It's fascinating how VPN services have successfully marketed themselves as the ultimate privacy solution, when in reality, they are often just a middleman with full visibility into your internet traffic. How can we, as users, ever truly verify a VPN provider's claims of "no logging" or "complete privacy"? It's a promise based on trust, but why should we trust a company whose business model revolves around our data?
> How can we, as users, ever truly verify a VPN provider's claims of "no logging" or "complete privacy"?
Court orders. They might be lying to customers, but they're unlikely to lie to a court. So if a court approaches them and they respond with "we have no data", they have no data.
Okay it's never gonna be no data, they'll still supply email address, payment method, registration date and similar things, but that's not my concern.
If you already have a server somewhere, an SSH tunnel is a great, cheap way to have a VPN for browsing. I use it all the time to evade country blocks when I travel.
I don't use a VPN service to "hide myself", I use a VPN service to access content from other countries that is locked to that specific country. A use-case the OP seems to be completely oblivious about.
Imagine telling someone about your tincd setup to do NAT traversal and access your home server, and upon hearing the word "VPN" they ask what provider you use.
But a VPN service is only additive. The way I see it, it’s one of two ways:
1. The VPN is being honest. No tracking. All is well.
2. The VPN is lying, tracking, maybe even reselling your traffic. Fair enough, but they’re not in any more privileged situation than your ISP. They still can’t see inside your TLS connections and whatnot. And you still get the ancillary benefits of:
A. Geographic diversity of IPs;
B. Easy to get a new IP;
C. Security at potentially unsafe access points.
So, worst case, for $80 a year you get some IP flexibility and security at Starbucks. Best case, you also get the whole no-tracking thing.
> C. Security at potentially unsafe access points.
> you get some [...] security at Starbucks
This keeps coming up. What additional security do you get if everything is HTTPS nowadays? If you connect to unencrypted endpoints somewhere, why is a potentially untrustworthy VPN better than a potentially untrustworthy Wifi access point?
MAC addresses can be used to uniquely identify you, and then they can see what domains you are connected to. It really can tell them a lot especially factoring in background processes and capabilities of predictive ML right now.
It's all about how far you spread your information. Giving it all to a VPN or spreading it across every wifi access point you need to use.
Don't most devices use randomized MAC addresses for Wifi nowadays? I don't have a Windows machine handy to verify, but I'm pretty sure even they do it. Not sure if it's the default, though. Ditto for MacOS.
My Linux box (NetworkManager on Arch) does it, but I don't remember whether I had to manually turn it on.
edit: according to [0], NetworkManager defaults to randomized for scanning, but not for connections.
Being targeted, as opposed to general surveillance of random people in a coffee shop, is moving the goalposts.
If you are a target, how likely is it that whoever's after you only has control over the coffee shop wifi, but not over the possibly untrustworthy VPN provider?
>If you are a target, how likely is it that whoever's after you only has control over the coffee shop wifi, but not over the possibly untrustworthy VPN provider?
Because I'm not talking about some state actor. Just the kind of people (some stalker, private dick, con artist or script kiddy looking for a random target and see you with your laptop, whatever) that might want to eavesdrop on your IP visits while you're at a coffee shop.
There are several cases for which a VPN offers some protection, and the ones I mentioned are among them. If the agency/person you're a target of also controls the "VPN provider" you have bigger problems than choice of VPN.
Using a VPN prevents Starbucks from seeing which sites you connect to (by monitoring DNS traffic and IP addresses); I can see how people might find that useful.
If it's your own VPN, then sure. But if it's a random, untrustworthy VPN, it's just a question of who gets to sell your data. I also don't totally agree with the other poster's point. I think that it's maybe better for there to be multiple entities which each get a subset of the data (the different coffee shops I may visit), instead of a single one who gets everything (my VPN provider). Even if it's possible to somehow stitch everything back together again, at least this makes whoever's interested in my data work a little for it instead of having it on a silver platter.
Personally, I don't want my data sold at all. It's not Starbucks specifically who I want to prevent from selling my data. If it's totallynotshadyvpn.com who does it, it's just as bad.
"Personally, I don't want my data sold at all. It's not Starbucks specifically who I want to prevent from selling my data. If it's totallynotshadyvpn.com who does it, it's just as bad."
Yes, a VPN does draw more attention to yourself, especially with the automated targeting. Best practice is to use an uninteresting VPN of your own, say to a very well known cloud provider as many businesses do this, or to a well known VPN, as your first layer. Terminate this connection and add chains of stronger VPNs after that.
Also, yes TLAs run many of the major VPNs behind the scenes.
Use a VPN service. Always, if you live somewhere that restricts any kind of traffic. I bought a lifetime VPN for 10€ 9 years ago. I never trusted this VPN - mainly because of plain text login data on their website. They still have 3 servers online. I gave that to a person in Iraq almost 5 years ago. They are still using it.
That article is a bit useless. Yeah, some people may not understand VPN and believe it somehow works similar to TOR, but I believe most people do know what to use it for, and this website doesn't seem like it caters to mostly non-tech people.
> Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.
That's incorrect, they can see your traffic if you are connecting without tls which basically never happens. Otherwise they see what your destination is, obviously.
And anonymizing VPNs literally are proxies, no one is denying this.
> The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.
Another nonsensical argument because subscription fees add up. A VPN provider with a $10 per month fee and a large userbase like the common providers makes an incredible amount of money.
> VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).
Okay, get back to me with directions on how I install a blackbox at the Datapacket datacenters
> If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
If you've actually ever browsed Lowendtalk you'd absolutely not be confident in stating that none of the providers log. These are all super small fish without their own infrastructure. And you have a dedicated IP address which defeats the user pool benefit per server. And additionally you'll need to maintain the OS and software yourself which isn't something a layman can or wants to do.
> Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup.
So OP suggests here, contradicting their previous claim, that VPN providers do indeed make a lot of money and as such wouldn't have issues with legal procedures.
Also no, you'd still need to develop your clients. Anonymizing VPNs absolutely are a lucrative business but it's not that simple.
Mullvad had national police come with a warrant and nothing was able to be obtained as they were able to prove their servers had nothing identifiable on them (and as such it would be illegal to seize anything per Swedish law).
They also had a recent audit of their VPN servers and no leakage or logging was found. Among other factors they're the only such VPN I'm aware of to hold up under scrutiny.
Do I even use a third-party VPN? No; but they're the only one I've seen that are as close to trustworthy.
> Mullvad had national police come with a warrant and nothing was able to be obtained as they were able to prove their servers had nothing identifiable on them (and as such it would be illegal to seize anything per Swedish law).
> They also had a recent audit of their VPN servers and no leakage or logging was found.
Of course that requires trusting the police report and the auditor (and that the audit process didn't happen while they were on a different operation mode than their usual, and that the police case wasn't on some class of persons who they don't log, while for others, e.g. when they get "special orders" they do)...
The author of the OP's article was making the case that there's 'no way' to verify whether a third-party VPN logs and thus as their broad conclusion none should be used.
If the baseline position is that any company can and will lie, regardless of available knowledge about law enforcement intervention or audits then one could say nothing can really be trusted (even hardware we utilize everyday), since there's always some potential undisclosed 'gotcha'. Otherwise it's where one draws the line of verifiability.
There have been other VPNs that haven't held up under scrutiny and been found logging (and had poor security), while Mullvad goes into detail about their infrastructure, mitigation methods (including some quite paranoid anti-tamper hardware techniques, which anecdotally the founders were into prior to forming the company), has had various audits, resisted a warrant and apparently doesn't spend on advertising.
Could all these things be some elaborate ruse? Possibly. There will always be some judgment call.
>If the baseline position is that any company can and will lie, regardless of available knowledge about law enforcement intervention or audits then one could say nothing can really be trusted
I think it's a good starting assumption if you need full trust.
For regular Joes however, it's more about being able to trust the raw technical mechanics (that the data won't go to the wi-fi in the open or to your ISP and in-betweens, but to some remote VPN).
If you can assume those targeting you don't (or can't) buy your non-anonymized data from that VPN service, you're OK, even if the VPN service logs and lies that it doesn't log.
Because, sure, they can lie about that (and even the audit service can), but in-betweens can't just bypass SSL (unless you're compromised otherwise, in which case VPN or not is the least of your problems).
> If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).
Conflating "I use a VPN because my commercial ISP would probably sell my data if given the chance" with "I'm a political dissident being directly attacked by a nation-state actor".
You can still use a VPN despite it being vulnerable to your government's quantum computer...
Sure, it's hard to find a trustworthy VPN provider, but that's not to say they don't exist.
>Why not? Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.
Most people use VPNs because they are a glorified proxy.
>Doesn't matter. You're still connecting to their service from your own IP, and they can log that.
This is true, although it can be possible to connect to the VPN from Tor (when using OpenVPN or WireGuard-over-TCP). Obviously, all traffic could be associated with your account so don't use multiple identities if you want reasonable anonymity. And it's slow, so it's usually not worth it.
>VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).
Your ISP cannot. Some (many?) countries like Australia have data retention laws. A VPN will hide your traffic from your ISP (although probably not a large sufficiently motivated adversary like a government out to get you), which can be useful even if your VPN provider can log your traffic.
(there may be some things like traffic analysis where they might be able to guess the type of traffic you're using, though I'm not sure how effective it is or if many ISPs actually attempt this)
>Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.
>Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.
This is true, though the impact can be somewhat minimized with Tor Browser with the Tor proxy disabled (or Mullvad Browser), which have decent fingerprinting mitigations.
>In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.
Do any regular proxy (socks5/http) providers provide the same quality of service as VPN providers? And you can't port forward over a socks5 proxy, which can be useful for torrenting. (if you're downloading popular content you don't need it, but if you're downloading torrents with only a few seeders or maximizing the amount of upload you get on a private tracker, port forwarding can be useful).
Also, if you're on Linux you can use network namespaces to use some applications over VPNs and not others. (remember to refresh private keys and use a different server before using the namespace for a different identity)
>If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS
>A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.
VPSes are arguably worse for some use cases as most probably don't handle DMCAs as well as commercial VPNs, you don't have access to a large amount of servers and countries to change your IP address, and you have less people to blend in with. I see your point, though I'm not sure how true that is.