Why a VPN isn't enough to protect your privacy

One of the things we hear most frequently is "I have a VPN. I'm anonymous."

It may be startling to hear but that's not true. Not by a long shot.

To learn why, consider that there are three broad methods which hackers, corporations and other spies can use to obtain your personal information:

1. Eavesdropping on your internet connection
2. Gaining access to your computers and home network
3. Collecting data from the websites you visit

Attack #1: Eavesdropping on your Internet Connection

If an attacker can gain access to your internet connection, they can collect metadata which tells them a lot about you. From this data, they can infer your interests, income, hobbies, the number and types of devices you own, the websites you visit and more. Collectively, this data can be used to produce an impressive personal profile about you (are you a gambler? Do you drink too much?). At worst, an attacker can intercept unencrypted account information and take over your identity.

This is one of the the types of attack that you will be subjected to if you connect to public wifi at a coffee shop or the airport. But ISP and cellular carriers also collect this information about you and with the fall of net neutrality, they will be selling it very soon.

A VPN is ideal for reducing this threat so let's move on to the others.

Attack #2: Gain Access to your Computers and Home Network

Any software installed on your PC can potentially see what you are up to and transmit that information to third parties. In fact, if you use Chrome as your browser (or many other popular browsers), Google does this exact thing when they transmit your browsing history to the cloud. Once there, it is permanently stored to be used in any way they see fit, now or in the future.

When your antivirus software scans the URLs you go to, they are also collecting that data and selling it to advertising companies.

Your cellphone isn't safe either. A 2013 study showed that over 80% of the top iOS and Android apps were leaking personal data. And haven't you ever wondered why Google invested so much money in Android, just to practically give it away? It's because your data is so valuable, that they have spent billions building and maintaining a "walled garden" just so they can collect it.

As we head into the "Internet of Things" (IoT) era, we should become increasingly alarmed about the potential for any of the numerous devices on our home networks to act as security back doors as well the possibility that they may even be overtly spying on us.

It isn't possible to use a VPN with most of your devices. And even for those devices which do allow you to use it, this doesn't prevent apps from accessing personal data nor does it prevent the device from bypassing the encrypted connection. For instance, your Intel computer is likely running Minix, a secret operating system with full access to your files and network that you have no control over. And for years, Google Chrome has been using a protocol called QUIC which bypasses firewalls and other security gateways, giving them unfettered access to your browsing history.

So a VPN is useless for preventing this kind of privacy attack. Once something is running on your computer or home network, it can usually communicate freely with the outside world.

Attack #3: Collecting data from the websites you visit

It is a well known fact that many websites sell their usage data. It is not so well known how promiscuously this data is shared throughout the advertising ecosystem.The songs you listen to on Spotify, the searches you conduct on Google, the items you buy on Amazon... all of it is for sale.

This data is aggregated into clumsy and insecure databases known as "DMPs" and tied to you through your unique audience identifier, a kind of digital social security number that you aren't allowed to access.

If you login to these sites, you typically agree to allow them to do whatever they want with your data. However, even sites that you don't typically log in to, such as entertainment sites, newspapers and blogs also uniquely identify you using a variety of methods, such as cookies or browser fingerprinting.

Have you searched for anything related to medical symptoms? Your insurance company is willing to pay to find out.

A VPN does nothing to protect you against this form of nonconsensual data collection, because their code is allowed to enter your network and run (almost) without any limits. Using these methods, it is relatively easy to identify an individual even though they are using a VPN.

What's The Solution?

So as we've seen, VPNs are a good first step, but there is only one way to stop unwanted digital surveillance: you must control the single point of access to your home network.

If all outbound internet traffic is forced to go through a single point, then even apps running secretly on your network can be stopped from transmitting data to the outside world.

Similarly, by monitoring all inbound traffic, we can stop corporations and hackers from transmitting code to our devices and spying on us, consuming bandwidth and slowing down our computers.

Winston was built as new type of security device, one which combines a firewall, antivirus, VPN and much more to eliminate as much nonconsensual data collection as possible.