What is a Virtual Private Network | How VPN works and why VPN is not all you need for privacy

Most consumer Virtual Private Networks are
terrible. That is at least if privacy is your main concern. There are of course different threat models,
which will vary for each person. But as a general rule, most VPNs are just
scams stealing your browsing data. Sometimes they even make you pay for it. But there is also an issue on the user’s side when it
comes to privacy and VPNs, even the trusted ones.

When you visit a website over a VPN, the only
thing that changes in the advertising profile it maintains on you is your IP address. Websites will still be able to track your
browsing history and identify you through browsing habits. The only party you are protecting your browsing
history from is your Internet service provider. And that’s only assuming you have a proper
VPN that doesn’t leak your private information. To understand why this is the case, you need
to learn three things – what a Virtual Private Network is, how VPNs work, and how websites
track you. To answer the first question, we are going
to look at the purpose for which virtual private networks entered the market. As the Internet was becoming a predominantly widespread
means of communication, companies started building local networks to speed up their
business.

But as businesses grew in size, many of them
started to spread to off-site locations and send their employees to work from home or
while traveling. To connect two company local area networks
at a reasonable distance, a business would have to dedicate a real-world connection through
physical infrastructure such as leased lines. This wasn’t a problem if a company had
two networks to bridge.

But as the distance got longer and a company needed more
networks, the cost of leased lines would grow exponentially. The Internet is a public network, open and visible
to everyone. No company could afford to risk data breaches
and have their private information stolen by anyone. They needed a secure connection that was fast,
reliable, and cost effective. Thus came Virtual Private Networks. A VPN is a private network that makes “virtual”
connections routed through a public network, which could easily be and in most cases even
was the Internet. Connection through a VPN could answer specific
company needs, like speed, data integrity, or confidentiality. A virtual private network is a flexible model
that can adapt to the various standards that corporations needed to adopt. This is the first very important point.

There is no single standard for building a
VPN. Each provider has its own structure and protocols,
which offer different features, and not all of them are about privacy. So how do VPNs work? Basically, what a VPN does is take
packets of data that would normally run through an insecure network, like the Internet, encapsulate
them in an entirely new packet, and put its own VPN header on top, masking the original
source of information. This process is called tunneling and it is
how VPNs mask your IP address. This is why you can trick websites into seeing
a different IP and bypass geolocation censorship. But this is not what guarantees the confidentiality
of your data. For that you need encryption. Data confidentiality was the most important
feature companies usually needed. VPNs achieve that by encrypting the traffic
between a client and the VPN server. This means that a company VPN client can encrypt
data coming from their employee’s laptop working out in the field and connected to
a local wifi. For companies, this is near perfect security,
because they can choose to host the VPN server at their own headquarters, where the VPN decrypts
all the traffic.
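The difference between tunneling and encryption, as an added example that is not part of the original text: it wraps a packet IP-in-IP style without any encryption and shows what the ISP and the website each see. The addresses, the tunnel-internal address and the source rewriting on the server are assumptions of this sketch, not a description of any particular VPN product.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6  # IANA protocol numbers

def checksum(header: bytes) -> int:
    """Ones' complement sum over the ten 16-bit words of a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header without options, then payload."""
    def header(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           64, proto, csum,
                           socket.inet_aton(src), socket.inet_aton(dst))
    return header(checksum(header(0))) + payload

def parse(packet):
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[20:]}

def encapsulate(inner, client_ip, vpn_ip):
    """Client side: the whole inner packet becomes the payload of a new one."""
    return ipv4(client_ip, vpn_ip, IPPROTO_IPIP, inner)

def vpn_forward(outer, vpn_ip):
    """Server side: unwrap, then send on with the server's own source address."""
    inner = parse(parse(outer)["payload"])
    return ipv4(vpn_ip, inner["dst"], inner["proto"], inner["payload"])

# Constructed sample: documentation-range addresses; the TCP header is left
# out, so the inner payload is just the application data.
CLIENT, VPN, SITE, TUNNEL = "192.0.2.10", "198.51.100.1", "203.0.113.80", "10.8.0.2"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

inner = ipv4(TUNNEL, SITE, IPPROTO_TCP, REQUEST)
on_the_wire = encapsulate(inner, CLIENT, VPN)  # what the ISP can capture
at_the_site = vpn_forward(on_the_wire, VPN)    # what the website receives

if __name__ == "__main__":
    for name, pkt in (("ISP sees", on_the_wire), ("site sees", at_the_site)):
        print(f"{name}: {parse(pkt)['src']} -> {parse(pkt)['dst']}")
    print("request readable inside the unencrypted tunnel:", REQUEST in on_the_wire)
```

The website only ever sees the server's address, yet the request is still readable inside the outer packet, which is why a real VPN encrypts the inner packet before wrapping it.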

Encryption doesn’t necessarily mean privacy. For companies, encrypting their network gave
them a security layer to guard their data from outside adversaries. But it didn’t give their employees within
their network any level of privacy, because the leadership of the company had direct access
to their VPN server, and thus to the traffic of everyone connected to that VPN. With your consumer VPN, you don’t own the
VPN server. You have to trust a company maintaining the
VPN server with your data. Encryption still takes place on your device,
where a VPN client configures your computer’s connection to be routed and encrypted through
the VPN.

When the VPN server receives your data, it
decrypts it and sends the request to a website you are trying to visit. Purely from analyzing the IP address, the
website will only see a connection from a private VPN server, and not yours. Provided it’s a good VPN that doesn’t
leak other data that can identify you. So by design, this is a totally different
model from end-to-end encryption in email communication. And you should adjust your expectations accordingly. The reason why VPNs work to protect corporate
privacy but fail at guarding consumer privacy is the fundamental design of VPN technology. The VPN server is always going to know some personally
identifiable information about you, whether it’s your real IP address, information
you submitted upon account creation, or information taken from your payment method. The process of collecting this information
is called logging, and there is not much you can do to verify what a VPN company really
does with user logs.

To help you better understand the issue with
privacy on a VPN, we are going to compare an end-to-end encrypted email service and a VPN service
provided by the same company. Protonmail’s end-to-end encryption is done
so well, that if you lose your password, they are only able to recover access to your account,
but all your messages will be discarded forever. You’ll lose your decryption key. This may come as an inconvenience, but it is
actually an excellent defense mechanism to protect yourself from hackers. No one, not even Protonmail, can get access
to your messages. But the same company that offers Protonmail,
also offers ProtonVPN. And your expectations of privacy for these
two products should differ significantly. With email encryption, Protonmail can block
itself from accessing your messages easily. Users generate decryption keys, and Protonmail
exchanges encryption keys. Protonmail doesn’t decrypt your messages. Your web browser does. But ProtonVPN has to both encrypt and decrypt
your information. That makes the ProtonVPN server a single point of
failure, a big cyber security no-go.

Disclaimer – this is not just about ProtonVPN. Every VPN provider has this problem. It’s technologically impossible to create
a consumer VPN with perfect privacy. Are VPNs useless for general Internet consumers? For the vast majority of VPNs out there, yes. But for a trusted few, and for specific threat
models, VPNs can offer some protection from your ISP, advertisers, and non-state hackers. For example, the United States Federal Communications
Commission recently repealed a rule barring ISPs from selling your browsing history for
advertising purposes. This is an incredible invasion of privacy, because
they basically record what you do in your living room to manipulate your economic activity.

So if you are in the United States, ISPs are
selling your browsing history to whomever they want. This is not just a privacy violation, but
also a security risk. Because once they sell your browsing habits,
hackers and foreign governments can and certainly do intercept those exchanges to steal a copy
of your private life. There are databases of private information
of millions of people available for sale or for free and you’ll never notice until you
become a victim of a cyber crime. Provided you can find a trusted VPN server,
but be aware we are talking about a great deal of trust here, it’s sensible to hide
your browsing habits from your ISP.

But the way the Internet works, you always
have to trust someone. And you need to decide for yourself whether
it’s going to be your monopolistic Internet Service Provider giving you data caps, Internet
censorship, and overpriced slow broadband, or a Virtual Private Network made by privacy
activists. So how do you choose a VPN provider? Well you need to do two things – you need
to evaluate your threat model.

We will go over that on my channel in the
future. And you need to do a lot of research and educate
yourself about the topic. Never trust a single source. Don’t even look at TorrentFreak or PCMag
reviews. Look at what the community is saying about
VPN providers. One good source of reviews of a lot of features
from a lot of VPN providers is at thatoneprivacysite.net. Reddit is an excellent source of customer
reviews and you can browse those without having a Reddit account. You need to ask yourself some questions to
see what you care about the most. Where is the jurisdiction of the VPN provider? Is it in any of the 14 eyes countries that
collaborate with the NSA on mass surveillance and whose government could force it to log users? What steps are you willing to take against government
surveillance? Do you want to keep your private information
away from manipulative advertisers? Are you looking for protection of your sensitive
information from hackers and cyber criminals (on public wifi)? Is your goal bypassing government censorship
and geo-location blockade of Internet content? What countries do you want to connect to websites
from? How much are you willing to pay for a VPN? All of these questions are part of analyzing
your threat model.

If privacy is your biggest concern, then VPN
is not the solution. Tor is. If you want better security when you connect
to a Starbucks wifi, VPN is a great remedy. Never EVER trust a free VPN. Those are the most scammy out of all. Although VPNs came as a cheaper solution for
business networking compared to leased lines, it’s still pretty expensive to offer it
as a free service. But now we are getting to answer our third
and most problematic question – How can websites track you even if you use
a VPN? Let’s say you find and buy your monthly
subscription at a renowned VPN provider. And then you do something like this. You successfully configure your VPN connection,
then you open your favorite web browser, which should NEVER be Chrome, but statistically
it most likely will be. You log in to your Gmail, which Chrome takes
as if you are logging in to the browser itself for syncing, and then you browse the web for
all kinds of purposes – education, work, entertainment, shopping, travel… You just handed over ALL of your private information
to the most privacy-violent corporation in the world.

China doesn’t have the surveillance capabilities
of Google. And Google will sell your privacy to every
website and retailer you visit. If you want to know more about how websites
and advertisers track you everywhere on the Internet, I recommend that you watch my video
about Facebook surveillance and another video on How to use Facebook anonymously. If you don’t block trackers properly, you
are just wasting your money. You need to re-assess your threat model. You need to ask yourself: from whom are you
trying to protect your private information? Your Internet Service Provider, vendors of
software and applications connecting to the Internet, website operators, advertisers,
governments, and hackers. All of your adversaries use common points
of access for data collection of your browsing history – your ISP, trackers
on websites, identification codes on software and applications, and online communication
tools, like emails and instant messengers. For websites using trackers, everything about
your identity remains unchanged except for your IP address. What stays visible is your device, which probably
has a unique ID, your hardware, software, configuration, operating system, software
versions, web browser, browser plug-ins, extensions, screen resolution, battery life… The combination
of all of this information and your browsing habits makes a unique personal identification.

You are giving many websites your real name
to confirm your identity anyway, like your Facebook and email accounts, and every online
retailer that has your payment info. If you are serious about privacy you need
to block access to all of these access points. VPNs block ISPs. Tor blocks governments. How do you block websites from tracking you? By using privacy configured web browsers,
and by compartmentalizing your browsing habits over separate browsers. There are several extensions that block trackers,
ads, cookies, and traffic analytics scripts. Among the best are uMatrix, NoScript, uBlock
Origin, Privacy Badger, Cookie Autodelete, and Decentraleyes. You don’t need to use all of these. A properly configured uMatrix will make all
the others redundant. Take uBlock Origin and Privacy Badger, and
set your browser to block 3rd party cookies and delete them regularly. But even if you go to all these lengths, you’d
still fail if you make the same mistake I described earlier. You have to block websites where you have
online accounts, even pseudonymous ones, from accessing your browsing habits.

Have a separate browser for your social media,
email, and banking, and a separate browser for general surfing. Only if you block all trackers, only if you
put a wall between your online identities and browsing habits, only then does using a trusted,
privacy-focused VPN make some sense.
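The two points above (a tracker's view of you is unchanged apart from the IP address, and separate browsers break the link) as an added example that is not part of the original text. The attribute names, sample visits and clustering rule are constructed for illustration; real trackers use their own signals.

```python
import hashlib
import json

# Subset of the attributes the text lists as unchanged by a VPN.
STABLE_KEYS = ("os", "browser", "plugins", "extensions", "screen")

def fingerprint(visit):
    """Hash of browser/device attributes; the IP address is not part of it."""
    blob = json.dumps({k: visit[k] for k in STABLE_KEYS}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()[:16]

def profiles(visits):
    """Cluster visits that share a fingerprint or a login cookie."""
    clusters = []  # invariant: key sets of different clusters never overlap
    for v in visits:
        keys = {("fp", fingerprint(v))}
        if v["cookie"]:
            keys.add(("cookie", v["cookie"]))
        merged, rest = {"keys": keys, "ids": {v["id"]}}, []
        for c in clusters:
            if c["keys"] & keys:
                merged["keys"] |= c["keys"]
                merged["ids"] |= c["ids"]
            else:
                rest.append(c)
        clusters = rest + [merged]
    return [c["ids"] for c in clusters]

# Constructed sample visits to one tracker; only the IP differs with the VPN.
MAIN = {"os": "Windows 10", "browser": "Chrome 120", "plugins": ["pdf"],
        "extensions": [], "screen": "1920x1080"}
SPARE = {"os": "Windows 10", "browser": "Firefox 121", "plugins": [],
         "extensions": ["uBlock Origin", "Privacy Badger"], "screen": "1920x1080"}
VISITS = [
    {"id": "home, logged in", "ip": "192.0.2.10", "cookie": "acct-1", **MAIN},
    {"id": "vpn, logged in", "ip": "198.51.100.1", "cookie": "acct-1", **MAIN},
    {"id": "vpn, cookies cleared", "ip": "198.51.100.7", "cookie": None, **MAIN},
    {"id": "vpn, separate browser", "ip": "198.51.100.7", "cookie": None, **SPARE},
]

if __name__ == "__main__":
    for ids in profiles(VISITS):
        print(sorted(ids))
```

The first three visits collapse into one profile despite three different IP addresses; only the visit from the separate browser stands alone.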
