Why VPNs won't always keep you safe online
If only you could solve your online-privacy problems with the right three-letter abbreviation, things would be so much easier.
Sign up for a virtual private network service, the sales pitch goes, and end online spying: Your browsing will once again be nobody’s business but yours!
But the reality of using a VPN is much more complicated. Sometimes—as seen in this week’s report by TechCrunch that Facebook (FB) has been using a relabeled VPN app to collect data on the online habits of teenagers—using one can actually leave you more exposed online.
Here’s what you should remember the next time somebody suggests that online privacy starts with using a VPN.
In the memorable phrase of the late Sen. Ted Stevens (R.-Alaska), you can think of a virtual private network as a series of tubes—but a VPN’s tubes stretch from your device to its own gateway to the wider internet and come protected by encryption that scrambles everything going to and from your device.
Anybody snooping on your connection will see only gibberish, and sites will see you arriving from an Internet Protocol address that can correspond to a spot on the map thousands of miles away from your actual location.
The immediate upside of that: The source of your internet connection—your internet provider, a coffee shop, a hotel, your neighbor’s open WiFi router—can’t see what you’re doing online.
A VPN also won’t stop hacking attempts against your computer. If you open the wrong attachment or visit a hacked site with an out-of-date copy of the already-insecure Adobe (ADBE) Flash player, the VPN won’t block those malware sources.
It’s also important to remember that the absence of a VPN does not mean you’re left naked in the open. Most sites already encrypt their sessions—Google stats show that 82% of pages loaded in Chrome for Windows are encrypted—so your ISP or coffee shop would only see the domain names of the sites you visit, not distinct page content.
Transferring your privacy fears
Meanwhile, a VPN connection does leave one party in a privileged position to see all your unencrypted online data—the VPN provider itself. It’s essentially taking over your internet provider’s role in routing your data online, so in the bargain you must transfer your tracking fears from your ISP to your VPN.
Picking a trustworthy VPN is much harder than picking an ISP because a) there are so many more of them and b) so many of them leave you guessing about their virtues.
What you want to see—as the Center for Democracy & Technology, a Washington non-profit, laid out in a recent study of VPN privacy—are clarity about their ownership structure and business models, commitments to keep a minimum of data about your online history, and clear documentation of how they respond to legitimate law-enforcement queries.
What you may see instead are improbably generous prices that leave you wondering how the VPN service stays in business (beware of lifetime subscriptions for less than the price of an okay dinner), contact-us pages that leave no hint of where the company operates, and leaky data-management systems.
This industry also overflows with sketchy marketing ties, where VPN services pay for promotion on review sites that tout themselves as independent.
That CDT study includes detailed answers from five well-regarded VPNs; I would also trust the advice of Consumer Reports and the New York Times’ Wirecutter (a site I also write for occasionally). If you were curious about my own choice, I paid for a two-year subscription to Private Internet Access in 2017; I will consult those sites and others before renewing that.
When you should use a VPN
But awareness of all the risks of using a fly-by-night VPN service should not lead you to throw up your hands and assume nothing’s safe online. A good VPN will prove enormously helpful in three scenarios.
First, if you’re on a connection you shouldn’t trust too much—not just the WiFi at a hacker conference, but even the WiFi at a hotel or a coffee shop—a VPN’s shroud of encryption will vastly lower the odds of an attacker peeking at your information.