Andrew Harrison
efore you even start looking for the best VPN to suit your needs, you should consider if it is a Virtual Private Network service that you actually require. The term VPN is today frequently bandied around as a means to geolocate oneself elsewhere, usually to counter businesses that restrict their online services to users from within a particular region.
Many people use such countermeasures in order to enjoy the BBC’s iPlayer streaming services while outside the UK; or to make use of the expanded catalogue of film and television offered by US Netflix, in contrast to the more limited selection in the UK.
However, for simple virtual geographical relocation to gain an IP address in the required region, a proxy server is all that is required. Proxy servers can be found more readily and cheaply from various free and commercial providers, sometimes using as little as a basic web browser plug-in.
But it’s the ‘P’ in VPN that is of most benefit to those that really need it. VPN was originally devised for enterprise businesses to allow communications beyond the company firewall that could not be easily eavesdropped while traversing the public internet. As well as connecting various outposts of the company based in different cities or countries, it allowed staff to work remotely away from the office, whether from home or while on the road. Yet they could still connect securely to the company intranet transparently as if they were within the same physical building.
Now VPN is becoming increasingly useful for anyone that wishes to surf the internet with an element of anonymity, by helping to disguise their originating home IP address. VPN connections are also put to use for political safety; for example, in order to avoid state censorship and persecution, busting through filtering and logging at the ISP or state firewall level.
Another application may be to help sidestep the relentless tracking by commercial corporations such as social media and online advertising brokers. They now consider every net user fair game for tracking and profiling, collecting
Bpersonal data and targeting advertising at us for profit. Or a VPN link may be used to minimise surveillance by the US and UK intelligence agencies that we now know record all of our online activities and personal communications.
There is the darker side of VPN use too, associated with criminals and others who try to stay off the radar of law enforcement.
In between the two opposite ends of political and criminal applications of VPN is the greyer area of peer-to-peer file sharing, for which some users prefer to avoid any possible retribution from big-media trade associations such as the MPAA by using encrypted VPN connections.
Free services
Everyone likes good value, and nothing looks quite as invitingly good as free. But as with any online service that is billed as free, beware that you’re as likely to be selling your soul as getting a good deal. Offers that promise free VPN connections may have dangerous strings attached.
An example is HotSpot Shield, a popular free VPN service that installs unwanted toolbars, third-party applications, corrupts your default search provider settings and then bombards the hapless user with in-line, pop-up and pop-under ads. Depending on your viewpoint, such weaponised ‘free’ software will be classed as unwanted applications at best, or malware at worst.
It pays to read carefully the terms of service. AnchorFree, the developer of HotSpot Shield is good enough to warn you in its terms of service: “AnchorFree may deliver third-party Advertisements within the content of any web page accessed… You hereby acknowledge and consent that AnchorFree may alter the content of any web page accessed for the purpose of displaying advertisements.”
Trust and state surveillance
The use of any VPN service entails some degree of trust, since the provider is in a privileged position to see all your online activity, and you only have their word that they won’t sell you out to third-party marketers, other malefactors, or worse.
If your use of a VPN service is to thwart mass surveillance by the UK and US governments’ intelligence collectors at GCHQ and NSA, you need to be sure that the level and application of encryption your VPN service employs has not been compromised by said agencies.
While publicly known protocols such as AES, TLS, SSH and the IPsec suite are officially believed to be secure, the exposure of the Bullrun and Edgehill programs illustrate that back doors and crackable protocols have been deliberately introduced in some security protocols. RC4, part of SSL, is likely wide open to FVEYS eyes.
The current problem is that we don’t know exactly which protocols are compromised, and how badly.
The New York Times discussed the crucial revelations made in Edward Snowden’s documents. “By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300. A 2010 document calls for ‘a new approach for opportunistic decryption, rather than targeted’. By that year, a Bullrun briefing document claims that the agency had developed ‘groundbreaking capabilities’ against encrypted web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.”
Even if the core crypto is still secure, you must also rely on the developer of proprietary VPN software for your Windows, Mac or Linux PC, or your mobile device. If your VPN provider is based in the US or UK, they may have been ordered to introduce a backdoor, and be subject to a secret court order that forbids them from warning their customers.
There is also the issue of logging. Many overseas VPN providers make a strong statement about not logging their users’ connections, which could be turned over to state intelligence or law enforcement agencies on request. In the UK, for instance, logging was once at the discretion of the provider but since last summer’s DRIP Act