
What privacy does a VPN actually provide? - geophile
I am an American, and dismayed (but not surprised) that the US Congress voted to allow ISPs to cash in on data derived from my usage of the internet. Supposedly VPNs solve this problem. What does this hide other than my IP address? If I, in the USA, visit foobar.com, whose server is also in the USA, then all the HTTP headers are intact, and someone who wants to track me has everything he had before I started using a VPN, except for IP. Or is the IP actually that important to the people who make a living by selling my data?
======
rhz
Home Network

         |
         |
         v

        ISP  <--->  Internet

Home Network

         |
         |
         v

        ISP  --->  Internet --> VPN <--> Internet

Your ISP cannot see what you do on the internet when you use a VPN, except for
the fact that you are connecting to a VPN. The VPN is connecting to the
internet for you, and your ISP cannot see anything beyond you and your VPN
sharing encrypted data.

The point is it's more than just an IP. Websites you connect to aren't actually
sites you're connecting to; your VPN is connecting to them for you and sending
you back what it sees, and so your real IP is hidden and, in theory, the
encryption between the VPN and yourself makes it impossible for your ISP to
see what it is you're doing online; it only sees garbled nonsense. But when
your computer receives that garbled nonsense, it turns it into, for instance,
data that will load into your browser and show you a site you don't want your
ISP to know you are visiting.

There is always the danger of your VPN/hosting provider handing your
actual IP and a list of all your traffic, neatly folded and ironed in a log,
over to a company for money. This is why some people avoid free VPNs and
others set up their own on a server.

~~~
geophile
But "what [I] do on the internet" is available to anyone snooping the internet
between the VPN and whatever website I'm going to. HTTP request headers carry
a lot of information, e.g.
[https://bits.blogs.nytimes.com/2015/01/29/with-a-few-bits-of...](https://bits.blogs.nytimes.com/2015/01/29/with-a-few-bits-of-data-researchers-identify-anonymous-people/?_r=0).

This is an arms race. If there is value in my data, surely someone is going to
try to obtain it from the data flowing out of the VPN. No?

~~~
rhz
You're not wrong at all. If you had an OpenVPN server running up in Canada
that you set up yourself - you still have to worry about the connection that
the VPN in Canada is making to the internet. _It_ connects to the internet
through an ISP, too.

One point of popular VPNs and overlay networks like Tor is that so many people
do so many different things on the same IP that it becomes impossible to tell
who's who from the thousands of people making outgoing connections from the
same address, and the overlapping traffic is anonymizing in and of itself. But
yes, no guarantee of privacy.

Take into account that it's better to have some security than no security at
all.

The argument you're making rings true, but I can say "Why have a lock on your
door if someone can pick it and enter anyway?"

~~~
geophile
Of course, I will put a lock on my door. I was just trying to understand how
many windows I had wide open.
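
The point raised in the question and the replies above, as an added example that is not part of the thread: a small model of what the ISP and the visited site each observe for one plain-HTTP request, with and without a VPN. The header values, IP addresses and function names are constructed for illustration, and the tunnel is assumed to encrypt everything between the home network and the VPN.

```python
import hashlib

# Constructed sample request; header values are illustrative, not captured traffic.
HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Cookie": "uid=constructed-example-1234",
}
HOME_IP = "203.0.113.10"  # RFC 5737 documentation address, stands in for the home line
VPN_IP = "198.51.100.7"   # RFC 5737 documentation address, stands in for the VPN exit


def header_fingerprint(headers):
    """Hash the headers in canonical order. The source IP is not an input."""
    canon = "\n".join(f"{k.lower()}:{v}" for k, v in sorted(headers.items()))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def observations(host, headers, use_vpn):
    """What the ISP and the site each learn from one plain-HTTP request."""
    fp = header_fingerprint(headers)
    if use_vpn:
        # The ISP sees only an encrypted tunnel to the VPN endpoint.
        isp = {"connects_to": VPN_IP, "site": None, "header_fp": None}
    else:
        isp = {"connects_to": host, "site": host, "header_fp": fp}
    # The site (and anyone on the path after the VPN) sees the request itself.
    site = {"source_ip": VPN_IP if use_vpn else HOME_IP, "header_fp": fp}
    return {"isp": isp, "site": site}


def changed_fields(before, after):
    """Names of the fields whose value differs between two observations."""
    return sorted(k for k in before if before[k] != after[k])


if __name__ == "__main__":
    direct = observations("foobar.com", HEADERS, use_vpn=False)
    tunneled = observations("foobar.com", HEADERS, use_vpn=True)
    print("ISP view changes: ", changed_fields(direct["isp"], tunneled["isp"]))
    print("site view changes:", changed_fields(direct["site"], tunneled["site"]))
```

For the ISP every field changes, while for the site only `source_ip` does: the header fingerprint, cookie included, is identical on both paths.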

------
fulafel
Depends on what you mean by VPNs.

Traditionally a VPN was an overlay network that interconnected a number of
private networks and/or individual hosts over the Internet. For example,
between your friends you could set up IPsec so that peer-to-peer IP traffic
was encrypted between all participants. There's no client or server role in
IPsec so either side can initiate the connection.

Then, it was used as a moniker for corporate PC software that connected the
salaryman on the road to the mothership "intranet". Which was mostly about
selectively punching holes in their own "intranet + firewall" network setup.

Then lately, the term has seen use in home computer use to circumvent their
last mile ISP, to impose a small level of obfuscation in order to BitTorrent
stuff more safely or curb ISP data collection. The traffic is still piped out
to the public Internet at the VPN provider.

It's kind of a full circle and the term VPN does not make any sense for the
latter use. You make a "virtual private" connection to the public internet,
and there is nobody on the VPN that you share privacy with?

