Will VPNs Protect Your Privacy? It's Complicated
From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print."

From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.
"analyzed 443 open proxies" (Score:1)
You are aware March has got 31 days, not 30?
Re: (Score:2)
> You are aware March has got 31 days, not 30?
There is a bill going through Congress right now to change that.
Because you can choose your VPN... (Score:5, Insightful)
With ISPs, you can't really choose who gives you the pipe to your home or school. You may have a telco, and a cable company, if that.
With VPNs, if one is found to be selling data, you can switch in a heartbeat.
Then, there are the privacy policies. A VPN having a privacy policy of not handing your traffic over will get in a lot more trouble if they sell that data than an ISP that has a privacy policy of "if it goes through our fiber, we can do what we please with it."
VPNs are not perfect... but they do help significantly. It is sad that things have come down to this, as it makes police work a lot harder once the bad guys "go dark", but people are tired of having their data sold, or advertising IDs added to non-encrypted traffic.
Re: (Score:2)
Very true. However, for a lot of items, that isn't a big issue. I'm not running P2P clients, but oftentimes doing web browsing and such, where it doesn't take that much bandwidth.
There is always the option of creating a VPN server on AWS, but I'd just rather use a known good service which can be cheaper.
Re: (Score:1)
True, but there aren't a ton of sites that will stream data to you faster than what a VPN allows. If you're mass torrenting, yeah, it might slow you down, but if the most strenuous thing you do is watch videos on a website, it'll be fine.
Has that ever happened, even once? (Score:2)
> A VPN having a privacy policy of not handing your traffic over will get in a lot more trouble if they sell that data
I'm not so sure. Has ANY VPN provider EVER been busted for that, or anything like it? Can and do the owners of the VPN services hide their identity? It seems to me the big ISPs are very slightly more accountable - they are regulated and we all know exactly who they are.
Re: (Score:3)
> they are regulated and we all know exactly who they are.
Except Congress just voted to eliminate privacy protections, and corporate officers aren't liable for business decisions anyway.
So the company just writes another check (and probably for less than what they gave to the Congressmen).
Re: (Score:2)
There's not really anyone who would "bust" them. That would be essentially a breach of contract which is a civil matter and their customers would have to bring the suit -- the same customers who are concerned about people knowing what they do online.
Of course if any VPN provider was caught selling data, the media would likely be all over it. The bad PR would probably be worse than any fine given that the entire reason people use them is to avoid exactly things like that.
That said, if VPNs do end up going
Why Not (Score:1)
Just spin up your own VPN server on one of the cloud providers? The cost of a low resource machine is negligible, even better, you can spin up a new machine (with a new external facing IP) each time you need to use it.
Re:Why Not (Score:4, Insightful)
Can one pay for a cloud service anonymously?
Re: (Score:3)
One can "borrow" a credit card to sign up for the free tier service, theoretically.
Re: (Score:2)
I'll borrow my wife's.
Re: (Score:2)
No, and BTW they can possibly seize your server, but we are not talking about perfect anonymity, just improving privacy, and a "home-made" VPN goes a long(er) way towards that.
Re: (Score:3)
You can pay for services with pre-paid credit cards (AKA gift cards).
Re: (Score:1)
Bitcoin isn't anonymous.
Re: (Score:2)
That looks like just a VPN service.
Re: (Score:1)
Sir, may I interest you in this bridge I have to sell?
Re: It's very simple (Score:1)
He's somewhat on the right track... most EU countries have extensive data privacy laws and a responsible regulatory body. The USA has mostly nothing and places the "burden" of privacy on the consumer, hence it is generally lacking. However, it's not clear cut as some EU CL countries are moving toward excessive data retention.
Proxies vs. VPN (Score:4, Insightful)
Re: (Score:3)
That was my thought too. And the "free VPN service Hola" turns out not to be a peer-to-peer "VPN" service, routing users' connections through each other's devices.
In other words, if you actually get a VPN (which means you'll have to pay for it), from a provider who will not sell your information, then yes, it will protect your privacy.
Re: (Score:2)
A VPN is a type of proxy.
Competition (Score:5, Insightful)
And now thanks to the f*ckwit Republicans in control of Congress, my ISP can now sell everything it knows about me to anyone they like, without any recourse on my part, short of using some sort of proxy. At least with VPN proxies, there's no real barrier to entry, save for bandwidth capacity, and I can choose from any number of options, that I'm going to now have to start looking at.
*Apologies to gonorrhea and syphilis for comparing them to the likes of Verizon and Comcast.
Re: (Score:1)
That part may or may not be true. You really don't know. That is a risk you take no matter who is in charge of your network traffic.
Re: (Score:3)
Oh look, the binary guy being wrong again.
They can't see the content unless:
A: They're providing fake certs for the domains you're accessing and you trust those certs for some reason.
B: The client you use injects legit certs for the proxy into your OS's or browser's cert store for every site you visit. Many corporate network management systems do this. They inject bullshit certs into your machine as trusted for everything. You're fucked unless you do something the client isn't aware of (like cert pinnin
Re: (Score:2)
You could get both Verizon and Comcast at the same time.
I did this with Charter and AT&T when my wife worked from home.
Of course, with regards to your analogy, this doesn't sound like a comfortable solution.
Re: (Score:1)
AFTER the damage is done.
Re: (Score:2)
Privacy isn't easy to regain nowadays. If someone publishes your connections to midget furry porn sites, that information is almost impossible to remove, and everyone from then on will be able to find out about your midget furry porn fetish. Your browsing history can hurt you even if it's all legal.
shady (Score:2, Insightful)
Re: (Score:1)
This. I wonder what he would get if he analyzed for pay services like HMA, VyprVPN, SwissVPN, ipredator, and other commercial offerings.
$10/month VM + SOCKS5 (Score:1)
n/t
Seems like it's somewhat worse than that... (Score:5, Insightful)
If you don't use a VPN, your data is vulnerable to your ISP. If you do use a VPN, your data is vulnerable to your VPN provider *and* to *their* ISP.
Maybe they've got a better (in terms of privacy) ISP than you do. But be aware that that is also a concern.
Re: (Score:2)
How would the data be vulnerable to the VPN provider's ISP? The ISP I am using, their ISP, and everyone in between the endpoints sees a stream of encrypted traffic on port 1194. The ISPs can throttle or delay the traffic, but they can't really do much else.
Re:Seems like it's somewhat worse than that... (Score:5, Interesting)
Once the traffic reaches the endpoint (the other end of your VPN tunnel) it's decrypted. The VPN provider and their bandwidth suppliers (the VPN provider's ISP) can then see all your traffic :-)
The VPN encapsulation layer is decrypted. If you've got HTTPS inside there it's still HTTPS.
Further, you typically have many users connecting to one VPN. The VPN's ISP will have a harder time tracking any individual, and will not be able to associate traffic with a user at an address, a user of a certain age or sex, etc. The VPN provider could track in more detail, however, as they manage the individual connections, know who's paying for service (unless you're using fake info when signing up, paying with pre-paid gift card you bought for cash and NOT from a retailer, etc.).
Re:Seems like it's somewhat worse than that... (Score:5, Insightful)
If you don't use a VPN, *your* ISP can correlate all your traffic to your billing information (which is necessarily very detailed as they often have a physical cable to your location). If you use a VPN, *their* ISP can only correlate that traffic to the VPN's billing info and not your own. Of course, the VPN provider can make this correlation but there are more options for VPN providers than ISPs in a given location.
Re: (Score:2)
Responding to legal requests is significantly different than treating the data as a good to be sold though.
Re: (Score:2)
> Maybe they've got a better (in terms of privacy) ISP than you do. But be aware that that is also a concern.
Their ISP would see the occasional packet of yours mixed in with a sea of other stuff pouring through continuously at high rates. Sure they may be able to identify the occasional packet of yours but tying it back to you would be incredibly difficult.
Your own ISP on the other hand sees "lazlo visits fetlife.com 10 times per week, mostly on Saturday at 6:50pm"
They can, but they likely won't (Score:1)
Stop using the Internet for everything you can, and encourage others to do the same. When nobo
My VPN has no information. (Score:5, Interesting)
> What's to stop the VPN from selling your information to the highest bidder?
The fact that my VPN of choice, Mullvad, collects no information.
You click "create account," they give you an account number, and that's the end. They don't ask for your name, address, phone number, or anything. I pay via Bitcoin, so they don't even have my credit card info.
Re: (Score:1)
> The fact that my VPN of choice, Mullvad, collects no information.
all your browsing history and times, your IP address
> I pay via Bitcoin, so they don't even have my credit card info.
oh look, extra value for this one. they can sell your data to curious state agencies
Re:My VPN has no information. (Score:5, Informative)
You know, nothing is perfect. You do the best you can. If you're actively breaking the law I'd suggest not doing it over the internet.
Re: (Score:2)
> The fact that my VPN of choice, Mullvad, collects no information.
That you know of. And you don't. All you have to back this up is their ephemeral TOS, which they may or may not adhere to, and could change at a moment's notice.
Re: (Score:2)
I wonder... they have your IP address, and could possibly have your browsing history. So your ISP analyzes your history, and sees a bunch of connections to Mullvad and not much else. And they ring up Mullvad and say, we'd like the browsing history for IP XXX.XXX.XXX.XXX. Where is the guarantee of privacy here?
Check the log policy (Score:4, Informative)
Guarantees. (Score:1)
There are none.
"Log policies" are about as meaningless as "uptime guarantees" and "we do backups". How, exactly, do you verify this?
Chances are, you'll be fine. But only a fool is going to be shocked when the shit hits the fan with some random VPN provider.
Re: (Score:2)
And further, as others discussed earlier there is the risk that the VPN provider's ISP is collecting the information. Traffic from your home IP goes to the VPN, and then the VPN ISP logs all traffic from
Re: (Score:2)
But if I was going to run a VPN service out of my house, I'd just pick a cheap VPS provider, rent VMs with fast network connections but low resources otherwise, assign maybe 5-10 customers per VM, and run OpenSSL on the VMs. Nowhere near as cost-efficient as the "enterprise" route, but the init
Re: (Score:2)
So the US requirement eliminates Scaleway (dammit). I'm looking at OVH, Kaiju Hosting https://kaijuhosting.com/vps.p... [kaijuhosting.com], DigitalOcean, Linode, Codero. Any go
Re: (Score:2)
I could run a VPN service on AWS, true. At that point, Amazon is effectively my endpoint ISP, and they can observe my web traffic out of my EC2 instance and tie it in with my billing information. I don't see how this is a win.
Google doesn't care about VPN (Score:5, Interesting)
VPNs may only protect you from your own ISP, but what about the biggest spyware organisations, such as Google [softpedia.com]/Facebook?
They all rely on browser fingerprinting [mozilla.org] more than anything else these days, and subtly transmitting information back in an encoded form, including mouse movement patterns [slashdot.org] to learn about the individual.
Cookies/HTML5 storage are so last decade, as I've seen a growing number of companies (Cyberfend [pastebin.com] / iovation / iesnare [iesnare.com] / "cformanalytics" [cformanalytics.com], browser.id [browser.id] (navigator.io [navigator.io]), etc [011235813.ga]) provide services specialising in tracking and individually identifying users - even surprisingly across devices [seerinteractive.com], somehow [duckduckgo.com].
As far as I can tell, only Mozilla is attempting to reduce/fight this with their browser, especially as they recently removed the Battery status API [mozilla.org], added disconnect.me to blacklist known trackers in v43 [mozilla.org], Font fingerprinting [winbuzzer.com], etc.
Sure, you can use addons like adblockplus, noscript, decentraleyes, etc to some degree, but many times they break websites as more and more sites are utilising javascript exclusively for a website to function, including third-party scripts, such as GoogleTagManager, etc.
Just recently discovered that the popular London travel website TfL also contains a third-party tracker, without which their journey planner doesn't work, thus the website doesn't work with Firefox's disconnect.me privacy list.
Re: (Score:2)
If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something.
In any case the privacy aspects of Google and Facebook are different again. It's one thing to be lumped in with Google's anonymised analytics and sold to a third party, or Facebook's "here's a list of everyone who lives in {insert here} and is gay", but it's quite another to be identified as "Firstname, Lastname, SSN, living in address {insert address}, spent all la
Re: (Score:3)
> If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something.
Tired old, "if you have nothing to hide" line coupled with "Google/Facebook are the good guys" bootlicking.
> In any case the privacy aspects of Google and Facebook are different again. It's one thing to be lumped in with Google's anonymised analytics and sold to a third party, or Facebook's "here's a list of everyone who lives in {insert here} and is gay", but it's quite another to be identified as "Firstname, Lastname, SSN, living in address {insert address}, spent all last night browsing fetlife.com"
The ISP
Re: (Score:2)
Thanks, good reply :)
By the way, try using the <quote> tag next time when quoting the parent ;)
Re: (Score:2)
> Tired old, "if you have nothing to hide" line coupled with "Google/Facebook are the good guys" bootlicking.
Then you misread what I was saying. I didn't say "if you have nothing to hide then you don't have to worry" like you instantly assumed.
I said : "If you're searching for a site using Google, or going to a site that has embedded Facebook shit chances are you're not trying to hide something."
Or to paraphrase: The vast majority of tracking performed by Google and Facebook is on innocuous websites or basic commerce sites which are of little concern to people in general. Quite a bit different in scope to the ISP
Re: (Score:2)
Try the TrackMeNot plugin: https://cs.nyu.edu/trackmenot/ [nyu.edu] and source at: https://github.com/vtoubiana/T... [github.com]
It doesn't hide anything that you are doing, so the signal is still there, but it sure puts up a lot of noise. If you are technically minded, please consider improving the software / forking and trying different things.
Independent VPN Comparison (Score:5, Informative)
ThatOnePrivacyGuy on /r/privacy [reddit.com] manages That One Privacy Site, including a handy VPN section [thatoneprivacysite.net]. Unlike the vast majority of VPN provider reviews you'll find in web searches, this one encourages community discussion [reddit.com] and appears to be impartial [reddit.com]. Next time I need a new VPN provider, I expect I'll be turning to that site.
Regular Use of VPN (Score:2)
Using a self-setup VPN in a data server that does not gather your data is what I am doing. It's not that I care that the government gets it, it's that I don't need Comcast, Verizon, T-Mobile or other service provider that I am SURE will sell my browser data. I do quite a bit of research on our products, and even at work they use Comcast! I do not know if management realizes the trove of data that comes from this. Maybe someday they will wake up.
I also use my server for transferring large files to my customers using
Seven Proxies (Score:1)
Everyone knows you have to go behind seven proxies.
Eh. (Score:1)
Opera browser VPN (Score:3)
I've installed Opera browser on my computers which has a free VPN provided by SurfEasy which is a Canadian company they own.
Privacy Policy includes "no logs"
https://www.surfeasy.com/priva... [surfeasy.com]
https://www.opera.com/privacy [opera.com]
This should give good protection from my local ISP. Hopefully I will be able to trust SurfEasy and Opera to adhere to their policy.
(BTW, the browser seems much faster than Chrome or Firefox on my old MacBook.)
VPNs kinda sorta ... they will help, a little. (Score:5, Informative)
I've been running an openvpn link from my home to our colo for years. I also have it set up on all my devices so I can use it while traveling. Some of our DFly devs also use it when they are traveling. Here's my cumulative wisdom on the matter:
Generally speaking it works quite well. I use a medium-numbered port but I also have a server running on port 443 because the many weird networks one runs through when traveling often block most ports, but usually leave the https port open.
* Use UDP for the transport when running openvpn over a broadband link. This provides the most consistent experience.
* Use TCP for the transport for connections from mobile devices. This provides the most consistent experience. There are several reasons for this not the least of which being that the telco infrastructure seems to devalue UDP by a lot versus other traffic. TCP is also a lot easier to run on the server-side if you potentially have many devices connecting in, because you can run one server instance.
* Configure a smaller mss, I use 1300, so the encapsulation doesn't get fragmented by the transport. This is very important.
* Configure a relatively frequent keepalive in openvpn over a WAN link (I use 1sec/10sec), but a less frequent one over mobile (I use 20sec/120sec). This is particularly important on mobile because cell tower switches can cause long disruptions. You don't want to drop the VPN link in such circumstances if you can help it. DO NOT DISABLE THE KEEPALIVE. Always have an openvpn keepalive setup, particularly over TCP, because the TCP connection backoff can prevent your sessions from recovering or cause them to take a long time to recover if one or the other direction is not actively sending data (such as with most web connections, downloads, streaming, etc).
I personally like 'OpenVPN Connect' on IOS (which I use to connect to our project colo). And of course I run openvpn on all the DragonFly boxes including my laptop.
--
Reliability of the VPN depends entirely on the path between your location and the VPN server. The packet must travel this path in addition to the path from the VPN server to the nominal destination, and even in the best of circumstances it will double the chances of something going wrong.
I've had a number of outages at home where my cable link is still operational but the cable company's path to the VPN server is having problems. Also, recovery times are longer because not only does the dead network have to revive, but the openvpn setup has to reconnect and renegotiate.
--
Commercial services are going to be hit or miss. VPN'ing your broadband link might be problematic and you have no real visibility into what the commercial service is doing with your data. That said, they are probably going to be a lot better than trusting your data to the telco and wifi hot-spots you connect from when you are mobile.
Netflix and other video streaming providers will often block-out commercial VPN IPs from the service. Generally speaking, using a commercial service for high-bandwidth connections is really hit-or-miss. You are using their bandwidth as well as your own.
When using a VPN, you are bypassing any special deals your broadband provider has made with the likes of YouTube, Netflix, etc. Remember that if the cell bandwidth is supposed to be free, because it won't be over the VPN.
--
In terms of security, it's a mixed bag. The VPN will secure your traffic from your immediate ISP/Telco (aka Comcast, AT&T), and that's actually very important. However, you are not anonymous and once your traffic reaches the egress point it's up for grabs by any network it flows through and, in particular, the target web page or whatever might be doing its own data collection.
But the telco data collection is MUCH more valuable to third parties than target data collection, and the VPN link at least protects you from that.
The VPN will not do a whole lot for your internal network security. If someone bre
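The transport, MSS and keepalive advice in the comment above, turned into a small config linter; this is an added example and not part of the original comment. The sample configs are constructed, the finding codes and profile names are hypothetical, and reading the commenter's "mss" as OpenVPN's `mssfix` directive is an assumption.

```python
# Added example: lint OpenVPN configs against the settings the comment recommends.
# proto/port/mssfix/keepalive/ping/ping-restart are standard OpenVPN directives;
# the sample configs are constructed and "mss" -> `mssfix` is an assumption.

BROADBAND_CONF = """\
# home broadband link
proto udp
mssfix 1300
keepalive 1 10
"""

MOBILE_CONF = """\
; phones and laptops on networks that only leave the https port open
proto tcp-server
port 443
mssfix 1300
keepalive 20 120
"""

BROKEN_CONF = """\
proto tcp-server
port 443
# keepalive line deleted
"""

# Values the commenter says they use: (transport, (ping interval, restart timeout)).
PROFILES = {"broadband": ("udp", (1, 10)), "mobile": ("tcp", (20, 120))}
MSS = 1300

def parse(text):
    """Map directive -> argument list; lines starting with '#' or ';' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def keepalive(opts):
    """Return (interval, timeout) from `keepalive` or the ping/ping-restart pair, else None."""
    if len(opts.get("keepalive", [])) == 2:
        return tuple(int(v) for v in opts["keepalive"])
    if opts.get("ping") and opts.get("ping-restart"):
        return int(opts["ping"][0]), int(opts["ping-restart"][0])
    return None

def lint(text, link):
    """Return finding codes for one config; link is 'broadband' or 'mobile'."""
    want_proto, (_, want_timeout) = PROFILES[link]
    opts = parse(text)
    findings = []
    proto = (opts.get("proto") or ["udp"])[0]  # OpenVPN uses UDP when proto is absent
    if not proto.startswith(want_proto):
        findings.append("proto-mismatch")
    ka = keepalive(opts)
    if ka is None or ka[0] <= 0:
        findings.append("keepalive-missing")  # the comment: never disable it
    elif ka[0] >= ka[1]:
        findings.append("keepalive-interval-not-below-timeout")
    elif ka[1] < want_timeout:
        findings.append("keepalive-timeout-short")  # shorter than the comment's value
    mss = opts.get("mssfix")
    if not mss or int(mss[0]) == 0:
        findings.append("mssfix-unset")
    elif int(mss[0]) > MSS:
        findings.append("mssfix-above-1300")
    return findings

if __name__ == "__main__":
    for conf, link in [(BROADBAND_CONF, "broadband"), (MOBILE_CONF, "mobile"), (BROKEN_CONF, "mobile")]:
        print(link, lint(conf, link) or "ok")
```

Applying the mobile profile to the broadband config flags both the UDP transport and the 10-second restart timeout, which is the case the comment warns about when cell tower switches cause long disruptions.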
The good old public library (Score:1)
I'm going to go back to the good old days.....head over to the public library for an anonymous connection
Unfortunately VPNs are likely only a temporary fix (Score:1)
Much ado over nothing again. (Score:2)
This is so stupid. Does anyone really think this even matters? The vast majority of people use cookies, other tech so they know who we all are, our credit cards, etc. Google/bing/duck duck go, etc... all keep track of the searches. How you search, what you search. What you buy.
As Scott McNealy said years ago - you have no privacy. Get over it.
Re: (Score:1)
What? The fire plan thing? That's kind of a joke. The fact that DC is destroying America? I see evidence of that every day.