Why Not Advise Use of a VPN?

I’ve been surprised and gratified by the reception my post on Quick and Dirty VPN Advice has gotten.  Within the last two weeks, I’ve been retweeted by Zeynep Tufekci; invited on the Techdirt podcast, along with Kenn White; and interviewed by no less than the San Jose Mercury News.  That’s not why I do this, but it’s not unappreciated!

One of the questions I’ve gotten regularly, online and off, is why I recommend people not use a VPN.  It’s surprising advice to people in a context where so many people are recommending them. (Including no less than The New York Times and The Wirecutter, both of whose articles don’t meet my standards and so I won’t link.)

Here’s what I wrote to one person who e-mailed me:

When I say people on residential broadband are safest not using a VPN, I mean that advice to serve as a sort of sane default.

Based on my research and the research of others, the median VPN service is somewhere between plain incompetent and outright malicious.  If I just tell someone “use a VPN” and they go off and Google it and select something as best they can, they’re extremely likely to wind up with something which will hurt them more than if they hadn’t used a VPN.

Having ads or malware injected into your browsing by your VPN service is a lot less safe than having your browsing habits included in your city’s aggregate data which Xfinity sells to marketers.

Even with the VPN that I use and recommend, Cloak, I can’t be 100% certain that they aren’t selling my data, and they’re a small company without much reputation on the line, so I don’t have much protection from them doing so, or recourse if they do.

So that’s my motivation for telling people that their default should be to not to use a VPN, even if they’re concerned about their privacy, and then to use Cloak only if they’re willing to trust Cloak.

It’s kind of an unusual structure for security advice, which tends to veer drunkenly between infantilizing oversimplification and “JUST RTFM”, but it follows a “first, do no harm” principle that I hope threads the needle both for the general public and for vulnerable subpopulations within it.