Privacy Snake Oil: Beware VPN Services
Cure-alls from yesteryear were routinely cons whose benefits were imagined rather than real. Unfortunately, we still have some of those today in the form of bad personal cybersecurity solutions.
Consumer-level cybersecurity is full of good-sounding security ideas that turn out to be far less valuable than they let on: solutions that cost consumers money for little to no identifiable value. Some of these came to market specifically to "help" consumers - identity monitoring services spring to mind. Others took a valuable corporate solution and tried to adapt it for consumers. Virtual Private Network (VPN) services are a perfect example of this type of low-value consumer solution.
A Good Corporate Solution
Don't get me wrong, VPNs serve an important role in mature multi-site networks and for end-user remote access to centralized systems. The move to the cloud and the advent of Software Defined Networking (SDN) have diminished the value of a VPN in corporate environments, but they still exist.
The corporate use of a VPN is primarily about connecting two systems or environments that the organization owns or controls across the Internet, without the benefits and costs of a dedicated point-to-point connection. Secondarily, VPNs were used to ensure that remote end users remained protected by on-premise corporate tools like DNS filtering and web filtering, so that corporate laptops weren't used for inappropriate purposes and the chance of downloading malware was minimized.
But in general, neither of these is what a consumer-level VPN service offers.
The Basics of a Consumer VPN
The consumer VPNs we're discussing today generally operate by encrypting your data from your device, through your network, to their cloud. From there it is no longer protected by the VPN's encryption and privacy and is sent out to the Internet exactly the way it would be from your home, only from their cloud instead. The protection they're offering is effectively from your device up to their cloud; they can't provide protection all the way to whatever system you're accessing across the Internet.
There are VPN solutions that you can use to connect your devices back to a network you control, but this type of VPN is not what is commonly advertised and sold as a consumer-level security solution.
Problems With Questionable Solutions
Consumer VPN services claim to offer solutions to the following "problems":
- Your ISP knows what you're doing; the VPN solution prevents that.
- Your browsing is being watched; the VPN solution prevents that.
- You need to encrypt all your Internet traffic; the VPN solution does this.
- Public WiFi is very unsafe; the VPN solution makes it all safe.
Let's tackle each of these individually to see what value your VPN provider is actually providing.
Your ISP Knows What You Do
Your ISP does, in fact, have a whole lot of data about what you are doing online. Every packet that comes to your home (or your cell phone, in the case of your cellular provider) goes through their network, and they are undoubtedly trying to derive corporate value from that content. However, since 2018 nearly all websites and web services have defaulted to encrypted communications.
That means your ISP generally has only metadata about what you're doing online. For example, they can see your DNS requests, which sites you go to, and how much data you transmit back and forth with those sites, but they generally cannot read the contents of your communications. (Text messaging and "regular" phone calls are exceptions to this statement as far as your telephone provider is concerned.)
A VPN service will not significantly change this situation, merely who has access to that metadata. You're shifting at least some of it to your VPN provider. I'm not sure what makes them any better custodians of your metadata than your ISP, and your ISP still knows that you're sending lots of data to and from your VPN provider.
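To make the metadata point concrete, here is an added example (it is not from the original post) that parses the two things an on-path observer, whether your ISP or anyone sitting between a VPN exit point and the destination, can read without breaking any encryption: the queried name in a plain DNS request and the Server Name Indication (SNI) that a TLS ClientHello sends in the clear before the encrypted session starts. Both packets are constructed inline for example.com and www.example.com; nothing is captured from a real network.

```python
"""Parse what an on-path observer can read from two common packets.
Added example; the sample packets below are constructed, not captured."""
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard DNS A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(packet: bytes) -> str:
    """Return the queried name from the question section of a plain DNS packet."""
    pos, labels = 12, []  # the 12-byte header carries no name data
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a question name
            raise ValueError("unexpected compressed label in question section")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"        # supported_versions
    extensions = sv_ext + sni_ext  # SNI placed second so the parser must skip one extension
    body = (b"\x03\x03" + bytes(32)               # client_version + random (zeros here)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    pos = 5 + 4              # record header (5) + handshake type/length (4)
    pos += 2 + 32            # client_version + random
    pos += 1 + record[pos]   # session_id
    (cs_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2 + cs_len        # cipher_suites
    pos += 1 + record[pos]   # compression_methods
    if pos + 2 > len(record):
        return None          # no extensions block at all
    (ext_total,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    end = min(pos + ext_total, len(record))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:  # server_name extension (RFC 6066)
            data = record[pos:pos + ext_len]
            p = 2  # skip the server_name_list length
            while p + 3 <= len(data):
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                if name_type == 0:  # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


if __name__ == "__main__":
    print("DNS query name visible to the ISP:", dns_query_name(build_dns_query("example.com")))
    print("TLS SNI visible to the ISP:", tls_sni(build_client_hello("www.example.com")))
```

Neither parser needs a key: the name is simply on the wire. Running these over a packet capture on your own network (for instance one taken on the router, before any tunnel) is a quick way to see exactly what your provider, or a VPN service's exit network, learns about your browsing even when every page is served over HTTPS. Encrypted DNS and, where deployed, TLS Encrypted Client Hello close these two gaps; a tunnel to a provider's cloud only moves them.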
Your Browsing Is Being Watched
Most of the surveillance focused on your online activity is carried out through a handful of mechanisms: cookies, email address/account tracking, and URL "referral" content. None of these methods is defeated by using a VPN. They are generally addressed with freely available in-browser protections and by using different email addresses for different logins.
You Need To Encrypt All Your Internet Traffic
Well, this is true. Interestingly, however, since 2018 nearly all Internet traffic has been encrypted by TLS/HTTPS. DNS is one of the few things that has trailed behind on the encryption front, but again, this ends up being metadata.
Text messages and regular voice calls are two of the other remaining things that are generally transmitted unencrypted. To encrypt those you generally need to use different software, such as Signal, instead of your default text and voice solution.
However, as described before, these consumer VPN solutions only protect your data between your device and the provider's cloud; the path between the cloud and the endpoint you're connecting to is protected only by whatever that endpoint supports. So if you're using, say, old-fashioned FTP or (heaven forbid) Telnet, you're still sending unencrypted traffic across the public Internet, where it can be seen by anyone between the VPN's cloud and the endpoint you're connecting to.
You're better off choosing encrypted protocols such as SFTP and SSH instead of protocols that rely on clear text. The VPN service can't provide the end-to-end encryption needed to cover up the weaknesses of that traffic.
Public WiFi Is Very Unsafe
Sure, public WiFi can be unsafe. Fake WiFi networks are hard to tell from legitimate ones. Legitimate ones are often essentially forgotten about by the people who put them up, especially when "mom and pop" places are running the WiFi. On the other hand, public WiFi from major organizations, like that chain hotel, convention center or airline, is generally kept up relatively well. But, again, we have a number of safeguards already built into how we communicate over modern WiFi networks that help protect our data.
First and foremost, most of what we do across the Internet is, again, already encrypted.
Further, WiFi 6 actually includes features to encrypt your communication from your endpoint to the access point even on networks that don't use a preshared key. So the newer the WiFi network, the more likely it is that nobody else can simply sniff and snoop on your wireless traffic, even on a public network. That doesn't mean, of course, that all networks have been upgraded to support this, but more and more have been.
If this is your primary reason for having a consumer VPN solution you may want to think carefully about the value you're getting here.
Valuable Uses for VPNs
Unlike the sort of VPN that just encrypts your traffic to some cloud "exit point" for dubious security and privacy benefits, other VPN types offer meaningful benefits.
Securely Access Your Home Network
I utilize a VPN-style solution to access my home network remotely. This allows me to safely access my NAS and other home assets without having to expose my systems to the Internet in general. Just recognize that using a VPN for this may mean that you're not complying with laws in your jurisdiction, so use good judgement about using them for this type of purpose.
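As an added illustration of this kind of VPN (it is not the author's setup and not from the original post), here is a WireGuard client configuration that tunnels only a home LAN. It assumes the home LAN is 192.168.1.0/24, the tunnel subnet is 10.8.0.0/24, the home router listens on a placeholder hostname, and the keys are placeholders you would generate yourself. The line that matters is AllowedIPs: it limits what goes through the tunnel to the network you control, whereas a consumer "exit point" VPN sets it to 0.0.0.0/0 and routes everything through the provider.

```ini
# WireGuard client configuration, e.g. /etc/wireguard/home.conf
# Constructed example: keys, hostname and subnets are placeholders/assumptions.
[Interface]
# Private key of this laptop or phone (generate with: wg genkey)
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# This device's address inside the tunnel
Address = 10.8.0.2/32

[Peer]
# Public key of the WireGuard instance on the home router or NAS
PublicKey = <HOME_ROUTER_PUBLIC_KEY_PLACEHOLDER>
# Placeholder hostname for the home router's public address and UDP port
Endpoint = home.example.net:51820
# Split tunnel: only the tunnel subnet and the home LAN are routed through the VPN.
# Everything else leaves this device the normal way, so no third-party "exit point"
# ever sees the rest of your traffic. A full-tunnel consumer VPN would put
# 0.0.0.0/0 here instead.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping alive when the client sits behind home or mobile NAT
PersistentKeepalive = 25
```

On the home side, the matching peer entry for this client would carry `AllowedIPs = 10.8.0.2/32`, so the router only accepts traffic from that tunnel address for that key. Nothing on the home network needs to be exposed to the Internet beyond the single UDP port the router listens on, which is the point the section above makes.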
Circumventing Local Restrictions
Whether you're trying to avoid the snooping of an authoritarian government, or trying to access content that is somehow restricted in your geography, VPNs can assist with overcoming geographic restrictions.
Higher Priorities For Your Personal Security Dollar
Much like the hair growth tonics of yesteryear and the many other cure-alls that cured very little, there are better things to spend your security dollar on than a VPN solution.
- Password Manager - A high-quality password manager, properly utilized, will do wonders for your cybersecurity. It's worth investing in a quality solution that lets you share passwords with family members while maintaining private stores of them as well.
- Supported Software - Still running Windows 7 on that computer? Haven't gotten a security update on your tablet in 2 years? Still running Microsoft Office 2012? Your cybersecurity will be greatly improved by updating to currently supported software. Don't want to pay for the latest version of Windows? Sure, install Linux. Don't want to keep paying for Office? Great, install LibreOffice. As for that old cell phone, you're going to have to buy a new one, sorry.
- Supported Hardware - If the plastic on your home firewall and/or access points has started yellowing, odds are you're not getting security software updates for them anymore either. Invest in your network and replace those systems with ones that get updates (and, more helpfully, install them automatically as well).
- Donate to the Not-For-Profits - The great majority of the good cybersecurity tools out there are actually provided by not-for-profit organizations like Signal and the EFF (makers of Privacy Badger).
While there are edge cases where the sort of personal VPN we're talking about in this post can be of use, generally any of these suggestions will provide better value for your dollar than the personal VPN solutions commonly advertised. If you're debating whether to spend money on one, look at spending your money on these solutions first.