What is a VPN?
Let's begin with defining the acronym:
VPN = Virtual Private Network
The easiest way to explain what a VPN is - without getting overly technical - is to explain how one works.
A VPN creates an encrypted connection between your device and the VPN server. This is frequently and commonly referred to as the "tunnel."
Assuming the encryption protocol of the tunnel is up-to-par, there are very few methods which can directly penetrate it.
Essentially, barring any leaks, the information that passes through this tunnel between your device and the VPN provider is secure and "private" from just about any third party you can think of - to include your Internet Service Provider (ISP).
How a VPN can benefit your privacy
- Hides your internet traffic from the likes of your ISP, governments, and other 3rd parties
The encrypted tunnel that VPNs create effectively hide your internet traffic from third parties, including your ISP. For example, your ISP would only see that you're (1) online and (2) connected to a VPN service.
Assuming other factors are either kept in check or not present, this means that your browsing history and connections are kept private between you and your VPN provider only. And ideally, your VPN provider would have a verified "no logs" policy so even they wouldn't necessarily "know" about your internet activities.
Please note that in order to get the maximum amount of privacy out of a VPN, you should take care to also set your network/devices to use an encrypted and privacy-friendly DNS provider.
Though some providers route DNS traffic with their own servers (which in itself may not be ideal), a VPN is not a drop-in replacement for securing DNS lookups. Even a VPN provider's DNS servers can leak from the tunnel and if your device/network is defaults to using unsecure resolvers such as those of your ISP, then your DNS traffic is for the taking by any entity willing to do low-effort snooping. Learn more about the importance of DNS privacy
In addition to using secure and private DNS resolvers, you should also force HTTPS connections within your browser. Furthermore, and ideally, you would be using a properly configured privacy browser that should handle this for you. A VPN provider cannot encrypt the connection between its servers and a website's servers for you. Learn more about HTTPS and browsers
Lastly, please be very cognizant that a VPN is not a silver bullet against many different entities.
Depending on your "adversary," they may be capable of employing advanced techniques both online and offline to expose your internet activities. A common example of this is that your adversary may take advantage of leaks coming from your VPN tunnel or probe and exploit other operational weaknesses surrounding your VPN.
- Hides your IP address from the sites you visit and during P2P activities
When both configured and working properly, a VPN masks your IP address from the sites you visit and Peer-to-Peer (P2P) sharing you may engage in, such as torrenting. Instead, the IP address that gets shared is that of your VPN provider's server.
While this doesn't provide anonymity, hiding your IP address can benefit your overall privacy since you're removing the availability of another piece of potentially identifying information about you and your device(s).
Your IP address is a great indicator of your general location - and combined with other supplemental bits of information, your location can be pinpointed with a high degree of accuracy. However, on the other hand, hiding your IP address accomplishes little if you don't utilize other privacy and security tactics as well.
To ensure that your IP address doesn't get accidentally revealed, you'll want to make sure your VPN provider resists IPv6 leaks and you'll want to address the potential for WebRTC leaking your actual IP address from within your own browser.
Additionally, you should be aware that your VPN provider will have your IP address(es) since you're connecting to their servers!
- Protects and encrypts data when on unfamiliar networks
This is a benefit primarily for those who may often find themselves using Wi-Fi networks outside of their home. For example, people who travel a lot with their personal or business/work devices may take advantage of free Wi-Fi at the airport and/or hotels.
A good and trustworthy VPN can virtually eliminate most common risks associated with using unfamiliar and/or public Wi-Fi networks.
Many Wi-Fi networks are poorly secured. This means that "danger" has a higher probability of being present - and there's not much you can do to control that, as you can with a network that you control.
Remember, especially for public Wi-Fi networks, any device within range can join -- including that of a malicious actor. Therefore, the risks of getting caught in common network attacks - typically variations of the man-in-the-middle attack model - are far higher.
VPNs can provide some additional benefits not necessarily tied to privacy, but relevant enough to highlight here.
For one, VPNs are good tools for navigating around censorship. Many jurisdictions who engage in mass media censorship also go to lengths to make access to VPNs harder for the population - which is a testament to their effectiveness.
VPNs are also great tools for accessing geo-restricted content since you have the ability choose a server that's not location in the blocked jurisdiction(s). Once you select a server in a locale where the geo-restriction is not present you now have access to that previously blocked content!
Who needs a VPN?
As with many things you'll run into within the privacy-conscious world and on your own journey, determining whether you need a VPN falls within a gray area. Though, you can say VPNs themselves are a special gray area.
The short answer is: it depends on your threat model.
In general, if you are looking to hide your traffic from the likes of your ISP/3rd party eavesdroppers or hide your IP address from websites/P2P activities, then a VPN may be a worthwhile tool for you. But, of course, this is assuming you've taken other steps in improving your privacy and protecting your data.
Remember, VPNs have a number of limitations and you should consider how these limitations factor into your unique situation and goal(s). VPNs are not a silver bullet. VPNs are not a drop-in replacement for good privacy and security practices. VPNs are not a "privacy shortcut."
If you are a user seeking anonymity, then your best option is not using a VPN - despite what marketing materials may say. Your best bet would be to get familiar with the TOR browser and trusted live operating systems such as Tails.
Choosing a VPN
If you've determined a VPN fits the bill for you and your privacy journey, then how do you go about choosing one?
Ultimately, this is dependent on a number of interacting factors, some of which are personal to you. However, as a general rule of thumb you should:
- Avoid most "free VPNs." Generally, free VPNs are the epitome of "if it's free, you are the product." They frequently collect your data and have highly invasive privacy practices. Remember, whatever VPN you use theoretically has a high level of access to your browsing history and connectivity.
- Avoid VPN providers located in the US or the Five-Eyes Countries
- Ensure the provider has OpenVPN protocol support at a minimum
- Ensure the VPN provider has a reliable killswitch.
- Ensure the provider engages in minimal data collection... think: what information is needed to sign up, logging policy, etc.
- Trustworthiness of your VPN provider
This is the biggest limitation when it comes to VPNs. It's not to be underestimated in any capacity.
Truthfully, the security and privacy gained from using a VPN really begins with the provider.
Remember, a VPN provider has direct access to a ton of data about you:
- Payment information - especially if you've used traditional payment methods which create a paper trail right to you
- Any information provided during account creation
- The IP addresses of the devices you use to connect to the VPN servers
- The entirety of your browsing activity
If your VPN provider is not trustworthy, then why trust them with any of the information points above?
- Your devices (that may not send all traffic through the VPN)
Some devices aren't able to have VPN clients installed and therefore can't route their traffic through a VPN. This is usually the case for the likes of IoT devices such as smartTVs.
Some devices may not route all network traffic through the VPN connections. Some devices are more prone to doing this than others. This can be due to the device itself, device settings, firewalls, or any other software present.
Traffic leaking such as this can undo what security and privacy benefits you may have gained when using the VPN. More than likely, your device will revert to using your ISP's IP address or continue its connection to a network even without the VPN connection present.
On a device with a VPN client installed, a good and trustworthy VPN provider should provide a reliable killswitch in the event your connection to the VPN service is jeopardized. Since the connection to the VPN provider can be jeopardized by your device, your ISP, or the provider themselves, a killswitch automatically terminates your connection in the event your connect to the VPN provider drops.
- Subject to various leaks
This is in an addition to the second limitation described above.
Unfortunately, even when a connection is established, VPNs themselves can be rather leaky - especially when these leaks aren't properly mitigated or addressed. There are a number of ways a VPN connection can "leak," and therefore fall short in providing you the promised security and/or privacy you expect.
VPNs are subject to IPv6 leaks, WebRTC leaks (which occur from a browser), and DNS leaks.
- Jurisdiction matters more than some other tools/services
For many privacy-related services, jurisdiction matters.
The general rule of thumb is to avoid any or providers services that operate within any of the Five Eyes countries. For some providers/services, this may not matter as much.
However, given the amount and type of information that a VPN provider has access to (as detailed earlier) and how it can be compelled to record/store such information, jurisdiction proves far more important for VPN services.
Because of this, you'll more than likely want to strive for your VPN provider to be outside the greater 14 eyes.