We have all seen the adverts on TV, and in the media in general, around how a Virtual Private Network (VPN) will secure your web browsing, and make your connection totally private.
Well, I hate to say this, but this is not totally true.
So, what is a VPN?
We need to first of all show how a VPN is used, and how it provides you some protection.
When you connect to the Internet (be it via WiFi or wired connections) you connect your device to a Router or access point. This might be your home router, a network at your workplace or maybe a free WiFi hot spot in a Cafe.
Your device connects to the router, which in turn connects to the Internet Service Provider (ISP) that provides the external connection to the internet. We have no control over the external connection to the Internet as this is totally managed by the ISP.
If you are using WiFi, the connection to the router is typically encrypted and secure, but once the connection terminates in the router what is sent out is not encrypted unless you have encrypted the data you are sending.
However we do have control over what we pass down to the ISP.
When we browse a website using an HTTPS connection, it is encrypted. This mean that even if someone inspected the data being transferred, they would not be able to read it. However, anyone observing the network traffic would see you are accessing a website, the URL and that you were transferring encrypted data to and more than likely the IP address if the web server you were communicating with.
When you connect to the router using a VPN, all traffic is encrypted between your device and the router. Anyone observing the network traffic will just see you are connecting to a VPN Provider, and won’t be able to observe any of the traffic between your device and the VPN provider. This helps to make your connection private to any other users of the same access point and to the ISP.
Let’s zoom out a bit …
This is the sequence of events that happens:
- Your device connects to the Router/access point/hot spot
- Your device establishes a connection to a VPN Provider
- The router routes all traffic via the Internet to the VPN Provider
- The VPN Provider then decrypts the network traffic from your device and then forwards it onto the target website via the internet.
Once the web request gets to the VPN provider it is decrypted back to the basic HTTPS connection that you sent from your web browser.
Once the request gets to the target website, it knows everything there is to know about you from the resulting HTTPS connection. This will include:
- Your Browser User Agent String, which will identify the browser you are using (e.g. Chrome, FireFox, Edge, Safari) as well as the version of the browser and other information about your device
- Your Browser Fingerprint (look this up in our Glossary)
- Any username and password you provide
- Information relating to browser cookies the website had read
- Any tracking information your browser/website records and transmits.
Basically, you are only private up to the point the VPN Provider exits onto the internet. From there on you are in clear water.
If you login to the website, they know everything that you have previously provided to them, as if you had just connected normally without a VPN.
So, what is the use of a VPN?
A VPN protects you at the access point, which is probably the most vulnerable connection especially if you are connecting to public WiFi. The protection is does provide you is:
- Hides all traffic coming from your device so that it is impossible for anyone to observe your messaging even if you are using an unencrypted connection
- Hopefully hides all DNS lookups when you are not using an encrypted DNS lookup (see my blog on this)
- When the DNS lookup has resolved to an IP address, this is also hidden from the router and any observer
- Stops your ISP from tracking what websites you are looking at.
In other words it does provide some privacy and security when browsing on public networks.
What is doesn’t provide are:
- Privacy from the target website
- If you are connecting to a malicious website, the malware could still get back to your device
- Privacy from the VPN Provider
- Tracking cookies and other tracking mechanisms employed by search engines and websites.
While your ISP doesn’t know what websites you are visiting, your VPN provider does as they need to make the connection to the target website for you. The better VPN providers will state they don’t retain logs of what websites or services you access via their service. But they do log some information, for example:
- The Date/Time you connected to the service, when you disconnected and the duration of your connection
- The device you connected with
- The total amount of data you transferred
- Where you connected from.
They need this information to adequately manage the service and handle peek loads on their servers. They will often claim to only retain anonymised data that doesn’t identify you directly and to delete it after a short period.
The better ones won’t record:
- The Websites/services you visit
- Data Transferred to the target service
- Target website usernames/passwords
- Tracking information.
However, not all VPN’s are made equal. The better ones are not free to use, and will provide a better privacy and security experience. The free ones will monetise your connection in various ways:
- Record your traffic and sell this data to other services for tracking and marketing purposes
- use your device to provide some aspect of the VPN connection for other users (e.g. route traffic through your device instead of through their servers).
There are many ways to monetise your data through these free VPN’s. The general principle is ‘If you are jot paying for a product, your data is likely the product’.
Why would I use a VPN?
There are many reasons to use a VPN:
- If you are accessing your workplace remotely, your employer will likely provide a VPN to make that connection secure and private
- You want to hide your activity when using public WiFi
- You want to hide your activity from your ISP to limit their ability to market your data
- You want to communicate privately with someone and you don’t want people to monitor your conversation
- You want to access material in a different geographic location that is blocked from your current location.
Lets look at the last point a little closer. Try to access the BBC iPlayer while you are on holiday outside the UK. Try to access Hulu from the UK. You will be greeted by a screen telling you that the content you are trying to access is not available in your location. This is GeoFencing. The restriction of information to a particular geological, or political, border.
When connecting to a VPN you can choose which country you are connecting from, and which country you are exiting in. If you are Spain and access the BBC iPlayer with the exit node of the VPN in the UK, then the BBC thinks you are in the UK and unblocks the content. However, some services are getting wise to this and detecting the exit node from the VPN and blocks the content anyway irrespective of whether you are in the relevant country or not.
However, if you are using a VPN to ensure total privacy, then as soon as you exit onto the open internet you are visible again and a lot of the perceived privacy and security evaporates.
What VPN Services are there?
I should firstly mention that I have no affiliation to any particular service and any recommendations are based on freely available data.
Tech Radar is a very good consumer technology website that performs periodic reviews of VPN services. Perform the following search to see a lot of their current material:
There are also other sources of information and I suggest you do your own research in your own country as the advice there might be different to the UK.
Also look to see where they are based. Look up in our Glossary ‘Surveillance Alliances’ , and in particular the “5 Eyes”, “9 Eyes”, and “14 Eyes” global surveillance alliances. If your VPN is based in any of these countries, then any use of the VPN has to be recorded and can be requested/disclosed as intelligence to any of these nations. Even if you don’t live in these countries, they may disclose any information they have about you.
Express VPN is based in the British Virgin Islands. NordVPN is based in Panama. Both these countries have very few restrictions on what they are required to record and are amonst the top VPN providers. However, neither are cheap and definitely do not have any free options.
Mozilla (makers of the FireFox browser) are also trialing a VPN, but this is currently limited to certain US States. However it will eventually be rolled out to most countries and when it does, I expect I will try it. While we are on this subject, I strongly recommend using FireFox as your default browser as it provides a lot of the privacy protection you need even without a VPN (see also below).
Are there places I can’t use a VPN?
The short answer to this is ‘YES’.
Some countries monitor and actively block VPN’s. Russia, China and Saudi Arabia are very active in blocking VPN’s. There are some that are approved for corporate use, but very few are available in these countries for consumer use. If you use one, you may get arrested and you are unlikely to get any internet access.
If you are traveling and intend to use a VPN, do your homework on whether or not you may land in trouble if you use it in your destination country. Ignorance of the law is definite not an excuse in these countries.
You have been warned!
How do I protect myself if I don’t want to use a VPN?
All modern browsers have some form of ant-tracking feature either by using an Add-on or native features. FireFox is by far the best for privacy because they don’t market any information processed through their browser. On the other hand, Googles Chrome browser leaks everything back to Google who will monetise that data.
There are a number of browser extensions for Chrome and FireFox that will help to limit privacy invasions and help secure your browsing experience (other browsers may also have these):
- U-Block Origin – this is a very effective Advert blocker, but also has a number of other features, e.g. Link Tracking Protection
- Ghostery – this is a tracking protection add-on that blocks a lot of the trackers that appear on web pages
- HTTPS Everywhere – this is produced by the Electronic Frontier Foundation (EFF) and enforces HTTPS connections even when you don’t specify one
- Privacy Badger – this is also an EFF add-on that provides intelligent tracking protection similar to Ghostery and that provided by browsers (you don’t need both)
- ClearURLs – this removes a lot of the tracking information in the URL you use to access a website.
These are the extensions/add-ons I use all the time to secure my own browsing. However, they can break websites functionality and you may have to experiment to see which one is causing the problem by selectively disabling its function for the website or disabling settings.
You can also block auto-play of HTML 5 Video, which is more of an annoyance limiter than anything. However ,malware can creep in via video players so this should also be considered. There are various extensions available, and most browsers offer this in their advanced settings.
You can also enable the ‘Do Not Track’ function in your browser. However, this is little or than a suggestion to the receiving web server that you don’t want to be tracked and the majority of web services totally ignore this setting. However, I would suggest you enable this setting for those websites that do honour the request.
I would suggest using the above add-ons even if you do use a VPN since all the tracking data is not typically blocked by the VPN.
FireFox also has extensive Tracking Protection built in. Chrome is providing similar functionality in the future. The Chrome version of Microsoft’s Edge browser will offer this protection when it releases for Windows and Macs. The Microsoft Edge browser for Android does provide some ad-blocking and privacy features, but FireFox on Android is by far the best for this.
You can also use Encrypted DNS lookups.
What about the TOR network?
This is the subject of a blog that I have yet to write. However if you want to use TOR then go and look at the TOR Projects website which will provide you with a lot of the more technical information and how it is funded. You can also use the TOR Browser on most platforms, including now Android, that makes a connection to the TOR network before you start browsing. However, if you use the TOR network as a VPN, once you exit the TOR network you are in clear water again and can be tracked. The TOR Browser does provide the best safeguards to limit the ability for any service to track you, but once you login into the service they own you.
If you use the TOR network you should steer clear of the dark and deep web as his will only get you into trouble (a subject of another future blog).
You should also know that some services block access from the TOR network, so you could end up being locked out of your favorite websites. Also, as you are accessing the TOR network from an ISP, they will track that access, and you could find yourself being actively watched by law enforcement and intelligence agencies. Accessing the TOR network from some countries is also banned, punishable by law so do your research before you travel. Some countries, like China and Iran, have managed to block access to the TOR network because of the way they have set up the internet in these countries. Russia is also actively researching how to decrypt the TOR network and render it useless – good luck with that!
On Android, you can also use OrBot, which is a free VPN/Proxy that routes through the TOR network that is sponsored by the TOR Project.
BE WARNED – The TOR network isn’t for the feint hearted and definitely not a safe play ground even for experienced people. More on this in the future blog (when I get round to writing it).
I hope this blog, while a bit long even by my standards, has demystified some aspects of VPN’s and that you will be better informed to decide whether or not one if you.
I also hope that you can now see through the ‘BS’ that is pedaled by a lot of the VPN providers around total privacy and security while accessing the Internet.
If you are going to use a VPN, DO NOT USE A FREE ONE!! If you do, you are the product they are selling, not the VPN.
Look out for my blogs on the TOR Network and the Dark/Deep Web and keep coming back for more content as I produce it.
Headline image provided by Shutterstock.