If you haven’t been living under a rock, you’ve certainly noticed the ubiquitous promotions for commercial VPN providers. Their aggressive affiliate marketing campaigns pose the question, “Should you use a VPN?” The answer depends. But in most cases, the answer is No. You don’t need a VPN. Let me explain.
Obviously, virtually everyone using the internet likes the idea of more privacy. Maybe they fear getting caught when doing something that is not entirely legal. Maybe, if they live in the U.S., they are alarmed by the gross privacy invasion initiated by the FCC, which now allows Internet service providers to sell your web browsing history to advertisers. Of course, those Internet service providers didn’t need to wait for that law in order to collaborate with the NSA and contribute to the mass surveillance. So, no matter where you live, it can seem to make sense to use a VPN if you don’t want anyone spying on all your ailments and little secrets. However, many people have no clue what a VPN actually does and are consequently easily hoodwinked by omnipresent marketing and its empty promises of increased privacy or even false hopes of anonymity. A VPN is not what you think it is and using one does not achieve what you think it does. Using a VPN service will not make you anonymous. Not in any way.
Why VPNs Were Originally Invented
VPNs historically had one purpose and one alone. While a VPN can achieve a lot more than just its intended purpose, these outcomes were never intended use cases and are misuses of its true function. So what’s the original purpose? Imagine you’re working from home, but you need to access some files on a server located at your office or university. For security reasons, the network administrator won’t let you access those files unless you are in the same network, i.e., physically present at the office or university. Of course, that’s inconvenient. If you’re outside the office, e.g., at home, you’re just out of luck … unless you use a VPN. This scenario is the one and only use case VPNs were invented for—to let you access private networks, i.e., not publicly accessible networks such as your company’s or university’s network, while being outside said network. Everything else is a “misuse” of the VPN technology.
The Delusion of Anonymity
Make no mistake. VPNs do not increase your privacy nor do they grant you anonymity. They solely enable you to join a private network that would normally not be reachable from the outside over an insecure connection such as the internet. They do this by securing the traffic between you and the office by encrypting the traffic so that, e.g., a coffee shop’s prying IT guy cannot see confidential company information when you are reading your work email while sipping your Chai Latte at your favorite coffee shop. But because you are connecting to your work’s network, your office’s network administrator can of course—despite using a VPN—still see what you are doing and which sites you are visiting. From a networking point of view, it’s just as if you were physically present at the office. If you’re checking Facebook at the office, your company’s network admin can of course see that you visited Facebook. With a VPN, that doesn’t change. And while your ISP, or in this example the coffee shop IT guy, may not be able to see what you are doing (because the man in the middle, the VPN provider, is hiding/encrypting what you are doing), the ISP or coffee shop IT guy can still see who is doing it, i.e., who you are.
A common delusion is that people think they’d be completely anonymous with a VPN and free to do all sorts of illegal things. That’s absolutely not the case. Your VPN provider can still see what you are doing and your ISP can still see who you are. All they need to do is to combine their halves of the data, and bada bing … the authorities know who you are and what you did. Therefore, using a VPN will not make you anonymous.
The key difference between using a VPN and not using a VPN is the following: if you’re downloading pirated content without a VPN, your ISP will gladly turn you in. If you’re downloading pirated content with a VPN, your VPN will probably not turn you in, because (in most cases) they just don’t care enough. Nevertheless, you never were anonymous. Thus, if you’re committing a crime worth their attention, even a VPN will hand you over to the police. Never rely on a “no log” policy.
Reasons to Use a VPN
Of course, there are many other motives for using a VPN than just the original use case of connecting to your office network. At the end of the day, people do not care whether they use the technology as it was intended or whether they misuse it. All they care for is the result, i.e., what they can achieve using a VPN.
Common use cases for a VPN service are:
- You are outside the U.S. but want to watch American Netflix. The same is true if you live outside the UK but want to watch BBC. However, Netflix has blocked most VPN providers by now.
- You live in the U.S. and don’t want your ISP to spy on you and sell your browsing data. In this case you have no choice but to choose the lesser of two evils. Would you rather have your ISP, a well-known company with known personnel, definitely sell your data? Or would you rather have a shady company with its place of business in Panama or Belize, whose operators nobody really knows, possibly sell your data and do who knows what with your data?
- You live in an authoritarian country such as China or Iran, where repressive censoring is the norm.
- You often visit coffee shops, airports, and the like, and don’t trust their Wi-Fi.
- Your intention is to illegally torrent copyrighted content and you want to make it harder (yet still possible) to catch you.
I do not endorse or encourage illegal activities.
As you can see, there are comprehensible reasons for using a commercial VPN service. If you live in a country like China, you essentially have no other choice but to use a VPN. Most people on this planet, however, will not need a VPN service. Before you cry out, “That’s not true! You even mentioned the FCC yourself,” let me say that the world isn’t just the USA. Especially if you live in Europe, you do not need a VPN. At least not if your objective is to escape mass surveillance by the government. European ISPs are prohibited by law from selling your browsing behavior. VPN providers are not. You are probably in safer hands if you don’t let a completely unregulated VPN provider intercept the traffic between you and your ISP. If you’re living in the U.S., that’s another matter. In any case, you cannot escape the NSA by using a VPN service.
Furthermore, most people probably aren’t paying for the VPN service with cryptocurrencies such as Bitcoin … if the VPN provider even offers that option in the first place. And if you’re paying your VPN subscription via PayPal, with your credit card, or through any other payment option that is linked with your identity, you’ve already done the job of combining the Who data with the What data yourself for the government/authorities. If your goal was anonymity—you’ve just rendered that already non-existent anonymity void.
I hope this clarifies whether you need or don’t need a VPN service. Don’t fall for the ubiquitous advertisements, sponsorships, Black Friday offers, etc. The VPN business is a dirty business. Fear-mongering marketing people try to capitalize on the lack of knowledge of most internet users by spreading myths and giving them a false hope of privacy or security. Many reviews are bought for that reason, i.e., YouTubers and reviewers are bribed such that they, e.g., get a free lifetime account if they promote the service or write a positive review. Even the YouTubers themselves most often do not understand what they’re advertising and, in many cases, just read off the scripts they were given by the VPN company. In times where YouTube often demonetizes their videos and thus is an unreliable source of income, YouTubers need those sponsorships. Of course many of them are going to take the money.
If you decide to take the risk of letting a VPN provider potentially sell your data in place of your ISP, e.g., because you live in the U.S. or because you are in China, I would pick one of those deemed trustworthy by That One Privacy Site, which is a well-respected site. I am not going to recommend any VPN service so as not to turn this post into an advertisement and undermine my credibility. But as I said, don’t fall victim to the aggressive marketing campaigns of omnipresent VPN providers, just because every YouTuber/Podcaster seems to be using them, or because they currently have this fantastic once-in-a-lifetime offer that seems to be too good to be true and expires in 9 hours. You’re not a sheep, am I right? Act accordingly.
Update October 2019: I didn’t want to mention any names or badmouth any company, but since NordVPN probably is the most well-known and also the most used VPN service … they suffered a breach—19 months ago, at that, leaving their customers in the dark the entire time. Let’s just say their handling of this matter could have been better.
Better Options For More Privacy
As I said, almost everyone wants more privacy. Whether they are actually willing to take the necessary steps, however, is a different kettle of fish. I’d also like to earn $200,000 a year. But am I willing to work 80–100 hours a week? No, of course not. Similarly, people want more privacy, but are they willing to delete their Facebook account or give up on Instagram? No, they aren’t. Instead, they are looking for this magic pill that will absolve them from taking uncomfortable actions. Yet such measures would yield far better outcomes than allowing a man in the middle of uncertain trustworthiness (i.e., a VPN provider) to intercept your browsing behavior.
If you need to research a sensitive topic, you should not rely on a VPN service but instead send your search query through the Tor Browser rather than Google Chrome, Safari, or Firefox. The Tor Browser is an alternative browser, i.e., a browser just like Google Chrome, but it will obfuscate your traces. In contrast to a VPN, Tor will make you anonymous.[1]
What you can begin with to increase your online privacy is to install a proven selection of browser extensions that block trackers and thus stop companies from creating a profile of you. See this article to learn which extensions I use and recommend.
What Else to Expect?
This blog post is the second in a series about some basic security guidelines everyone should follow. In case you missed the first post of the series, I’ve written an article about email privacy in which I address privacy-respecting alternatives to Gmail.
If you liked this article, consider following me on Twitter so that you get notified when I post the next article in the series.
If you have remaining questions, let me know either on Twitter or in the comment section below. Cheers!
[1] At least with a probability that is close to certainty. Some people argue that the FBI has subverted the Tor network and that it isn’t safe anymore. But that’s only relevant if you’ve committed a serious crime, are a terrorist, or are on “the list” for whatever other reason. If you’re a regular person, that makes no difference and Tor is safe.