Virtual private networks, or VPNs, have become a popular privacy tool. We are hearing about VPNs more and more often. Television commercials about VPNs are becoming more common, and one company ran a full-page ad in the New York Times. Major internet service providers have launched their own VPNs, as have adult websites.
This all raises the question: what exactly is a VPN, and should we all be using one?
A VPN encrypts and obscures some of the information we generate whenever we browse the internet or connect smart technologies to a network. Enterprise VPNs have long been used by employers for teleworking or to give remote employees access to employers’ computer networks, but data breaches, worries about how companies are surveilling our location data and debates about net neutrality have driven additional VPN use by individuals in the United States.
Unsecured Wi-Fi networks are everywhere and easily accessible to anyone with a bit of technical skill who might be curious. Even when you connect to a secured network, whoever runs that network, including your internet service provider, can see some of this traffic. A VPN provides privacy and security by creating a virtual tunnel that can protect your traffic and disguise your precise geolocation from these sorts of prying eyes. My organization, the Center for Democracy & Technology (CDT), has written a more detailed primer on how VPNs work.
What’s the Catch?
This all sounds great so far, right? There’s a catch, and it’s a big one: one company can still access what you are doing on the internet — the VPN service itself. This isn’t necessarily a bad thing, but it does mean that users are functionally swapping the privacy and security practices of their internet service provider for those of their VPN service. This requires users to trust that the VPN is adequately obscuring their digital footprints and otherwise safeguarding their data. For many reasons, this has proven challenging for VPNs. VPNs have been caught leaking data, providing user information to marketers and making information they claimed they didn’t have available to law enforcement.
Just a quick search for “VPN” on an app store shows how opaque and confusing it can be to sort through the number and variety of different VPNs. Many promise additional security and privacy, but as the U.S. Federal Trade Commission has warned, promises alone do not necessarily make a VPN trustworthy. So, what does?
The Data Privacy Day (January 28) mantra of stop, think and connect is well suited for anyone interested in using a VPN.
First bit of advice: beware of using a free commercial VPN product. It’s a cliché now to say if you’re not paying for the product, you are the product. This is especially true with VPNs.
Researching Quality VPNs Is Easier Said Than Done
It is easier said than done to tell individuals to do their homework and only choose a VPN that can protect data and won’t sell or disclose information. There are a lot of guidance materials out there already and a seemingly endless number of VPN review sites. Still, it’s very hard to gauge how accurate these resources are. On one hand, Wirecutter’s recent exploration into VPNs (which, in full disclosure, CDT contributed to) is pretty readable but limited in scope, while That One Privacy Site’s in-depth comparisons of hundreds of different VPNs are detailed, but aren’t for the VPN newbie!
CDT’s contribution to this confusing state of affairs was to work with a handful of VPN providers to create a questionnaire that VPN services could answer to improve their transparency. You can read more about that effort here, but for any VPN service you’re interested in using, we’d suggest keeping the following four questions top of mind:
- Who’s running the show?
- What’s the company’s business model?
- What does the VPN say about its “logging” practices?
- How does the VPN think about security?
The first two questions establish the legal credibility of a VPN and its connection to other platforms, services or security companies. Unfortunately, fly-by-night operations and the ease with which a service can be set up as a scam are serious concerns in the VPN ecosystem. Being able to put a face to the product and the company being willing to describe how it keeps the lights on are good first steps.
What Is in a Log?
Logs can generally be divided into connection logs, such as where and when you used a VPN, and activity logs, which capture browsing history. VPNs often trip over themselves to make broad “no logging” claims that have turned out to be inaccurate time and time again. What is relevant is what information can be tied back to a user. This can include:
- Traffic activity (like downloads)
- DNS requests (details of what websites are being visited)
- Connection timestamps (reveal when a user was online)
- Bandwidth logging (reveals how much data was used, which can be used to guess what devices were being used or even what movie was being watched)
- IP addresses
Logging this information can be useful for troubleshooting purposes, but any information that can be kept after a VPN session ends is a privacy risk. A trustworthy VPN is very up front about what it means by logging and what data it retains over time, even if it is aggregated or anonymous.
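To make the distinction between per-user records and retention-safe aggregates concrete, here is an added illustration (not code from CDT or from any VPN provider) that parses a handful of constructed connection-log lines, flags the fields the list above identifies as tying a record to a person, and reduces the log to hourly per-server totals with user, IP and DNS fields dropped. The log format, field names, hostnames and the `min_sessions` suppression threshold are all assumptions made for the example.

```python
"""Added example: which VPN log fields identify a user, and what an
aggregated summary that drops them looks like. All sample data is
constructed; the log format is an assumption for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a VPN server might record per session.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=u1001 client_ip=203.0.113.7 server=nyc-3 dns=news.example bytes=48213
2024-03-01T08:05:40Z user=u1001 client_ip=203.0.113.7 server=nyc-3 dns=video.example bytes=918335021
2024-03-01T08:07:02Z user=u2002 client_ip=198.51.100.22 server=nyc-3 dns=mail.example bytes=12044
2024-03-01T09:15:55Z user=u3003 client_ip=192.0.2.45 server=ams-1 dns=video.example bytes=402118890
"""

# Fields the article lists as capable of being tied back to a user.
IDENTIFYING_FIELDS = {
    "timestamp": "connection timestamp (reveals when a user was online)",
    "user": "account identifier",
    "client_ip": "IP address",
    "dns": "DNS request (reveals which sites were visited)",
    "bytes": "bandwidth (can hint at devices used or content watched)",
}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    record = {"timestamp": ts}
    for kv in rest.split():
        key, value = kv.split("=", 1)
        record[key] = int(value) if key == "bytes" else value
    return record


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def identifying_fields(record):
    """Return the subset of a record's fields that can single out a user,
    mapped to the reason each one is sensitive."""
    return {k: IDENTIFYING_FIELDS[k] for k in record if k in IDENTIFYING_FIELDS}


def aggregate(records, min_sessions=2):
    """Reduce per-session records to hourly per-server totals.

    User, client IP and DNS fields are discarded entirely; timestamps are
    coarsened to the hour. Buckets with fewer than `min_sessions` sessions
    are suppressed, because a bucket of one still says a single user was
    online at that server in that hour."""
    buckets = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for rec in records:
        when = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (rec["server"], when.strftime("%Y-%m-%dT%H:00Z"))
        buckets[key]["sessions"] += 1
        buckets[key]["bytes"] += rec["bytes"]
    return {k: v for k, v in buckets.items() if v["sessions"] >= min_sessions}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("identifying fields in first record:")
    for field, why in identifying_fields(records[0]).items():
        print(f"  {field}: {why}")
    print("retention-safe aggregate:")
    for (server, hour), totals in aggregate(records).items():
        print(f"  {server} {hour}: {totals}")
```

The point of the `aggregate` step is that what survives the session is nothing a later request, from a marketer or from law enforcement, could map back to an account: no IP, no hostname, no per-user byte count, and no single-session buckets. A VPN that says it keeps "aggregated or anonymous" data should be able to describe its retained records at roughly this level of detail.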
What Makes for Good VPN Security?
While VPNs are a useful security tool, it is functionally impossible for an individual to assess the actual security practices of a VPN company. There are, however, a few practices a company can adopt that you should look for, including public auditing, vulnerability handling programs, clear disclosures about the encryption protocols it supports, and controls over its VPN servers, including physical security.
We have encouraged VPNs to undergo independent security audits, but these audits are neither cheap nor easy to do. Many VPNs either want assessments done on the cheap or receive results so problematic that nothing is ever revealed publicly. When we first began working with VPNs, only one service had undergone security audits and released information about them. Last fall, two more VPN services underwent independent audits of their data security and logging practices.
VPNs Should Work for Your Trust
While trying to make heads or tails of all this information might seem like a heavy lift, VPN providers have every incentive to put this information front and center. We’ve been encouraging VPNs to put all this information on centralized “trust” pages. More can be done, but if you’re interested in using a VPN, finding clear answers to the four questions above is a great place to start.