
Why a VPN isn't enough to protect your privacy

One of the things we hear most frequently is "I have a VPN. I'm anonymous."

It may be startling to hear, but that's not true. Not by a long shot.

To learn why, consider that there are three broad methods that hackers, corporations and other spies can use to obtain your personal information:

  1. Eavesdropping on your internet connection
  2. Gaining access to your computers and home network
  3. Collecting data from the websites you visit

Spying on your Internet Connection

If an attacker can gain access to your internet connection, they can collect metadata that tells them a lot about you. From this data, they can infer your interests, income, hobbies, the number and types of devices you own, the websites you visit and more. Collectively, this data can be used to produce an impressive personal profile about you (are you a gambler? Do you drink too much?). At worst, an attacker can intercept unencrypted account information and take over your identity.

This is one of the attacks you are exposed to when you connect to public Wi-Fi at a coffee shop or airport. But ISPs and cellular carriers also collect this information about you, and with the fall of net neutrality, they will be selling it very soon.

A VPN is ideal for reducing this threat, so let's move on to the others.

Gaining Access to your Computers and Home Network

Any software installed on your PC can potentially see what you are up to and transmit that information to third parties. In fact, if you use Chrome as your browser, Google does this exact thing when they transmit your browsing history to the cloud. Same with many other popular browsers. Once there, it is permanently stored to be used in any way they see fit, now or in the future.

When your antivirus software scans the URLs you go to, it is also collecting that data and selling it to advertising companies.

Your cellphone isn't safe either. A 2013 study showed that over 80% of the top iOS and Android apps were leaking personal data. And haven't you ever wondered why Google invested so much money in Android, just to practically give it away? It's because your data is so valuable that they have spent billions building and maintaining a "walled garden" just so they can collect it.

As we head into the "Internet of Things" (IoT) era, we should become increasingly alarmed about the potential for any of the numerous devices on our home networks to act as security back doors, as well as the possibility that they may even be overtly spying on us.

It isn't possible to use a VPN with most of your devices. And even for those devices which do allow you to use it, this doesn't prevent apps from accessing personal data nor does it prevent the device from bypassing the encrypted connection. For instance, your Intel computer is likely running Minix, a secret operating system with full access to your files and network that you have no control over. And for years, Google Chrome has been using a protocol called QUIC which bypasses firewalls and other security gateways, giving them unfettered access to your browsing history.

VPNs can't prevent this kind of privacy attack. Once something is running on your computer or home network, it can usually communicate freely with the outside world.

Collecting data from the websites you visit

It is a well-known fact that many websites sell their usage data. It is not so well known how promiscuously this data is shared throughout the advertising ecosystem. The songs you listen to on Spotify, the searches you conduct on Google, the items you buy on Amazon... all of it is for sale.

This data is aggregated into clumsy and insecure databases known as "DMPs" and tied to you through your unique audience identifier, a kind of digital social security number that you aren't allowed to access.

If you log in to these sites, you typically agree to allow them to do whatever they want with your data. However, even sites that you don't typically log in to, such as entertainment sites, newspapers and blogs, also uniquely identify you using a variety of methods, such as cookies or browser fingerprinting.

Have you searched for anything related to medical symptoms? Your insurance company is willing to pay to find out.

VPNs can't protect you against this form of data collection, because these sites' code is allowed to enter your network and run (almost) without any limits. Using these methods, it is relatively easy to identify an individual even though they are using a VPN.
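To make the point above concrete, here is an added example (not code from this article or from any product it mentions) showing what a VPN does and does not change in what a site records. The field names, the sample visits and the `fingerprint` and `link_visits` helpers are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Attributes a site's script can read from the browser itself.
# None of them depend on the IP address, so a VPN leaves them unchanged.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "language", "fonts")


def fingerprint(visit):
    """Hash the browser-reported attributes into a short stable identifier."""
    material = "\x1f".join(str(visit[f]) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def link_visits(visits):
    """Group visits by fingerprint; return those seen from more than one IP."""
    groups = defaultdict(set)
    for v in visits:
        groups[fingerprint(v)].add(v["ip"])
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) > 1}


# Constructed sample data: two browsers, documentation-range IP addresses.
BROWSER_A = {
    "user_agent": "ExampleBrowser/1.0 (X11; Linux x86_64)",
    "screen": "2560x1440x24",
    "timezone": "America/Chicago",
    "language": "en-US",
    "fonts": ("DejaVu Sans", "Fira Code", "Noto Serif"),
}
BROWSER_B = dict(BROWSER_A, screen="1366x768x24", timezone="Europe/Berlin")

VISITS = [
    {**BROWSER_A, "ip": "203.0.113.10", "cookie": "c1"},   # home connection
    {**BROWSER_A, "ip": "198.51.100.77", "cookie": None},  # VPN on, cookies cleared
    {**BROWSER_B, "ip": "198.51.100.77", "cookie": None},  # other user, same VPN exit
]

if __name__ == "__main__":
    for fp, ips in link_visits(VISITS).items():
        print(f"fingerprint {fp} seen from {ips}")
```

The first two visits collapse into one fingerprint even though the IP address changed and the cookie was cleared, while the second user sharing the VPN exit address stays distinct.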

What's The Solution?

VPNs are useful for cloaking your IP address and are often ideal for file sharing services or accessing geographically limited content.

But for everyday internet use, you need something different:

  • You need to protect all of your devices and applications... even hidden ones you may not know about
  • You need to encrypt your DNS
  • You need to block application layer tracking technologies (cookies, browser fingerprinting, etc)
  • You need to block tracking and advertising services at the network layer

Furthermore, these things matter a great deal for most people:

  • It shouldn't break streaming or gaming
  • It should be fast
  • It should just work without too much tweaking

A smart hardware device is called for. Because if all outbound internet traffic is forced to go through a single point, then even apps running secretly on your network can be stopped from transmitting data to the outside world.

Similarly, by monitoring all inbound traffic, we can stop corporations and hackers from transmitting code to our devices and spying on us, consuming bandwidth and slowing down our computers.

Winston was built as a new type of security device, one which combines a firewall, IP cloaking and much more to eliminate as much bloat and data collection as possible.