VPN – Very Precarious Narrative

&gt; <i>If you are using your device on a public network, VPNs can help you protect your data. I have a ProtonVPN subscription myself, just for those instances where I am sitting in an airport waiting for my plane</i><p>Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can&#x27;t imagine that he&#x27;s using an email service that doesn&#x27;t use HTTPS. Is he logging into his bank account? I doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching cat videos on YouTube? Well, even that&#x27;s encrypted.<p>Remember, his argument is that VPNs don&#x27;t provide privacy--so that&#x27;s not the reason. And this is the section where he&#x27;s talking about public networks, not about other rationales for VPNs like geolocking or ISP blocking. It weakens the argument of his essay to say that he needs a VPN at the airport or cafe.

Seems to ignore two things...<p>a) Your ISP is almost always in the same legal jurisdiction as you are. A VPN need not be.<p>b) A VPN has some incentive to deliver on privacy. Your ISP does not.<p>It&#x27;s fair to call out that a VPN isn&#x27;t perfect for either privacy or anonymity. But it clearly <i>can</i> be better than your ISP.

Damn. I don&#x27;t even know where to begin.<p>It&#x27;s true that VPN services at best provide less anonymity than Tor does. And that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But PIA clearly does, as demonstrated now in two criminal investigations.[0]<p>Of course, in both cases, defendants pwned themselves through poor OPSEC. But at least PIA didn&#x27;t give them up.<p>And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That&#x27;s just stupid.<p>0) <a href="https:&#x2F;&#x2F;torrentfreak.com&#x2F;private-internet-access-no-logging-claims-proven-true-again-in-court-180606&#x2F;" rel="nofollow">https:&#x2F;&#x2F;torrentfreak.com&#x2F;private-internet-access-no-logging-...</a>

I have a pretty limited selection of ISPs available to me in my area and they make no effort to promise any kind of anonymity or privacy. Indeed here in Canada ISPs have frequently given subscriber contact information to copyright holders to issue warnings based on bittorrent usage without being legally required to. When visiting the UK certain IPs are blocked by ISPs. I can choose from a wide variety of VPN providers in other jurisdictions whose entire business model is based around respecting my digital rights in ways that most ISPs explicitly don&#x27;t care about. Some of these providers accept bitcoin and other relatively anonymized forms of payment, including VISA gift cards.<p>The article makes some valid points but overstates the case. I continue to be happier with trusting my VPN providers than any of the ISPs available to me.

There&#x27;s a couple of bad faith arguments in this article that I didn&#x27;t care for:<p>- Regarding user identification, rolling my IP address is trivial with a VPN. Less so on my static IP.<p>- The Facebook example without cookie deletion is a low-effort Straw Man<p>- I reject the leap that &quot;we have figured out that they [VPNs] do not add much to your online privacy&quot;. In the very narrow terms defined, yes of course, but either the author has willfully missed out why people use them, or doesn&#x27;t understand why.<p>I did enjoy this note though: &quot;Somehow, VPNs have turned them not failing to do their job into something they can market as a special feature.&quot;; I think there&#x27;s some truth to that.<p>I tunnel my traffic over a VPN to avoid my ISP building a profile on me. I change my IP every-so-often to mess with trackers at large. I accept that browser fingerprinting is probably thwarting my overall effort somewhat, but I&#x27;m reducing the vectors that I can. I firmly believe that VPN companies are capitalising on fear but I respect the hustle. I don&#x27;t think any of those points are particularly niche (niche subject notwithstanding!) so I find it interesting to see this take on it. Perhaps this isn&#x27;t an article representative of the position of the wider HN crowd?

The slimy marketing around centralized VPN services is why I consider it a point of pride to include the following as a &quot;feature&quot; in the AlgoVPN readme (<p>&gt; Anti-features<p>&gt; * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA<p>&gt; * Does not install Tor, OpenVPN, or other risky servers<p>&gt; * Does not depend on the security of TLS<p>&gt; * Does not require client software on most platforms<p>&gt; * Does not claim to provide anonymity or censorship avoidance<p>&gt; * Does not claim to protect you from the FSB, MSS, DGSE, or FSM<p>It&#x27;s incredible how quickly services that massively centralize bulk consumer web traffic were normalized. This is not ok. Further, most of these services are located in &quot;exotic&quot; locales with uncertain legal protections, anonymous or psuedo-anonymous owners, and make barely enough revenue to hire more than 3 or 4 staff members to maintain and secure their own infrastructure. This whole industry is a slow motion disaster.

&gt;However, the sad reality is, there is no such thing as a “no logs” VPN. Because running it would technically be impossible.<p>PIA has told the feds in the US to fuck off multiple times when asked for logs. You can&#x27;t provide what you don&#x27;t have, and lying to the feds is a fast track to PMITA prison (PIA is based in the US). I feel pretty confident they&#x27;re not risking prison to cover for Joe Blow subscriber. Other &quot;no log&quot; providers have been caught with logs, though.<p>I do agree with overall message about VPN advertising. It&#x27;s presented as a panacea when it&#x27;s really a single step you can take.

The articles like this are disastrous. So many people are using VPN to bypass government restrictions, protect themselves from ISPs, which are no longer run by idealists dreaming about uncensored access to information, but by managers, that will share your information with any agency the minute request shows up in their inbox. And these people don&#x27;t always have good knowledge of how security works, and who this article can greatly mislead.<p>I subscribed to a small VPN service 5 years ago for one reason: I needed static IP address for work, but my ISP at the time wasn&#x27;t selling them to private individuals (freelance).<p>And I couldn&#x27;t be happier! Wherever I go I don&#x27;t have any issues with access to my resources or worries that local government will fine me for watching porn (check out UAE or Saudi laws).<p>Hell, even Skype is blocked by a lot of telecoms around the world since you don&#x27;t pay roaming fees when calling through it. How ridiculous is that? On VPN it worked everytime.<p>HTTPS is great, but it is by no means private enough. ISP knows which service you are requesting, they can do SSL inspection and all kind of shady bullshit without your consent. With VPN they only see that I talk to 1 IP address somewhere in Netherlands and that is it!

It seems that the author&#x27;s target audience is highly non-technical readers. I&#x27;m not sure if the article does more harm than good by just citing existing technologies that aren&#x27;t used by privacy-minded power users without pointing towards proven solutions as well, even if they may require effort to implement. All is not lost.<p>The article touches on the OpenVPN protocol, &quot;commercial&quot; VPN providers (ExpressVPN in the screencap), but just glosses over the availability of better protocols, good providers, useful browser extensions, and democratized DNS encryption.<p>A combination of a WireGuard VPN provider (Mullvad comes to mind), using only the Firefox browser with a few extensions (such as Multi-Account Containers, HTTPS Everywhere, Privacy Badger, Decentraleyes, etc.), and using DNS over HTTPS (can be enabled in FF as well) will solve most of the problems the article posits. Running AdGuard as a local DNS server with upstream DoH is also something relatively easy to do.<p>Sure, overall security posture calls for a bit more but a good [VPN + DoH + FF + AdBlocking] setup should be the norm and not the exception; and will definitely pay off dividends rather than just letting a green padlock give users peace of mind.<p>I&#x27;ll actually write a how-to on this, since I don&#x27;t want to seem like I&#x27;m just mentioning a solution without actually providing the steps to get there.

&gt; Just like you have to trust your ISP that they do not collect data, you have to trust that your VPN provider is not storing the same data.<p>Bull. Shit.<p>Find me a major ISP that publicly claims they don&#x27;t log any data.<p>Anyone making a claim remotely similar to those made in <a href="https:&#x2F;&#x2F;torrentfreak.com&#x2F;which-vpn-services-keep-you-anonymous-in-2019&#x2F;" rel="nofollow">https:&#x2F;&#x2F;torrentfreak.com&#x2F;which-vpn-services-keep-you-anonymo...</a><p>If it was the norm for ISPs to claim this, maybe this argument would work. For now, we have many documented cases of ISPs selling your information, and they don&#x27;t even try to claim that they don&#x27;t keep logs, while many major VPN services (see link above) explicitly claim to never store logs.

I use VPNs for one main reason: so that my ISP does not build a complete profile of me based on the sites I&#x27;m visiting. This can be mitigated to a certain extent by using a VPN. I do not expect to become anonymous or invisible on the internet all of a sudden, I just do not want the guy listening next to my front door to know everything about me.<p>In the US, where personal data is a free-for-all and everybody and their dog sells data about me to everyone else, this is important.<p>I agree with the author that VPNs should not be advertised as a complete security and privacy solution, but I disagree with his statement that they can actually do more harm than good.

While there is plenty of nuance that VPN advertisements gloss over, this article is also simply verbose FUD. It shamelessly does the same exact thing that VPN ads do - attempt to replace one uninformed default option with another.<p>&gt; <i>The reality here is that your IP address is only a tiny piece of your trackable profile</i><p>Yes, a tiny piece you can never shake off <i>besides with a tunnel</i> (&quot;VPN&quot;). On this front, OP is effectively making the argument that surveillance by IP address is simply never done, even if all the other tracking signals are removed. This is doubtful.<p>&gt; <i>the location of a piece of large network equipment of your ISP, and not your location</i><p>Yeah which is still pretty damn indicative of <i>my location</i>, despite the &quot;streams coming together&quot; narrative. One less signal available to the surveillance advertisers is a good thing. One more feeling of &quot;otherness&quot; to an ad you&#x27;re being forced to see is a great thing.<p>&gt; <i>The only secured [encrypted] channel here is the route between your machine and the VPN server</i><p>Yes, simply hiding your traffic from your ISP is itself a huge win. They don&#x27;t spend millions on DPI gear without clear ROI.<p>Given that a vibrant market for VPNs provides for copious tunnel endpoints, and that common people imperfectly using VPNs still frustrates bad actors like banks and geofencers, I&#x27;ll forgive the messaging. They&#x27;re certainly more legitimate than pharmaceutical or political ads.

They are some valid points in the post, but ISPs collect and will market your data, including browsing data. They recently changed positions and claim they won’t anymore, but there’s no reason to trust them and they’re still using your data for targeted ads meaning they still retain the data.<p><a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;tech-policy&#x2F;2017&#x2F;03&#x2F;comcast-we-wont-sell-browser-history-and-you-can-opt-out-of-targeted-ads&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;tech-policy&#x2F;2017&#x2F;03&#x2F;comcast-we-wont-...</a>

All I know is that since I got a VPN my ISP no longer sends me letters warning me that I have 7 more warnings until I&#x27;ll be admonished for archiving movies.

&gt; Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.<p>Check out <a href="https:&#x2F;&#x2F;mullvad.net" rel="nofollow">https:&#x2F;&#x2F;mullvad.net</a> if you want a VPN that takes anonymity serious. They don&#x27;t even have real accounts, you just pay (preferably via BTC or even cash via postal mail) towards an account number that is also used as an identifier to authenticate towards the service. While there is no 100% guarantee, I would trust their claim that they do not log.

The article seems to talk about all kinds of things VPNs are <i>not</i> about, and criticises them for those, and give a thin touch, if any, to the actual reasons VPNs are useful and why they were designed in the first place. Weird.

Very misleading, factually wrong post.<p>&quot;Log in to your Facebook account. Connect VPN. Did Facebook forget who you are?&quot; He forgot step to open new private window to clear login cookie.<p>VPN is a must for everybody in there days of data harvesting. We will be sorry tomorrow, seeing many new ways it can be used by global corporations and governments.

This seems to be the YouTube video in question if anyone was curious<p><a href="https:&#x2F;&#x2F;youtu.be&#x2F;1PGm8LslEb4" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;1PGm8LslEb4</a>

&gt;In most circumstances, VPNs do absolutely nothing to enhance your data security or privacy.<p>&gt;Acting as they do, and promoting commercial VPN providers as a solution to potential issues does more harm than good.<p>I think this ignores the fact that some users have different threatmodels, sometimes the privacy threat model of a user does include their ISP for various reasons (think China).<p>&gt;<p>Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.<p>Depends on the VPN, some VPN providers actually don&#x27;t keep that kind of history or provide options to operate and pay an account anonymously.

Some of them are valid concerns.<p>But the article should have touched on _how_ one would actually achieve the privacy levels that the VPNs claims to offer. For example, using TOR rather than a VPN is a much better guarantee of privacy against IP based tracking (and what the draw-backs of TOR is - such as accidental real-ip leaks via javascript).<p>A lot of users simply trust the marketing of VPN providers - because it&#x27;s cheap, and it doesn&#x27;t look like it&#x27;d do harm. Like how multi-vitamin pills are marketed as a cheap silver bullet for a complicated problem.

What you really want for privacy &amp; anonymity are anonymizing proxies, which are not mutually inclusive with VPNs. Proxies work best at the app level, not network level. Proxies can also be located anywhere and hide your request origin, and your browser can even forward DNS requests through them. But to strip every inch of personal information out of HTTPS traffic you may need to accept a custom CA, which reduces your security. So use a VPN for security, and proxies for privacy &amp; anonymity.

The real problem with VPNs is that they are sold as a full privacy and security solution to people who don&#x27;t understand what&#x27;s going on technically.<p>There are some legitimate reasons to use a VPN. Those are far fewer than the marketing claims of those companies. What I&#x27;ve seen over time:<p>* hide your IP from the service you&#x27;re using (related to geoblocking)<p>* get around limitations of your ISP (blocked ports or throttling, torrenting)<p>* hide traffic&#x2F;service you use from your ISP&#x2F;government (China, UAE, Iran)<p>* get around bad routing of your ISP

I&#x27;m surprised he doesn&#x27;t mention torrenting directly. I have no stats to back this up, but I would assume the vast majority of people who get VPNs do so for torrenting. I agree that the current advertising riding the wave of the facebook hate&#x2F;privacy &quot;awareness&quot; is scummy, but nothing in the article seems to say VPNs aren&#x27;t effective from hiding your TPB traffic from your ISP, which if I had to guess is the real most popular use-case.

These past few months I have noticed several popular posts dissuading people from using VPNs. What do these people have to gain from people _not_ using VPNs?

Author has a computer science understanding of VPNs but is breathtakingly ignorant as to the actual use cases of commercial VPNs. They&#x27;re used for getting around geoocming and media throttling sure, but the biggest use is piracy.<p>Also, his disbelief of anonymous payment methods is incredibly stupid. I can walk into a store right now and get a prepaid visa using cash, no crypto currency shenanigans required.

The only way to get on a network is via an ISP or mobile provider and this step itself gives up your identity and credit card&#x2F;financial details and your browsing history, location data and other metadata is available to any state entity and the private surveillance economy. If you use a VPN you paid for that is the same thing.<p>There is no way to get absolute privacy in this context for the average user. Journalists and activists should be aware there is no technology solution to protect them from spying by any sufficiently committed actor, with state actors all bets are off.<p>It&#x27;s false self empowerment by some technical folks to presume there is a technical solution against state actors who are well staffed, have near endless resources and are working 24&#x2F;7 to thwart any localized technical solutions.<p>If there is a way to get online truly anonymously ie public wifi points, mesh networks these will immediately be subverted by state actors with things like illegal porn, terrorism and made illegal or compromised and used as honey pots. There is no winning here.

Regarding &quot;no logs&quot;, it is true that the VPN has to check if your account is valid, or maybe how many devices you can connect. But one thing is monitoring and another, different thing is to log that information.<p>Also, this doesn&#x27;t mean that the traffic or destination addresses are also logged at the VPN (the most important data).<p>But, is also true that you&#x27;ll never know.

Just a thought—Couldn’t there be a service In front of ~5-1,000 different vpn services that would locally (depending on your subscription level) send each request to a random list of vpn providers (like a random dns provider? Somewhat complicating&#x2F;obscuring the issue that arises with centralizing your traffic to single endpoint?

The main problem I have with all the VPN services I see springing up is that you’re basically paying to be man-in-the-middled.<p>I see people commenting ‘I use company X, they are great’ seemingly ignoring the fact that they have no real clue as to what Company X is <i>actually</i> doing.

It all comes down to this:<p>&gt; With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.<p>This is where a lot of people would disagree. A known, reputable, audited, privacy-focused vpn provider, for example, could be more trustworthy than an ISP.

Has anybody evaluated whole-network hardware filter+VPN solutions that filter cookies ( such as Winston <a href="https:&#x2F;&#x2F;winstonprivacy.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;winstonprivacy.com&#x2F;</a> ) in the context of this article? I was planning on testing Winston at some point at my home, but Winston requires a separated modem and router as opposed to the combo box I have.<p>I think the declarations in the article do confuse the issue a bit - some of the benefits of a VPN such protecting against DNS logging are real but are probably not as useful to VPN marketing people as a &quot;pitch&quot;, because they&#x27;re a bit tougher to explain to laypersons.

I still have a few questions after reading that text:<p>1) I&#x27;m not entirely convinced on the IP address tracking thing yet. Sure, you probably sit behind a NAT device on your home internet connection. But what about mobile? Are cellular networks NATed? Also, do trackers really not use IP addresses for tracking? It seems like a stable identifier as long as the &quot;victim&quot; is not obscuring it and as long as you can somehow link it to the victim&#x27;s next IP address (unless it&#x27;s static).<p>2) How are DNS queries not sensitive information? They tell what services you use on the web. It&#x27;s how you use the internet. I don&#x27;t really want any untrusted party to see that.

VPNs still give you some protection especially for illegal activities.<p>I was recently a victim of a password cracking attempt from someone using a vpn. I tried reporting the incident by sending the logs to the vpn abuse email, and they ignored it. I looked into VPN company itself, and it was owned by some Russian in Panama. I tried emailing a lawyer there and he said that he couldn&#x27;t help me because he did work for that person.<p>I have no doubt that most of the major vpn providers are similarly structured so that they can just ignore all complaints except from the largest corporations.

I got a question:<p>So lets say you visit a website p0rn.xxx without a VPN, but this target website indeed gets HTTPS version of encryption, in such case, does your ISP know which website u visit?<p>Another case, when you connect to a VPN, your ISP indeed know you connected to an IP right?<p>Any more similar cases to let me learn more about what data gets encrypted and whats not?

The reason people pay for these &quot;VPN services&quot; is trying to hide from the extortionists and even the law in some countries, when using BitTorrent to download the latest GoT episode?<p>All other problems aside, how successful defence against that is this? Article doesn&#x27;t adress that as far as I could see.

VPNs can certainly be useful to hide your identity from a specific host and probably to hide your browsing habits from your ISP but does probably nothing against the Government (ie: if the NSA logs all packets worldwide, it should be trivial to connect the dots). But I prefer to use tor in my case.

The short story about the green padlock stating your connection is ‘secure’ is also not true. It depends on the encryption type they use. I don’t have time to go in detail, though for outdated browsers ssl 3.0 is still stated as green...

People advertise these because of the nice kickbacks. They make good money and spend all day on social media downvote the truth and promoting VPN&#x27;s with the other paid affiliates pointing to random articles that cause fear.

I have kind of a lot of issues.<p>First, the downplaying of IP location lookups. If you do a lookup on my home IP address, it&#x27;ll get you within 5 miles of my house. From there, the only other information you need is my name and potentially one or two more details like a birthday (easy, I use my real name online) and you can get access to my voting data -- and that&#x27;ll give you an actual address, not just a zip code.<p>OP is correct that your IP address doesn&#x27;t directly leak your home address, but in many cases it can be a pretty helpful clue. In a small town, a zip code and a name can be good enough on its own for a stalker to find someone even without voting data or public records to pull from.<p>OP is also correct in that there are plenty of other ways to get this data, but I fail to see how opening yet another trivial hole in my identity helps with that.<p>Second, the downplaying of encryption concerns. We&#x27;ve come a long way on SSL, but it&#x27;s frankly irresponsible to say that users should just assume all of their browsing will automatically be covered, regardless of what the top sites are doing. I am primarily visiting tech sites nowadays and I <i>still</i> occasionally run into sites that aren&#x27;t encrypted. And that&#x27;s nothing to say to the fact that there are multiple ways of configuring SSL and not all of them are equally secure.<p>This is just in my browser, which punishes sites with insecure warnings if they&#x27;re not encrypted. How many native apps are sending unencrypted data given that there&#x27;s no punishment and that the user gets zero indication of the SSL status? We know from the IOT industry that a lot of these products and apps are regularly getting rushed out the door.<p>Of course, VPNs only encrypts the data between you and the provider. But we don&#x27;t live in a world where people are primarily using desktop computers. Most users are going to be on tablets, phones, and laptops, and they travel. And no, public networks are not the only risks -- even if a network forces you to put in a password you still don&#x27;t know how that network is configured, you still don&#x27;t know what vulnerabilities exist on it.<p>If you don&#x27;t know who set up the network, you should treat it as if any unencrypted data could be intercepted before it reaches the router. And you should be suspicious of the router&#x2F;provider itself, particularly if it&#x27;s wifi being offered by a store&#x2F;hotel&#x2F;airport, or other commercial entity.<p>And that leads to the final, big objection -- the idea that VPNs are harmful because all they do is shift the trust model. If you&#x27;re in the US, unless you are very, very lucky, you can not trust your ISP. Shifting the trust model is not a fatal flaw, it is literally the entire point.<p>Yes, needing to trust someone is not ideal. But my VPN provider has more of an incentive to take care of my data than my ISP does. If you&#x27;re using something like Proton or PIA, then I feel very confident saying that I trust both of them more than Verizon or Comcast.<p>So I agree that bulletproof claims that come from VPNs are often inaccurate. I agree that there are problems. I don&#x27;t see this article as any less sensationalist and inaccurate than the provider claims though. VPNs are just a kind crappy solution we&#x27;re stuck with, and absent everyone moving to Tor, I have yet to see anyone propose a better solution.

So if VPNs are basically no good for keeping yourself anonymous, how do you?<p>Or is the solution multifaceted and you should use a combo of VPN, don&#x27;t logon to services connected to first party data etc.?

I remember specifically the same video the author was talking about (<a href="http:&#x2F;&#x2F;youtu.be&#x2F;1PGm8LslEb4" rel="nofollow">http:&#x2F;&#x2F;youtu.be&#x2F;1PGm8LslEb4</a>), and I also cringed when Destin read the ad copy for ExpressVPN.<p>Commercial VPNs are the homeopathy of the Internet.<p>They&#x27;re selling snake oil. For all but the most impossibly pathological customer scenario, nothing that a commercial VPN can give you will actually protect you in any meaningful way. But they can hurt you. Since there&#x27;s no quality control of any sort, and since their customers are self-selecting for dangerous behavior, it&#x27;s a horrible environment to go mixing your traffic into.

Each time a podcast praises the credibility of a VPN sponsor, it reduces the credibility of the very show in my mind.

What VPN provider would you guys recommend?

Lethean VPN is the answer to that question... as there is no credit card, just pay with cryptocoins ;)

Great article for bringing across the basics and I do wholeheartedly agree that just because a VPN promises to do X it doesn’t necessarily have to do that and that the advertising is sometimes deceiving, but I don’t agree with everything OP said.<p>&gt; in theory, your ISP could keep a list of all domains you requested and based on that, they would have a pretty good understanding of what you were doing online<p>I would argue that this is not theory but reality. In the EU you have the Data Retention Directive forcing telecoms to store metadata for a period of between 6 months and 2 years for example. [1]<p>&gt; With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.<p>I know this article is about commercial VPN’s but what if I run my own VPN? Then I do gain some privacy. I’m not saying to use a self hosted VPN and you’re good to go; a VPN in my opinion is a vital part to improve privacy but it’s just that, a single part.<p>&gt; what is your reasoning behind trusting an anonymous company [..] more than you trust your ISP, which is a big company with [..] something to lose?<p>I’d argue that a VPN, even a commercial one is more trustworthy than my ISP, who doesn’t need to care if I trust them. It’s in the interest of my VPN to protect&#x2F;delete my data if they say they do so. My ISP does not make that promise, quite the contrary actually.<p>&gt; if you pay for a VPN service, [..] your VPN account will be linked to your actual identity<p>It’s entirely possible to pay for a commercial VPN anonymously, Mullvad for example offers the option of paying via cash that you physically mail them. [2] Many offer payment with crypto currencies.<p>&gt; Large commercial VPNs [..] make governmental surveillance easier.<p>That’s not true and it’s what bothers me the most about this article. Why wouldn’t my government just get the data from my ISP? There are far less ISP’s than there are VPN’s. In Germany for example Telekom alone had around 18 Million customers in 2017 and Vodafone had another 10 Million. I’d assume strongly that you’d have to get to a lot of VPN providers to reach nearly 20 Million people. Personally I just assume that every request I make with my ISP’s DNS is known to my government.<p>Another thing: a VPN can protect it’s user. In Germany for example it should be expected that when you torrent copyrighted content, like a movie, you’ll get a letter from a law agency like “Waldorf Frommer”. Those law agencies only purpose is to go after copyright infringement by connecting to the torrent swarm and logging IP’s. They then ask your ISP to hand over your address and a week later they’ll send you a letter asking for fines in the realm of €1k. [3] They sometimes go to court to collect those fines. Regardless of how you might feel about copyright infringement that is a valid use case where a VPN will protect it’s user.<p>[1] - <a href="https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Data_retention" rel="nofollow">https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Data_retention</a><p>[2] - <a href="https:&#x2F;&#x2F;mullvad.net&#x2F;en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;mullvad.net&#x2F;en&#x2F;</a><p>[3] - <a href="https:&#x2F;&#x2F;www.heise.de&#x2F;ct&#x2F;artikel&#x2F;Ignorance-isn-t-Bliss-Rights-Holders-Threatening-Lawsuits-against-Refugees-in-Germany-3127309.html" rel="nofollow">https:&#x2F;&#x2F;www.heise.de&#x2F;ct&#x2F;artikel&#x2F;Ignorance-isn-t-Bliss-Rights...</a>

Run PiVPN on an t2.nano on AWS. Takes 15 minutes to set up. $5 &#x2F; month for the instance and 9 cents &#x2F; GB. Turn off logging. Will cost you a bit more than real VPN services but is completely private.

Likewise, if you&#x27;re &quot;tired of getting your passwords stolen&quot; sign up for XYZ where all your passwords are stored on their servers!

just a small correction: it&#x27;s Wikipedia that&#x27;s blocked in Turkey, not YouTube (anymore).

A charming piece of evidence for the IP addresses aren&#x27;t actually all that useful for tracking point is just how easy it is to evade volume-limitation paywalls on sites like medium: open a clean browser, oh hey, the website has no idea I&#x27;ve already read 3 of your crappy clickbait articles this month! Clearly wouldn&#x27;t work if they bothered to keep track of IP addresses in addition to cookies or whatever.

Any claim reg anonymity is hard to uphold. The tor project makes it clear that using tor-as-a-proxy is suicide for anonymity [0], so there&#x27;s nothing VPNs could do that tor doesn&#x27;t do better. Also, anything stupid one might do at the application layer can absolutely make tor useless in protecting your identity let alone the VPNs (like updating OS over tor, or accessing email, WebRTC apps and the like). So, the author is right on all accounts, but one needs VPN for similar reason one needs IPSec <i>and</i> TLS-- there are multiple levels to it.<p>Here&#x27;s why I think using a VPN makes sense:<p>1. ISPs cannot track and mitm you. ISPs have MiTMd https [1].<p>2. Circumvent censorship, esp DNS manipulation attacks.<p>3. Prevent use profiling: traffic meta-data analysis (what IPs you connect to, what protocols you&#x27;re using and so on) [2].<p>4. A lot of propaganda is targeted at a demography in a particular location. Tunneling traffic through a VPN might mask your location unless the app or website had access to it prior, and fingerprinted you already [3].<p>Sophisticated actors can still do all of the above VPNs or not.<p>The trackers have it too easy and use IP addresses as a signal. Masking IP address is one signal less. Then, up the stack at the application layer, it&#x27;s up to the end user to make saner choices. That isn&#x27;t on a VPN provider or Tor.<p>VPNs could def do better:<p>1. Firewall known trackers server-side. Similar to how how browsers today block known rouge websites that have been caught phishing or spreading malware.<p>2. Stripe traffic over multiple exit IPs. Much like Firefox&#x27;s multi-account containers.<p>3. Let the end user analyse their traffic client-side, and help them take control over what the client should send and not send.<p>4. Open-source their stack, and provide ability to inspect what&#x27;s running on the servers.<p>5. Provide technically better internet experience by accelerating traffic over uncongested paths, provide better connectivity over lossy networks [4][5].<p>If VPNs aren&#x27;t improving the experience and if IP masking is all you need, then remember, Tor is free [6], and is pretty decent in terms of speed and latency these days.<p>--<p>[0] <a href="https:&#x2F;&#x2F;trac.torproject.org&#x2F;projects&#x2F;tor&#x2F;wiki&#x2F;doc&#x2F;TransparentProxyLeaks" rel="nofollow">https:&#x2F;&#x2F;trac.torproject.org&#x2F;projects&#x2F;tor&#x2F;wiki&#x2F;doc&#x2F;Transparen...</a><p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=495830" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=495830</a><p>[2] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11278784" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11278784</a><p>[3] <a href="https:&#x2F;&#x2F;panopticlick.eff.org" rel="nofollow">https:&#x2F;&#x2F;panopticlick.eff.org</a><p>[4] <a href="https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;1111-warp-better-vpn&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;1111-warp-better-vpn&#x2F;</a><p>[5] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19543085" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19543085</a><p>[6] <a href="https:&#x2F;&#x2F;guardianproject.info&#x2F;apps&#x2F;orbot&#x2F;" rel="nofollow">https:&#x2F;&#x2F;guardianproject.info&#x2F;apps&#x2F;orbot&#x2F;</a>

&gt; “Your IP is used for tracking and leaks private information. You should hide it.”<p>There is a lot of marketing, agreed. However, those messages do serve a purpose - they make it clear you configured that particular VPN correctly and that it works.<p>&gt; IP addresses for user identification<p>Yes, there are more factors than just IP. Clear cookies, use uBlock Origin and HTTPS Everywhere, and know you can be tracked anyways, especially if you log in to the sites you have ever used without a VPN. For stronger privacy protections, use Tor Browser over Tor - Tor is better in terms of privacy, but due to Tor being heavily abused, a lot of services outright block Tor IPs or put you into reCAPTCHA hell, so it&#x27;s not really suitable for day-to-day browsing, unlike a VPN you can set up and leave it turned on all the time.<p>&gt; Location leaking<p>It&#x27;s not always the case that the IP provides inaccurate information. Out of curiosity, I disabled the VPN, and went to <a href="https:&#x2F;&#x2F;www.privateinternetaccess.com&#x2F;pages&#x2F;whats-my-ip&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.privateinternetaccess.com&#x2F;pages&#x2F;whats-my-ip&#x2F;</a>. The guessed location was within 120 meters of an actual location, on the same street, in a big city. Sure, it doesn&#x27;t point to an actual building, but it is dangerously close.<p>Just to be clear here, I don&#x27;t use PIA as my VPN, they have a good demonstration of an issue however.<p>&gt; “Network Encryption”<p>This is accurate. Part of why having HTTPS everywhere improves the security. Keep in mind however that SNI and the IP you are connecting to is not encrypted. This may change however soon (while you cannot really &quot;encrypt&quot; IP, a lot of websites are using services like Cloudflare, essentially preventing anyone on a path from guessing the website you are connecting to).<p>&gt; What about “DNS leakage”?<p>The thing about DNS is that if you are using your ISP DNS while using a VPN, you are leaking an information about your ISP. To prevent DNS leaks, you should be using a DNS provider not provided by your ISP, and if you don&#x27;t have any idea which DNS to pick, many VPNs provide their own DNS.<p>&gt; The “no logs” thing<p>The article is arguing that paying with a payment card will leak your identity. This is true. Pay with cash, gift cards, or cryptocurrency (although this is a complicated subject, Bitcoin is tricky to pay privately with, I use Monero myself for VPN payments).<p>About logging, this is a complicated subject. The answer is: you have to trust the VPN. Read the privacy policy to tell how serious they are about &quot;not logging anything&quot;. Generally, avoid any VPN that over-promises what it can do, a VPN is not &quot;100% effective&quot; whatever that means. Look out for conflicting messages in privacy policy, anything that goes &quot;we don&#x27;t log&quot; and then later &quot;except we log&quot; should be avoided.<p>As for trusting your ISP - look, most ISPs don&#x27;t promise &quot;not logging&quot;, and in fact, where I live, they have an obligation to log.<p>In the end, don&#x27;t rely on &quot;no log&quot; policy. It should be here, but assume the VPN is actually logging.<p>&gt; Using a VPN does not make you anonymous.<p>Yes. If you violate the law, unless you are really careful, the law enforcement will find you. The police may be able to ask Google to provide details of an e-mail account using this IP address (from your VPN). VPN will however protect you people finding your IP address, contacting your ISP claiming to be a copyright owner needing user&#x27;s details for a lawsuit - most ISPs will just give the details with this simple attack, and it doesn&#x27;t matter whether you have downloaded or not, &quot;no logs&quot; VPNs won&#x27;t.<p>In short, a VPN won&#x27;t magically protect your address if you send it over the Internet. It cannot do that.<p>&gt; Security issues in VPNs and their clients<p>Yes. All software can have vulnerabilities, this is nothing new. To improve your security, don&#x27;t use the official VPN client but use an OpenVPN&#x2F;WireGuard configuration file - if a VPN doesn&#x27;t provide it, then don&#x27;t use it.<p>&gt; VPNs are a central point for attackers<p>So is your ISP. All software can have vulnerabilities.

aside: bandwidth is super expensive in all cloud services, how do VPN make money?