Deutsche Welle (English edition)
Bypassing censorship with VPNs ― is that really safe?
Virtual Private Networks are a quick emergency solution when regimes block critical websites. With VPNs, you can still access the free internet through a tunnel. But can you trust the provider?
More and more countries are blocking undesired websites on their networks or specifically searching internet traffic for critical and opposition voices.
When the internet becomes a state-controlled intranet, users run into problems: They can then no longer access the website of Deutsche Welle or other free media, for example. Social media platforms on which opposition activists had arranged to protest just a short time before are suddenly offline.
A quick solution: VPN
Whenever a regime censors the internet in a crisis, many users in their helplessness resort to the simplest solutions. These are often virtual private networks (VPNs).
VPNs were developed to allow companies in different locations to connect their internal networks (intranets) via encrypted channels through the internet. But VPNs can also be used to connect a private computer from within a non-free, government-controlled network to a server on the free internet, using exactly the same principle.
Providers make big promises
VPNs are now readily available to everyone. Corresponding programs are available free of charge. VPN apps even top some charts. But users usually don't think about the risks in this situation.
VPN apps are plentiful, and the providers' promises are great. If you install their software on your cell phone, you can go online particularly securely, they say. And they promise that your personal data can no longer be accessed by potentially malevolent forces. What is clear: If the VPN works, you can use streaming services from other countries, bypass government censorship and access blocked websites.
How do VPNs work?
A VPN establishes an encrypted tunnel from your smartphone or computer to a remote VPN server. From this endpoint, you enter the public internet. When you surf the web, it looks to the operators of the websites you're visiting as if your computer were the VPN server.
If, for example, you are using a computer or smartphone in Germany but your VPN server is located in Japan, then the operators of websites you visit will think you're in Japan. This game of hide-and-seek is based on the fact that you do not appear with your own IP address, but with that of the VPN server.
Can you be detected while using VPN?
Basically, regimes that control internet traffic are able to detect when someone is using a VPN. However, they cannot detect what someone is doing with it, i.e. what data is flowing back and forth in the VPN tunnel.
Some dictatorships have banned VPN use for this reason. Such regimes then block access to VPN servers abroad or, in rare cases, even persecute the users individually. But governments usually cannot take blanket action against every VPN, because many foreign companies also rely on VPNs for their internal company communications.
So as long as governments do not list the IP addresses of foreign VPN servers in their firewalls, and thus block them, it is possible to use them to circumvent censorship.
How secure is my data in the VPN?
Here lies the second weak point: All your data make a detour via the VPN provider. But do you really know the company and what it's about? Essentially, you will have to trust your provider to maintain data privacy.
Because the provider operates the tunnel, the company can also see which websites you access, when and how often. The provider may also be able to see the non-encrypted content of your communications, such as simple e-mails.
This data can be stored, and especially the data about surfing behavior can also be sold for marketing purposes. For VPN providers, this can be a successful business model. They take money from the customer for VPN use in a subscription model. At the same time, they sell data about web usage to the advertising industry.
In the worst case, however, they also sell or supply data to government authorities. Even if the provider promises not to sell the data, it is already a risk that the data is stored at all. Not a day goes by without a new data leak being reported, whether due to poor security or criminal hacker attacks.