The truth about VPNs…

If you have been on the internet, and specifically YouTube, these past few years, it’s safe to say you have faced an onslaught of VPN advertisements. They promise fancy features such as accessing region-restricted content, anonymizing your connection, and keeping your information safe. However, of these three features, only the first one is generally true. Before we get into the privacy conversation, it’s a good consumer habit to watch out for products that are heavily advertised by many different brands, all promising the same thing for minutely different prices, with free trial periods. Sponsored content on YouTube can be good for creators: it gives them a more reliable source of income that doesn’t depend on YouTube deciding what content is advertiser friendly, because the advertiser comes directly to the creator and pays them to advocate its product. However, it often misleads those audiences into thinking that the VPN service will do as it promises. The advertisers are playing on the familiarity bias, a tendency for humans to agree with something that comes from a reliable source and/or something that they have been exposed to multiple times over a long period of time. With the advocacy coming from creators that they know, the product is many times perceived as being legitimate. The author of this blog post, before learning about digital privacy properly, fell into the trap of buying one of these advertised products with a recommendation from a friend. There do exist a handful of good VPN services and VPN-like services. However, most are not good for actually protecting your digital privacy. There are many illegitimate VPN companies selling you products because it is such a technically easy service to make. Because of that, the service costs extremely little to keep running, and thus they are able to pay creators so much money for advertising. 

Here is how VPNs work on the inside. When you use a VPN, all of your data, instead of travelling directly to and from websites, first takes one extra step through a server that the VPN company owns somewhere in the world. These connections are technically encrypted by default and can be very useful when connecting to free Wi-Fi at an airport, for example, which is quite prone to breaches, even by beginner-level hackers. Technically this method of connection should be safe. Some would argue it’s better because your Internet Service Provider (ISP), which is known to snoop on users and log information, is not getting that information anymore. All it is getting is that the user is connecting to a VPN server. However, this is just a shift of trust from the ISP to the VPN company. Both entities are providing you their services with the sole goal of making profits and/or are connected to a federal agency, for profit or as required by jurisdiction. The VPN company could very easily just claim to customers that it isn’t logging any information and keep your information regardless. In an age where information has tremendous value, it isn’t hard to think that a profit-driven entity would be interested in doing that. By doing that, it could lower its prices and drive the competition out of business. On top of that, most don’t offer an anonymous method of payment for their services, so payment often goes through massive global companies such as Visa, Mastercard, and PayPal, along with a lot of crucial personally identifiable information. With this they can connect your online activity with your identity. Arguably, VPNs are able to accumulate more information about you than an ISP could. An ISP is only able to collect the online activity of yours that takes place at home on your Wi-Fi connection. But VPNs are used constantly, meaning they are able to read and log your activity when you are outside on a cellular connection or on a Wi-Fi connection away from home. 

Given the reasons above, it can be said quite easily that using VPNs is not a good method for anonymizing and protecting your identity and activity online. “Then what do I use?” you may ask. Within the privacy community there exist many services, often free to use, that anonymize your data in the same manner as a VPN would. But instead of going through a server owned by the provider, your data goes through servers that individuals set up. Instead of entrusting profit-driven entities, you are able to rely on individuals to relay your information, which is encrypted to them by design of the protocol. So it would be extremely difficult for the people setting up servers as nodes to read the information that you are sending and receiving through them. On top of this, those people are also users of the service. This means that everybody trusts each other not to be malicious, as they wouldn’t want others to be malicious to them either. The one downside of these kinds of services is that if node operators are able to jump through the hoops and read and log your data, they could do so without being identified, unlike a massive entity that openly puts itself out there. On top of this, the service may be unstable, especially if many people try to access a country with only a few nodes, flooding those servers. These services don’t have as many users, nodes, and servers as a VPN service would, and so it’s not uncommon for some countries to only have a few nodes. However, these services are gaining traction and have become more stable and easier to start using. As more and more users join, there’s a multiplying effect as some of those new users also become nodes themselves, making the service more stable and reliable. What is more, the biggest remaining selling point of enterprise-run VPNs, accessing region-locked content, is at times better with these individually run VPNs. 
Because those enterprises receive a lot of traffic on the individual servers that they run, everybody knows which servers belong to VPN services, which makes it possible to block connections from them. This means that accessing region-locked content through these services is not all that reliable either. This is a side effect of these VPNs that is built in by design. However, with individually run nodes, each one gets less traffic, making it less detectable as a VPN provider. As stated previously, with more users and subsequently more nodes, the connections can be more stable. This means that by design, in the long run, these individually run nodes will perform better at providing the biggest remaining selling point of enterprise-run VPNs.