise of an ISP using your personal data for ad-targeting says nothing about them selling the data to third parties to have, say, advertisers on Twitter target your account for shilling products to.
