Privacy and security are related, but they’re not the same thing. I would say security enables privacy – for example, using encryption to hide the contents of files and messages. But many companies market virtual private networks (VPNs) as security products, with terms like “military-grade encryption” that are supposed to sound impressive. Much of these claims are just snake oil. So I wanted to take some time to explain just what a VPN is and what it’s not.
What Problem Does a VPN Try to Solve?
When your smartphone or computer communicates via the internet, it’s sending and receiving digital data in the form of packets. A packet is just a bundle of bits and bytes in a standardized format – an internet protocol – including things like a “from” and a “to” address. Files, emails, web pages, podcasts and video conferences are all broken down into many little bite-sized chunks and then reassembled (in order) at the other end.
Until recently, many of those connections were unencrypted, meaning that the data itself was readable by anyone who could monitor the passing traffic, such as internet service providers (ISPs), telecommunications companies, law enforcement, and hackers. Thankfully, thanks to efforts like Let’s Encrypt, the vast majority of internet connections today are fully encrypted. This means that the contents of the data stream are unreadable. However, the metadata – things like the sender and receiver, the time and duration of the connection, and the amount of data – are still knowable.
What a VPN Is
Sending data over the internet is a lot like sending a letter through the regular postal system. Let’s say you suspect that your mail carrier is nosy and would peek at the letters in your mailbox if given the chance. To prevent this snooping, you can put your letters in a sealed envelope (as opposed to, say, sending a postcard). But they can still see who you’re sending it to. So let’s say you want to hide that, as well. How might you do that?
Well, you could engage a third party carrier to act as an intermediary, say Fedex. You could then put your letters in a Fedex envelope and send it to the Fedex routing facility. Your carrier can’t see who your letter is going to, only that it’s going to Fedex. When Fedex receives your packet, it would open it and send the contained letter on to the final destination. Finally, to allow for a private response, Fedex would list itself as the return address on your letter. That way, if your recipient were to reply, it would go to Fedex first and they would forward it on to you (in a private Fedex envelope). This has the added effect of hiding your real return address from the recipient. More privacy!
That’s all a VPN does. It wraps your digital traffic in an opaque virtual envelope (encrypts it) and funnels it through a third party (VPN provider) so that your ISP can’t see what you’re sending or who you’re communicating with. It also masks your return address from the recipient. That’s it.
What a VPN Isn’t
But you wouldn’t know this looking at the marketing language of many VPN services. A VPN doesn’t protect you from viruses. It doesn’t hide the amount and timing of your communications. It doesn’t even encrypt your traffic all the way to its destination (though, again, most connections today are already encrypted end to end – just like most people send letters today and not postcards).
VPNs also don’t prevent regular web tracking by the sites you visit. They have zero impact on tracking cookies, web redirect tracking, Referer header leaks, or browser fingerprinting. That’s because VPNs only hide your communications from outside third parties, not from the sites you’re visiting. For example, in our analogy, there’s nothing preventing you from revealing your real identity in the content of the letter you send (on purpose or by accident).
Also, you are just shifting your trust from your ISP to your VPN provider – in our analogy, from your local mail carrier to Fedex. Who’s to say they’re any more trustworthy? If Fedex offered to perform this service for you for free, then you should definitely be suspicious. How are they making money? (This is why Facebook bought VPN provider Onavo.)
You also need to understand that your traffic is only encrypted in the VPN tunnel. It will eventually pop back out onto the regular internet. Again, to relate this to our analogy, Fedex will eventually hand your package right back to the postal service to deliver it on the far end. And the mail carrier(s) can still tell how big/heavy your package is and when you sent it, which might leak some important information.
Should You Use a VPN?
Using a VPN makes plenty of sense, in the right situations. Using a VPN will keep your ISP from keeping a record of the websites you visit and people you communicate with. (And make no mistake, they are doing this.) It will also ensure that the contents of those communications are hidden.
But be aware that some metadata is still visible. That includes when and how long you send data and how much data you transmit. And remember that your internet service provider is whoever is currently giving you access to the internet. This includes your cell phone service provider when you’re not on WiFi and any public WiFi hotspot host (coffee shop, restaurant, hotel, airport, etc).
You may also be able to use a VPN to circumvent blocked websites and services – like watching US Netflix when you’re traveling in Europe, or getting to restricted websites from your corporate network or from a repressive country.
If you do choose to use a VPN, be ready for a lot of frustration. For example, VPN addresses are pretty well known and often blocked by sites that want to know who or where you are. You will likely trigger a lot of security checks, like CAPTCHAs and two-factor auth codes, too. And sometimes they just won’t connect at all, forcing you to either disable your VPN or have no internet connection.
See this article for help choosing a trustworthy VPN provider.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!