VPN – A Very Precarious Narrative (overengineer.dev)
98 points by vikrum on July 9, 2021 | hide | past | favorite | 48 comments



Yes the narrative around VPNs is misleading and maliciously deceptive. Non-technical people know enough to know they might benefit from a VPN, but not enough to know how to pick a good one—out of the frying pan and into the fire! In some cases I know people who use free VPNs!

In my case, I live in an authoritarian country and don't trust the government so I VPN somewhere else. I used to roll my own WireGuard setup with Algo, but found that common VPS providers are on some kind of lists that make them subject to CAPTCHAs or even outright blocked, so now I use a commercial VPN provider (Mullvad).


If your government is that bad, wouldn't it make sense for them to go after people simply for using VPNs? If I was trying to control information in a country, I would be throwing people in jail if I see they're connecting to known VPN services or Tor.


That would cast the net waaaaay too wide.


"promoting commercial VPN providers as a solution to potential issues does more harm than good."

Reminded me of:

Don't use VPN services

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

https://news.ycombinator.com/item?id=16371030 (2018, 196 comments)

https://news.ycombinator.com/item?id=21326484 (2019, 262 comments)


If you're using a VPN to hide from the government, then no.

Governments have government-level resources, and I think a lot of people really don't understand what that means in 2021. They can and do track everything you do online, and analyze every phone call you make.

But they only really care about threats to their own gravy train.

That's why an entire year of riots and looting garnered bent knees, but a single incident of trespass had the Capitol under full military occupation for months, not to mention the incredible propaganda campaign, and that was just the start of the fun.

The message is clear: do whatever you want in the Districts, but don't mess with the Capitol or its supply of champagne.

Those are easy rules to follow.


I think that this Tom Scott video summarizes the same sentiment nicely, especially around the VPN ads on YouTube: https://www.youtube.com/watch?v=WVDQEoe6ZWY


Perhaps the most interesting point, which I hadn't considered in all of this, is the amount of advertising and discounts offered by VPN companies. Bandwidth is relatively expensive for a fixed price service. If a VPN is expecting you to slurp down gigabytes of data overseas each day, surely that transit has a cost, right?

Why is it that some services offer astounding 93% off discounts [0]? Why is it that they almost always have capital to sponsor seemingly all sorts of random assorted content?

Tom Scott has a bit of a point: it's really odd that there are just so many of these companies, and they offer very suspiciously good prices. Is that the byproduct of everyone buying and not using VPNs? Or something else?

[0]: hxxps://www [dot] bleepingcomputer [dot] /offer/deals/new-deal-93-percent-off-a-windscribe-vpn-pro-lifetime-subscription/


Commercial bandwidth is pretty cheap. You can get servers for a few hundred bucks a month that have one gbps unmetered bandwidth. Then just oversubscribe as much as possible, and the end result is a few bucks a month per user. The discounts are arguably a bit of deceptive marketing, as I've seen some of those services run the same 90% discount campaigns for years. At that point it's the base price, not a discount. The number of options is easily explained by the low barriers to entry, as virtually all of these services just stick a GUI on top of OpenVPN.


You have a point about oversubscribing, but you can't really run a VPN service on just any cheap server hosting you can find. That will basically ensure you're on every blocklist under the sun and that defeats the main use most people have for VPNs.


You can get bare metal servers with unmetered bandwidth from Hetzner for way less than $100 per month. These IPs aren't in the ranges that are usually blocked by Cloudflare etc.


Those get you two countries, Finland and Germany. Most VPN countries advertise dozens or up to a hundred countries. Add in OVH, who also have unmetered, and you also get Canada, France, the UK and Poland. A good start, but I don't think that is what these VPN providers are doing.

Those ranges are also often blocked by sites like Netflix, which wouldn't play well with the VPN customers.


The offers for ridiculously long term (2+ years or lifetime) discounted service seem like bets that most users are not going to be long term VPN users. If the objective is to make a user pay $60 for a product they’ll use for a week or two and forget about, just extend the term out as far as you want to make it seem like a better deal.


The simplest explanation is that bandwidth is in fact not expensive and most people are light users.


The best way to manage this is to have a Tier 1 peering agreement, so you pay nada for bandwidth.


The main reason I started using a (paid) VPN is because I legitimately don't trust my phone company to not track what websites I go to. I trust a company I pay to not do that much more.

I absolutely expect a typical phone company to do this regularly since they have the required access, their customers mostly aren't savvy enough to realize it's possible, and they don't get paid to not do it. I realize you're merely shifting who you trust, but I would trust a company I pay to keep my browsing private much more than a phone company that wants to make every possible penny off of me.

Is this not actually a valid use case?


The way I understand it is that if you don’t trust your ISP then a VPN is a suitable choice, if you don’t trust your government then much more serious technological measures are required and even then it’s fairly unlikely you’re winning against a state organisation that’s decided it specifically doesn’t like you.

I don’t trust either my government or my phone company to be honest, but I’m not doing anything that would offend my government so I’m not enormously worried about them while my ISP and phone company have a strong incentive to abuse my privacy and monetise my traffic further. Even if they didn’t, VPNs offer protection when using public WiFi which can often be badly set up. Having said that using a free VPN is asking to get mugged off in my opinion, paid VPN providers at least have an incentive not to compromise your privacy as it’d be bad for their business.


>it’s fairly unlikely you’re winning against a state organisation that’s decided it specifically doesn’t like you.

My threat model isn't that the government has 11 people dedicated to tracking my every move, each with license to use zero-days to get access to my deepest secrets.

It's that they're engaged in dragnet surveillance with all domestic ISPs and someone somewhere will one day either run a search on my name looking for something specific or look for a name linked to something specific (people who visit X website).

If that happens I'd like what pops up to say "oh, he used a foreign VPN for 6 years" while others will have every nook and cranny of their lives on full display.


I tunnel everything through an overseas server for the same reason, but it's waved away in the blog as "not gaining anything" and "shifting the trust from one ISP to another" - Well, yes. That's the point.


>Geolocked content

>In those cases, using a VPN which allows you to select the country you would like to be in can be beneficial. Again, unless you expect your data to be magically protected, this is an awesome use-case for a commercial VPN!

Sure, the VPN websites are full of dark patterns and tout non-existent benefits, but in reality I don't really know anyone who uses a VPN except for this exact use case.


It's the only reason I've used a VPN occasionally. Watching the soccer world cup etc. Unfortunately, streaming sites seem to have figured out how to detect VPNs so it was no longer useful when I wanted to watch The Great British Bake-Off in 2020.


I assume that commercial VPN providers are actually fronts for some government that wants to snoop on traffic without having to tap fibers everywhere.

[Edit] Consider if it were the [redacted] government looking for people to have leverage over in the future in their target country.


As always it depends on your threat model.

Are you trying to torrent without being banned by your ISP, or even to do some mildly illegal stuff such as buying drugs, hate speech or hacking some irrelevant company? The VPN is probably fine. The NSA aren't going to risk giving up their backdoor for something trivial.

Planning to run an international terrorism ring aimed at taking down western governments? I certainly wouldn't trust a VPN for that.


I'd be really surprised if at least a few of them aren't run for the benefit of state-level actors.

With innocuous taps in place, most of the employees of the VPN service could even be kept in the dark about its true purpose.

Reminds me of Crypto AG: https://en.wikipedia.org/wiki/Crypto_AG


If that were the case, shouldn't they target their advertising a little... better? If you sponsor random YouTubers you're just going to mostly gather cat pictures and/or torrenting activity, which isn't too valuable. If it was really a front they'd advertise to criminals, like how the FBI's ANOM app was targeted towards criminals, not the general public; otherwise they'd get a lot of sexts and very few drug deals.


Starting a VPN is super easy, so I'd imagine it's mostly people who want an easy cloud-based revenue maker. You probably don't even need to program anything these days to start one. Low barrier of entry and decent(?) margins, low initial investment. Maybe I should start one.


The advantage of using a commercial VPN is that it only might be a front, and if it is, it could be a front of a government of a country that you aren't in, whereas my ISP for sure does the bidding of the government that has direct influence over my life.

It's a sad state of affairs, but seems unavoidable. Being truly anonymous is extremely difficult. Being anonymous to a selective set of entities is easier, if you aren't a targeted subject of their interest.


Your assumption being that the government is after you specifically? That's unlikely. What's a lot more realistic is that autocratic and totalitarian governments collect all these data to analyze trends and find out how to better influence people or shut certain developments down before they reach critical mass. That is assuming they are a government front, because they could also just be private individuals snooping through and selling your data.


> the government is after you specifically

Not specifically and not today, but they are collecting and archiving data just in case they do find me interesting in the future.

While it's less likely that some foreign power will ever find me interesting.


How is it less likely? We're living in an ever more globalized world, there's ample evidence that for example the Chinese government collects tons of data on foreigners. Depending on which country you live in foreign governments may be collecting more data than your own.

Telling people to use a VPN as an easy fix for privacy makes their privacy worse. They need to look into and understand how to make their traffic secure, how DNS works, how to use proper encryption, etc. There sadly isn't a simple fix, just like with most things in life. What you do with a commercial VPN is give control over your traffic into the hands of some completely unknown and often very dodgy looking business. One that, like you and others noted, might not even be a business at all.


I didn't say they don't collect the data, of course they do, just like the USA collects data on foreigners.

Just that they have less reason to find anything about me interesting than the USA does since I live in the USA.

> What you do with a commercial VPN is give control over your traffic into the hands of some completely unknown and often very dodgy looking business.

As opposed to my ISP, who has only my best interests in mind?


OTOH, if I was a government I'd be way more interested in the stuff that people decide they should send over a VPN.


I much prefer DNS unblocking to VPN. It's not foolproof, but when it works, you get your connection's full speed and latency instead of having a VPN all the way to India and back for all your traffic. This is for 1 specific use-case.

For coffee shops and other free wifi places, as the author mentioned, VPN is better.

DNS-only VPN connections are also useful for when you don't want to use the DNS of the connection provider which blocks your DNS of choice but not VPN. E.g. mobile phone.

It all comes down to the right tool for what you need to do. The author is correct when they say that most people don't know what they're getting, but generally, a VPN is not more harmful than their home connection.

Even the free ones.. and you know what.. you can use your own DNS server of choice with the free VPNs instead of theirs if you configure it correctly. So they log that IP address connected to IP address. Have fun with that info, it's really not very useful. Big downside to the free ones is that they are known IPs and already blocked from connecting by the service.


DNS geoblocking doesn't exist. If you have issues resolving domains with your ISP's DNS then just switch to Google's public DNS 8.8.8.8 and 8.8.4.4.

Geoblocking is a different thing entirely, where the (web) server refuses to offer content because of your IP address. This can't be circumvented without some kind of proxy or VPN.


Using a smart DNS to masquerade as being in a different country to have it route differently to you does work often. I'm not talking about entering in some new address in Windows, by itself that won't work at all.


> Providers claim that your IP address leaks tons of private information, even your physical location, and they also claim that IP addresses are used for tracking. I call that fearmongering and deliberate misinformation.

Well heck, I guess we can tell the Tor Project to shut down then.

Everybody can go home, IP addresses don't leak private information and they aren't used as a fingerprinting vector. Apple's going to be so embarrassed when they find out that their private relay service is completely useless. Egg is gonna be on their face for launching such a misguided privacy initiative.

I don't mean to be too dismissive or sarcastic, but I don't understand why people are still linking to this article. It is such a wildly dismissive, deceptive claim to say that IP addresses don't matter. We're coming out of a controversy where the OS community literally called Audacity spyware because it uploaded users' IP addresses as part of telemetry. But in your web browser, suddenly that doesn't matter? Be serious.

> Generally speaking, DNS is unencrypted, which means that everyone between you and the DNS server can read your DNS queries. There is nothing too private in there, as the query is basically a simple “Hey, can you tell me the IP for overengineer.dev?”

Ugh. The domains I visit are private information. Obviously they are. And on public networks, DNS sniffing isn't restricted to just an ISP, there are lots of ways you can get your DNS compromised before Comcast gets involved. And while DoH is a very good idea and it is good that it is being rolled out by default in multiple browsers, at the time this article was written it had not been widely rolled out, and in fact it still is not universally rolled out today, and even when it is rolled out to everyone we still will have a long way to go on eSNI and TLSv1.3.

So minimizing the domains you visit as if they aren't personal information, and telling people not to worry about DNS leaking because of a technology that might mitigate the problem in the future -- I feel like that is just a very irresponsible thing to write. It doesn't accurately describe the state of security for browsers today.

> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.

The entire "shifting trust" argument is probably doing more harm than good at this point. People have gone from saying "a trustless system should be preferred" to saying that all systems that involve trust are equally insecure, a gross misinterpretation of how trust works.

In the real world, 90% of my security is "moving trust". I choose who has a key to my house. I choose which payment services I'm willing to give my credit card number to. I choose which programs to install on my computer based on which authors I trust. I choose which email host to use. I choose what search engine to use.

Some people and things are more trustworthy than other people and things, and it is beneficial to make educated decisions about which entities you trust with your data.

The big problem with VPNs is not moving trust, the problem is that it is fundamentally difficult to determine whether any given VPN provider is trustworthy. Yes, the better solution here is stuff like relays, we are starting to see from companies like Apple that at least semi-trustless IP address masking is possible in some contexts. And we should move in that direction. But "shifting trust" is not the slam-dunk argument that people think it is, shifting trust is a completely normal way to increase security.

----

The author starts with some legitimate, accurate points: that many VPN companies are scuzzy, that ordinary users attribute more privacy to VPNs than they should, that VPNs are not a protection against Javascript fingerprinting, and that many VPN companies misrepresent their products. But the author undermines those points by being extremely cavalier about privacy and security risks that we generally understand are real threats.

In doing so, the author robs themself of their credibility.

It is actually really important to talk about the harm that misinformation about VPNs can do to ordinary users, and to talk about alternatives that people can use depending on their situation and threat model. So acting like IP addresses aren't personal information, making these kinds of dismissive claims that are trivially provable as false -- it does the author no favors; it makes it harder to have conversations about real flaws in the VPN ecosystem. We know that DNS leaks matter because otherwise we wouldn't be building DoH. We know that IP addresses matter, because otherwise Tor wouldn't have onion routing. We know that public networks are not trustworthy, otherwise we wouldn't be talking about stuff like router security and regulation for ISPs.

So what's the value in acting like the problems VPNs solve aren't real? They are real. That doesn't mean VPNs don't have problems, that doesn't mean they're not deceptive, but downplaying real privacy problems is not the way to talk about that.
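The DNS point made above can be seen directly on the wire. As an added example (not from the thread or the linked article), the following builds a plaintext UDP/53 query for a constructed hostname and then parses it back exactly as a passive observer on the same network or any hop before the resolver would, with no key or session state needed; the hostname, domain and transaction id are assumptions made up for the demonstration.

```python
"""Added example (not from the thread or the linked article): what an on-path
observer recovers from a plaintext UDP/53 DNS query. Builds a query for a
constructed hostname, then parses it back the way a sniffer on a shared
network would, with no key or session state needed. Wire format per RFC 1035."""
import random
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, zero-terminated."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursive query: 12-byte header, one question (qtype 1 = A)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(data: bytes, offset: int) -> tuple:
    """Decode labels at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # top two bits set: 14-bit pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def observe(packet: bytes) -> dict:
    """Parse what a passive sniffer sees: txid, direction, every question."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions}


if __name__ == "__main__":
    # Constructed hostname; any name resolved over plain DNS is just as readable.
    print(observe(build_query("mail.example-clinic.test", txid=0x1234)))
```

Running it prints the full queried name recovered from the bytes alone, which is what DoH or DoT removes from the view of everyone between the client and the resolver.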


To be fair: sending an IP address is an unavoidable side effect for every service via Internet Protocol.


For all the projects Mozilla has done that seemed to stray from their core mission, I'm glad they have a paid VPN. For those times it's needed, I really like having one from an ethical organization.


I do worry that some of Mozilla's "projects" -- especially the ones that try to stop things like "disinformation" and "online hate" -- will eventually come into conflict with the core mission of privacy. We've already seen this to a degree with Firefox telemetry (where collecting more data for the product team was deemed more important than users' privacy) and the Mozilla Manifesto Addendum (which replaced the vision of an Internet controlled/shaped by individuals with a set of specific goals Mozilla has for the entire Internet).


ISP: lives in your country, so they can be coerced by law enforcement to give away your data.

VPN: usually lives in another country. Much harder to coerce.


Unless it's actually owned by an entity in the country you're avoiding.


>I just happened to use ProtonVPN for this example, so I should be protected very well, right? How come they claim I am unprotected? That

I am surprised at that, considering the photo shows an IP from Contabo (a cheap German VPS/dedicated server provider). I run a WireGuard server on a VPS. Seems like a surprise because of ProtonVPN's choices.


No need to get upset over this marketing - the kids know what's up and the real use of VPN which is safely pulling torrents of copyrighted material. Of course marketing that would get the VPN companies into trouble fast, so lacking a better message, the security angle is what they got.


Mozilla VPN is the only one that seems trustworthy now, but I heard there are a few others worth looking into.


Isn't Mozilla's VPN just Mullvad?


But with Mozilla, a trustworthy party, more or less certifying it after doing the investigating for us.


VPNs are fine for normal people. The post is misleading. Just do some quick research on the VPN company.


VPNs are unnecessary for most "normal people" and scaring them with false claims about security is immoral.

"Quick research" is also not even close to enough to ensure a provider is trustworthy. I work in IT and still I'm not even close to certain I could be sure that a provider is good without quite extensive research. I can't imagine a "normal person" could do much better.


> VPNs are unnecessary for most "normal people"

Normal people watch porn and get torrents too. So, necessary, at times. Having it always on helps cloak your browsing history, and searches in incognito tabs, which is always good too, these days.

> a provider is good without quite extensive research

No need to be extensive, you're not hacking banks, are you? And you do research only once.



