When, and when not, to use a VPN

“Do I need a VPN?”

That question frequently raises itself for those seeking privacy in a dangerous world.

VPN stands for “virtual-private network,” and refers to a secure tunnel between a source and a privileged destination. At its core, it's just a private network that sits on top of the public internet.

The source can be anything from a wandering individual user on a laptop, or another location, with both being physically separated with only internet access in common.

The destination is often a distinct location with data that is deemed secure and requires privileged access. A VPN provides a secure tunnel over the internet placing the remote source on that destination network.

That is the standard and original scenario for employing VPNs. But then there's the old story line of how a technology tool utilized for one purpose morphs into another role. VPNs are one of those tools.

For some VPNs are a way to bypass internet censorship, whether conducted by a corporate network or by a nation state.

Others use VPNs to mask their geographical location for streaming services.

VPNs are also used in an attempt to hide a user on the internet from various adversaries, including nation states and even from the wider array of internet tracking and surveillance mechanisms. Public VPN services often market themselves as critical privacy and anonymity tools in that context, and it's worth addressing why they are an ineffective and even a dangerous tool for such purposes.

A public VPN service allows a user to connect to their servers, then seamlessly access the internet as if the user is coming from that provider's network. There are usual claims about the VPN provider not keeping logs, and providing a secure gateway that hides the user's real identity.

But the problems in such a scenario are numerous.

First, there is no way to verify any claims from these services. What is verifiable is that many VPN services claim to not log, but then when push comes to shove, they do end up logging. This could be apparent from statements in their privacy policies, but also when one of them faces a data breach or a request from a legal authority.

There are even cases in which VPN providers have been known to actually market their customers' allegedly anonymized web site traffic.

Second, VPN service providers present a tantalizing target for hostile third parties. Think about it: a VPN service's customers are a highly qualified target audience. They aren't just normal internet users. They are internet users with something to hide. That increases the value of compromising a VPN service for a whole assortment of adversaries.

That of course also makes it hard for the VPN provider not to monetize their customers' web browsing data.

Think it’s unlikely? Hal Roberts of the Berkman Center for Internet & Society’s blog post from 2009 might be dated, but the contents are nonperishable. There are numerous internet posts about VPN providers selling their users’ web surfing activities, but it’s normally difficult to determine. The point is that they can do it, and you wouldn’t even know.

That’s a -1 score when it comes to “privacy by design” rating.

A well-resourced adversary like a nation state might censor their users or just monitor them, and sometimes both. But a more sophisticated adversary would probably dump a lot of resources into creating VPN providers. They might promote themselves as useful tools to bypass that nation state's censorship and surveillance, and might even gain a reputation as being effective while other services and tools fail. That nation state would then be able to collect and monitor the traffic of their targeted dissidents in a few nice containers, and might even maintain a profitable business in the meantime.

Users seeking to avoid censorship, or to cover their online tracks are better off investigating an open-source projects like Tor, which provides an easy to download and use customized browser with internet privacy and anonymity front and center to the design. Full disclosure: I’ve been contributing to the Tor Project for a very long time on multiple levels. I got involved since I firmly believe it’s the best option mitigating online surveillance.

Regardless of those scenarios when VPNs are inappropriate solutions, it remains a common and useful tool in an array of contexts.

A good case in point was some 15 years ago, a US government agency published its approach to secure cell phone infrastructures for its staff. At that point, few were concerned with cell phone security, and generally trusted that cell phones networks were secure and that the providers were somehow above reproach.

The core tool in this government agency phone customization was a VPN that would route all communications between the phone and the agency's data center infrastructures, in an attempt to avoid surveillance from the cell network providers and any other network-based adversary. It was a novel idea then, and is worth considering today.

Like all technology tools, VPNs can be effective if used in the right way, or can be disastrous. Organizations might provide VPNs to their members as secure access to network resources, or even to bypass censorship and surveillance in other contexts. More technical users might use VPNs to hide their own traffic from their internet service provider with a VPN infrastructure they themselves build and maintain.

But believing that VPNs are a simple solution to internet censorship and surveillance is often ineffective, and in many cases, puts ordinary users into precarious territory.

George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives in creating unorthodox solutions to ordinary problems.