VPNs, or virtual private networks, have been a buzzword for the last few years. In fact, only a month ago, the well-known VPN provider ExpressVPN was purchased for 1 billion US dollars – one of the biggest deals in cybersecurity history. Now the owner, Kape Technologies plc, is the biggest “privacy” company in the world, on its way to being a monopoly.
However, whilst Kape now owns several major VPN providers, plenty of less famous ones are still active on the market. So it’s no surprise that consumers are overwhelmed with the number of options when it comes to VPNs. But what problems are they actually looking to solve with a VPN? And how truthful are the promises that VPN companies make to their users?
Expert Tom Scott dives deeply into this in his video below. I tried to do the same, with the help of his video, and here’s what I found:
What VPN customers want
When most people hear about a VPN, they visualize a tunnel that conceals your Internet traffic that would otherwise be exposed to everyone who wants to see it – be it a government, your ISP, or a hacker.
A lot of VPN customers want this level of privacy – whether because they’re living in a country with restricted freedoms, want to be safe from hackers, or for more nefarious reasons. Others want to use a VPN to unblock streaming platforms like Netflix or BBC iPlayer to watch content that’s unavailable in their home countries. However, that might be illegal as well, depending on where you live. There are also some people who travel a lot and want to make sure that:
- Their data is protected when they connect to public Wi-Fi in airports.
- They can access content from their home country whilst abroad.
What VPN companies promise
In the simplest terms, customers’ expectations overlap with what VPNs promise them. A (functioning) consumer VPN supposedly creates an encrypted tunnel around your data, encapsulates it so that it gets there without leaks, hides your IP address by substituting it with one of its own, and sends your traffic to a server in the country of your choosing before passing it on to your destination.
As a result, any website you visit is invisible to whoever is watching, and your real location is obfuscated. At least, that’s what consumer VPNs claim to offer. In order to achieve that, they often promise these VPN features, as confirmed by Tom in the video:
- No-logging policies (sometimes audited independently)
- An encrypted tunnel that “protects people from stealing your passwords”
- Military-grade encryption
- Concealment of your Internet activities from your ISP
- Connection to streaming services around the world
What these promises really mean
No logging policies
Many VPNs claim to have “no-logging policies,” which they define as keeping no logs of customers’ activity on the Internet. That means that they shouldn’t have records of what web pages the customers visit, what IP addresses they used, where they connected from, and the time and date of connection. If VPNs don’t keep logs, they have no information to give to the authorities or advertisers (many free VPNs keep logs because they make money from adverts, which effectively renders them worthless for many use cases).
Usually, this is specified in VPNs’ terms of use or privacy policies. And some of these policies have even been audited by third parties like PwC. I have a copy of a well-known provider’s audit report from 2019 (that I cannot share for legal reasons), and it does confirm that “the <…> service is suitably designed and implemented in relation to their privacy policy as of May 2019”. So, these claims by VPN providers are technically correct, even though they hinge on how much users trust them and the auditors.

However, as Tom confirms, in real life, it often means that such VPNs can be used for illegal things. And whilst some providers’ terms of use do state that by using this VPN, users confirm they’re not using it for illegal activities, in reality, that’s often not true. And since the VPNs don’t keep logs, there is no way for them to verify this compliance. So, the no-logs claim might be true in some cases (although you should carefully read the policies as some contradict themselves). Still, by not keeping logs, VPNs essentially absolve themselves of any responsibility for crimes that their users commit with the help of the no-logs VPN.
Password protection
Some VPNs claim that the protection of their encrypted tunnel is necessary when you’re connected to public Wi-Fi, as people might steal your passwords over the unencrypted network. Tom, however, clarifies that websites with SSL certificates (the ones that show the little padlock in the browser’s URL field) already have your browser send your data through an encrypted tunnel (HTTPS), which protects your passwords from being stolen over Wi-Fi. It’s no longer the threat that it once was unless you’re using insecure websites.
With such encrypted websites, the people on the network can only see the domain name (e.g., techacute.com), but not the rest of your URLs (e.g., /author/kate-sukhanova), or the data you enter to those websites. So, the VPNs’ claim that your passwords aren’t safe in public networks is no longer the full truth.
The well-publicized data leaks of certain companies, such as those listed on HaveIBeenPwned, don’t happen because the customers didn’t use a VPN. They happen because the security of those companies’ servers was compromised and their data was leaked, since, unlike some VPN companies, they do actually keep the logs they need in order to function. And, despite having your data encapsulated and hidden from your ISP whilst it’s on the way to your destination, a VPN doesn’t actually protect the e-mail and password that you provide to access a third-party service at that destination.
Military-grade encryption VPN
It’s true that 256-bit encryption, which most VPNs promise, is military-grade. However, as I stated earlier, most websites with SSL certificates already encrypt your data, and the encryption level is 256-bit. This encryption would take billions of years to crack. So, when a VPN promises that, it does not promise anything beyond what most websites already provide.
Hiding internet activities from an ISP
As I said earlier, some VPN customers purchase VPNs because of the restrictions in their country and the requirements for ISPs to share the logs of Internet activities with the government. And it is true that ISPs can see the domains of the websites to which you connect unless you’re connected to a VPN. So, for some people living in countries where certain content is deemed “illegal” or where ISPs build data profiles on them to be used for some purpose, a VPN could help them mask their activities from their ISP and stay safe.

However, as I’ve mentioned in the previous sections, as long as the websites or apps you visit have an SSL certificate, your ISP cannot read your messages. Many VPNs claim that it can, but the encryption doesn’t allow that.
So, unless you’re an activist persecuted by the government, a member of a social group deemed undesirable by the authorities, or, as Tom put it, a “gay pirate assassin,” you might do just fine without a VPN. Plus, even if an ISP doesn’t see your activities, a VPN company does – it has to in order to reroute you to your destination. And given that Kape Technologies, the world’s largest VPN company I mentioned earlier, has previously been associated with a malware company, it might be worth it to think twice before essentially handing all the information to a single company.
VPN for streaming
Some VPNs claim to allow users to stream content that’s unavailable in their countries, and many of them even offer streaming-optimized servers. This content is unavailable in certain countries due to applicable copyright laws. Yes, it’s true that some VPNs can help users unblock streaming services from other countries. However, most often, it is not compliant with VPNs’ own terms of use which often prohibit usage of VPNs for illegal activities – and copyright infringement is an illegal activity. VPNs’ marketing teams would hardly put that into their adverts, though, as Tom confirms.
Summary
So, before buying a VPN package, I recommend that you seriously consider why you need it if you’ve already got all the security tools for your needs and aren’t planning on breaking the law. And if you do decide to invest in a VPN, read all the terms of use and privacy policies, as well as audit reports, before making a decision. And don’t forget: If you’re not paying for a service, then you’re the product.
Source: Steven Scheer (Reuters) / Tom Scott / Rashi Garg (GeeksforGeeks) / ExpressVPN press release on Cision / Rae Hodge (CNET) / Human Rights Watch