Will VPNs Protect Your Privacy? It's Complicated

From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.

"analyzed 443 open proxies"

[Anonymous Coward]

You are aware March has got 31 days, not 30?

Re:

[Anonymous Coward]

Dude, Donald Trump is president. April 1st started more than 2 months ago.

Re:

[suso]

You are aware March has got 31 days, not 30?

There is a bill going through Congress right now to change that.

Because you can choose your VPN...

[ctilsie242]

With ISPs, you can't really choose who gives you the pipe to your home or school. You may have a telco, and a cable company, if that.

With VPNs, if one is found to be selling data, you can switch in a heartbeat.

Then, there are the privacy policies. A VPN having a privacy policy of not handing your traffic over will get in a lot more trouble if they sell that data than an ISP that has a privacy policy of "if it goes through our fiber, we can do what we please with it."

VPNs are not perfect... but they do help significantly. It is sad that things have come down to this, as it makes police work a lot harder once the bad guys "go dark", but people are tired of having their data sold, or advertising IDs added to non-encrypted traffic.

Re:

[ctilsie242]

Very true. However, for a lot of items, that isn't a big issue. I'm not running P2P clients, but oftentimes doing web browsing and such, where it doesn't take that much bandwidth.

There is always the option of creating a VPN server on AWS, but I'd just rather use a known good service which can be cheaper.

Re:

[Anonymous Coward]

True, but there aren't a ton of sites that will stream data to you faster than what a VPN allows. If you're mass torrenting, yeah, it might slow you down, but if the most strenuous thing you do is watch videos on website, it'll be fine.

Re:

[amxcoder]

Depends on how much bandwidth you have natively. I have 240Mb/s when testing just through my router. However, if startup a VPN, and try another speedtest (same day, similar time frame, trying to see side by side comparisons), I get at best less than 1/2 that, and many times way less than that. Granted, you can still do quite a lot with 50Mb/s but it isn't even consistent, because it depends on what node you connect to, and where they are located. One time you connect and you might get 50, another time,

Re:

[DuckDodgers]

This is my concern. There are six people living at my house, we use between 600-900GB of data per month (mostly on Youtube and Netflix). It does no good for me to get a VPN if we can't use it.

Has that ever happened, even once?

[raymorris]

> A VPN having a privacy policy of not handing your traffic over will get in a lot more trouble if they sell that data

I'm not so sure. Has ANY VPN provider EVER been busted for that, or anything like it? Can and do the owners of the VPN services hide their identity? It seems to me the big ISPs are very slightly more accountable - they are regulated and we all know exactly who they are.

Re:

[EndlessNameless]

they are regulated and we all know exactly who they are.

Except Congress just voted to eliminate privacy protections, and corporate officers aren't liable for business decisions anyway.

So the company just writes another check (and probably for less than what they gave to the Congressmen).

Re:

[bheerssen]

Eh, Congressweasels can be bought for shockingly little. Even a slap on the wrist fine is likely to be much larger than what the ISPs pay in political contributions.

Re:

[Altrag]

There's not really anyone who would "bust" them. That would be essentially a breach of contract which is a civil matter and their customers would have to bring the suit -- the same customers who are concerned about people knowing what they do online.

Of course if any VPN provider was caught selling data, the media would likely be all over it. The bad PR would probably be worse than any fine given that the entire reason people use them is to avoid exactly things like that.

That said, if VPNs do end up going

Why Not

[Anonymous Coward]

Just spin up your own VPN server on one of the cloud providers? The cost of a low resource machine is negligible, even better, you can spin up a new machine (with a new external facing IP) each time you need to use it.

Re:Why Not

[MightyYar]

Can one pay for a cloud service anonymously?

Re:

[JoeMerchant]

One can "borrow" a credit card to sign up for the free tier service, theoretically.

Re:

[MightyYar]

I'll borrow my wife's.

Re:

[mridoni]

No, and BTW they can possibly seize your server, but we are not talking about perfect anonymity, just improving privacy, and a "home-made" VPN goes a long(er) way towards that.

Re:

[whoever57]

You can pay for services with pre-paid credit cards (AKA gift cards).

Re:

[dmt0]

Some VPNs accept Bitcoin as payment

Re:

[Anonymous Coward]

Bitcoin isn't anonymous.

Re:

[MightyYar]

That looks like just a VPN service.

Re:

[Alumoi]

Sir, may I interest you in this bridge I have to sell?

Re: It's very simple

[Anonymous Coward]

He's somewhat on the right track... most EU countries have extensive data privacy laws and a responsible regulatory body. The USA has mostly nothing and places the "burden" of privacy on the consumer, hence it is generally lacking. However, it's not clear cut as some EU CL countries are moving toward excessive data retention.

Proxies vs. VPN

[110010001000]

What does a VPN have to do with web proxies? I'm so confused by this website.

Re:

[b0bby]

That was my thought too. And the "free VPN service Hola" turns out not to be a peer-to-peer "VPN" service, routing users' connections through each other's devices.

In other words, if you actually get a VPN (which means you'll have to pay for it), from a provider who will not sell your information, then yes, it will protect your privacy.

Re:

[sexconker]

A VPN is a type of proxy.

Re:

[parkinglot777]

If you only think about connecting your computer to a remote server, then their functionality is the same. However, there are differences [quora.com]...

Re:

[110010001000]

It isn't a type of web proxy, which is the confusion. It really isn't a proxy either.

Competition

[Fire_Wraith]

Sure, a VPN proxy could monitor my traffic as much as my ISP can. Using https they might see where I'm going, but not the contents. The thing is, I can easily switch VPNs if I don't like the service, whereas in the US, I don't have that choice so much with my ISP, short of physically moving to another location. If I'm lucky, I might live in an area with two viable choices. In my current case, I can choose between Verizon and Comcast, which is like being asked to choose between gonorrhea and syphilis.*

And now thanks to the f*ckwit Republicans in control of Congress, my ISP can now sell everything it knows about me to anyone they like, without any recourse on my part, short of using some sort of proxy. At least with VPN proxies, there's no real barrier to entry, save for bandwidth capacity, and I can choose from any number of options, that I'm going to now have to start looking at.

*Apologies to gonorrhea and syphilis for comparing them to the likes of Verizon and Comcast.

Re:

[110010001000]

"Using https they might see where I'm going, but not the contents."

That part may or may not be true. You really don't know. That is a risk you take no matter who is in charge of your network traffic.

Re:

[sexconker]

Oh look, the binary guy being wrong again.

They can't see the content unless:

A: They're providing fake certs for the domains you're accessing and you trust those certs for some reason.

B: The client you use injects legit certs for the proxy into your OS's or browser's cert store for every site you visit. Many corporate network management systems do this. They inject bullshit certs into your machine as trusted for everything. You're fucked unless yo do something the client isn't aware of (like cert pinnin

Re:

[110010001000]

You are wrong of course. But everyone knows that except apparently you.

Re:

[turp182]

You could get both Verizon and Comcast at the same time.

I did this with Charter and AT&T when my wife worked from home.

Of course, with regards to your analogy, this doesn't sound like a comfortable solution.

Re:

[Tablizer]

I can easily switch VPNs if I don't like the service

AFTER the damage is done.

Re:

[interkin3tic]

My head hurts at your comment. Privacy is not like life. If you die, the damage is done. If you lose your online privacy, you can be private again the next day by switching. Furthermore, the exact same thing is true of ISPs, except again, you can't switch quite as easily.

Re:

[david_thornley]

Privacy isn't easy to regain nowadays. If someone publishes your connections to midget furry porn sites, that information is almost impossible to remove, and everyone from then on will be able to find out about your midget furry porn fetish. Your browsing history can hurt you even if it's all legal.

shady

[fluffernutter]

So he analyzed free proxies and some were shady? Is it a revelation that there are shady things on the internet?

Re:

[ctilsie242]

This. I wonder what he would get if he analyzed for pay services like HMA, VyprVPN, SwissVPN, ipredator, and other commercial offerings.

$10/month VM + SOCKS5

[Anonymous Coward]

n/t

Seems like it's somewhat worse than that...

[lazlo]

If you don't use a VPN, your data is vulnerable to your ISP. If you do use a VPN, your data is vulnerable to your VPN provider *and* to *their* ISP.

Maybe they've got a better (in terms of privacy) ISP than you do. But be aware that that is also a concern.

Re:

[ctilsie242]

How would the data be vulnerable to the VPN provider's ISP? The ISP I am using, their ISP, and everyone in between the endpoints sees a stream of encrypted traffic on port 1194. The ISPs can throttle or delay the traffic, but they can't really do much else.

Re:Seems like it's somewhat worse than that...

[sexconker]

Once the traffic reaches the endpoint (the other end of your VPN tunnel) its decrypted. The VPN provider and their bandwidth suppliers (The VPN providers ISP)can then see all your traffic :-)

The VPN encapsulation layer is decrypted. If you've got HTTPS inside there it's still HTTPS.
Further, you typically have many users connecting to one VPN. The VPN's ISP will have a harder time tracking any individual, and will not be able to associate traffic with a user at an address, a user of a certain age or sex, etc. The VPN provider could track in more detail, however, as they manage the individual connections, know who's paying for service (unless you're using fake info when signing up, paying with pre-paid gift card you bought for cash and NOT from a retailer, etc.).

Re:Seems like it's somewhat worse than that...

[Asgard]

If you don't use a VPN, *your* ISP can correlate all your traffic to your billing information (which is necessarily very detailed as they often have a physical cable to your location). If use a VPN, *their* ISP can only correlate that traffic to the VPN's billing info and not your own. Of course, the VPN provider can make this correlation but there are more options for VPN providers than ISPs in a given location.

Re:

[Asgard]

Responding to legal requests is significantly different than treating the data as a good to be sold though.

Re:

[thegarbz]

Maybe they've got a better (in terms of privacy) ISP than you do. But be aware that that is also a concern.

Their ISP would see the occasional packet of yours mixed in with a sea of other stuff pouring through continuously at high rates. Sure they may be able to identify the occasional packet of yours but tying it back to you would be incredibly difficult to you.

Your own ISP on the other hand sees "lazlo visits fetlife.com 10 times per week, mostly on Saturday at 6:50pm"

They can, but they likely won't

[Anonymous Coward]

You want a VPN service that totally respects and protects your privacy? Find the one that charges the most money and use them, because everything is about money now, and selling your paying customers like so much chattel to the highest bidders, so how can you trust anyone anymore? I don't even trust companies to live up to their printed agreements, because they know they can't be effectively sued by individuals.

Stop using the Internet for everything you can, and encourage others to do the same. When nobo

Re:

[DuckDodgers]

Nice thinking, but the most expensive VPN service might still be selling your data. They could just be the most greedy.

My VPN has no information.

[snarfies]

What's to stop the VPN from selling your information to the highest bidder? The fact that my VPN of choice, Mullvad, collects no information.

You click "create account," they give you an account number, and that's the end. They don't ask for your name, address, phone number, or anything. I pay via Bitcoin, so they don't even have my credit card info.

Re:

[Anonymous Coward]

The fact that my VPN of choice, Mullvad, collects no information.

all your browsing history and times, your IP address

I pay via Bitcoin, so they don't even have my credit card info.

oh look, extra value for this one. they can sell your data to curious state agencies

Re:My VPN has no information.

[amiga3D]

You know, nothing is perfect. You do the best you can. If you're actively breaking the law I'd suggest not doing it over the internet.

Re:

[thomn8r]

The fact that my VPN of choice, Mullvad, collects no information.

That you know of. And you don't. All you have to back this up is their ephemeral TOS, which they may or may not adhere to, and could change at a moment's notice.

Re:

[myrdos2]

I wonder... they have your IP address, and could possibly have your browsing history. So your ISP analyzes your history, and sees a bunch of connections to Mullvad and not much else. And they ring up Mullvad and say, we'd like the browsing history for IP XXX.XXX.XXX.XXX. Where is the guarantee of privacy here?

Check the log policy

[evolutionary]

Many VPN services have a no log policy. Always review the policies of a VPN when you join. Here is a fairly good list to start from: I'm rather fond of VPN services in Sweden and Italy myself. https://torrentfreak.com/anony... [torrentfreak.com]

Guarantees.

[Anonymous Coward]

There are none.

"Log policies" are about as meaningless as "uptime guarantees" and "we do backups". How, exactly, do you verify this?

Chances are, you'll be fine. But only a fool is going to be shocked when the shit hits the fan with some random VPN provider.

Re:

[DuckDodgers]

Seconded. VPN providers can write whatever they want in their public policy, but unless you work for the provider you have no way to know if they're telling the truth. And even if they're being honest today, a shady executive or a national security letter from Uncle Sam can change their policy tomorrow.

And further, as others discussed earlier there is the risk that the VPN provider's ISP is collecting the information. Traffic from your home IP goes to the VPN, and then the VPN ISP logs all traffic from

Re:

[DuckDodgers]

I admit, this kind of thing is outside my expertise. I'm sure some fancy Cisco, Juniper, or maybe SuckPoint gadget might handle 10,000 simultaneous connections for one IP address. That makes tracking difficult.

But if I was going to run a VPN service out of my house, I'd just pick a cheap VPS provider, rent VMs with fast network connections but low resources otherwise, assign maybe 5-10 customers per VM, and run OpenSSL on the VMs. Nowhere near as cost-efficient as the "enterprise" route, but the init

Re:

[DuckDodgers]

I've been trying to figure out the cheapest VPS provider that has the bandwidth I want for VPNs. I want to use a US VPN provider because we might have problems with my kids' multiplayer gaming if we're bouncing our traffic across continents. Our biggest month for data is 900GB, so unrestricted bandwidth or very high bandwidth caps are essential.

So the US requirement eliminates Scaleway (dammit). I'm looking at OVH, Kaiju Hosting https://kaijuhosting.com/vps.p... [kaijuhosting.com], DigitalOcean, Linode, Codero. Any go

Re:

[DuckDodgers]

Thanks! I'll check it out.

Re:

[david_thornley]

I could run a VPN service on AWS, true. At that point, Amazon is effectively my endpoint ISP, and they can observe my web traffic out of my EC2 instance and tie it in with my billing information. I don't see how this is a win.

Google doesn't care about VPN

[yuvcifjt]

VPN's may only protect you from your own ISP, but what about the biggest spyware organisations, such as Google [softpedia.com]/Facebook?
They all rely on browser fingerprinting [mozilla.org] more than anything else these days, and subtly transmitting information back in an encoded form, including mouse movement patterns [slashdot.org] to learn about the individual.

Cookies/HTML5 storage are so last decade, as I've seen a growing number of companies (Cyberfend [pastebin.com] / iovation / iesnare [iesnare.com] / "cformanalytics" [cformanalytics.com], browser.id [browser.id] (navigator.io [navigator.io]), etc [011235813.ga]) provide services specialising in tracking and individually identifying users - even surprisingly across devices [seerinteractive.com], somehow [duckduckgo.com].

As far as I can tell, only Mozilla is attempting to reduce/fight this with their browser, especially as they recently removed the Battery status API [mozilla.org], added disconnect.me to blacklist known trackers in v43 [mozilla.org], Font fingerprinting [winbuzzer.com], etc.

Sure, you can use addons like adblockplus, noscript, decentraleyes, etc to some degree, but many times they break websites as more and more sites are utilising javascript exclusively for a website to function, including third-party scripts, such as GoogleTagManager, etc.
Just recently discovered that the popular London travel website TfL also contains a third-party tracker, without which their journey planner doesn't work, thus the website doesn't work with Firefox's disconnect.me privacy list.

Re:

[thegarbz]

If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something.

In any case the privacy aspects of Google and Facebook are different again. It's one thing to be lumped in with Google's anonymised analytics and sold to a third party, or Facebook's "here's a list of everyone who lives in {insert here} and is gay", but it's quite another to be identified as "Firstname, Lastname, SSN, living in address {insert address}, spent all la

Re:

[chihowa]

If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something.

Tired old, "if you have nothing to hide" line coupled with "Google/Facebook are the good guys" bootlicking.

In any case the privacy aspects of Google and Facebook are different again. It's one thing to be lumped in with Google's anonymised analytics and sold to a third party, or Facebook's "here's a list of everyone who lives in {insert here} and is gay", but it's quite another to be identified as "Firstname, Lastname, SSN, living in address {insert address}, spent all last night browsing fetlife.com"

The ISP

Re:

[yuvcifjt]

Thanks, good reply :)

By the way, try using the <quote> tag next time when quoting the parent ;)

Re:

[thegarbz]

Tired old, "if you have nothing to hide" line coupled with "Google/Facebook are the good guys" bootlicking.

Then you misread what I was saying. I didn't say "if you have nothing to hide then you don't have to worry" like you instantly assumed.

I said : "If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something."

Or to paraphrase: The vast majority of tracking performed by Google and Facebook is on innocuous websites or basic commerce sites which are of little concern to people in general. Quite a bit different in scope to the ISP

Re:

[Beezlebub33]

Try the TrackMeNot plugin: https://cs.nyu.edu/trackmenot/ [nyu.edu] and source at: https://github.com/vtoubiana/T... [github.com]

It doesn't hide anything that you are doing, so the signal is still there, but it sure puts up a lot of noise. If you are technically minded, please consider improving the software / forking and trying different things.

Independent VPN Comparison

[Foresto]

ThatOnePrivacyGuy on /r/privacy [reddit.com] manages That One Privacy Site, including a handy VPN section [thatoneprivacysite.net]. Unlike the vast majority of VPN provider reviews you'll find in web searches, this one encourages community discussion [reddit.com] and appears to be impartial [reddit.com]. Next time I need a new VPN provider, I expect I'll be turning to that site.

Regular Use of VPN

[WillRobinson]

Using a self setup vpn in a data server that does not gather you data is what I am doing. Its not that I care that the government gets it, its I don't need Comcast, Verizon, Tmobile or other service provider that I am SURE will sell my browser data. I do quite a bit of research on our products, and even at work they use comcast! I do not know if management realizes the trove of data that comes from this. Maybe someday they will wake up.

I also use my server for transferring large files to my customers using

Seven Proxies

[sexconker]

Everyone knows you have to go behind seven proxies.

Eh.

[Dupedupeshakur]

It's worth the price of admission just to give me ISP the middle finger. You're won't profit from pilfering all my data. Sure, others do, but I as an informed consumer opt in to those services, knowingly.

Opera browser VPN

[mspohr]

I've installed Opera browser on my computers which has a free VPN provided by SurfEasy which is a Canadian company they own.
Privacy Policy includes "no logs"
https://www.surfeasy.com/priva... [surfeasy.com]
https://www.opera.com/privacy [opera.com]
This should give good protection from my local ISP. Hopefully I will be able to trust SurfEasy and Opera to adhere to their policy.
(BTW, the browser seems much faster than Chrome or Firefox on my old MacBook.)

Re: Opera browser VPN

[cunina]

How does that "free VPN" make money? Or even just cover their costs? I'd be suspicious of them.

Re:

[Beezlebub33]

I'm sorry to have to worry about this, but the fact that a chinese security firm bought Opera sets off lots of red flags to me. What, if anything, is it sending back to the mothership?

VPNs kinda sorta ... they will help, a little.

[m.dillon]

I've been running an openvpn link from my home to our colo for years. I also have it set up on all my devices so I can use it while traveling. Some of our DFly devs also use it when they are traveling. Here's my cumulative wisdom on the matter:

Generally speaking it works quite well. I use a medium-numbered port but I also have a server running on port 443 because the many weird networks one runs through when traveling often block most parts, but usually leave the https port open.

* Use UDP for the transport when running openvpn over a broadband link. This provides the most consistent experience.

* Use TCP for the transport for connections from mobile devices. This provides the most consistent experience. There are several reasons for this not the least of which being that the telco infrastructure seems to devalue UDP by a lot verses other traffic. TCP is also a lot easier to run on the server-side if you potentially have many devices connecting in, because you can run one server instance.

* Configure a smaller mss, I use 1300, so the encapsulation doesn't get fragmented by the transport. This is very important.

* Configure a relatively frequent keepalive in openvpn over a WAN link (I use 1sec/10sec), but a less frequent one over mobile (I use 20sec/120sec). This is particularly important on mobile because cell tower switches can cause long disruptions. You don't want to drop the VPN link in such circumstances if you can help it. DO NOT DISABLE THE KEEPALIVE. Always have an openvpn keepalive setup, particularly over TCP, because the TCP connection backoff can prevent your sessions from recovering or cause them to take a long time to recover if one or the other direction is not actively sending data (such as with most web connections, downloads, streaming, etc).

I personally like 'OpenVPN Connect' on IOS (which I use to connect to our project colo). And of course I run openvpn on all the DragonFly boxes including my laptop.

--

Reliability of the VPN depends entirely on the path between your location and the VPN server. The packet must travel this path in addition to the path from the VPN server to the nominal destination, and even in the best of circumstances it will double the chances of something going wrong.

I've had a number outages at home where my cable link is still operational but the cable company's path to the VPN server is having problems. Also, recovery times are longer because not only does the dead network have to revive, but the openvpn setup has to reconnect and renegotiate.

--

Commercial services are going to be hit or miss. VPN'ing your broadband link might be problematic and you have no real visibility into what the commercial service is doing with your data. That said, they are probably going to be a lot better than trusting your data to the telco and wifi hot-spots you connect from when you are mobile.

Netflix and other video streaming providers will often block-out commercial VPN IPs from the service. Generally speaking, using a commercial service for high-bandwidth connections is really hit-or-miss. You are using their bandwidth as well as your own.

When using a VPN, you are bypassing any special deals your broadband provider has made with the likes of YouTube, Netflix, etc. Remember that if the cell bandwidth is supposed to be free, because it won't be over the VPN.

--

In terms of security, its a mixed bag. The VPN will secure your traffic from your immediately ISP/Telco (aka Comcast, AT&T), and that's actually very important. However, you are not anonymous and once your traffic reaches the egress point its up for grabs by any network it flows through and, in particular, the target web page or whatever might be doing its own data collection.

But the telco data collection is MUCH more valuable to third parties than target data collection, and the VPN link at least protects you from that.

The VPN will not do a whole lot for your internal network security. If someone bre

The good old public library

[TheStickBoy]

Me?
I'm going to go back to the good old days.....head over to the public library for an anonymous connection :)

Unfortunately VPNs are likely only a temporary fix

[ubrgeek]

I'm amazed ISPs don't have acceptable use language against using VPNs, under some BS guise of claiming they can negatively affect the network. Regardless, next up will be legislation saying that using a VPN robs ISPs of potential revenue and so are no longer legal. Oh, and the children. Somethingsomethingsomething VPN's and children.

Much ado over nothing again.

[ebvwfbw]

This is so stupid. Does anyone really think this even matters? The vast majority of people use cookies, other tech so they know who we all are, our credit cards, etc. Google/bing/duck duck go, etc... all keep track of the searches. How you search, what you search. What you buy.

As Scott McNealy said years ago - you have no privacy. Get over it.

Re:

[amiga3D]

What? The fire plan thing? That's kind of a joke. The fact that DC is destroying America? I see evidence of that every day.