I’ve been doing some research on VPNs. This is a quick and dirty post because I’ve talked about it on Twitter and enough folks there have asked for my opinions.
I won’t call my research exhaustive (see below for that), and the landscape is changing quickly. This is what I believe with 90% confidence today. I reserve the right to change my mind in the future. Also expect me to continue editing this after posting to add more information or clear up misconceptions.
I’m gonna skip over what a VPN is for now. The basic idea and the technical details are better-covered by others. (The Wikipedia article on VPNs is not a shining example but it will do for now.) It’s sufficient for my purposes to say that VPNs are a tool which some folks are recommending to those who are concerned about the proposed changes to broadband privacy regulations in the US and want to maintain their privacy.
Why should you trust me? I worked for four years in information security at Akamai Technologies, a leading content delivery network especially for secure content (banks, Fortune 500 ecommerce, government institutions). Secure content delivery networks have very similar security challenges to VPNs, and I was particularly involved with several of them. I know what taking customer data security seriously looks like from the inside. (That said, just to be clear, I don’t work for Akamai any more, and I don’t speak for them here.)
Disclaimer: I am a cybersecurity professional, but this does not constitute professional cybersecurity advice. I provide this for informational purposes only. If your browsing history gets sold to marketers despite this advice, you get to delete the resulting spam and/or deal with the resulting divorce, and if you do something the government really doesn’t like while following this advice and you get arrested by the FBI, you get to do the resulting jail time.
I have not received any promotional consideration for the opinions I express here.
This advice is targeted at general US persons (citizens and permanent residents), who are concerned about the potentially-changing residential broadband privacy rules, with a goal of helping you make your own best decisions based on your personal needs and risks. Other people will have different needs and risks. This advice is not intended to address all possible reasons someone might consider using a VPN.
A VPN does not provide any anonymity guarantees. Full stop. For anonymity protections, use Tor.
A VPN may provide some privacy protections.
In general, US persons today on residential broadband are safest not using a VPN. This may be changing, hence the renewed interest. Still, this is the status quo.
My advice, if you are concerned about changing US residential broadband privacy rules:
Call your Representative. Tell them to oppose Senate Joint Resolution 34. You can find their number and a script if you put your ZIP code in at the linked site. The House votes Tuesday, March 28 (two days from today, as I write this). This is the single biggest thing you can do to protect your Internet privacy today. (Yes, you’re calling your Representative to ask them to oppose a Senate resolution.)
If S.J. 34 passes the House and is signed into law by President Trump, you may still be safer not using a VPN. Ask your residential broadband provider to guarantee in their Terms of Service that they will not sell your internet connection history, or derived products of it, to third parties for marketing purposes.
If your residential broadband provider won’t do that, should you use a VPN? Maybe. There are a number of caveats to keep in mind, though.
It is hard to verify that VPNs provide the protections that they claim to. Very few of them have seen third-party security audits, and even the best such audit can only provide so much assurance. All software has bugs, all systems have failure modes, and any one could make moot the privacy protections the VPN service claims to provide.
It is easy to verify that some VPN services cannot meet their claims, and most VPN services are terrible.
That said, if you decide you want to use a VPN:
Don’t ever use a free VPN service. If you’re not paying, you’re not the customer, you’re the product. The whole point of the concern over broadband privacy is that you don’t want to be the product.
Don’t expect a VPN to protect you from law enforcement. That’s not their job.
Don’t use VPN services which advertise BitTorrent anonymity or content geolocking circumvention. Whatever your views on its ethics and morality, copyright infringement is a crime in the US, and a VPN provider which will turn a blind eye to crimes committed by its users is likely to commit a few of its own.
Only connect to US-based VPN servers while in the US. Even if your VPN provider offers servers outside the US. (There’s a lot of complexity here, but it’s a good rule of thumb.)
I use and recommend Encrypt.Me (formerly Cloak). They support Windows, macOS, iOS, and Android, their policies are detailed and honest, their technology and security choices are solid and well-defended, they are undergoing a third-party audit, and they’ve nailed the user experience.
Tunnelbear look like they may be a solid alternative. I haven’t done enough research to have full confidence in this pick. In particular, I have reservations about some of their technology choices, and would like them to publish more detail about their security choices and to undergo a third-party audit, but they avoid all my obvious red flags.
If you have sufficient technical skill, you may choose to run Algo. I don’t recommend this for general users because of its complexity, and frankly you get the same technology with a Cloak subscription, at a comparable or better price point, with a better UI, and somebody else on pager duty.
If you are interested in helping advance this research, e-mail me at kevinr@free-dissociation.com and I’ll give you access to the dataset where I’m collecting details about VPN providers’ legal documents and technical choices.
Update 2022-03-17 KR: Encrypt.Me (née Cloak) got bought by a company called J2 Global a couple years ago, which subsequently renamed itself to Ziff-Davis (of all the things), and the Encrypt.Me service has been merged with that of another VPN service called StrongVPN. I haven’t had the time or energy to assess the security of StrongVPN, but I found its performance insufficient for my needs last time I was traveling.
Given that since I wrote this five years ago, the Internet has only moved harder in the direction of HTTPS (as well as DNS-over-HTTPS, for better or worse), and made other changes to enhance privacy at the network level, this is where I currently stand:
- Most people should not use a VPN service.
- I no longer recommend Encrypt.Me as a VPN service.
- I have discontinued my personal use of it.
- Most people whose threat model requires network-level anonymity on the Internet should use Tor.
\end update 2022-03-17 KR
\ Browse safely. o7
Thanks to Christian Ternus for feedback after publication.
Edited 2017-03-27 13:00 EDT to clarify threat model/scope of advice in the “This advice is targeted at” paragraph.
Edited 2017-03-30 09:40 EDT to substantially expand “I’m gonna skip over” paragraph and add “If your residential broadband provider” paragraph.
Edited 2018-01-16 16:24 PST to reflect Cloak’s new name (Encrypt.Me) and addition of Windows and Android support.
Edited 2022-03-17 15:52 PST to reflect Encrypt.Me’s purchase by Ziff-Davis née J2 Global.
In the current surveillance climate and reactionary response to it, your post here is intriguing for it’s contrary postions. It would be helpful to read some followup on why:
* US persons today on residential broadband are safest not using a VPN. (Trust issues? Safest from … surveillance?)
* Only connect to US-based VPN servers while in the US. (Foreign law problems? Encrypted traffic to Panama or Lithuania is a red flag?)
NotaTroll: Glad you were intrigued by the post! Those are both good questions. I’ve posted a quick followup addressing your first question.
I may do something longer on your second question as well, but to quickly sketch out an answer: if you’re a US person in the US, you’re protected by US data privacy laws as long as your traffic remains in the US, which are actually pretty strong compared to many other countries’. As soon as your traffic goes through a VPN endpoint in another country, you traffic is at the mercy of your VPN provider and the data privacy laws of their host country, which are of varying quality, and international data privacy laws, which are a complex web. And this is just considering the threat of your VPN provider selling information about your traffic or otherwise snooping on you.
If you’re a US person genuinely concerned about US government surveillance, then as long as your traffic remains in the US only law enforcement up to the FBI has jurisdiction on it. As soon as it leaves the US, now the CIA and NSA can also get involved, and they have much broader powers. Vulnerable subpopulations may still prefer this to the alternative, having carefully chosen VPN providers and endpoints located in countries with useful data privacy laws, but US persons on US residential broadband are better off not rolling the dice on that.
(For starters, you have to trust that your VPN provider’s servers are actually in the country they claim they are, which is not a sure bet…)