What is a VPN and why do I want one?
VPN stands for virtual private network. In layman’s terms, it is for creating a secure connection between two points. Remember tin cans and string? You speak into one can and your friend can hear you from the other can? If the string were long enough, and someone in between you two walked up to the string, no matter how hard they listened, they wouldn’t hear the conversation just from the string.
Harry Potter fans will remember how Malfoy and others broke into Hogwarts Castle. They all climbed into a Vanishing Cabinet in Knockturn Alley, and with the sister Vanishing Cabinet in Hogwarts, they were able to move from one point to another, and no one in between had any idea what was going on. They could walk around through the castle and no one knew where they came from.
This is the concept of a VPN, where two computers can talk to one another, and with much more advanced technology (well, maybe not more advanced than magic!), keep anyone in between from listening to the conversation. This technology has been around for a while. But there’s a new twist to the technology being offered now. Companies are allowing you to VPN to them, and then they direct your internet traffic to the final destination. Originally a VPN was used for connecting, let’s say, two company offices together, or allowing an employee to work from home and connect securely to the main office. But this isn’t what the new VPN services are for. Let’s talk about what they are for.
Keep your data safe
You hop on that open WiFi at the cafe, you plug into a hotel network on a trip, you wander through a hacker-con with your phone automatically jumping on the nearest WiFi signal it can connect to without a password. Instead of risking your information getting exposed through one of these unsavory methods, a VPN app will create a secure connection through that haze of unsafe networks, that Knockturn Alley of sketchy characters, out into the safety of their equivalent Hogwarts Castle, and from there out to the internet.
But what makes the internet safe from there onward? You’re still ultimately going onto the internet where bad things can still happen. Which means this new VPN concept doesn’t remove risk entirely. It does however offer a few different protections.
Spying ISPs
Our ISPs (internet service providers), such as AT&T, Comcast, and local cable companies offering internet, are entrusted with delivering your data to where it needs to go. They also deliver all that wonderful streaming goodness, Netflix, Amazon, Hulu, CBS Access, Disney+, and more, to your devices. In many cases, ISPs can’t see what you’re doing when talking to these different places. More and more services secure those conversations between your devices and them. It used to be just banking websites that did this. Now a Google visit for a search keeps the conversation secure between you and Google. But the ISP can see you’re visiting Google even if they can’t see what search terms you’re using. This concern may have additional merit: a browser company, Mozilla, has accused ISPs of interfering with a new technology that browsers are toying with to stifle at least some of this kind of spying (link).
Enter VPN apps. While the browser technology I referenced (DNS over HTTPS, aka DoH) helps some, the VPN app tunnels beyond the ISP’s spying eyes. When using the VPN technology, the ISP can’t see who you’re visiting.
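To make the difference concrete, here is a small added example (not part of the original post) that models what a network in the middle can read from your traffic with and without a VPN. The addresses, the port 51820 for the VPN server, and the random bytes standing in for encrypted data are all constructed assumptions.

```python
import os
import struct

def build_dns_query(hostname, txid=0x1234):
    """Encode a plaintext DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_qname(payload):
    """Return the hostname in a DNS query, or None if the bytes do not parse as one."""
    if len(payload) < 13:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:  # skip responses and unusual question counts
        return None
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) or None
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def observer_view(packets):
    """Summarise what a network in the middle learns from (dst_ip, dst_port, payload)."""
    seen = {"destinations": set(), "hostnames": []}
    for dst_ip, dst_port, payload in packets:
        seen["destinations"].add((dst_ip, dst_port))
        name = parse_dns_qname(payload) if dst_port == 53 else None
        if name:
            seen["hostnames"].append(name)
    return seen

# Constructed sample traffic (documentation-range addresses, random bytes as ciphertext).
OPAQUE = os.urandom(64)
WITHOUT_VPN = [("192.0.2.53", 53, build_dns_query("www.google.com")),
               ("203.0.113.80", 443, OPAQUE)]   # HTTPS: content hidden, site IP visible
WITH_VPN = [("198.51.100.10", 51820, OPAQUE),   # the DNS lookup rides inside the tunnel
            ("198.51.100.10", 51820, OPAQUE)]   # so does the HTTPS connection

if __name__ == "__main__":
    print("without VPN:", observer_view(WITHOUT_VPN))
    print("with VPN:   ", observer_view(WITH_VPN))
```

Without the VPN the observer recovers the site name from the plaintext lookup and sees the site's address; with it, the only thing left to see is a single connection to the VPN provider, which is now the party that sees where you go.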
Faster Internet
There are some claims that the VPN technology offered speeds up internet access. From a technology standpoint, intuitively this sounds dubious. The reason is that when you add a VPN, it also adds a layer of security that takes up some bandwidth. However, there’s been recent back and forth with the FCC and Net Neutrality. The gist of the changes in Net Neutrality is that they give ISPs a greater ability to shape internet traffic, like controlling how fast toothpaste comes out of the tube, but in this example, it’s internet data. They can do this by looking at where your internet traffic comes and goes and restricting certain types of traffic. This is not a fully evidenced claim, yet it is a concern. How does the VPN help? It removes the ISP’s ability to shape the type of traffic because all the traffic is obscured through the VPN.
No logging
Many of the VPN technologies offer no logging as well. What is logging? It means they aren’t keeping track of you and where you’re going once you leave their network. If a government agency goes to them and asks for your internet history, they won’t have it. I do wonder about a specific scenario though. Analogously, a phone doesn’t record your conversation with someone you call. You can still have a phone tap placed on your number through court approval. I could quite easily imagine a court order to ‘tap’ your traffic and allow the government agency to view activity over a certain allowed time frame.
Over 40% are based in China
This disturbing piece of research revealed a number of these VPN providers are linked to China. This doesn’t bode well for a system built on the claims of privacy and security. China has a large number of human rights issues, government monitoring, and privacy issues making a VPN provider tied to China difficult to trust, even if the advertising looks good.
Passing The Spying To Someone Else
Eliminate the China problem and there’s a different concern. A number of these VPNs are free. If they are free to use, how do they pay to keep the lights on? Unless they have a group of generous philanthropists backing them, it’s hard to say they are discarding the data altruistically. If you still want to use a free VPN, I can only say read the terms of the agreement, look for publicly shared privacy statements that are well written and clear, and check back with them over time to see if they shift their stance. If you’re serious about privacy, look at paying for the service so they can afford to avoid those temptations of using your data for their profit.
Actual Use
You may be thinking this isn’t worth the effort. Who cares if someone sees you’re viewing Netflix tonight? Netflix knows anyway, and if a few others like Comcast know, big deal. Let’s talk about possible use cases that still might make a VPN meaningful for accessing the internet.
Pop-Out From A Different Location
Remember the Hogwarts analogy? You can disappear from one location and appear at another? With a VPN, they typically have several jumping-off points. Let’s say you’re in St Louis. Your internet provider connects you to the internet, and now all the different services, e.g. Netflix/Facebook/Twitter, see you as connecting from St Louis or the general area there. Facebook knows this because you get an internet address, much like a house address, and this address stays fairly regional in most cases. There’s a lot more tracking going on and I’ll write more about that in a later post, but suffice it to say, you’re linked to the St Louis area in this scenario.
Using the VPN service you can disappear from St Louis and appear in Boston instead. Now all your traffic ‘pops’ out on the internet from Boston. Facebook sees you coming from Boston now. What’s the advantage of that? For Facebook, it might not be much. But for a streaming service that only allows certain shows from certain locations, this can be great. A show that can only be watched from Britain no longer means you have to travel there to watch it. Other streaming systems showing television programs like the Olympics may not allow it to be shown in the US, but appear just north of the border in Canada and it’s free to watch. Use your VPN and appear as if you are there.
Open WiFi
If you’re hopping on cafe WiFi, the hotel WiFi, or free WiFi hotspots found in your travels, there’s no limit to who else could be on these free and open systems either. I’ll place the tin foil hat down for a moment though. As an individual, it is a lower-risk scenario to worry about. It is more likely that you’ll be infected with malware, or that someone will steal your password and get into your email or other systems, than that a bad actor sitting at a cafe is hacking into everyone’s activity. That’s just a reality to face. However, if you want to employ an abundance of caution when connecting to open WiFi systems, the VPN can be an added mechanism of safety from that risk.
The open WiFi could be tracking your activity just like an Internet Service Provider at home, gathering your information up into a statistical mass to sell and report to marketing companies. A VPN would protect from this possibility.
Other Countries
This is perhaps the most meaningful security concern to use a VPN app for. If you are traveling to another country, their laws may not protect you as well from being spied on while there. It also could be more likely a bad actor will try to get at your login information. Are you logging into your banking while visiting another country? Transferring funds from one account to another so you can purchase that item at the local shop and bring it back home? Here is where a VPN app that secures your traffic back to your home country can be useful. It funnels your phone’s traffic past any prying eyes and drops it safely into Hogwarts Castle.
Conclusion
A VPN app service has its uses. Determining where it’s useful for you, and why, is an important step since there’s a lot of marketing fodder being put out there.
If you have any additional questions about VPNs or have further thoughts on the matter, email me at josh@securityscrolls.com.