"What do you have to say about disinformation and myths about VPNs?" That question comes up a lot, when we talk about how Winston Privacy protects you compared to VPNs.
We recorded this relevant conversation with Richard Stokes, Winston Privacy's founder, after we prompted him with a simple question.
The #1 misconception I encounter — and it's a big problem — is the idea that a VPN will protect your privacy. Massive misunderstandings concerning that.
#2? The notion that VPNs don't do logging. It's a common misconception that if you use a VPN, your information isn't logged. That's false.
Those 2 are the big ones.
Of the two, the first one is bigger. Will a VPN protect your privacy? All a VPN does is encrypt a connection between a device and an endpoint. That's something, but that's not privacy protection, and certainly it's not complete privacy protection.
You get an encrypted connection between device and endpoint with a VPN, but at that endpoint, all kinds of forces are still capable of doing nefarious things, making you and your data part of the surveillance economy.
Imagine it this way. With a VPN, you've got this connection or link, and it's from you to Facebook on the other side, and it's a mile long, and the VPN encases 50 feet at some point in the middle.
It doesn't protect what's happening on the the other end. They're still tracking you. It doesn't protect you from what they do with the data they track, either.
It's a limited security solution, not a privacy solution.
I'll add this thought. It's a limited security solution — for working at a hotel or at a Starbucks. It's smart for public hotspots. It protects your internet connection at that point. A VPN is a solution to a different problem, not privacy, not as it's talked about in the age of personal data surveillance. A VPN solves a very specific problem. But if you're using apps or a browser, you're still getting tracked all over the place. You're just sending your personal data (mostly unknowingly) through an encrypted funnel.
It's bordering on a boldface lie to say a VPN offers anonymity. It's not a significant privacy solution. It's certainly not a complete privacy solution.
You're on a VPN for privacy reasons? Well, you're not private. You're exposed. If you're seeing ads, you're being tracked. You're not private — you're logged.
Issue 2: VPNs and Logging
The second piece I'd point to concerns logging. When it comes to VPNs, logging is more complicated than people would guess.
You have to think about how the economy around a VPN works.
Public VPNs are cloud-based. A cloud provider is involved, and that cloud provider logs all the traffic. It's a particularly rich, dense source of data to log, actually.
Where is that VPN, really? Is that VPN is on Rackspace or Amazon or Google? If so, you can be sure someone is logging that data.
That's the nature of the beast, because VPNs are centralized. They're ripe targets.
There's no way to avoid that information from being recorded permanently.
There are other dimensions that people don't think about. You have to be concerned about the future as well. Forward secrecy. Dragnet surveillance gathers and grabs data, even if it's encrypted, so that they can decrypt it later, when computers get faster or technology changes in another way.
The only true way to prevent future problems is to take steps from having that data collected in the first place — for a VPN, you can be almost certain your data is going to be collected.
Free VPNs are the absolute worst. If the product is free, then you're the product. VPNs cost money to run. You have to pay for bandwidth, and these VPNs are not charities. So the question is: how do they make their money?
Logging and selling that data to advertisers — that's how. I know. I know because I used to be on the other side of the transaction, buying that data, before it got to a point where I didn't feel comfortable.
In a household, a VPN is a particularly great way to log data. A VPN is the single best way to record data in a house. All the different devices and laptops can be accurately correlated. So, if you actively want to be tracked, using a free VPN is probably the single best way to do it, ironically.
Install that free VPN, and you've opened yourself up. A large group of computers can see what you're doing — and even install spyware through a backdoor. That's unlikely to happen with a paid VPN but more likely to happen with a free one. Installing software on your computers, software that VPNs are paid to install on behalf of third parties, is another way VPNs make money.
Hijacking purchases, like for Amazon affiliate money, is yet another way they make money. There are FTC briefings about ads being swapped out by VPNs. One reason to do that is to show an ad that includes an Amazon affiliate link, so they can get credit for the sale.
Also: Concern about Foreign VPNs
Here's a bonus third disinformation concern, beyond those first two issues.
Some peopel think that if you use a foreign VPN, one that is outside the reach of the US government, you're safe.
No. There's an intelligence alliance arrangement known as Five Eyes, in which governments have agreed to share surveillance data openly. Involve one of those countries, and you're still being tracked. There's reciprocity of surveillance.
What if your data is not in one of those countries?
That's where the CLOUD Act enters — if you're using a VPN outside of the US, the US government and foreign governments now have the right to get at those data logs. Any data that's over the US border is being logged, and you can presume it's being analyzed, or it will be.
Plus: Approach Centralized Servers with Caution
In general, there's a lot of confusion about surveillance in this context. Any site you're visiting is still collecting data on you, even if you're encrypted. Just because you encrypted how you send the traffic doesn't stop that collection of data. If you're visiting a site that is recording information about you, it doesn't matter what path the data took to get there.
There's an ad that says: "Picture it like a private room that you can do everything you'd typically do, like pay bills, answer emails, and shop, but you and everything you touch is invisible while you're doing it." It is invisible to those who are spying on your local internet connection. And hackers do try to compromise your local connection, like at a cafe or a hotel, or even at home, so that is a useful fix. If you're visiting a site that is recording information about you that shouldn't be, though, that tracking is not stopped.
As you secure that local connection, you especially have to do it with a VPN you trust. You are opening yourself up to anyone who is using that VPN with you, because what you've done is make a direct private connection to a central server, and you're now being pooled with other people. More people are going to be sharing that same direct connection to you, and those people have direct access to you, in that they have bypassed your firewall and your router and your usual defenses. That itself is a vulnerability introduced.
When I worked at a large corporation, one infected computer on a VPN took down a great many more, because the VPN bypassed the firewall. It happens. It's like you're swapping blood with people you don't know. Scary. It's like you've extended your network from being just your house to potentially thousands of other people you don't know. You have to do that carefully.
The Hidden Conversation: Why People Hate VPNs
Here's another point worth making.
This isn't disinformation, but it's related because it's something VPNs don't want to talk about. "VPNs just suck" is the headline for this. And here's why they suck, in real terms.
- They go down all the time. The connection breaks. There are practical reasons why that happens, and it happens a lot. Suddenly you're now unencrypted. And it takes 2 minutes to reconnect or doesn't connect at all. That's a familiar story to anyone using a VPN regularly. By the way, that's how you know you're sharing a network with lots of other people — the network is starved for resources, and that's why it shuts down.
- You get blocked a lot. All these guys running VPNS are using the same cloud resources. For instance, sites such as nytimes.com and Netflix know if they see a VPN, something is up. So you get blocked, and...
- ...now you have to choose. If you want to watch the game on Sunday night and work, well, you can't do work if you are streaming at the same time. You have to make hard choices.
- They're slow. They are like molasses, and you wait 30 seconds to a minute to get a webpage to load. That's exaggerated, by the way, by all the code doing the tracking that's bloating the website, and VPNs do nothing about that.
People complain about VPNs all the time. On a practical level, they're not a joy to use. I have never talked to one person who told me they enjoy using a VPN. They generally dislike it. It's a bad experience.
The Good Side of VPNs
We can talk about the opposite, too.
When can VPNs be good?
Have your own personal VPN server, and use it when you're away from home. That's a good use case. That's a good tie in because that's how we get around the common VPN problems with Winston. We're running hardware in your house. As a result, you get your own private VPN. We're taking the best part of VPN tech, and we're using it the way we think it should be used: take a small number of trusted devices and connect to a private network. One that doesn't leave you open and exposed the way a VPN commonly does. You have your own VPN? Well, then you know what it's doing. You have a commercial VPN? You have no idea what the VPN is doing.
I should say again: VPNs are good security tools when you're using an internet connection outside your house, to stop you from being compromised at the point of connection.
The Elephant in the Room: VPNs & Piracy
The elephant in the room? Pirating movies and stealing content. Yes. VPNs are generally are good for that. You're paying the VPNs a few bucks to be a legal shield for you. You're cloaked and encrypted and VPNs act as your shield in that case. They're not doing anything about the surveillance economy.
Given that, VPNs can't come out and say what they're used for.
So VPNs have to talk about something, and that's how a lot of this disinformation starts. VPNs can't acknowledge they're used for piracy, and they have to talk about something, so they talk about a mix of privacy and security. They talk a lot about privacy. Yes, they secure your local connection and encrypt your data. They don't protect your privacy from the surveillance economy and its dangers. VPNs do nothing to anonymize you in that regard. Nothing.