Unfortunately, VPN comparison sites, VPN review sites, and VPN provider marketing all seem to have a tendency to gloss over the limitations of VPNs as a whole.
VPNs are limited in the privacy protections they do provide. These limitations include the trustworthiness of the VPN provider, VPN compatibility with other devices on your network, defense against malware, encryption, and jurisdiction.
As you should be aware, virtual private networks (VPN) can prove beneficial to a user's privacy and security in some situations. Generally, they are great tools for bypassing geo-restricted content and protecting your browsing traffic from third-parties such as your Internet Service Provider (ISP) - provided other good practices are followed.
As consistently iterated on avoidthehack - a VPN is not a tool that guarantees anonymity nor should it be used as a "crutch" to make up for lackluster security habits. You should use a VPN alongside other privacy-oriented solutions and maintain good security hygiene.
One key to understanding how a VPN may enhance your privacy/security posture is to understand the limitations of VPNs. Understanding VPN limitations can help you in accomplishing your privacy and cybersecurity-related goals and answering important questions such as whether a VPN is a tool you should use or even how to choose a VPN.
Keep in mind that some VPN limitations can be mitigated via different approaches, whether technical or utilizing researching skills! Based on limitations outlined here, you may find that using a VPN isn't for you - and that's completely okay.
This is the biggest limitation when it comes to VPN Providers/VPN Services out there. The security and privacy gained from using a VPN truly starts begins with the provider and is not something to be underestimated in the slightest.
Naturally, this limitation doesn't directly affect those who choose to run their own self-hosted VPN setups. However, if you're not using your own hardware, then this limitation can and frequently does apply to the hosting/server provider.
This may seem like a given, but it can be easy to lose track of just how much direct access a VPN provider has to data directly related to you. Access doesn't necessarily mean they're automatically logging or storing this data, but it has been made available to them - typically for services to be rendered.
Remember, in the wide majority of cases a VPN provider has direct access to:
- Payment information. This is especially relevant for using traditional payments. Traditional payment methods, like credit cards, are unique-enough identifiers for revealing your identity - or breaking anonymity. Depending on your threat model, this may be of concern.
- Any information provided during account creation. Many VPN providers require some sort of account in order to use the service; the information the provider requires to establish an account differs widely.
- The entirety of your browsing activity. True whether logs are kept or not; you're essentially routing the traffic your Internet Service Provider (ISP) would see through the VPN provider.
- The IP addresses of the devices used to connect to the VPN servers. This is a given. Again, this doesn't necessarily mean your VPN provider is logging or storing this information, but it is being routing through the VPN servers.
Ultimately, if you feel that your VPN provider is not trustworthy, then why trust them with any of the above information points? Unfortunately, evaluating the trustworthiness of a provider can be hard; many times, it's not readily apparent that a VPN provider is "untrustworthy" until after the fact. However, there are some key points you can look for...
Who actually owns the VPN service? This often goes further than branding or whatever logos you may see on the VPN provider's website.
Put simply, sometimes "COOLVPN" is actually owned by "NOTCOOLVPN." It's important to dig a little when determining the "real" owner of a VPN service; you should look for whether the company has been acquired/bought, mergers, and change of ownership/management. In the VPN world, "friends" can turn into "not friends" overnight.
We can even look at a big, real-world example with Kape Technologies, Private Internet Access, and Express VPN.
For the record, Kape Technologies was formerly called Crossrider and has been accused of some shady dealings, such as the "Crossrider malware."
In 2019, Kape Technologies acquired Private Internet Access, a popular VPN provider at the time. By this point in time, Kape Technologies had already acquired VPN providers ZenMate and CyberGhost.
In late 2021, Kape Technologies acquired Express VPN for nearly $1 billion. ExpressVPN is another popular VPN provider that had a decently privacy-friendly reputation.
Private Internet Access and ExpressVPN were once independent companies. Now, ZenMate, CyberGhost, Private Internet Access, and ExpressVPN are all owned by the same parent company, Kape Technologies.
Security audits are important for verifying a VPN provider's claims - especially if the provider claims it has a "no logs" policy. Ideally, security audits would be performed by a reputable third-party vendor.
Keep in mind most reputable VPN providers are willing to make third-party security audits public by posting them (and their results) on an easily accessible place, such as their website. Doing so is a two-way benefit; the user gains confidence in the VPN provider's claims and the VPN provider can point to evidence of their claims.
The absence of any kind of security audit - especially if a VPN service claims to have a "no logs policy" can be a cause for concern.
Personal Identifiable Information Handling
Does the VPN provider collect and/or store Personal Identifiable Information (PII?) If so, what PII is collected? How long is it stored? What is it used for? These are pertinent questions when faced with a VPN provider that collects PII - the answers as to what is "acceptable" mostly rests in a user's given threat model or goals.
PII can include:
- Your full legal name
- Date of birth
- Traditional payment details such as credit card numbers/bank account information
- Email address(es) and phone number(s)
- Address information
Naturally, the more PII a VPN collects, the more scrutiny you should pay to their information retention and any information sharing practices. Generally, a VPN provider doesn't need a ton of PII - if any - to render services.
There are a number of key questions to ask when it comes to data breaches. The number one question to answer is whether the VPN provider has ever been breached. If the answer is yes, then here are some other follow-up questions to consider:
- What information was leaked?
- Was any information leaked anything the VPN provider claimed not to have "logged" or stored?"
- How did the breach happen?
- How was the data breach handled?
- When was the breach disclosed?
Data breaches happen, but how they happen and the facts surrounding them (such as how they were handled by the breached organization) are very important.
VPNs can be subject to various leaks. This can actually compound in the event that your VPN provider isn't the most trustworthy and/or didn't properly mitigate known possible weaknesses in the service - to include leaks.
There are a number of ways a VPN connection can "leak," and therefore fall short in providing you the promised security and/or privacy you would otherwise expect.
Even though IPv6 is due to replace IPv4 (as it has been for the past decade), many websites, web apps, and web services still utilize IPv4. Some ISPs support IPv6 and therefore supply your connected devices with both an IPv4 address and a IPv6 address.
Unfortunately, sometimes this dual-assigning of IP addresses results in VPN providers successfully masking your IPv4 address while failing to mask your IPv6 address. This is an IPv6 leak.
The significance of a IPv6 leak is that, similar to IPv4 addresses, it can serve as an identifier. Arguably, IPv6 addresses can serve as a more unique identifier than IPv4 addresses.
A reputable VPN provider should block IPv6 traffic so that the IPv6 version of your IP address doesn't leak everywhere you visit while connected.
DNS leaks occur when the VPN tunnel fails to include your device's DNS queries within its encryption. This failure enables the likes of your ISP (and potentially other third parties) to view your DNS queries. These leaked DNS queries effectively reveal your browsing traffic, defeating the purpose of the VPN in the first place.
DNS leaks can happen a few different ways. Some devices route DNS traffic outside of the VPN tunnel due to a combination of configurations and settings; sometimes these settings can't be changed, as is the case with "hardcoded" functions.
Additionally, your device might send your DNS queries directly to a third-party server unaffiliated with your VPN provider. This situation becomes far less of a concern if you configure either your router or your device(s) to use
trusted, secure, and private DNS servers.
If DNS leaks occur when connected to the VPN server(s), then users are advised to review their settings on both the device and the VPN client. In some cases, the DNS leak may be a provider issue - if this is the case, then it's highly advised to contact your VPN provider with your issues so they can be addressed.
WebRTC leaks don't have to do with the VPN provider itself. However, these leaks are important for VPN users to be aware of.
Even with the most solid VPN provider and VPN client settings in check, it's still possible for your IP address to leak from behind the VPN due to WebRTC leaks.
Rather than messing with VPN client settings or contacting your VPN provider, you'll have to go through the settings of the browser(s) you use to properly address WebRTC leaks.
Some devices don't have the cabability to install VPN clients and therefore can't route their traffic through a VPN. You'll find that this is usually the case for IoT devices such as "smart" appliances.
Additionally, there's also the issue of some devices not routing all their network traffic through the VPN connection; some devices are more prone to this issue than others. This issue can be the result of the development of the device itself, device settings, firewalls, or anything in between.
Traffic leaking from your devices can undo what security and privacy benefits you may have otherwise gained while using a VPN; in the event of a leak, your device will likely revert to using the IP address assigned by your ISP or continue its connection to a network even in the event of a dropped VPN connection.
A device may also revert to its "default" DNS settings, which could mean your device's DNS queries pass over the network unencrypted - such is the case with DNS leaks. Ideally, your VPN provider would provide a reliable killswitch when connectivity outside the VPN tunnel is detected. This killswitch "kills" your device's network traffic, preventing leaks from occuring.
Mitigations and solutions for VPN connectivity are completely device dependent and users should be aware that in some cases, it's exceedingly difficult or near impossible to get every device on a network to connect to a VPN.
In some cases, you may be able to use a router to provide VPN connection for devices unable to be configured for VPN connectivity. The possibility is certainly there and would provide the benefits of a VPN to all devices connected to the network without installing a VPN client on each device.
However, it's also highly important to note that most consumer grade routers don't have the processing power to ensure VPN connection for the devices that may be present on a home network. Routers marketed as "VPN routers" for home usage tend to be gimmicky and not worth their price. Enterprise options can prove even more costly and hard to source for an average consumer - enough so that the effort may not be necessarily worth the resources (money, time) required.
A VPN lives and dies by its encryption. Without secure encryption, a VPN is nothing.
In the case of VPN providers, encryption plays two major roles:
- Ensuring truly secure VPN connections and servers
- Protecting any data stored or retained by the VPN provider
Due to a VPN's absolute reliance on encryption, it's absolutely imperative that a VPN utilizes a secure encryption protocol for the tunnel; a weakly encrypted tunnel defeats the purpose of using a VPN in the first place - your browsing data is equally at risk of exposure to third parties than if there was no encryption present. Additionally, VPN providers should use strong encryption methods for any account related data you may share with them, either as a requirement or an opt-in.
The VPN tunnel, or the VPN's connection protocol should be a secure VPN protocol. Generally, it is advisable to only utilize VPN servers that deploy OpenVPN or the newer WireGuard encryption protocols.
Using a VPN protocol with known vulnerabilities or comparatively weak encryption implementations puts your data at risk; older standards are often insecure and/or crackable/exploitable in comparison with more modern and robust standards. Additionally, the OpenVPN and WireGuard protocols are open-source and auditable, which helps with the privacy aspect of using a VPN provider in the first place.
VPN providers collecting any amount of PII should encrypt the data collected and store it securely and safely. Unfortunately, verifying whether the VPN provider is indeed encrypting this information is difficult - usually any security faults surrounding data storage aren't made apparent until too late, as was the case with WindScribe unencrypted server seizure.
Here is another area where the trustworthiness of the VPN provider comes into play; if you doubt the trustworthiness of the VPN provider, then perhaps you shouldn't trust them with your data.
A VPN is not a viable tool for preventing or removing malware.
While it's true that many VPN providers can block connections to hosts or domains known to serve malware, this doesn't provide any comprehensive protection against malware itself.
A VPN can't protect your device from zero-day attacks. A VPN cannot remove malware infections. A VPN cannot protect your information entered onto a phishing site. A VPN cannot prevent ransomware. A VPN can't prevent password-related attacks such as credential harvesting.
Of course, the list of what a VPN can't do in regards to malware goes on; the bottom line is to understand that you should not expect a VPN to protect you from these types of threats. They're simply not designed to.
Generally, good protection from malware first rests in you as the user - you may have heard this before, but you really are the first line of defense.
Please follow common security best practices such as not clicking on suspicious links, not downloading suspicious files, or opening email attachments. Keep your systems and software updated. Malware doesn't stop evolving; many forms of malware don't necessarily require user interaction to execute. Likewise, malware doesn't always give obvious signs to the average user of its presence on a system.
For some privacy-related services, jurisdiction matters more than others.
In the privacy community, generalized advice says to avoid any providers or services operating in any of the Five Eyes countries. By extension, users should also avoid VPN service providers operating in any of the 14 eyes countries.
Again, depending on the service or product offered, jurisdiction might not matter as much. Additionally, it can easily be argued that as long as strong and secure encryption algorithms are implemented in a service or product, then the jurisdiction of where the servers are hosted doesn't truly matter.
However, given the rising popularity of VPN services in recent years, there has also been a noticeable uptick in legislation/rulings that directly affect VPN providers operating in specific jurisdictions:
- In 2020, LiquidVPN - a US based VPN provider - was slapped with a $10 million lawsuit. The lawsuit, filed by various film studios, alleged LiquidVPN was complicit in DMCA violations, generally concerning users torrenting works licensed by these film studios.
- Depending on jurisdiction, even VPN providers boasting a "no logs" policy can be forced to log users pursuant to a criminal investigation.
- In May 2022, the Indian government ordered VPN providers operating in India to log user activity and associated PII. Data is required to be stored for a minimum of 5 years and includes retaining subscribers' name, email address, phone number, purpose for using a VPN, associated IP addresses, and the "ownership pattern" of the customer
Given the amount and type of information a VPN provider may have access to, perhaps users should give some weight to jurisdiction when choosing a VPN.
Understanding the limitations of a VPN can greatly help in deciding whether using any VPN solution is right for you; knowing a tool's limitations is a large step to understanding that tool, including how and when to use it.
In addition to these limitations you should also consider your use case - what are you using the VPN for? What goals for your privacy and security does a VPN honestly accomplish?
These are answers that ultimately you must answer yourself. If using a VPN, despite a VPN solution's overall limitations, fits in your threat model - great! If not - that's also great!
With that said, stay safe out there!