Apr 19, 2020

VPNs are overrated

One piece of cybersecurity advice that comes up time and time again is to use a VPN. VPNs, or virtual private networks, encrypt the internet traffic between you and your VPN provider, securing data from your internet provider and local network as well as hiding your IP address. Through clever marketing, VPN providers position themselves as an all-in-one tool to secure yourself online. However, the reality is a lot more complicated.

VPNs can sell your data

Privacy-wise, all a VPN does is shift who you trust with your data. Normally, you would trust your internet provider, like Comcast or AT&T, to not intercept or change any of your data packets. When you use a VPN, that traffic is encrypted as it passes through your local internet provider and is released at the VPN's servers. This means that your VPN provider could intercept or track your connections. Most VPNs will claim that they do not do this, citing their no-logging policies. However, VPNs have lied about this policy before.

Free VPNs are especially prone to these shady business practices, as they have to pay for their servers somehow. For example, popular free VPN Hotspot Shield was caught injecting affiliate links into its users' traffic. Generally, it's a good idea to avoid most free VPNs and do your research before using any VPN, even if it's paid.

VPNs don’t make you anonymous

While VPNs do change your public IP address, this isn’t as helpful as you might think. Most IP addresses are shared between multiple people or devices anyway, so services don’t rely on it much for tracking. However, there are lots of other factors that companies use to track you. This includes the cookies in your browser and what accounts you are logged in to, but also many other factors outside of your control such as your user agent or browser fingerprint. Browser fingerprinting, for example, uses factors such as your device, screen size, plugins, and other information about your computer to uniquely identify you. To see this in action, you can visit a site like Panopticlick to see how unique your browser is to trackers.
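To make the point above concrete, here is a small added example (not part of the original post) that groups three constructed visits first by IP address and then by a fingerprint built only from browser attributes. The visitor records, attribute names and the choice of the FNV-1a hash are assumptions made for the illustration.

```javascript
// Constructed sample data: what a site could observe on three visits.
const chrome = { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/81.0",
  screen: "1920x1080", timezone: "America/Chicago", language: "en-US",
  plugins: ["Chrome PDF Viewer", "Native Client"] };
const firefox = { userAgent: "Mozilla/5.0 (Windows NT 10.0; rv:75.0) Firefox/75.0",
  screen: "1366x768", timezone: "America/Chicago", language: "en-US",
  plugins: [] };
const visits = [
  { ip: "203.0.113.10", ...chrome },   // person A, home connection
  { ip: "198.51.100.77", ...chrome },  // person A again, now through a VPN
  { ip: "203.0.113.10", ...firefox },  // person B, same household, same public IP
];

// FNV-1a, a simple 32-bit non-cryptographic hash (assumed choice for brevity).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Fingerprint built only from browser attributes; the IP is never used.
function fingerprint(v) {
  const plugins = [...v.plugins].sort().join(",");
  return fnv1a([v.userAgent, v.screen, v.timezone, v.language, plugins].join("|"));
}

// Group visit indexes by whatever identifier keyFn returns.
function groupBy(list, keyFn) {
  const groups = new Map();
  list.forEach((v, i) => {
    const key = keyFn(v);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(i);
  });
  return [...groups.values()];
}

console.log("grouped by IP:         ", JSON.stringify(groupBy(visits, v => v.ip)));
console.log("grouped by fingerprint:", JSON.stringify(groupBy(visits, fingerprint)));
```

Grouping by IP merges two different people and splits one person in two, while grouping by fingerprint links the VPN and non-VPN visits of the same browser.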

VPNs don’t make you (that much) more secure

VPNs do secure your traffic from your local network, but we already have technologies that do that for us. HTTPS, the padlock in your browser, means that content is encrypted between your computer and the website you are connected to. This makes it really hard for someone to intercept or view the site you are looking at. The most an onlooker would be able to see is the domain name you are connected to, but they wouldn't be able to see the exact page or content you are looking at. Generally, for most people, this should be enough and VPNs wouldn't add many security benefits - especially if the VPN is sketchy itself.

So why would I use a VPN?

While VPNs aren't needed for most people, there are definitely scenarios in which they are useful. If you are trying to access content that is region-restricted, VPNs are useful tools to bypass geoblocks. VPNs are also useful for bypassing restrictive firewalls, or for adding extra security if you are connected to a public Wi-Fi network. However, before you use a VPN, make sure you do your research about which VPNs are trustworthy and won't sell your data.

So how do I secure myself online?

The most important way to secure yourself online is simply to follow basic cyber hygiene habits. Use unique passwords for each site with a password manager, don’t click on links in suspicious emails or websites, and always keep your software up to date. As internet security and privacy become more popular, major VPN companies are going to grow and get more popular. However, if you follow basic cyber hygiene habits, your cybersecurity posture will be stronger than if you just used VPN companies.