
VPN – Very Precarious Narrative - denschub
https://schub.io/blog/2019/04/08/very-precarious-narrative.html
======
cantrevealname
> _If you are using your device on a public network, VPNs can help you protect
> your data. I have a ProtonVPN subscription myself, just for those instances
> where I am sitting in an airport waiting for my plane_

Seems like a contradictory message. He just got through telling us how most of
the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at
the airport? Is he checking his email? I can't imagine that he's using an
email service that doesn't use HTTPS. Is he logging into his bank account? I
doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching
cat videos on YouTube? Well, even that's encrypted.

Remember, his argument is that VPNs don't provide privacy--so that's not the
reason. And this is the section where he's talking about public networks, not
about other rationales for VPNs like geolocking or ISP blocking. It weakens
the argument of his essay to say that he needs a VPN at the airport or cafe.

~~~
jsight
I felt exactly the same way. I've run into people who have the idea that
public wifi is insecure, as in don't hit your bank's website over that
insecure channel. But in reality, the services that really need security are
going over TLS, where at least the connection itself is secure (presuming that
you are taking the same safeguards that you'd take on a "secure" network). In
reality, no internet network is naturally secure and the only security is
these transport-level encryptions.

But, of course, there is more to it than that. What about the unencrypted
connections? DNS access and logging? Ironically these are what people tend to
worry the least about but are the most likely to be compromised. A VPN can be
very helpful here.

The article brushed across this distinction in a way that I think may have
just been confusing to anyone that didn't already understand it. The net
effect is that they might see these two pieces of advice as contradictory.

~~~
ridgewell
> But in reality, the services that really need security are going over TLS,
> where at least the connection itself is secure.

I think other considerations include whether or not the sites that you visit
implement HSTS. While many sites do support HTTPS-only logins, several
webservices are actually quite vulnerable to software such as SSLstrip[1],
which redirects hijacked users to plaintext HTTP pages whenever feasible.

While many sites implement TLS, several sites don't implement HSTS. I am not
sure about the HSTS policies of the top 3000 sites so I will not comment on
that.

[1][https://moxie.org/software/sslstrip/](https://moxie.org/software/sslstrip/)
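A check a defender would run for the HSTS point above, as an added example (not code from the thread or from SSLstrip): a parser and grader for the Strict-Transport-Security header, run over constructed sample headers. Hosts graded "none" are the ones where a downgrade to plain HTTP is still possible on every visit; even a strong policy leaves the very first visit exposed, which is the gap the browser preload list closes.

```python
"""Added example (not from the thread or its author): parse and grade an HSTS
header to judge whether a site still leaves room for the HTTP downgrade that
SSLstrip performs. Sample headers below are constructed, not measured."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; what the browser preload list requires


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directives are ';'-separated, names are case-insensitive, max-age is
    mandatory, unknown directives are ignored, and a directive repeated
    twice makes the header invalid.
    """
    policy = HstsPolicy()
    if header is None:
        policy.errors.append("header absent")
        return policy
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            policy.errors.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.errors.append(f"invalid max-age {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if "max-age" not in seen:
        policy.errors.append("max-age missing")
    return policy


def downgrade_risk(policy: HstsPolicy) -> str:
    """Grade the policy from an SSLstrip-style downgrade point of view.

    none          - no usable policy: every visit can be stripped to HTTP
    weak          - policy expires quickly, so the exposed first visit recurs
    ok            - a year or more, but the very first visit is still exposed
    preload-ready - long-lived, covers subdomains, eligible for the preload
                    list that removes the first-visit gap
    """
    if policy.errors or not policy.max_age:  # max-age=0 deletes the policy
        return "none"
    if policy.max_age < ONE_YEAR:
        return "weak"
    if policy.include_subdomains and policy.preload:
        return "preload-ready"
    return "ok"


# Constructed sample responses keyed by hostname (illustrative only).
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "bank.example": "max-age=31536000; includeSubDomains; preload",
    "shop.example": "max-age=3600",
    "blog.example": None,
    "broken.example": "max-age=abc; includeSubDomains",
    "dup.example": "max-age=100; max-age=200",
}


def assess(samples: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, str]:
    """Grade every sample; hosts rated 'none' are where a downgrade still works."""
    return {host: downgrade_risk(parse_hsts(value)) for host, value in samples.items()}


if __name__ == "__main__":
    for host, grade in assess().items():
        print(f"{host:16} {grade}")
```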

------
tyingq
Seems to ignore two things...

a) Your ISP is almost always in the same legal jurisdiction as you are. A VPN
need not be.

b) A VPN has some incentive to deliver on privacy. Your ISP does not.

It's fair to call out that a VPN isn't perfect for either privacy or
anonymity. But it clearly _can_ be better than your ISP.

~~~
rtpg
> b) A VPN has some incentive to deliver on privacy. Your ISP does not.

Regarding this point, I think a good strategy here is to acknowledge that
ISPs, like most organizations, don’t want to add to their workloads. Of course
they aren’t privacy centric, but appeals to them oriented around _not_ having
to store a bunch of logs or set up a bunch of processes can help to unite more
people around initiatives to make things better for everyone

If everyone has the same ideals then it’s easy to team up. But even if
everyone has different ideals, you might all still be wanting 90% of the same
result and can still team up!

~~~
mosselman
Yes, VPNs might be unjustly talked about as a set-it-and-forget-it way to gain
privacy online a bit, but what I find far more harmful is the blind trust
people seem to have in their ISP. I often see the argument "You are just
shifting trust from one company (ISP) to another (VPN).", yes, that might
actually be the whole point.

ISPs can't be blindly trusted. I switched ISPs lately because my previous one
started offering personalised TV-ads. This is a very scary topic and in
Belgium it has already led to some fishy things:

[https://www.nieuwsblad.be/cnt/dmf20160913_02466535](https://www.nieuwsblad.be/cnt/dmf20160913_02466535)

Nice quote with regards to personalised tv-ads:

"There will also be an even more far-reaching version in which browsing
behaviour will also lead to targeted TV advertising. It monitors which types of
websites are frequently visited in a household, in order to discern interest
patterns that could be lucrative for advertisers."

"There will be a far-reaching version in which browsing behaviour will also
lead to personalised tv-ads. The websites visited by families will be
analysed in order to discover interest patterns that could be lucrative for
advertisers."

Add this to the many cases where ISPs have fought for being allowed to use
deep packet inspection to monitor what we do and you start to see that ISPs in
fact think they have a right to collect and sell our data. Am I not already
paying for internet and TV?

~~~
ignoramous
What's happening is the service providers are realising that a lot of
lucrative billion dollar businesses have been built by selling ads on top of
their last-mile services, they might as well do the same. In India, the
companies that are ISPs are also Cable Providers and Mobile Network Providers.
They have been caught MiTMing HTTPS to inject ads. They do it because they want
their share of the internet ad revenue cake.

What's strange is that Belgium, in the post-GDPR world, has businesses with
regressive behaviour wrt user profiling. What gives?

------
mirimir
Damn. I don't even know where to begin.

It's true that VPN services at best provide less anonymity than Tor does. And
that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But
PIA clearly does, as demonstrated now in two criminal investigations.[0]

Of course, in both cases, defendants pwned themselves through poor OPSEC. But
at least PIA didn't give them up.

And the Facebook example. Nobody paying attention expects a VPN service (or
even Tor) to hide their identity if they login using their real name. That's
just stupid.

0) [https://torrentfreak.com/private-internet-access-no-logging-...](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

~~~
everdrive
> And the Facebook example. Nobody paying attention expects a VPN service (or
> even Tor) to hide their identity if they login using their real name. That's
> just stupid.

A lot of users care about privacy, but have no idea how computer networking
works. It's hard for these users to understand whether they're private or not.
If you don't believe me, check out the tech support and recommendations over
at old.reddit.com/r/vpn -- there's clearly a lack of knowledge about VPNs and
computer networking. Probably once a week, someone will ask "How did [paid
video streaming service] know I was using a VPN?" Or "X country can only spy
on me if I have a VPN in that country, right?"

~~~
mirimir
Users are all too clueless, sadly enough. And too lazy, as well. I do what I
can, but it's a drop in the bucket.

------
mattnewport
I have a pretty limited selection of ISPs available to me in my area and they
make no effort to promise any kind of anonymity or privacy. Indeed here in
Canada ISPs have frequently given subscriber contact information to copyright
holders to issue warnings based on bittorrent usage without being legally
required to. When visiting the UK certain IPs are blocked by ISPs. I can
choose from a wide variety of VPN providers in other jurisdictions whose
entire business model is based around respecting my digital rights in ways
that most ISPs explicitly don't care about. Some of these providers accept
bitcoin and other relatively anonymized forms of payment, including VISA gift
cards.

The article makes some valid points but overstates the case. I continue to be
happier with trusting my VPN providers than any of the ISPs available to me.

~~~
msbarnett
> Indeed here in Canada ISPs have frequently given subscriber contact
> information to copyright holders to issue warnings based on bittorrent usage
> without being legally required to.

Citation needed?

The “Notice and Notice” regime legally requires the ISP to pass along a notice
from a copyright holder that believes your IP infringed their copyright by
uploading their material. It does not permit the ISP to give subscriber
information to the copyright holder directly unless ordered to do so by a
court.

Here’s Michael Geist, Canadian lawyer, explaining the system and recent
developments regarding _ISPs seeking to make such information disclosures more
difficult for copyright holders, not less_

[http://www.michaelgeist.ca/2018/09/notice-the-difference-sup...](http://www.michaelgeist.ca/2018/09/notice-the-difference-supreme-court-rules-isps-can-be-compensated-for-copyright-costs/)

> My Globe and Mail op-ed notes that the Canadian system for online
> infringement was formally established in 2012 and came into effect in 2015.
> The so-called “notice-and-notice” approach grants rights holders the ability
> to send notifications of alleged infringement to Internet providers, who are
> required by law to forward the notices to the relevant subscriber and to
> preserve the data in the event of future legal action. The system does not
> prevent rights holders from pursuing additional legal remedies, but Internet
> providers cannot reveal the identity of their subscribers without a court
> order.

> While the system has proven helpful in educating users on the boundaries of
> copyright, some rights holders have used it as a launching pad for further
> lawsuits. In fact, thousands of lawsuits have now been filed, with rights
> holders seeking to piggyback on the notice-and-notice system by obtaining
> the necessary subscriber information directly from Internet providers at no
> further cost.

> The question of costs lies at the heart of an important Supreme Court of
> Canada copyright ruling released on Friday. Voltage Pictures sought
> subscriber information from Rogers Communications for the purposes of
> pursuing individual lawsuits. When Rogers advised that it wanted
> compensation of $100 per hour for the costs associated with fulfilling the
> request, Voltage responded that Internet providers could not pass along
> their costs since the notice-and-notice system already required them to
> identify subscribers and preserve the data without compensation.

> The particular incident may have involved only a few hundred dollars, but
> the broader principle had the potential to dramatically alter the Canadian
> approach. If Internet providers were required to disclose subscriber
> information without passing along the costs, Canadian courts faced the
> prospect of an avalanche of lawsuits and Internet providers might be
> dissuaded from carefully ensuring that the privacy of their subscribers was
> properly protected.

> The Supreme Court understood the broader implications of the case, ruling
> that Internet providers can pass along the specific costs associated with
> subscriber disclosures beyond those required for the notice-and-notice
> system. Indeed, the court recognized the importance of accurate data to
> safeguard against reputational harm and wrongful lawsuits.

~~~
mirimir
> It does not permit the ISP to give subscriber information to the copyright
> holder directly unless ordered to do so by a court.

With honest VPNs, court orders won't yield anything.

~~~
msbarnett
Sure. OP is still pulling that claim out of his nether regions, though

~~~
mattnewport
You've researched this topic more than me. My citation is just knowing lots of
people who have received the warning notices and concluded (quite reasonably
IMO) that their ISP and/or government is more interested in the rights of
copyright holders than those of their customers / citizens and sought
solutions to that problem through VPN services.

The point of my post was not about this particular legal issue but about the
general fact that ISP choice being largely limited by physical location means
that it is easier to choose VPN providers that have interests more aligned
with mine than ISPs. Whether ISPs are forwarding threatening letters from
copyright holders or giving them contact information directly is not
particularly germane to this point.

------
0xADEADBEE
There's a couple of bad faith arguments in this article that I didn't care
for:

- Regarding user identification, rolling my IP address is trivial with a VPN.
Less so on my static IP.

- The Facebook example without cookie deletion is a low-effort Straw Man

- I reject the leap that "we have figured out that they [VPNs] do not add
much to your online privacy". In the very narrow terms defined, yes of course,
but either the author has willfully missed out why people use them, or doesn't
understand why.

I did enjoy this note though: "Somehow, VPNs have turned them not failing to
do their job into something they can market as a special feature."; I think
there's some truth to that.

I tunnel my traffic over a VPN to avoid my ISP building a profile on me. I
change my IP every-so-often to mess with trackers at large. I accept that
browser fingerprinting is probably thwarting my overall effort somewhat, but
I'm reducing the vectors that I can. I firmly believe that VPN companies are
capitalising on fear but I respect the hustle. I don't think any of those
points are particularly niche (niche subject notwithstanding!) so I find it
interesting to see this take on it. Perhaps this isn't an article
representative of the position of the wider HN crowd?

~~~
tylerl
What you see as bad faith is actually a direct reflection of the benefits
these VPN providers are claiming to provide -- if not explicitly on their own
site (publishing false claims in writing often leads to bad outcomes) then at
least in the ad copy they give to the Youtube hosts to read.

In ~100% of cases, you're safer SSH-tunneling your traffic to a cheap server
at a cloud hosting provider.

------
dguido
The slimy marketing around centralized VPN services is why I consider it a
point of pride to include the following as a "feature" in the AlgoVPN readme:

> Anti-features

> * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or
> RSA

> * Does not install Tor, OpenVPN, or other risky servers

> * Does not depend on the security of TLS

> * Does not require client software on most platforms

> * Does not claim to provide anonymity or censorship avoidance

> * Does not claim to protect you from the FSB, MSS, DGSE, or FSM

It's incredible how quickly services that massively centralize bulk consumer
web traffic were normalized. This is not ok. Further, most of these services
are located in "exotic" locales with uncertain legal protections, anonymous or
pseudo-anonymous owners, and make barely enough revenue to hire more than 3 or
4 staff members to maintain and secure their own infrastructure. This whole
industry is a slow motion disaster.

~~~
simias
> * Does not install Tor, OpenVPN, or other risky servers

What do you mean by "risky servers" here? I run OpenVPN on a few servers, is
there something I should know?

~~~
dguido
There's an FAQ in the AlgoVPN documentation that addresses this question
([https://github.com/trailofbits/algo/blob/master/docs/faq.md#...](https://github.com/trailofbits/algo/blob/master/docs/faq.md#why-arent-you-using-openvpn)):

> Why aren't you using OpenVPN?

> OpenVPN does not have out-of-the-box client support on any major desktop or
> mobile operating system. This introduces user experience issues and requires
> the user to update[1] and maintain[2] the software themselves. OpenVPN
> depends on the security of TLS[3], both the protocol[4] and its
> implementations[5], and we simply trust the server less due to past[6]
> security[7] incidents[8].

[1] [https://www.exploit-db.com/exploits/34037/](https://www.exploit-db.com/exploits/34037/)

[2] [https://www.exploit-db.com/exploits/20485/](https://www.exploit-db.com/exploits/20485/)

[3] [https://tools.ietf.org/html/rfc7457](https://tools.ietf.org/html/rfc7457)

[4] [https://arstechnica.com/security/2016/08/new-attack-can-pluc...](https://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/)

[5] [https://arstechnica.com/security/2014/04/confirmed-nasty-hea...](https://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/)

[6] [https://sweet32.info/](https://sweet32.info/)

[7] [https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob...](https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob/master/README.md)

[8] [https://www.exploit-db.com/exploits/34879/](https://www.exploit-db.com/exploits/34879/)

------
brobinson
> However, the sad reality is, there is no such thing as a "no logs" VPN.
> Because running it would technically be impossible.

PIA has told the feds in the US to fuck off multiple times when asked for
logs. You can't provide what you don't have, and lying to the feds is a fast
track to PMITA prison (PIA is based in the US). I feel pretty confident
they're not risking prison to cover for Joe Blow subscriber. Other "no log"
providers have been caught with logs, though.

I do agree with overall message about VPN advertising. It's presented as a
panacea when it's really a single step you can take.

~~~
tptacek
Who cares if they log now? They can be forced to log --- and are in fact
running businesses that practically _beg_ the DOJ to force them to log.

~~~
rasengan
> They can be forced to log

There is no legislation in the US that can be used to do this [1]. Some very
misguided companies may voluntarily log, but those that care about privacy or,
at the least, realize that holding people's data is a liability, won't make
poor decisions like that.

[1] [https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...](https://en.wikipedia.org/wiki/Data_retention#Failed_mandatory_ISP_retention_legislation_attempts)

~~~
bitreality
Oh come on now. The US Government forces tech companies to share information
all the time.

[http://www.msnbc.com/msnbc/us-government-threatened-yahoo-bi...](http://www.msnbc.com/msnbc/us-government-threatened-yahoo-big-fine-provide-data)

They certainly can, and will, go after any company they want to, without
referencing any specific US legislation.

~~~
rasengan
ISPs and VPNs have different laws than, for example, email providers. Further,
Yahoo Mail would be storing data (thus "voluntary" logging, or in their case,
there are few ways around it to deliver their services in any kind of usable
way).

I repeat, after having evaluated this quite deeply, that there are no
mandatory data retention laws in the US, period, for ISPs and VPNs. This is in
contrast to quite a few jurisdictions, and the poor actions taken by ISPs and
VPNs in said areas seem to speak louder than words.

That being said, I can relate to the author. Trusting a random service without
any reason to trust is definitely blind. However, trust can be earned, over
time, and validated, but should never be absolute. Trust is earned, daily,
forever.

That being said, at the end of the day, the best bet is to remove trust from
the equation - to get closer to a zero knowledge state, thus creating zero
trust.

We're working toward that, every single day, and I would love to hear from
anyone that's interested in helping or has thoughts.

~~~
bitreality
You're saying that organizations can avoid being subject to providing data if
their service does not store the data. But I am not convinced. If the NSA or
whatever 3 letter agency demanded the data be made available in a secret
court, the company would have no choice but to comply.

They could require this in several ways. They could store the data directly on
government servers, or set up a third party server and store the data on
there, where both parties could access it. Either way, there is no technical
reason the data can NOT be collected, so if the big boys want it, they will
get it.

------
john_minsk
Articles like this are disastrous. So many people are using VPNs to bypass
government restrictions and protect themselves from ISPs, which are no longer run
by idealists dreaming about uncensored access to information, but by managers
that will share your information with any agency the minute a request shows up
in their inbox. And these people don't always have good knowledge of how
security works, so this article can greatly mislead them.

I subscribed to a small VPN service 5 years ago for one reason: I needed
static IP address for work, but my ISP at the time wasn't selling them to
private individuals (freelance).

And I couldn't be happier! Wherever I go I don't have any issues with access
to my resources or worries that local government will fine me for watching
porn (check out UAE or Saudi laws).

Hell, even Skype is blocked by a lot of telecoms around the world since you
don't pay roaming fees when calling through it. How ridiculous is that? On VPN
it worked every time.

HTTPS is great, but it is by no means private enough. The ISP knows which service
you are requesting, they can do SSL inspection and all kinds of shady bullshit
without your consent. With a VPN they only see that I talk to 1 IP address
somewhere in the Netherlands and that is it!
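What "the ISP knows which service you are requesting" looks like on the wire, as an added example that is not part of the original thread: a parser for the plaintext server_name (SNI) field of a TLS ClientHello, run against ClientHello records constructed in the block itself (no traffic is captured or decrypted). Inside a VPN tunnel the same record is encapsulated, so the ISP sees only the tunnel endpoint; Encrypted Client Hello (ECH) is the TLS extension designed to encrypt this field without a tunnel.

```python
"""Added example (not from the thread): extract the server_name (SNI) field
that an on-path observer such as an ISP can read from a TLS ClientHello.
The ClientHello is constructed in this block; no traffic is captured."""
import struct
from typing import Iterable, List, Optional


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    # supported_groups extension (type 0x000a) listing x25519, so the parser
    # has an unrelated extension to skip over
    groups = struct.pack("!HH", 2, 0x001D)
    extensions = struct.pack("!HH", 0x000A, len(groups)) + groups
    if include_sni:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList length
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni  # type 0 = server_name
    body = (
        b"\x03\x03"                                 # client_version TLS 1.2
        + bytes(32)                                 # random (zeros in this sample)
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if the record is
    not a ClientHello or carries no SNI. Only plaintext fields are read."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                            # host_name entry
                    return data[p:p + name_len].decode("idna")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None                                           # truncated or malformed record


def observed_hosts(records: Iterable[bytes]) -> List[str]:
    """The per-connection destination list an ISP could log from plain HTTPS."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


if __name__ == "__main__":
    sample = [build_client_hello("mail.example.com"),
              build_client_hello("bank.example"),
              b"\x17\x03\x03\x00\x05hello"]       # application data, not a hello
    print(observed_hosts(sample))               # ['mail.example.com', 'bank.example']
```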

~~~
lornemalvo
a) The unproven assumption you are making is that VPN providers are run by
idealists, not by managers. There is no indication for this. b) The article
outlines that using a VPN to bypass national censoring measures is perfectly
valid. c) Your argument about the ISP knowing everything vs. the VPN provider
knowing everything is exactly what the article is about. There is no
indication to trust a VPN provider more than your ISP, for a number of
reasons.

~~~
RinTohsaka
> a) The unproven assumption you are making is that VPN providers are run by
> idealists, not by managers. There is no indication for this.

Maybe you misread? I think he was saying the reverse.

------
oedmarap
It seems that the author's target audience is highly non-technical readers.
I'm not sure if the article does more harm than good by just citing existing
technologies that aren't used by privacy-minded power users without pointing
towards proven solutions as well, even if they may require effort to
implement. All is not lost.

The article touches on the OpenVPN protocol, "commercial" VPN providers
(ExpressVPN in the screencap), but just glosses over the availability of
better protocols, good providers, useful browser extensions, and democratized
DNS encryption.

A combination of a WireGuard VPN provider (Mullvad comes to mind), using only
the Firefox browser with a few extensions (such as Multi-Account Containers,
HTTPS Everywhere, Privacy Badger, Decentraleyes, etc.), and using DNS over
HTTPS (can be enabled in FF as well) will solve most of the problems the
article posits. Running AdGuard as a local DNS server with upstream DoH is
also something relatively easy to do.

Sure, overall security posture calls for a bit more but a good [VPN + DoH + FF
+ AdBlocking] setup should be the norm and not the exception; and will
definitely pay off dividends rather than just letting a green padlock give
users peace of mind.

I'll actually write a how-to on this, since I don't want to seem like I'm just
mentioning a solution without actually providing the steps to get there.

~~~
OrwellianChild
I'd very much appreciate the write-up... I've not been able to find a very
coherent (and current) best-practice document. Where can we find it when it's
up?

------
ikeboy
> Just like you have to trust your ISP that they do not collect data, you have
> to trust that your VPN provider is not storing the same data.

Bull. Shit.

Find me a major ISP that publicly claims they don't log any data.

Anyone making a claim remotely similar to those made in
[https://torrentfreak.com/which-vpn-services-keep-you-anonymo...](https://torrentfreak.com/which-vpn-services-keep-you-anonymous-in-2019/)

If it was the norm for ISPs to claim this, maybe this argument would work. For
now, we have many documented cases of ISPs selling your information, and they
don't even try to claim that they don't keep logs, while many major VPN
services (see link above) explicitly claim to never store logs.

~~~
denschub
We also have multiple documented cases of "no-log VPNs" submitting their logs
to law enforcement. I even linked to one case in my post. What's your point
here, exactly? Because my point was you have to trust either party.

Oh, and btw, here in Europe, it is actually illegal for ISPs to give
connection data away for non-law-enforcement purposes. It's sad that there are
some US-American ISPs that have a record of selling some information, but the
world does not revolve around the USA.

~~~
ikeboy
Which case are you talking about? You have no links in the "no-log" section.

Other fatal flaws in that section, fwiw

> Starting with the obvious, if you pay for a VPN service, they have to keep
> your user account and associated payment information and your payment history.
> So, unless you are using a fake identity and an anonymous credit card (is that
> even possible these days?), your VPN account will be linked to your actual
> identity.

Plenty of VPNs accept bitcoin, and prepaid anonymous debit cards are widely
available.

> Most VPNs limit the number of devices that can be connected at the same time.
> For that to work, well, they have to store a piece of information stating
> which device is connected, and what VPN account it is associated with. They
> have to associate your VPN session with your VPN account, as counting the
> number of sessions per account would be impossible otherwise.

This is addressed in the link above. Besides, it's possible to limit
simultaneous connections without storing anything to disk.

> What's your point here, exactly? Because my point was you have to trust
> either party.

The difference is that no major ISPs are claiming not to log.

~~~
kmonsen
Bitcoin has very little anonymity as well BTW. Probably less than credit
cards.

~~~
mirimir
Sure. And that's why people who want anonymous Bitcoin use mixing services.
Such as Bitcoin Fog:[0]

> In December 2013 the site was used to launder a part of the 96,000 BTC from
> the robbery of Sheep Marketplace.

> In February 2015, a total of 7,170 bitcoin was stolen from the Chinese
> exchange Bter.com and traced back to cryptocurrency-tumblers like Bitcoin
> Fog.

0) [https://en.wikipedia.org/wiki/Bitcoin_Fog](https://en.wikipedia.org/wiki/Bitcoin_Fog)

------
jwr
I use VPNs for one main reason: so that my ISP does not build a complete
profile of me based on the sites I'm visiting. This can be mitigated to a
certain extent by using a VPN. I do not expect to become anonymous or
invisible on the internet all of a sudden, I just do not want the guy
listening next to my front door to know everything about me.

In the US, where personal data is a free-for-all and everybody and their dog
sells data about me to everyone else, this is important.

I agree with the author that VPNs should not be advertised as a complete
security and privacy solution, but I disagree with his statement that they can
actually do more harm than good.

~~~
AstralStorm
The ISP can easily build a reasonably reliable profile based just on packet
size and timing. TLS and most VPNs do nothing to these.

If they actually wanted to. You could sure them under wiretapping laws if they
did.

If you cannot trust your ISP, you cannot really have any privacy without truly
extensive measures. Not even Tor is enough, it does not pad and change timing
enough.

The real problem is cookies, requirement for email backed login and phone home
downloads. (E.g. images such as social buttons, JavaScript. They can also leak
cookies or make them live longer.)

The last one is combatted to an extent by mix networks like Tor, or better
yet, by aggressively caching and/or predownloading.

~~~
crooked-v
> You could sure them under wiretapping laws if they did.

I assume you meant "sue", but, no, that's not actually a guarantee, because
companies can require that you "voluntarily" agree to mandatory arbitration in
order to get any service at all.

~~~
AstralStorm
Those clauses are illegal, much like indemnification by you of a big ISP. Even
clauses of choice of law are very suspect.

Relying on such a clause to attempt to prevent a civil suit is stupidity, if
only because people are not properly informed of what the clause meant, making
it void. (I could quote a few cases. But I am not a lawyer. Microsoft and EULA
comes to mind.)

And by EU law, they are completely null and void by just being illegal.

That said, most of those suits do not reach court by means of settlement, not
arbitration.

~~~
crooked-v
> Those clauses are illegal

Not in the US!

[https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...](https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepcion)

------
mindslight
While there is plenty of nuance that VPN advertisements gloss over, this
article is also simply verbose FUD. It shamelessly does the same exact thing
that VPN ads do - attempt to replace one uninformed default option with
another.

> _The reality here is that your IP address is only a tiny piece of your
> trackable profile_

Yes, a tiny piece you can never shake off _besides with a tunnel_ ("VPN"). On
this front, OP is effectively making the argument that surveillance by IP
address is simply never done, even if all the other tracking signals are
removed. This is doubtful.

> _the location of a piece of large network equipment of your ISP, and not
> your location_

Yeah, which is still pretty damn indicative of _my location_, despite the
"streams coming together" narrative. One less signal available to the
surveillance advertisers is a good thing. One more feeling of "otherness" to
an ad you're being forced to see is a great thing.

> _The only secured [encrypted] channel here is the route between your machine
> and the VPN server_

Yes, simply hiding your traffic from your ISP is itself a huge win. They don't
spend millions on DPI gear without clear ROI.

Given that a vibrant market for VPNs provides for copious tunnel endpoints,
and that common people imperfectly using VPNs still frustrates bad actors like
banks and geofencers, I'll forgive the messaging. They're certainly more
legitimate than pharmaceutical or political ads.

------
alphabettsy
There are some valid points in the post, but ISPs collect and will market your
data, including browsing data. They recently changed positions and claim they
won’t anymore, but there’s no reason to trust them and they’re still using
your data for targeted ads meaning they still retain the data.

[https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-...](https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-sell-browser-history-and-you-can-opt-out-of-targeted-ads/)

~~~
tptacek
The point of the post isn't that you should trust your ISP.

~~~
comex
Indeed. Instead it falsely implies that you don’t need to, by glossing over
the limits of what HTTPS encrypts and what it doesn’t. And it encourages users
to avoid VPNs, making them subject to data collection by their ISP whether
they know it or not.

------
blackflame7000
All I know is that since I got a VPN my ISP no longer sends me letters warning
me that I have 7 more warnings until I'll be admonished for archiving movies.

~~~
sdan
Which VPN?

~~~
blackflame7000
PIA. It's cheap and used to be fast but a lot of people have started using it
so they are now having to raise price / regulate bandwidth. However, they let
you log on 5 or 10 devices simultaneously on different servers all over the
globe.

------
ylere
> Starting with the obvious, if you pay for a VPN service, they have to keep
> your user account and associated payment information and your payment
> history. So, unless you are using a fake identity and an anonymous credit
> card (is that even possible these days?), your VPN account will be linked to
> your actual identity.

Check out [https://mullvad.net](https://mullvad.net) if you want a VPN that
takes anonymity seriously. They don't even have real accounts, you just pay
(preferably via BTC or even cash via postal mail) towards an account number
that is also used as an identifier to authenticate towards the service. While
there is no 100% guarantee, I would trust their claim that they do not log.

------
yason
The article seems to talk about all kinds of things VPNs are _not_ about, and
criticises them for those, and gives a thin touch, if any, to the actual
reasons VPNs are useful and why they were designed in the first place. Weird.

------
auslander
Very misleading, factually wrong post.

"Log in to your Facebook account. Connect VPN. Did Facebook forget who you
are?" He forgot step to open new private window to clear login cookie.

VPN is a must for everybody in these days of data harvesting. We will be sorry
tomorrow, seeing many new ways it can be used by global corporations and
governments.

------
iandev
This seems to be the YouTube video in question if anyone was curious

[https://youtu.be/1PGm8LslEb4](https://youtu.be/1PGm8LslEb4)

------
zaarn
>In most circumstances, VPNs do absolutely nothing to enhance your data
security or privacy.

>Acting as they do, and promoting commercial VPN providers as a solution to
potential issues does more harm than good.

I think this ignores the fact that some users have different threat models,
sometimes the privacy threat model of a user does include their ISP for
various reasons (think China).

> Starting with the obvious, if you pay for a VPN service, they have to keep
> your user account and associated payment information and your payment history.
> So, unless you are using a fake identity and an anonymous credit card (is that
> even possible these days?), your VPN account will be linked to your actual
> identity.

Depends on the VPN, some VPN providers actually don't keep that kind of
history or provide options to operate and pay an account anonymously.

~~~
jeltz
As far as I know you can still get anonymous credit cards, and if not most
VPNs accept mailed cash. I doubt that your VPN will try to collect DNA from
all mailed in cash.

------
chii
Some of them are valid concerns.

But the article should have touched on _how_ one would actually achieve the
privacy levels that the VPNs claims to offer. For example, using TOR rather
than a VPN is a much better guarantee of privacy against IP based tracking
(and what the drawbacks of TOR are - such as accidental real-ip leaks via
javascript).

A lot of users simply trust the marketing of VPN providers - because it's
cheap, and it doesn't look like it'd do harm. Like how multi-vitamin pills are
marketed as a cheap silver bullet for a complicated problem.

~~~
john_minsk
4K video: possible on VPN, impossible on TOR. Agree?

------
peterwwillis
What you really want for privacy & anonymity are anonymizing proxies, which
are not mutually inclusive with VPNs. Proxies work best at the app level, not
network level. Proxies can also be located anywhere and hide your request
origin, and your browser can even forward DNS requests through them. But to
strip every inch of personal information out of HTTPS traffic you may need to
accept a custom CA, which reduces your security. So use a VPN for security,
and proxies for privacy & anonymity.

------
m3nu
The real problem with VPNs is that they are sold as a full privacy and
security solution to people who don't understand what's going on technically.

There are some legitimate reasons to use a VPN. Those are far fewer than the
marketing claims of those companies. What I've seen over time:

* hide your IP from the service you're using (related to geoblocking)

* get around limitations of your ISP (blocked ports or throttling, torrenting)

* hide traffic/service you use from your ISP/government (China, UAE, Iran)

* get around bad routing of your ISP

~~~
mr_toad
A large number of free VPN users seem to be students, using them to get around
their schools blocking access to Facebook etc.

------
el_cujo
I'm surprised he doesn't mention torrenting directly. I have no stats to back
this up, but I would assume the vast majority of people who get VPNs do so for
torrenting. I agree that the current advertising riding the wave of the
facebook hate/privacy "awareness" is scummy, but nothing in the article seems
to say VPNs aren't effective from hiding your TPB traffic from your ISP, which
if I had to guess is the real most popular use-case.

------
__HYde
These past few months I have noticed several popular posts dissuading people
from using VPNs. What do these people have to gain from people _not_ using
VPNs?

------
Causality1
Author has a computer science understanding of VPNs but is breathtakingly
ignorant as to the actual use cases of commercial VPNs. They're used for
getting around geoblocking and media throttling sure, but the biggest use is
piracy.

Also, his disbelief of anonymous payment methods is incredibly stupid. I can
walk into a store right now and get a prepaid visa using cash, no crypto
currency shenanigans required.

~~~
droithomme
> I can walk into a store right now and get a prepaid visa using cash

WalMart, Target, and many other large retailers retain photographic records of
all purchasers. Many cases have been broken by police claiming to have found a
match at a WalMart for the purchase of items committed in some crime.

So cash purchases of cards is not always a completely anonymous choice.

~~~
kmonsen
Sure, if you are doing illegal stuff very little of what you can find online
will protect you. But if you are hiding from non-law enforcement it is easy to
get pretty anonymous.

~~~
droithomme
I guess since I have nothing to hide I have nothing to fear! Thanks friend! We
are definitely _not_ living in a surveillance state and we have nothing to
worry about as long as we do our jobs cheerfully, obey authority, and conform.
I love my life, my job, and my government. There is nothing to see here,
everything is normative and fine.

Those engaging in crimes though, such as watching region locked content
outside the region in violation of copyright law, rightly should fear. But
that is OK since they are criminals subverting the establishment of course.
Along with those such as gays in regions where being gay is illegal. Or
apostates where apostasy and heresy are death penalty crimes. And numerous
other examples of despicable criminal behavior in violation of local laws.

~~~
kmonsen
I'm not trying to imply this is ethically or morally right. I am trying to say
that if you want to hide from the law using a VPN or anything that is easy to
find on the internet is not going to help you and believing so is harmful in
that you will choose a technology that you think helps you but does not and
take too large risks.

------
throw2016
The only way to get on a network is via an ISP or mobile provider and this
step itself gives up your identity and credit card/financial details and your
browsing history, location data and other metadata is available to any state
entity and the private surveillance economy. If you use a VPN you paid for
that is the same thing.

There is no way to get absolute privacy in this context for the average user.
Journalists and activists should be aware there is no technology solution to
protect them from spying by any sufficiently committed actor, with state
actors all bets are off.

It's false self empowerment by some technical folks to presume there is a
technical solution against state actors who are well staffed, have near
endless resources and are working 24/7 to thwart any localized technical
solutions.

If there is a way to get online truly anonymously ie public wifi points, mesh
networks these will immediately be subverted by state actors with things like
illegal porn, terrorism and made illegal or compromised and used as honey
pots. There is no winning here.

------
scoutt
Regarding "no logs", it is true that the VPN has to check if your account is
valid, or maybe how many devices you can connect. But one thing is monitoring
and another, different thing is to log that information.

Also, this doesn't mean that the traffic or destination addresses are also
logged at the VPN (the most important data).

But, is also true that you'll never know.

------
sbr464
Just a thought—Couldn’t there be a service in front of ~5-1,000 different vpn
services that would locally (depending on your subscription level) send each
request to a random list of vpn providers (like a random dns provider?
Somewhat complicating/obscuring the issue that arises with centralizing your
traffic to single endpoint?

~~~
denschub
It's called Tor. And you don't even need a subscription for that.

~~~
sbr464
Although I’m familiar with Tor, my thinking was packaging that concept in a
better way, similar to how vpn services market themselves.

~~~
discordance
You want to sell TOR? - please don't.

------
Angostura
The main problem I have with all the VPN services I see springing up is that
you’re basically paying to be man-in-the-middled.

I see people commenting ‘I use company X, they are great’ seemingly ignoring
the fact that they have no real clue as to what Company X is _actually_ doing.

------
thinkloop
It all comes down to this:

> With a VPN, all you end up doing is shifting the trust from one party to
> another. You are not gaining anything.

This is where a lot of people would disagree. A known, reputable, audited,
privacy-focused vpn provider, for example, could be more trustworthy than an
ISP.

------
harrumph
Has anybody evaluated whole-network hardware filter+VPN solutions that filter
cookies (such as Winston
[https://winstonprivacy.com/](https://winstonprivacy.com/)) in the context of
this article? I was planning on testing Winston at some point at my home, but
Winston requires a separated modem and router as opposed to the combo box I
have.

I think the declarations in the article do confuse the issue a bit - some of
the benefits of a VPN such as protecting against DNS logging are real but are
probably not as useful to VPN marketing people as a "pitch", because they're a
bit tougher to explain to laypersons.

------
t0astbread
I still have a few questions after reading that text:

1) I'm not entirely convinced on the IP address tracking thing yet. Sure, you
probably sit behind a NAT device on your home internet connection. But what
about mobile? Are cellular networks NATed? Also, do trackers really not use IP
addresses for tracking? It seems like a stable identifier as long as the
"victim" is not obscuring it and as long as you can somehow link it to the
victim's next IP address (unless it's static).

2) How are DNS queries not sensitive information? They tell what services you
use on the web. It's how you use the internet. I don't really want any
untrusted party to see that.
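Added example for the second question above (editor's code, not part of t0astbread's comment or of the article): a plain UDP/53 query carries the queried name in the clear, so anyone on the path between you and the resolver, your ISP included, reads it without needing any key. The packet builder and the three hostnames are constructed sample input, not captured traffic.

```python
# Added example, not from the thread: what a tap on the path between a
# client and a plain UDP/53 resolver reads out of a DNS query.  Standard
# library only; the hostnames below are constructed sample input.
import struct
from typing import List, Tuple


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal RFC 1035 query: header, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a label sequence at offset; returns (name, offset after it).
    Follows compression pointers (0xC0xx), so it also works on answers."""
    labels: List[str] = []
    jumped, end = False, offset
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:            # pointer into earlier bytes
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2               # the pointer ends this field
            offset, jumped = pointer, True
            continue
        if length == 0:                        # root label terminates the name
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def observe_query(packet: bytes) -> dict:
    """What the wire shows: transaction id, queried name, type and class.
    Nothing is decrypted because nothing was encrypted."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or flags & 0x8000:         # QR bit set means a response
        raise ValueError("not a single-question query")
    qname, off = parse_name(packet, 12)        # question follows the 12-byte header
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def sample_capture() -> List[str]:
    """Constructed sample: names recovered from three queries crossing the wire."""
    hosts = ["mail.example.com", "cdn.example.net", "tracker.example.org"]
    return [observe_query(build_query(h, txid=i))["qname"]
            for i, h in enumerate(hosts)]


if __name__ == "__main__":
    for name in sample_capture():
        print("observer sees:", name)
```

Every name comes straight back out of the raw bytes. Sending DNS through the tunnel to the VPN's resolver (or using DoT/DoH) changes who is on that path; the resolver you end up querying still sees every name.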

------
codexon
VPNs still give you some protection especially for illegal activities.

I was recently a victim of a password cracking attempt from someone using a
vpn. I tried reporting the incident by sending the logs to the vpn abuse
email, and they ignored it. I looked into VPN company itself, and it was owned
by some Russian in Panama. I tried emailing a lawyer there and he said that he
couldn't help me because he did work for that person.

I have no doubt that most of the major vpn providers are similarly structured
so that they can just ignore all complaints except from the largest
corporations.

------
terrycody
I got a question:

So let's say you visit a website p0rn.xxx without a VPN, but this target
website indeed gets HTTPS version of encryption, in such case, does your ISP
know which website you visit?

Another case, when you connect to a VPN, your ISP indeed know you connected to
an IP right?

Any more similar cases to let me learn more about what data gets encrypted and
whats not?

------
bni
The reason people pay for these "VPN services" is trying to hide from the
extortionists and even the law in some countries, when using BitTorrent to
download the latest GoT episode?

All other problems aside, how successful defence against that is this? Article
doesn't address that as far as I could see.

------
OrgNet
VPNs can certainly be useful to hide your identity from a specific host and
probably to hide your browsing habits from your ISP but does probably nothing
against the Government (i.e. if the NSA logs all packets worldwide, it should
be trivial to connect the dots). But I prefer to use tor in my case.

------
shellthen
The short story about the green padlock stating your connection is ‘secure’ is
also not true. It depends on the encryption type they use. I don’t have time
to go in detail, though for outdated browsers ssl 3.0 is still stated as
green...

------
Cypher
People advertise these because of the nice kickbacks. They make good money and
spend all day on social media downvoting the truth and promoting VPNs with the
other paid affiliates pointing to random articles that cause fear.

------
danShumway
I have kind of a lot of issues.

First, the downplaying of IP location lookups. If you do a lookup on my home
IP address, it'll get you within 5 miles of my house. From there, the only
other information you need is my name and potentially one or two more details
like a birthday (easy, I use my real name online) and you can get access to my
voting data -- and that'll give you an actual address, not just a zip code.

OP is correct that your IP address doesn't directly leak your home address,
but in many cases it can be a pretty helpful clue. In a small town, a zip code
and a name can be good enough on its own for a stalker to find someone even
without voting data or public records to pull from.

OP is also correct in that there are plenty of other ways to get this data,
but I fail to see how opening yet another trivial hole in my identity helps
with that.

Second, the downplaying of encryption concerns. We've come a long way on SSL,
but it's frankly irresponsible to say that users should just assume all of
their browsing will automatically be covered, regardless of what the top sites
are doing. I am primarily visiting tech sites nowadays and I _still_
occasionally run into sites that aren't encrypted. And that's nothing to say
to the fact that there are multiple ways of configuring SSL and not all of
them are equally secure.

This is just in my browser, which punishes sites with insecure warnings if
they're not encrypted. How many native apps are sending unencrypted data given
that there's no punishment and that the user gets zero indication of the SSL
status? We know from the IOT industry that a lot of these products and apps
are regularly getting rushed out the door.

Of course, VPNs only encrypts the data between you and the provider. But we
don't live in a world where people are primarily using desktop computers. Most
users are going to be on tablets, phones, and laptops, and they travel. And
no, public networks are not the only risks -- even if a network forces you to
put in a password you still don't know how that network is configured, you
still don't know what vulnerabilities exist on it.

If you don't know who set up the network, you should treat it as if any
unencrypted data could be intercepted before it reaches the router. And you
should be suspicious of the router/provider itself, particularly if it's wifi
being offered by a store/hotel/airport, or other commercial entity.

And that leads to the final, big objection -- the idea that VPNs are harmful
because all they do is shift the trust model. If you're in the US, unless you
are very, very lucky, you can not trust your ISP. Shifting the trust model is
not a fatal flaw, it is literally the entire point.

Yes, needing to trust someone is not ideal. But my VPN provider has more of an
incentive to take care of my data than my ISP does. If you're using something
like Proton or PIA, then I feel very confident saying that I trust both of
them more than Verizon or Comcast.

So I agree that bulletproof claims that come from VPNs are often inaccurate. I
agree that there are problems. I don't see this article as any less
sensationalist and inaccurate than the provider claims though. VPNs are just a
kind of crappy solution we're stuck with, and absent everyone moving to Tor, I
have yet to see anyone propose a better solution.

~~~
AstralStorm
Why would everyone have to move to Tor? It already works, and there are good
solutions for securely running it, like whonix. (Much better than just Tor
browser alone, which is still necessary.)

Compare that to random commercial VPN app...

~~~
danShumway
You may have misinterpreted what I meant by that, or maybe I didn't phrase it
clearly.

I don't mean that Tor will work better if everyone uses it. Quite the
opposite, it will slow down considerably.

I mean that anyone who isn't using Tor needs a different solution. We have two
solutions being proposed to the problem of leaking IP addresses: VPNs and Tor.
Unless our plan is to move literally everyone onto Tor, we need a non-Tor
solution for the people we don't move over.

------
bee-boop-19
So if VPNs are basically no good for keeping yourself anonymous, how do you?

Or is the solution multifaceted and you should use a combo of VPN, don't logon
to services connected to first party data etc.?

~~~
jaimex2
Yep. And use Tor instead.

------
tylerl
I remember specifically the same video the author was talking about
([http://youtu.be/1PGm8LslEb4](http://youtu.be/1PGm8LslEb4)), and I also
cringed when Destin read the ad copy for ExpressVPN.

Commercial VPNs are the homeopathy of the Internet.

They're selling snake oil. For all but the most impossibly pathological
customer scenario, nothing that a commercial VPN can give you will actually
protect you in any meaningful way. But they can hurt you. Since there's no
quality control of any sort, and since their customers are self-selecting for
dangerous behavior, it's a horrible environment to go mixing your traffic
into.

------
firexcy
Each time a podcast praises the credibility of a VPN sponsor, it reduces the
credibility of the very show in my mind.

------
nij4uyr
What VPN provider would you guys recommend?

~~~
mirimir
For several years, I've been recommending AirVPN, Insorg, IVPN, Mullvad and
PIA. So at this point, I can say that they've all been around for several
years, and I've heard nothing bad about them.

Ones I have heard bad things about are EarthVPN, HideMyAss, Proxy.sh and
PureVPN. And although I've heard nothing bad about ExpressVPN or NordVPN, the
fact that they've bribed so many review sites to recommend them annoys me.

And yes, I have written stuff for IVPN.

~~~
kmonsen
I signed up for ExpressVPN before visiting China due to all sites recommending
this (I badly wanted Google maps and Google to work). ExpressVPN does not work
in China so either something changed very recently or a lot of people have
been bribed to lie.

I would not trust ExpressVPN anymore for anything.

~~~
atr_gz
ExpressVPN works well in China, although there was a week in March where it
was very spotty. I'm using it right now.

I agree that it's annoying how many review sites are getting paid to recommend
them, but the service actually has been good for the last year.

I've tested several VPNs here, including Mullvad and Nord. ExpressVPN has the
fastest speeds by a quite a bit.

However, self-hosted is much faster still. Unfortunately, it's less reliable.

~~~
11430C3E
"Works in China" as an unqualified statement is useless, equally "ExpressVPN
does not work in China."

Are you in Beijing or Shanghai? Are you on China Telecom or China Mobile? Are
you using the Sweden 2 or the Hongkong 3 server? Every permutation of those
variables can have a different answer, and that answer can change from day-to-
day.

My experience is that in southern provinces and bigger cities it is _more
likely_ to work at any given time. But things change.

> However, self-hosted is much faster still. Unfortunately, it's less
> reliable.

Using a CN2 VPS is definitely a :racecar: in my experience. I primarily use
shadowsocks instead of a proper VPN because moving to a different port when
the interference starts is usually sufficient.

~~~
atr_gz
I disagree that the statement is useless, but here's some more info for you. I
use China Telecom and China Mobile. Haven't tried China Unicom.

ExpressVPN has a message on most of their apps saying to use Tokyo 1, HK 4 or
5, Los Angeles 5, or UK Wembley when in China. I have used all of those
servers, although HK 4 and 5 are the fastest.

I've used Shadowsocks and ShadowsocksR for my VPS. Switching ports will work
for a while, but I've always found the server will get blocked eventually,
possibly due to "active probing" as defined in this paper[1].

This person[2] suggests hosting a website from your Shadowsocks server as a
cover, but I haven't tried it yet.

[1][https://conferences.sigcomm.org/imc/2015/papers/p445.pdf](https://conferences.sigcomm.org/imc/2015/papers/p445.pdf)

[2][https://medium.com/@phoebecross/bypass-gfw-
china-2019-dc5959...](https://medium.com/@phoebecross/bypass-gfw-
china-2019-dc5959658c3b)

------
pulketo
Lethean VPN is the answer to that question... as there is no credit card, just
pay with cryptocoins ;)

------
kevingrahl
Great article for bringing across the basics and I do wholeheartedly agree
that just because a VPN promises to do X it doesn’t necessarily have to do
that and that the advertising is sometimes deceiving, but I don’t agree with
everything OP said.

> in theory, your ISP could keep a list of all domains you requested and based
> on that, they would have a pretty good understanding of what you were doing
> online

I would argue that this is not theory but reality. In the EU you have the Data
Retention Directive forcing telecoms to store metadata for a period of between
6 months and 2 years for example. [1]

> With a VPN, all you end up doing is shifting the trust from one party to
> another. You are not gaining anything.

I know this article is about commercial VPN’s but what if I run my own VPN?
Then I do gain some privacy. I’m not saying to use a self hosted VPN and
you’re good to go; a VPN in my opinion is a vital part to improve privacy but
it’s just that, a single part.

> what is your reasoning behind trusting an anonymous company [..] more than
> you trust your ISP, which is a big company with [..] something to lose?

I’d argue that a VPN, even a commercial one is more trustworthy than my ISP,
who doesn’t need to care if I trust them. It’s in the interest of my VPN to
protect/delete my data if they say they do so. My ISP does not make that
promise, quite the contrary actually.

> if you pay for a VPN service, [..] your VPN account will be linked to your
> actual identity

It’s entirely possible to pay for a commercial VPN anonymously, Mullvad for
example offers the option of paying via cash that you physically mail them.
[2] Many offer payment with crypto currencies.

> Large commercial VPNs [..] make governmental surveillance easier.

That’s not true and it’s what bothers me the most about this article. Why
wouldn’t my government just get the data from my ISP? There are far less ISP’s
than there are VPN’s. In Germany for example Telekom alone had around 18
Million customers in 2017 and Vodafone had another 10 Million. I’d assume
strongly that you’d have to get to a lot of VPN providers to reach nearly 20
Million people. Personally I just assume that every request I make with my
ISP’s DNS is known to my government.

Another thing: a VPN can protect it’s user. In Germany for example it should
be expected that when you torrent copyrighted content, like a movie, you’ll
get a letter from a law agency like “Waldorf Frommer”. Those law agencies only
purpose is to go after copyright infringement by connecting to the torrent
swarm and logging IP’s. They then ask your ISP to hand over your address and a
week later they’ll send you a letter asking for fines in the realm of €1k. [3]
They sometimes go to court to collect those fines. Regardless of how you might
feel about copyright infringement that is a valid use case where a VPN will
protect it’s user.

[1] -
[https://en.m.wikipedia.org/wiki/Data_retention](https://en.m.wikipedia.org/wiki/Data_retention)

[2] - [https://mullvad.net/en/](https://mullvad.net/en/)

[3] - [https://www.heise.de/ct/artikel/Ignorance-isn-t-Bliss-
Rights...](https://www.heise.de/ct/artikel/Ignorance-isn-t-Bliss-Rights-
Holders-Threatening-Lawsuits-against-Refugees-in-Germany-3127309.html)

------
ysw0
Run PiVPN on a t2.nano on AWS. Takes 15 minutes to set up. $5 / month for the
instance and 9 cents / GB. Turn off logging. Will cost you a bit more than
real VPN services but is completely private.

~~~
deno
How is this private? You literally get a private IP directly tied to your AWS
account, and by extension your CC.

An actual attempt at privacy would involve chaining at least two VPNs and
paying anonymously. Starts to look a lot like TOR, doesn’t it?

This issue with VPNs is, as the article states, people will just use them to
log in to Facebook. It’s like putting on fake nose and glasses while at the
same time wearing a t-shirt with your name and social security number.

However VPNs are brilliant for getting around horrible ISP, e.g. to
participate in P2P networks. In that case, paying for GB is not very ideal.

------
ddtaylor
Likewise, if you're "tired of getting your passwords stolen" sign up for XYZ
where all your passwords are stored on their servers!

------
akaij
just a small correction: it's Wikipedia that's blocked in Turkey, not YouTube
(anymore).

------
paultopia
A charming piece of evidence for the IP addresses aren't actually all that
useful for tracking point is just how easy it is to evade volume-limitation
paywalls on sites like medium: open a clean browser, oh hey, the website has
no idea I've already read 3 of your crappy clickbait articles this month!
Clearly wouldn't work if they bothered to keep track of IP addresses in
addition to cookies or whatever.

------
ignoramous
Any claim regarding anonymity is hard to uphold. The tor project makes it clear that
using tor-as-a-proxy is suicide for anonymity [0], so there's nothing VPNs
could do that tor doesn't do better. Also, anything stupid one might do at the
application layer can absolutely make tor useless in protecting your identity
let alone the VPNs (like updating OS over tor, or accessing email, WebRTC apps
and the like). So, the author is right on all accounts, but one needs VPN for
similar reason one needs IPSec _and_ TLS-- there are multiple levels to it.

Here's why I think using a VPN makes sense:

1. ISPs cannot track and mitm you. ISPs have MiTMd https [1].

2. Circumvent censorship, esp DNS manipulation attacks.

3. Prevent user profiling: traffic meta-data analysis (what IPs you connect
to, what protocols you're using and so on) [2].

4. A lot of propaganda is targeted at a demography in a particular location.
Tunneling traffic through a VPN might mask your location unless the app or
website had access to it prior, and fingerprinted you already [3].

Sophisticated actors can still do all of the above VPNs or not.

The trackers have it too easy and use IP addresses as a signal. Masking IP
address is one signal less. Then, up the stack at the application layer, it's
up to the end user to make saner choices. That isn't on a VPN provider or Tor.

VPNs could def do better:

1. Firewall known trackers server-side. Similar to how browsers today
block known rogue websites that have been caught phishing or spreading
malware.

2. Stripe traffic over multiple exit IPs. Much like Firefox's multi-account
containers.

3. Let the end user analyse their traffic client-side, and help them take
control over what the client should send and not send.

4. Open-source their stack, and provide ability to inspect what's running on
the servers.

5. Provide technically better internet experience by accelerating traffic
over uncongested paths, provide better connectivity over lossy networks
[4][5].

If VPNs aren't improving the experience and if IP masking is all you need,
then remember, Tor is free [6], and is pretty decent in terms of speed and
latency these days.

--

[0]
[https://trac.torproject.org/projects/tor/wiki/doc/Transparen...](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks)

[1]
[https://news.ycombinator.com/item?id=495830](https://news.ycombinator.com/item?id=495830)

[2]
[https://news.ycombinator.com/item?id=11278784](https://news.ycombinator.com/item?id=11278784)

[3] [https://panopticlick.eff.org](https://panopticlick.eff.org)

[4] [https://blog.cloudflare.com/1111-warp-better-
vpn/](https://blog.cloudflare.com/1111-warp-better-vpn/)

[5]
[https://news.ycombinator.com/item?id=19543085](https://news.ycombinator.com/item?id=19543085)

[6]
[https://guardianproject.info/apps/orbot/](https://guardianproject.info/apps/orbot/)

------
GlitchMr
> “Your IP is used for tracking and leaks private information. You should hide
> it.”

There is a lot of marketing, agreed. However, those messages do serve a
purpose - they make it clear you configured that particular VPN correctly and
that it works.

> IP addresses for user identification

Yes, there are more factors than just IP. Clear cookies, use uBlock Origin and
HTTPS Everywhere, and know you can be tracked anyways, especially if you log
in to the sites you have ever used without a VPN. For stronger privacy
protections, use Tor Browser over Tor - Tor is better in terms of privacy, but
due to Tor being heavily abused, a lot of services outright block Tor IPs or
put you into reCAPTCHA hell, so it's not really suitable for day-to-day
browsing, unlike a VPN you can set up and leave it turned on all the time.

> Location leaking

It's not always the case that the IP provides inaccurate information. Out of
curiosity, I disabled the VPN, and went to
[https://www.privateinternetaccess.com/pages/whats-my-
ip/](https://www.privateinternetaccess.com/pages/whats-my-ip/). The guessed
location was within 120 meters of an actual location, on the same street, in a
big city. Sure, it doesn't point to an actual building, but it is dangerously
close.

Just to be clear here, I don't use PIA as my VPN, they have a good
demonstration of an issue however.

> “Network Encryption”

This is accurate. Part of why having HTTPS everywhere improves the security.
Keep in mind however that SNI and the IP you are connecting to is not
encrypted. This may change however soon (while you cannot really "encrypt" IP,
a lot of websites are using services like Cloudflare, essentially preventing
anyone on a path from guessing the website you are connecting to).

> What about “DNS leakage”?

The thing about DNS is that if you are using your ISP DNS while using a VPN,
you are leaking information about your ISP. To prevent DNS leaks, you
should be using a DNS provider not provided by your ISP, and if you don't have
any idea which DNS to pick, many VPNs provide their own DNS.

> The “no logs” thing

The article is arguing that paying with a payment card will leak your
identity. This is true. Pay with cash, gift cards, or cryptocurrency (although
this is a complicated subject, Bitcoin is tricky to pay privately with, I use
Monero myself for VPN payments).

About logging, this is a complicated subject. The answer is: you have to trust
the VPN. Read the privacy policy to tell how serious they are about "not
logging anything". Generally, avoid any VPN that over-promises what it can do,
a VPN is not "100% effective" whatever that means. Look out for conflicting
messages in privacy policy, anything that goes "we don't log" and then later
"except we log" should be avoided.

As for trusting your ISP - look, most ISPs don't promise "not logging", and in
fact, where I live, they have an obligation to log.

In the end, don't rely on "no log" policy. It should be here, but assume the
VPN is actually logging.

> Using a VPN does not make you anonymous.

Yes. If you violate the law, unless you are really careful, the law
enforcement will find you. The police may be able to ask Google to provide
details of an e-mail account using this IP address (from your VPN). VPN will
however protect you from people finding your IP address, contacting your ISP
claiming to be a copyright owner needing user's details for a lawsuit - most
ISPs will just give the details with this simple attack, and it doesn't matter
whether you have downloaded or not, "no logs" VPNs won't.

In short, a VPN won't magically protect your address if you send it over the
Internet. It cannot do that.

> Security issues in VPNs and their clients

Yes. All software can have vulnerabilities, this is nothing new. To improve
your security, don't use the official VPN client but use an OpenVPN/WireGuard
configuration file - if a VPN doesn't provide it, then don't use it.

> VPNs are a central point for attackers

So is your ISP. All software can have vulnerabilities.

------
dosy
aside: bandwidth is super expensive in all cloud services, how do VPN make
money?

~~~
profmonocle
Cloud services aren’t the only way to run a server. They could just set up
servers in a colocation facility and pay for bandwidth by the Mb/s.

