The why and wherefore of VPNs
It’s not VPNs that are bad, rather people’s unrealistic expectations of privacy. And, in a pay-per-click age, honesty
SEARCH ONLINE FOR “why I need a VPN” and you’ll find flashy websites framing all sorts of shoddy prose on the perils of “unprotected” browsing. Such diatribes should be taken with a pinch of salt. Yes, there are companies that sell your data. Yes, there are brutal regimes that punish anyone caught browsing websites that go against their ideologies. Yes, Google is mostly blocked in China. And yes, a VPN might help you with this. But it’s perhaps not as essential as people think.
Anyway, we’re getting ahead of ourselves. A VPN is an encrypted tunnel between two, generally distant, machines. There are a variety of protocols by which one can achieve this, but they all enable the client machine to access resources (web pages, VOIP services, internal company resources) using the server as a proxy. Furthermore, established public key cryptography and key exchange protocols are leveraged so that anyone eavesdropping on the VPN connection has an extremely small chance of being able to make sense of the data. And anyone looking at the connection from the VPN server to the outside world (if it’s used that way) won’t be able to see the client’s IP address.
That all sounds quite good—and it is, as long as you trust your VPN provider. Ascertaining that trust, however, is hard. In 2016, a free VPN service called Hola breached user trust. It provided a browser plugin that enabled users to switch regions. However, those users were unwittingly becoming rather more involved in the VPN than they would have liked. Hola’s business model at the time was to tunnel traffic between users so that their machines became proxies. This potentially made users vulnerable to all kinds of lawsuits and investigations, since traffic is no longer encrypted after it has left the VPN tunnel. Most of the web is protected by HTTPS now, but that still reveals domain names and IP addresses.
We’d hope that such behavior is a thing of the past, and for the most part, it is. But that doesn’t mean we can trust what these fly-by-night VPNs are telling us. Many of them boast of a ‘no logging’ policy, for example, yet in 2020, seven such services based in Hong Kong accidentally leaked some 1.2TB of user logs. These included cleartext passwords, session keys, domains visited, browser user agent strings, and IP addresses. NordVPN, for a long time considered more reputable than other services, experienced a data breach in 2018, although no customer data was taken.
These may have been isolated incidents, but would you trust such operations to aggregate all your internet traffic? Or, put it another way, do you distrust your ISP enough that giving that information to an unknown entity seems like a good idea?