Please stop using VPN services for privacy!

 March 29, 2024

For many years, VPN companies have advertised their VPNs as a necessary tool for all people who want to preserve their privacy. For the same amount of time, I tried to explain to the people that this view made no sense if not for those company’s sales.

As an example, Onavo, a Meta subsidiary, used to advertise its services, highlighting that, among other advantages, using their product “protects your personal info”. This claim would not be a problem by itself, but it becomes one when a court finds out that this is not actually true and that new courts documents seem to indicate that the behavior was worst than initially thought.

I think it is crucial at this point to clarify what a VPN is and what it does. A VPN is simply a secure pipe from your system to the VPN server itself. This notion means the VPN protects your traffic from being intercepted up to the VPN server. Also, it means that the VPN server can see all your traffic passing by.

Considering this last aspect, the obvious question should be: how much do you trust the VPN server? I use a VPN connection frequently, but I personally control and manage my VPN server, so my level of trust in it is very high. On the other hand, if you buy a VPN service from a company, this company (or potentially other people delegated by this company) manages the server, so they can spy on your traffic.

Another aspect to consider is that a VPN protects your traffic up to the VPN server, but your traffic usually has some more bouncing to do to reach the final destination. The VPN does not protect all the bounces after the VPN server. Some of those bounches are mandatory steps to reach a service since they are very near that service, and therefore, wherever you connect from, you’ll go through them. Other steps are dependent on where you connect from. The most relevant dependent step is the first one, the Internet Service Provider (ISP), which provides the Internet connection to you (if you are connecting directly) or to your VPN server (if you are using a VPN). ISPs are often the control point for government taps, and in some areas of the world, they sell their customers’ traffic data to data brokers. Therefore, your data might be safer if you connect directly to the Internet in a country with strict rules prohibiting ISPs from selling data rather than using a VPN with servers in countries where ISPs can sell user data.

Another important aspect is that VPN service providers are not ISPs. Consequently, even in countries where ISPs can not sell their user’s data, VPN providers can since they are not bound to those rules. And, as far as I know, there is no country today where VPN providers are bound to stricter rules than those that apply to ISPs.

So, closing up this post, I want to emphasize that VPNs are as secure and trustworthy as the servers they run on, and sometimes even less if their servers are in places where it is easy for ISPs or the local government to over-reach.

 Networking, Security, Self-hosting

 Facebook, Meta, VPN

Say something

Comments

SeeM on 2024-04-02 04:34:43 UTC said:

VPN is a great tool while on hotel wifi, or to have insight on home systems from everywhere.

It is like any other proxy. You need to terminate encryption somewhere, or Your traffic will never reach destination. I know my VPN and I made it’s ceetificates, but - when I’m using it - most of my traffic goes trough hosting provider, which serves VPS. Do I trust them? No. They provide a tool and it is useful. They do not sell privacy.

Fabio Alessandro Locati on 2024-04-02 09:03:28 UTC said:

The case you are describing is not what I would define a VPN service, but rather a self-managed VPN built on IaaS. All the concerns I raised in the blog post impact only marginally your scenario. It would still be possible for the IaaS provider to intercept the traffic, but I would expect to be much rarer than for VPN services.

Kushal Das on 2024-04-07 11:08:09 UTC said:

This is why we ask to verify, and in general as you said most VPN companies store all information.

Mullvad seems to be one still caring about privacy. https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police

Fabio Alessandro Locati on 2024-04-07 22:51:46 UTC said:

Mullvad is undoubtedly one of the VPNs that seem to be really privacy-focused. Still, the fact that they have behaved in a certain way up to now does not guarantee that they will always behave in that way. If a person needs to use a VPN service, surely some are better than others, but it is still not a privacy tool by itself, but a tool that allows you to shift privacy concerns from one set of vendors to another set.