Most People Probably Don't Need A VPN, Experts Now Advise
from the first-do-no-harm dept
Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.
Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.
After a repeated few years where VPN providers were found to be dodgy or tracked user data when they claimed they didn’t, professionals have shifted their thinking on recommending even using one. While folks requiring strict security over wireless may still benefit from using a reputable VPN provider, experts say the landscape has changed. Improvements in the overall security of ordinary browsing (bank logins, etc.), plus the risk of choosing the wrong VPN provider, means that many people may just be better off without one:
“It?s time we retire the stock advice to get a personal VPN,” Bob Lord, former chief security officer at the Democratic National Committee, told Motherboard in an email. “Most people do not need personal VPNs today because the internet is much safer than it was in 2010. Personal VPNs create additional risks. Giving everyone advice that only pertains to some people misdirects them from the steps that will actually help them secure their digital lives.”
Granted there are plenty of journalists, government officials, or folks researching dangerous or volatile people who probably still benefit from using a quality VPN. There are also instances where using a VPN can help thwart invasive advertising data tracking:
“There is at least one thing that some VPNs could help with: blocking malicious ads. The online advertising ecosystem is so dangerous that the U.S. Intelligence Community has blocked advertisements on a network-level, Motherboard reported recently. But online ads are not just a threat to intelligence agencies; Motherboard has repeatedly shown how data brokers harvest ‘bidstream’ data by participating in the online advertising process. This sort of information can include location data.”
But as the VPN field has become crowded by dodgy players, just injecting an entirely new dodgy player into your traffic flow isn’t really helping anybody. Especially if you lack the capacity to ferret out which VPN provider is keeping its word, and which is just another shady business collecting, storing, and monetizing your data (while breathlessly insisting they don’t do that).
Filed Under: cybersecurity, encryption, privacy, security, vpns
Comments on “Most People Probably Don't Need A VPN, Experts Now Advise”
One other reason to still advise VPNs: if they are commonplace, people who have a special need for VPN don’t attract extra attention. If VPNs are rare, the fact that you use one may invite extra scrutiny.
I think we’re currently covered enough by corporate VPNs for people working at home to at least partially cover that aspect.
Re: useful
yes, many good reasons to use a VPN and about a 3rd of internet users do so.
Nobody claims that VPN’s are a "near-mystical panacea…bulletproof shield".
But they can be very useful even to average consumers who don’t understand the technical and business aspects of VPN service.
(how many consumers understand how their cellphones work, or the actual trustworthiness if their cellphone service comoany?)
Several good websites rate the quality of VPN’s for consumers.
Yes, ultimately you cannot trust any software/hardware/system that you personally did not build from scratch, but that is true for all your digital equipment
Re: Re: useful
I’d start with TorrentFreak:
https://torrentfreak.com/best-vpn-anonymous-no-logging/
Notice specifically Question #6, about court cases. Now look at the responses by various companies.
Re: Re:
The same applies to encryption of all types (chat, email, etc). If everyone does it, if encryption and privacy are the norm rather than the exception, there is no way that using encryption or other privacy-enhancing features can attract extra scrutiny.
Re: Re:
"I think we’re currently covered enough by corporate VPNs for people working at home to at least partially cover that aspect."
Yeah, when everyone working from home does so through the corporate intranet then it really isn’t odd to see the use of VPN for private use either.
AS I keep saying, using a VPN is putting your postcard into an envelope. Something most people got around to doing fairly early in snail mail and other physical messenger services. Normalizing this use of basic message obfuscation is one of the core pillars required for democracy to exist.
I wonder how much money the copyright lobby paid for that statement?
Re: Re:
Inquiring minds want to know why he’s a former advisor, and what his current position is 🙂
Perhaps no money changed hands, just some leaning by the security agencies.
Re: Re:
+1
almost like an insurance company realizing seatbelts while saving lives actually costs them more money than a dead person and slowly try to spread the news backhand that seatbelts are worse than not wearing them
How to trust?
Can anyone tell which VPNs are trustworthy? Are there independent auditing groups that have deep access to server logs & configuration to ensure no tracking is occurring?
Re: How to trust?
End of the day, even if a VPN is trusted right now, the FBI can come in, take over the hardware, and install a tap tomorrow and never tell anyone.
Some VPNs have deadman switches or post daily "we have not been ordered by the gov to do anything" type stuff, but knowing the FBI, a full takeover could include getting access to the accounts that publish that message as well.
So the only VPN you can really trust is the one you built yourself.
Re: Re: How to trust?
meh.
VPN for private networking between self-controlled Point A and Point B, yes, a self-implemented VPN is useful.
However, Internet browsing, not so much.
As suggested, NordVPN is
Re: Re: Re: How to trust?
The main uses I see for VPNs are jurisdictional arbitrage and avoidance of legal threats. A self-controlled VPN in a non-DMCA country could be useful, but if the traffic can be (easily) traced back to you, you might still get the spurious threats. (Nevermind what the intelligence agencies can do; that’s a very different problem than MAFIAA sniping.)
Re: Re: Re:2 How to trust?
Which is why people who don’t know what the point of VPNs is should just pipe down.
Traffic can be traced back to you? Great. Moron.
Traffic can be decrypted? You did it 100% wrong.
Now go post your "opinions" online. You’ll help confuse other stupid people, help nobody, and generally just provide noise when people are looking for signal.
E
Re: Re: Re:2 How to trust?
"The main uses I see for VPNs are jurisdictional arbitrage and avoidance of legal threats."
…and common privacy.
Putting your mail into envelopes to keep everyone én route from reading them rather than shouting your message from the rooftops has been a normal state of affairs since forever.
Re: Re: Re:2 How to trust?
"The main uses I see for VPNs are jurisdictional arbitrage and avoidance of legal threats"
So, you don’t understand how the majority of modern business works? OK…
Re: Re: How to trust?
Re: Re: How to trust?
NordVPN won a lawsuit a few years ago (in Eastern Texas, of all places), stating unequivocally that they do not keep logs, and no one can prove otherwise. The judge was forced to accept this, as the plaintiff could only state that it was both easy, and the normal procedure, to make and keep logs, but they also had to admit that there was no legal requirement to do so.
I am unaware if any other VPN provider has gone through a lawsuit with the same results. IIRC, at least one provider did indeed cough up logs that were supposedly never made in the first place. Can’t recall which provider though, sorry.
Re: How to trust?
I would suggest NordVPN, per their Features page, as well as my own experience in using them: https://nordvpn.com/features/
also less expen$ive than others.
Re: How to trust?
No.
Re: How to trust?
Several have been audited to varying degrees (article at https://www.techradar.com/vpn/vpn-audits ). In several court cases, at least one (PIA) was found to be unable to provide the information being sought. Several websites (e.g. torrentfreak, thatoneprivacysite) compare the apparent trustworthiness of various VPNs. There’s never going to be 100% certainty (what if the VPN is lying? what if they change things after the audit? what if one of their employees is a NSA mole?). But it’s unlikely that a nation-state level attacker is going to blow its cover to catch you downloading a movie.
Re: Re: How to trust?
"But it’s unlikely that a nation-state level attacker is going to blow its cover to catch you downloading a movie."
It all depends on the stakes. Your normal door lock isn’t secure by any means against a determined attacker. It will still deter 999 out of a 1000 as long as what you keep locked away is just your person and personal belongings.
If what you have behind the door is of great interest to entities with resources at their disposal then you need better and more expensive security.
Same applies to VPN’s. National security concerns and serious crime will prompt a direct attack on the security provider. Mere unlawful acts won’t.
Actually,...
as is well known (as showcased multiple times here on TD) of ISPs (even admitted, by Tmob) that they have fashioned themselves into "First Mile Voyeurs;" and from personal experience on my Sprint WISP, prior to Tmod buying Sprint, Internet browsing was seamless and snappy as it had been for years;
Yet AFTER the merger, however, with NO CHANGES on my part, browsing was noticeably slow, even to the point of non-existent (page c/n be disp).
Once I implemented YogaDNS+NextDNS which employ DNSSEC, browsing immediately increased in speed and reliability. Subsequently increasing also with the employment of a FlashRouter VPN router that employs OpenVPN w/ NordVPN.
Forget not that your ISP hates you, and everything they do will be ONLY for their benefit, not yours.
VPNs are yet a benefit.
Re: Actually,...
"Yet AFTER the merger, however, with NO CHANGES on my part, browsing was noticeably slow, even to the point of non-existent (page c/n be disp)."
There’s actually a more likely cause for this, though it’s almost as bollocks as monitoring nd packet sniffing. A change in routing protocol from traffic management to traffic shaping.
I.e. since the US no longer has net neutrality guidelines in effect in most places, it’s A-OK for your ISP to prioritize traffic according to it’s own needs rather than just network needs. This leads to the equivalent of traffic congestion.
"Once I implemented YogaDNS+NextDNS which employ DNSSEC, browsing immediately increased in speed and reliability. Subsequently increasing also with the employment of a FlashRouter VPN router that employs OpenVPN w/ NordVPN. "
Because aside from a VPN anonymizing you visavi listeners it also obfuscates which type of traffic and the end address, meaning that traffic shaping rules the router runs by can’t determine whether your requests should wait in line or not.
Generally speaking if use of a VPN suddenly increases your latency and ping it means your ISP is shit at network management, probably for self-serving reasons (like wanting netflix to contribute extra moola to restore that unhindered linkage to their customers. The online version of the protection racket).
if people stop using vpn to access the ‘net, whatever they do, say, read, download/upload, everything is then completely open, no privacy, no freedom. the security services will have an even bigger field day than they do at the moment! no one is safe from ‘prying eyes’, regardless of whose they are! consider the lengths that courts go to to assist PD etc from accessing your data now and imagine how much worse it’d be with no protection at all!!
Re: Re:
The limit on the governments ability to spy on everyone is limited by how much humans can look at. Algorithms only work to select what is offered to humans for further evaluation. If you use a mobile device, a VPN won’t stop the telco or Google or Apple from tracking you. Also, any data from any US site that you log into can be obtained by the security services. Also, the VPN may have logs, and have you identified. If you want to try and hide what you are doing from the government, using sites anonymously via TOR is you best bet, so long as the security services are not controlling a site that you visit.
Also, how do you know that the security services are not controlling the VPN that you choose to use?
"experts" opining on things in which they have no expertise
It’s funny that the headline says "Experts now advise"…
There are experts on whether people (9 billion or so of us) "need" or "don’t need" a VPN? No. There are not.
That pretty much covers the article. Know-it-alls who pretend to speak for 9B people say we don’t "need" something.
I am happy to consult to those who want the protections that VPNs provide. It’s neither free, nor insulting to clients who want something.
Lying to the client is wrong. At least it’s FREE stupid consulting, not the real kind.
Get a VPN or two or three. Use them. Just go search YT for all those people who say "I’m ok with cops searching my car because I dint do nuffin wrong." You can be that idiot, or you can decline unlawful searches. The same is true of VPNs.
E
Re: "experts" opining on things in which they have no expertise
Network security experts. The ones big name companies hire to assess the security in place and the tradeoffs between more security and more usability. Every company, every network, has its own security needs and its own tolerance for interruptions to work flow to maintain security. These are experts in discussing the relative value of security.
The advice is not that VPNs have no value, but that to the ordinary consumer, finding a VPN that is within their budget, won’t sell your data, and can be trusted to do what it says on the tin is difficult, and might provide false confidence through the security theater. Your own commentary about not using a VPN being equal to letting a cop search your car is kinda odd, given the big arguement is that with many VPNs there is no genuine difference, all you’ve done is change who is doing the search.
Re: "experts" opining on things in which they have no expertise
When an expert (that I recognize as such) tells me X about Y, I usually listen carefully. When a batch of people I’ve never heard of before, all claiming to be experts, tell me to do something, I generally tell them to get fscked, and do the opposite. That’s not contrarian thinking, that’s realizing that what P.T. Barnum said about there being an expert born every minute is as close to Gospel as I need to get.
Re: "experts" opining on things in which they have no expertise
In your rush to fixate on a single word in the headline, you seem to have missed that it had other words in it too. Such as "most" and "probably".
And why should someone listen to you? Do you have some sort of, I don’t know, high level of skill or knowledge in the field in question? There’s a word for somebody like that but I can’t quite remember what it is.
Re: Re: "experts" opining on things in which they have no expert
(Course, the word at the top of the page that’s really got him all wound up is "Karl".)
Re: Re: "experts" opining on things in which they have no expert
But do listen to the experts who say that you do need a VPN. How hard is this? Right? lol
Re: "experts" opining on things in which they have no expertise
"9 billion or so of us"
Erm, there’s around 7.8 billion people on the planet, and around 4.6 billion of those on the internet.
I appreciate the idea that nobody who knows what a VPN actually does and who cares about the rights of those people could realistically oppose it, but let’s not give ammunition to the people who are deluded about those facts.
This sounds suspiciously like the first step in a plan to first try and convince people not to use vpns, then the next step is to vilify them (only criminals and pedos need them) with the last step being to outlaw them.
Or maybe I’m just being too cynical.
Re: Re:
That was exactly my thought as well. The ISPs are already banding together on the call of contentmafia bosses (like the CUII in Germany), taking DNS based blocking into private hands. The easy defense is using a public DNS resolver or VPN (using their DNS resolver). You can also set up your own resolver, e.g. via unbound, but that requires technical knowledge which cannot be expected from the majority. Ready-made physical boxes which hook up between your PC and router require more effort than following 1.1.1.1 instruction page or purchasing VPN. By attacking public DNS resolvers (Sony vs. Quad9 in Hamburg court) and now (possibly) starting to vilify VPN, the hands close ever more around the neck of a free internet. No cynicism needed.
Re: Re: Re:
how likely is Quad9 to win the lawsuit?
Re: Re: Re: How likely is Quad9 to win the lawsuit?
Hi. I’m on the board of the Quad9 Foundation. I think it’s quite likely that we’ll prevail in the long run. Both the German privacy community and the DNS industry globally are firmly behind us in this. Nobody wants to see a precedent set that would spread to firewall manufacturers, browser vendors, et cetera.
You can read more about the case and how it’s going here:
https://quad9.net/news/blog/quad9-files-official-objection-opposing-sony-music-s-german-court-ruling
Re: Re:
Did you not get the memo that VPN villification started, oh idk, 10 years ago or so? Because how dare you pretend to be from somewhere else in order to watch or buy a thing? Of course, using VPNs for that, which they still frequently advertise, is less and less likely to work every day.
— Karl Bode, Techdirt Blogger
— Bob Lord, former DNC security chief
— Paul B, commenter
Each of these statements runs counter to pretty much everything I would expect…
1) VPNs – Once the VPN connection is established, you effectively supplant the ISP’s snooping ability with that of your VPN. … unless your ISP performs a man-in-the-middle attack on you – in which case you’re VPN protects you from nothing. The NordVPN page describes a great many things the ISP can no longer see once you’ve connected to the VPN, so the link Mr Bode provided does not illuminate the "universe of ways".
2) Ads – VPNs only quell one route to identification – your IP address. If you allow JS, ads could well fingerprint your system and send that information back. And if you allow advertisers to put cookies on your system, you might as well give up any thought of avoiding tracking. So what is it Bob thinks we’re actually protected from? Unscrupulous VPNs? Unscrupulous ISPs?
3) roll-your-own – Um… RUNNING your own VPN is one thing. Running your VPN between sites you control is excellent. CREATING your own VPN? You should remember the maxim: "Good security is hard". Anything you create will have bugs and flaws in it that will be exploited. Anything someone else creates will ALSO have bugs and flaws. But it’ll have been tested for longer than your bugs and flaws, so they might be harder to penetrate.
Re: Re:
Try this on for size:
https://www.wizcase.com/blog/how-to-create-your-own-vpn-in-the-cloud/
That’s not the only way, but it works. I’d say "trust me", but that would invoke issues of…. trust. Let’s not go down that particular road just now, OK? 😉
Re: Re:
In context I was talking about running your own, with your own private key.
I agree, building a crypto VPN algo is stupid hard and it would be A) Slow or B) buggy
Re: Re: Re:
^ Building one’s own VPN from scratch does indeed require a high level of competence. But even I’m too lazy to do that, in spite of any competence I might possess. Best to fit ready-built parts and pieces together, and have a working unit (or at least 98% of one) right out of the box.
I did this years ago, with instructions from another source, and so far, I’ve not been tagged for downloading something that I shouldn’t have.
Secure VPN
I do security consulting. I’m no idiot (sorry, Paul and Karl, you guys own that domain) and things work for a long long time without issue.
If you think you need a VPN you’re already talking "methods" and not "problems" and "solutions." So … likely you don’t "need a VPN."
Step 1:
Identify the problem you want to resolve.
Step 2:
Identify methods to resolve that problem.
Step 3:
Identify best practices to accomplish #2 to solve #1 without introducing additional issues.
4: (Not really a step)
Identify the costs if you are unable to do this right. It can in the worst case lead to loss of life and in the best case … loss of some small funds. This becomes the priority of the whole project. Don’t lose sight of that. If the potential loss is $5/yr then put your CC#,EXP,CVV2 on the web and by the time you die your loss will have been insignificant compared to the cost of implementing a security solution… Give a little … save a lot.
If you are unable to articulate any of 1,2, and 3, you are the wrong person to be selecting, designing, or implementing anything that will lead to success.
Remember, not every person who is in a position to do something is the person who SHOULD do something. Delegating to experts who know what they are doing is a good thing.
E
Re: Secure VPN
Would you say, then, that giving everyone advice that only pertains to some people misdirects them from the steps that will actually help them secure their digital lives?
For all of this?
The idea is your Personal info?
Thats GONE already.
And most of the breakin’s and Loss are NOT from personal computers.
Its everywhere they have computers and Access to the internet for BUSINESS.
Hospitals, doctors office, Credit card corps, STEAM, PLAYSTATION, MICROSOFT, AMAZON, FACEBOOK, Anyplace that has your REAL name associated with other info.
Be that they SELL your data or that they get Cracked from the internet or Even that 1 employee that sends out the data Themselves.
LET alone that the gov. for all the rules and regs of Personal privacy, DONT enforce Anything about Privacy.
Sometimes Even Americans Need VPN's
My ISP blocks certain legal websites that use services other than Cloudflare for DDOS protection. To access these sites, I have to use a VPN (since Spectrum is the only broadband option available to me).
In my opinion, the only personal VPN is one you run yourself. If it belongs to someone else, it’s either a corporate VPN or a public VPN. Each has its own uses, but privacy isn’t really a use for a public VPN unless you’re using Airport WiFi or similar… and even then, you’re just limiting risk, not eliminating it.
There are definitely still good uses for all types of VPNs. Most of them have only specific nods to privacy or security.
Fuck VPN shills.
Well, if it’s a choice of trusting your ISP which in America probably works with Big Brother and his partner Big Copyright to spy on you as well as sell whatever personal information you would not prefer to be shared to partner Big Ad or trusting a reputable VPN provider, I’ll say it’s a easy choice. Remember your ISP is not in the privacy business, that’s not what they sell, but a VPN provider is.
Don’t believe everything you read on the internet especially the so-called "experts" in pocket of Big Copyright or Big Brother spreading their misinformation or propaganda or others who spew their bullshit, like this article writer, maybe.
It’s well known that Big Brother and Big Copyright dont want people using VPNs and wants VPNs out of business. Seems these "experts" this writer is referring to are implying that ISPs are more trustworthy and reputable than VPN providers. Really? Let’s see real evidence on that.
To help correct this misleading article, I’m telling this: you dont just use VPNs to shield your content but to shield your metadata as well. Remember the thing learned of about Edward Snowden and NSA, it’s all about metadata, that Big Brother loves. And not 100% of all the data is encrypted and yes this matters. And even if you trust your ISP enough, there’s the public internet access points, not all that be trusted.
When you use VPN, only thing your ISP is going to know is the VPN server you use, when you use it, how much data you send and receive from VPN server, and that’s much it.. Big Deal! nothing important your ISP can report to Big Brother or other malicious parties. VPNs still have good use for the average consumers, at least those who are concerned with privacy.
Most people "probably don’t need" a VPN in the same way that most people probably don’t need a personal lightning rod. You’re probably not going to get struck by lightning. But on the other hand, it’s not as though governments and other organizations have had a great track record with the need to track random citizens down just because.