> VPNs were always meant to carry internal traffic to a private network, not the public internet
This. And the idea that these so called ‘VPN’ services somehow improve your security and privacy on the internet is laughable. All they do is let you get onto the public, untrusted, internet through a different on-ramp. There is no point to them. The internet is just as untrustworthy through a VPN service as it is through any other internet connection.
> All they do is let you get onto the public, untrusted, internet through a different on-ramp. There is no point to them.
Not true, at all. There are several good reasons to use VPNs to get a different on-ramp to the otherwise untrusted internet.
- Avoid ISP tracking: Your ISP should see only traffic to and from the VPN.
- Access content intended for those in other regions: Many sites and services only show certain content to people who enter the internet from specific places.
- Limit the amount of activity linked by trackers: Visiting certain sites only from different IPs/browsers will help keep logs of that traffic isolated from the logs of your other browsing.
- Allows you to connect to sites and services that cannot connect back to you once you've disconnected: A lot of people, even those with dynamic IPs, keep their address for months or years at a time. VPNs provide a great way to cycle through IPs.
VPNs don't solve every problem, but they're a powerful tool to keep in your toolbox.
There are many, many very valuable uses for VPNs, some that offer privacy/security benefits and some that are just plain useful. It's wild to hear anyone say that "There is no point to them."
To support multiple sites per IP the browser has to send the DNS name of the site to the web server. Moreover, since the certificates that the server uses for encryption depend on the site name, the name cannot be encrypted within HTTPS. So the browser sends the name in the clear when initiating the connection. This is called SNI, server-name-identification.
It is possible to encrypt SNI, but most sites do not support that as the setup is non-trivial and error-prone.
I use CloudFlare's 1.1.1.1 DNS to mitigate my ISP tracking the domains I visit. They have an iPhone app too. I don't know enough about the space to say whether it's 100% effective.
Again, due to SNI, tracking the sites that one visits is possible even if DNS traffic is encrypted. At the very least one needs the site to support ESNI, or encrypted-site-name-identification.
But then, in practice, for ESNI to be effective one needs the site to use a CDN or similar solution to ensure that there are a lot of sites for the given IP.
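The point made in the two comments above (the hostname is sent in the clear inside the TLS ClientHello, so encrypting DNS alone does not hide which site you visit) is easy to see with a parser. The block below is an added example, not code from anyone in this thread: it builds a constructed ClientHello record (fixed bytes, not a real capture) and then reads the server_name extension from it the way any passive on-path observer such as an ISP or hotspot could, since that record precedes any key exchange. Field layout follows the TLS handshake and RFC 6066; the hostnames are example values.

```python
import struct

SERVER_NAME_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)


def build_client_hello(hostname):
    """Build a minimal TLS ClientHello record as a constructed test fixture.
    Pass None to produce a ClientHello without a server_name extension."""
    body = b"\x03\x03" + bytes(range(32))         # legacy_version + fixed (non-random) random
    body += b"\x00"                               # empty session_id
    suites = b"\x13\x01\x13\x02"                  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    # supported_versions comes first so the parser has to skip an unrelated extension
    sv = b"\x02\x03\x04"
    extensions = struct.pack("!HH", 0x002B, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(sn_list)) + sn_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if absent.
    This is what a passive observer on the path can read: the record is sent
    before any key exchange, so no decryption is involved."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                               # not a TLS handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                               # not a ClientHello
        end = 4 + int.from_bytes(hs[1:4], "big")
        if end > len(hs):
            return None                               # truncated handshake
        p = 4 + 2 + 32                                # skip version and random
        p += 1 + hs[p]                                # skip session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # skip cipher_suites
        p += 1 + hs[p]                                # skip compression_methods
        if p + 2 > end:
            return None                               # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != SERVER_NAME_EXT:
                continue
            q = 2                                     # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and q + nlen <= len(data):
                    return data[q:q + nlen].decode("ascii", errors="replace")
                q += nlen
        return None
    except (IndexError, struct.error):
        return None                                   # malformed input: fail to "nothing seen"


if __name__ == "__main__":
    # Constructed "first packets" of three flows as an observer on the link would see them.
    flows = [
        build_client_hello("mail.example.net"),        # ordinary HTTPS: hostname is visible
        build_client_hello(None),                      # no SNI: only the destination IP is visible
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",   # truncated record: parser must not crash
    ]
    print([extract_sni(f) for f in flows])            # ['mail.example.net', None, None]
```

Encrypted DNS (DoH or 1.1.1.1 as mentioned above) removes the query from the wire but leaves this field untouched; only ESNI/ECH removes the hostname, and even then the destination IP remains visible, which is why the comment's remark about needing many sites behind one IP matters.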
I'd rather have my VPN track me than my ISP. For example, a connection to Signal and Kakaotalk servers is used as evidence of being a member of a terror organisation (!) in Turkey. Evidence is gathered by the Ministry of Communications from the ISPs, who have to provide real-time connection data to the State, including CGNAT records. With a VPN, it is almost impossible (depending on setup, i.e. NAT) to obtain such evidence, especially for political purposes; even if the VPN provider willingly gives logs, there is no way to prove that the info is legit.
I guess it depends who your adversary is. If it's the Turkish government, then you are probably safe to trust a foreign mainstream VPN. If you're trying to avoid scrutiny by a five-eyes western government, you need to be somewhat more careful.
I'm not paranoid, and I have no evidence of anything at all, but it does occur to me that if I ran the US CIA/FBI, I would totally start a company like NordVPN and give them enough money to advertise widely and get sponsor spots on popular YouTube channels.
Sure, you'll probably end up facilitating a few petabytes of copyright infringing torrent traffic every day, but you'll also have a direct connection to countless people who think they're totally anonymous.
> Sure, you'll probably end up facilitating a few petabytes of copyright infringing torrent traffic every day, but you'll also have a direct connection to countless people who think they're totally anonymous.
This is the best part really. No three letter agency is going to spoil their honeypot in order to bust some kid for downloading movies and video games. They've got bigger fish to fry. The more successful they are at keeping their users safe from the copyright goons the more popular and "trustworthy" their little honeypot will seem. Your downloads will still probably earn you another black mark in your dossier, one more thing they could use against you if you ever became a problem for them, but still, free movies, music, and games! Might as well make oppression work for you.
Most people who use VPNs for privacy will readily admit that their use is based on relative trust. They know that ISPs are notorious for harvesting and granting access to browsing data, and they trust that their reputable VPN provider of choice is truthful about their logging and internal data handling policies.
> You just replaced ISP tracking with VPN tracking.
Yeah, that's the point. People have infinitely more choices for VPN providers than for ISPs. The VPN provider could be in another country. You can even run your own VPN on hosted infra.
If your hosting provider makes similar privacy guarantees to a similar VPN provider, then perhaps. For bonus points, use a hosted VM and commercial VPN in serial.
Again though, if the US Government is a potential adversary, there's still risk here. Intelligence services could have a 0-day on your linux distro, or an operative within the hosting company. If they get access, they can turn your hosted VM against you.
I think you just have to assume there's a possibility that the infrastructure can be compromised at any moment. For both of these two options. Guarantees from providers are valid until the day they are not.
Though a point has to be made about using a hosted VM for VPN purposes: you have some level of control over which specific software, configuration, encryption schemes etc. you want to use for your stack. The only downside is that currently there isn't sufficient hypervisor protection from the host kernel afaik.
However I do agree with you that either way, the risk threshold is too high if you are concerned about high level state actors. Neither commercial VPNs nor hosting providers can solve the "anonymity" problem for you.
You can choose your VPN. Your ISP, not so much. It's also possible to run your own VPN on a public cloud or VPS. You might still need to worry about your provider then, especially if a government might request who is renting the server that is sending certain traffic.
There are levels to trustworthiness. I mostly trust my ISP enough to not bother with VPN at home, but when I'm traveling I'll take my VPN provider over a hotel WiFi any day.
"Under the provisions of the Investigatory Powers (IP) Act, it is now possible for the Law Enforcement Agency (LEA) community to lawfully obtain Internet Connection Records (ICR) in support of their investigations. Following the completion of some initial trial activities, work is now underway to provision a national ICR service."
I’ve heard the idea of “competing jurisdictions” advanced here: run your own Wireguard VM in China or Russia and route traffic through that box, with the goal of essentially introducing unfriendly international borders in your traffic. Ideally your Russian VM provider would be uninterested in responding to an American subpoena.
The other concept I’ve heard put out is to add layers - your traffic hits Vultr, then Hetzner, then etc etc. Conceivably if you cross enough jurisdictions you can make it very difficult for a legal adversary to attack your traffic.
Would I bet on this for activities I needed to remain exceptionally private? No - but if I needed relatively consistently low latency traffic and a decent baseline of privacy it might just work.
In the end you have to trust someone or you might as well just stay offline forever. In the US, very few people have much choice in their ISP. If you are lucky you might have more than two options. Many ISPs are known to be untrustworthy. They outright state they will mine your internet history and sell it. If I have the choice between an ISP who I know will sell my browsing history and a VPN which might, but claims not to? Well, I know which one I'm going to pick.
If ISPs don't shut down people's accounts they'll get sued for billions in fines.
There are still open court cases against multiple ISPs for not cutting enough people off from the internet. So far, courts have agreed with the RIAA/MPA who paid good money for the laws we have.
Yes, the media industry is certainly more to blame here. Although, the current ISP oligopoly means that there are less companies to sue or otherwise bully. And it doesn't help that some major ISPs are owned by companies that also produce copyrighted content they want to protect.
Moreover, why do you imagine that the VPN is not being operated by the NSA? There are really a few different kinds of VPN operators: intelligence services, organized criminals, and legit businesses. You have no way of determining which is which.
Thing is, if you ping experts in the privacy field (like Mike Bazzell, the former FBI OSINT guy who billionaires and celebs hire to keep their personal info off the internet), they will all say the VPNs are a very important tool to create a layer of privacy between you and the site you are visiting and also a good tool to prevent said sites from easily profiling you. No, they are not a panacea -- much like the security universe, the privacy universe requires lots of other active and passive behavioral and technological changes to properly lock things down to whatever standard you require for your threat model. But they are very much an important tool. For a small subset of people it's literally a tool that protects their life.
So yeah, it's kinda a big deal if it leaks. (Which is why most privacy experts, were you to tell them you were sufficiently paranoid, would have you fire up a pfSense and link it permanently to a VPN service and then run a separate brand of VPN software on whatever device, so that you have two layers going through two companies.)
> who billionaires and celebs hire to keep their personal info off the internet
I also do this type of work on the side. When it matters a device level VPN is never the correct option, because every OS leaks to some extent. They get a device where the cellular components have been disabled and it can only connect to a fixed wifi AP carried by one of their EP guys that tunnels the traffic back to a datacenter.
In the UK if you download a TV show or other copyrighted material without a VPN, you can get a letter from your ISP as a warning together with a list of the content you've downloaded, and they may terminate your service if you continue.
A VPN solves this, and does protect your privacy, so your comment is just needless hyperbole.
> This. And the idea that these so called ‘VPN’ services somehow improve your security and privacy on the internet is laughable.
Actually, they do: Neither your ISP nor the government (assuming the VPN provider is in a "hostile" jurisdiction) can intercept, analyze or modify your Internet traffic when you are using a VPN to mask your Internet access. There have been multiple instances of this in the past [1][2] and ongoing (e.g. DNS [3]), and ISP "middleboxes" have been historically the biggest impediment in rolling out new features.
Ubiquitous HTTPS has shut down a lot of that shit, but until DNS-over-HTTPS becomes actual mainstream DNS (and SSL SNI!) will still leak a lot of information to entities that have a direct financial interest in collecting, packaging and selling this data to advertisers - there is a reason why ISPs oppose any legislation that turns them into "dumb pipes" after all.
Security-wise, at least if you are using any kind of untrusted network (e.g. university campus, public hotspots) a decent VPN software that uses the OS-provided firewall to completely drop any incoming and outgoing packets except for the VPN tunnel connection is also a massive benefit.
The downside of course is that you are now forced to trust the VPN provider instead of the ISP - but at least the VPN provider market is healthy and extremely competitive, which means any sort of shady bullshit would be a virtual death sentence, unlike the ISP market where you are in many cases stuck with one or two options.
Not to forget, VPNs also provide privacy on the "other end": as many providers don't cycle through IP addresses sometimes for months, advertising providers can track your movement across the Internet simply by collecting your origin IP. A good VPN provider regularly changes the origin IP visible to sites you access.
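The "drop everything except the tunnel" firewall behaviour described in the comment above is usually called a kill switch. The block below is an added example, not code from the commenter or from any VPN product: it models that policy as a decision function over constructed packets, so the failure mode it guards against (an application's traffic leaving on the physical interface when the tunnel is down) can be checked, and it renders the same policy as an illustrative nftables ruleset. The interface names (wlan0, tun0), the VPN endpoint 203.0.113.10:51820/udp and the LAN range are assumptions chosen from documentation address space.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (assumed, not from the thread):
# physical NIC wlan0, tunnel device tun0, VPN endpoint at a documentation
# address on UDP/51820, home LAN 192.168.1.0/24.
PHYS_IFACE = "wlan0"
TUN_IFACE = "tun0"
VPN_SERVER = ip_address("203.0.113.10")
VPN_PORT = 51820
VPN_PROTO = "udp"
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving the host) or "in" (arriving)
    iface: str       # interface the packet uses
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int


def kill_switch_allows(pkt: Packet, lan_allowed: bool = False) -> bool:
    """Kill-switch policy: default deny on the physical interface; permit only
    loopback, the tunnel device, the encrypted VPN session itself and,
    optionally, the local LAN (printers etc.), which is off by default
    because it is a leak path."""
    if pkt.iface == "lo":
        return True
    if pkt.iface == TUN_IFACE:
        return True                      # already inside the tunnel; the VPN encrypts it
    if pkt.iface != PHYS_IFACE:
        return False                     # unknown interface: fail closed
    if pkt.direction == "out":
        peer, peer_port = ip_address(pkt.dst), pkt.dport
    else:
        peer, peer_port = ip_address(pkt.src), pkt.sport
    if pkt.proto == VPN_PROTO and peer == VPN_SERVER and peer_port == VPN_PORT:
        return True                      # the VPN session that carries everything else
    if lan_allowed and peer in LAN:
        return True
    return False                         # anything else on wlan0 would bypass the tunnel


def render_nft(lan_allowed: bool = False) -> str:
    """Emit an nftables ruleset expressing the same policy (illustrative;
    a real deployment also needs DHCP and IPv6 handling)."""
    lan_out = f'    oifname "{PHYS_IFACE}" ip daddr {LAN} accept\n' if lan_allowed else ""
    lan_in = f'    iifname "{PHYS_IFACE}" ip saddr {LAN} accept\n' if lan_allowed else ""
    return (
        "table inet killswitch {\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy drop;\n"
        '    oifname "lo" accept\n'
        f'    oifname "{TUN_IFACE}" accept\n'
        f'    oifname "{PHYS_IFACE}" ip daddr {VPN_SERVER} {VPN_PROTO} dport {VPN_PORT} accept\n'
        f"{lan_out}"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        '    iifname "lo" accept\n'
        f'    iifname "{TUN_IFACE}" accept\n'
        f'    iifname "{PHYS_IFACE}" ip saddr {VPN_SERVER} {VPN_PROTO} sport {VPN_PORT} accept\n'
        f"{lan_in}"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed packets: the VPN handshake, a web request that correctly goes
    # through the tunnel, and the same request falling back to wlan0 (tunnel down).
    scenarios = [
        Packet("out", "wlan0", "192.168.1.5", "203.0.113.10", "udp", 40000, 51820),
        Packet("out", "tun0", "10.8.0.2", "198.51.100.7", "tcp", 40001, 443),
        Packet("out", "wlan0", "192.168.1.5", "198.51.100.7", "tcp", 40001, 443),
    ]
    for p in scenarios:
        print(p.iface, p.dst, "allow" if kill_switch_allows(p) else "DROP (would have leaked)")
    print(render_nft())
```

Note that with the ruleset as written, DHCP renewals (UDP 67/68) and IPv6 neighbour discovery on wlan0 are also dropped; that is the right default for a demonstration, but in practice those exceptions have to be added deliberately, and every exception is a place to audit for leaks.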
> Actually, they do: Neither your ISP nor the government (assuming the VPN provider is in a "hostile" jurisdiction) can intercept, analyze or modify your Internet traffic
No, you're just delegating those capabilities to some completely unregulated random actors instead.
> which means any sort of shady bullshit would be a virtual death sentence
This assumes that their shady bullshit is discovered by someone. I would bet good money that the vast majority of it isn't. They could be sampling traffic and selling it to other companies without modifying it and users would never be any the wiser.
Honestly, I wish we could get past this broken narrative that VPNs are a panacea.
> No, you're just delegating those capabilities to some completely unregulated random actors instead.
It's a question of trust in the end. Telco providers not just in the US but across the Western world have shown time and time again that they cannot be trusted: traffic manipulation, DNS hijacking, selling data to the highest bidder [1], engaging in open corruption to prevent competition, predatory sales tactics, fee scams, peering extortion [2], misappropriating government funds [3] - name the act and you'll find a dominant ISP having done or still doing that practice.
VPN providers generally don't have that baggage attached.
> This assumes that their shady bullshit is discovered by someone. I would bet good money that the vast majority of it isn't.
I agree, but at least the incentives are aligned completely differently than with ISPs. The large ISPs can do whatever they want, even breaking the law, because their consumers have no other choice - rural ISPs will get competition from Starlink soon enough, but people in condos? They're stuck with whatever the landlord offers, and the landlord won't care even if there is competition as long as the monopoly ISP pays higher kickbacks.
> Telco providers not just in the US but across the Western world have shown time and time again that they cannot be trusted
This is true, although there's still a very large risk element here. The average person is not likely to be able to safely determine which VPN providers are trustworthy or not. They also aren't likely to understand their limitations, i.e. they don't grant you perfect anonymity, they don't grant you perfect immunity, they may or may not capture the traffic that you intended or thought.
In that case, is it really a good thing for VPN internet provider usage to be on the rise? All we're seemingly doing is handing people more guns to potentially shoot themselves in the foot with.
ISPs, for all of their transgressions, tend to be registered and regulated companies, and that makes it much easier to at least find someone to target with legal action if need be. The bar might be low, but there are some standards to which they have to adhere. Many VPN providers are nameless and faceless "organisations" with little-to-no regulation or responsibility. It's difficult to know if they take your privacy seriously, whether they are taking adequate precautions not to log, not to leak data, or to adequately secure their systems.
Hell, it's entirely possible that your VPN provider is actually just an FBI honeypot on the lookout for people who are only actually using a VPN service because they have something to hide. How would you tell if they were?
I just don't really buy the argument that having different incentives means they are any less likely to be nefarious or negligent.
> Neither your ISP nor the government (assuming the VPN provider is in a "hostile" jurisdiction) can intercept, analyze or modify your Internet traffic when you are using a VPN to mask your Internet access.
This is exactly the problem with VPNs, they give you a false sense of security. When your traffic goes over the public internet, you should assume everyone and their grandmother can track it. So the traffic cannot be intercepted at your ISP, that only leaves a billion other places where it can be intercepted.