You probably don’t need to use a VPN

We currently live in an exceptional time: a global pandemic where, beyond the public health crisis and national security issues, we see a mass movement to working from home.

Various technological challenges are born from seismic changes to worker patterns/behaviours: geographical diversity is definitely one of them.

This post is triggered by a discussion that came up in a UK cross-government security forum as to whether home users, on a personal device doing personal things, should be encouraged to use a VPN or not. The VPN would not be provided by the organisation, given the personal use.

Scope

My post here is talking about when an individual (for personal or professional reasons, but not as provided by an employer) uses a VPN service.

The picture of a ‘hacker’ being unable to hack you because your connection between your laptop and ‘the Internet’ uses a VPN
Images like this are unhelpful and misleading

DoINeedAVPN.com

What does a VPN actually do?

It is the characteristics of the VPN service and components of the target network that determine what you actually ‘get’ from the VPN: access to private file stores, onward access to the Internet, access to intranet web pages or something else.

General VPN services

By default, these VPN services are ‘captive’ or ‘full tunnel’: once connected, all of your non-local network activity (browsing websites, etc.) is routed through the VPN service. A ‘local’ connection would be something like the WiFi printer in your house.

The subliminal or overt claim here is that this is ‘secure’ or otherwise better for you because they add security of some kind or some other privacy angle such as keeping your habits private from a government.

VPNs just move some stuff around

Your Internet Service Provider (ISP)

Your ISP generally knows which website (but generally not which webpage within the site) you are visiting. They still can’t see things like your online banking activity (they know you banked, but not that you paid a bill or loaned money to a friend).

ISPs are also tasked with blocking bad stuff ranging from illegal activity to copyright theft. ISPs can also influence or monitor Internet usage to enforce local laws, for example, limit access to news content or communication systems.

Your VPN provider

The VPN service then ‘terminates’ the VPN, which at this point is just an encrypted tunnel, and does what your ISP would have done: provide a network connection to the Internet so you can connect to the service you want to.
</gre_replace>
<gr_replace lines="52" cat="clarify" orig="Some are well">
Some are well-established companies who really exist to provide a service and take user security/privacy seriously.

In this case, your ISP knows you connected to a VPN service but that is it. The VPN service can now see all of what your ISP would have: that you visited a website (but probably not the page/content).

VPN providers are subject to legal mechanisms just like ISPs. They can be instructed to divulge user activity or block content.

Comparing ‘trust’

I don’t explicitly trust ExpressVPN but I trust their VPN service more than I trust a network which I believe to be hostile.

So, the really big question is: who do you trust more… your ISP or the VPN service provider?

Mind the snakeoil

Some are well established companies who really exist to provide a service and take user security/privacy seriously.

Some close down as quickly as they pop up and have outright nefarious intentions (manipulate your Internet usage to inject advertising, monitor/log it so they can sell behavioural statistics etc).

Whatever you’re doing is probably encrypted anyway

If a service does not use encryption, a VPN does not help with this. The connection will still be unencrypted from the VPN service to the service in question. The VPN only adds encryption so your ISP can’t see what is going on.
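To make the ‘VPNs just move some stuff around’ argument concrete, here is a small visibility model, added for this post and not part of the original. It is a hypothetical helper that assumes a full-tunnel VPN, a TLS ClientHello with plaintext SNI (no Encrypted Client Hello), and that an unencrypted DNS lookup goes to whichever network you are directly on; the URLs are constructed sample input.

```python
from urllib.parse import urlsplit


def who_sees_what(url, via_vpn=False, encrypted_dns=False):
    """Return {observer: set of facts} for one web request.

    Hypothetical model (not from the original post). Assumptions: full-tunnel
    VPN, plaintext TLS SNI, unencrypted DNS goes to the first hop's resolver.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an http(s) URL")
    host = parts.hostname
    tls = parts.scheme == "https"

    isp, vpn, site = set(), set(), set()
    # Whoever terminates your first hop carries every packet you send:
    # your ISP normally, the VPN provider when the tunnel is up.
    first_hop = vpn if via_vpn else isp
    if via_vpn:
        isp.add("you connected to a VPN endpoint")

    # The hostname leaks through the DNS query (if unencrypted) and, for
    # HTTPS, through the SNI field of the TLS handshake. Encrypted DNS
    # removes only the first of those two leaks.
    if not encrypted_dns:
        first_hop.add(f"DNS lookup for {host}")
    if tls:
        first_hop.add(f"TLS connection to {host} (SNI)")
    else:
        # Plain HTTP: the VPN encrypts nothing beyond its own exit.
        first_hop.add(f"plaintext HTTP request to {host}{parts.path or '/'}")
        first_hop.add("full request and response content")

    # The website always sees the full request; the VPN only changes
    # which source address it observes.
    site.add("your source IP: VPN exit" if via_vpn else "your source IP: home")
    site.add("full request (it terminates TLS)")
    return {"isp": isp, "vpn": vpn, "website": site}


if __name__ == "__main__":
    url = "https://bank.example/pay?to=friend"  # constructed sample
    direct = who_sees_what(url)
    tunnelled = who_sees_what(url, via_vpn=True)
    # The facts your ISP learned directly are exactly what the VPN learns.
    print(tunnelled["vpn"] == direct["isp"])
```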

There is a time and a place for everything

A VPN can readily do more harm than good (even if the VPN service provider isn’t malicious) by giving people a false sense of security — malware is still a thing, they can still be phished, unencrypted websites are still unencrypted websites.

If you really don’t trust your ISP, I hope for your sake that you have free choice to change to one that you do. If you can’t, you likely have some other restrictions and concerns not discussed in this post.

If you’re being encouraged to use a VPN but not provided with a VPN service, given what is discussed in this post, I would take that advice with a big ol’ bucket of salt.

Do the good stuff

  • Visit websites using HTTPS (TLS) and think about using HTTPS Everywhere to help your web browser do that (it also does a bit more)
  • Use a DNS service that both encrypts your DNS activity but also helps you filter out malware and known malicious (like phishing) domains — I use NextDNS with DNScrypt.

Alright fine, I trust my ISP enough

I don’t trust my ISP

I generally recommend* TunnelBear to people who ask me which VPN provider they should use. TunnelBear put a good amount of effort into being trustworthy (it doesn’t mean they 100% are, but that they try to do so, which is all you can ask!) — you should still ‘do the good stuff’ listed above.

You should also consider whether you need a full VPN, or whether something like Tor suits your needs.

*TunnelBear do not know about this post. I am not paid or otherwise compensated to recommend them.

Picking a VPN service

  • privacy — check their privacy policy and legal jurisdiction (avoiding ones known for privacy issues)
  • cost — free isn’t good when it comes to VPN services. I’d be willing to part with $120/year to have a fast, safe(r than the local ISP/WiFi) and reliable VPN service whenever I needed it
  • speed — a slow VPN service will make you sad
  • location — VPN providers with servers all around the globe are better for flexible connecting and travel
  • reputation — without getting caught up in paid reviews and review-spam sites, if a provider has been around for a while and isn’t being reported with security/privacy issues, they might not be terrible

My employer has a VPN

You might find other exciting posts in my Medium profile. I’m on Twitter as @JoelGSamuel.
