It's been clear for a long time that every single commercial VPN service is a waste of money. At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.
If you think you want a VPN for "privacy", use Tor Browser. If you want a VPN for any other reason that "normal people" think they want a VPN, you're probably wrong.
Why do we even give these companies the time of day?
(Small clarification - Most people who want VPNs should use a proxy instead. It fits the use case better. Those still exist and don't route ALL of your device's traffic over the tunnel.)
It's far from a waste of money. They help with things such as skipping geoblocking, are able to deceive ISPs that send mail warning users about pirated content, can in some cases help with gaming ping, allow users to trick sites that rely on IP logging, and have many other applications besides cybersecurity and privacy.
The main issue is that they all seem to advertise themselves as these privacy and cybersecurity services first, while ignoring all the other added benefits.
Meanwhile, a lot of users really can't trust their ISP: your "ISP" might be a coffee shop, or someone renting on Airbnb, or your friend (as you are at their home or office). If you are in any of these circumstances, I would probably first recommend "tether off your phone or something", but if you are finding yourself needing or merely wanting to use someone else's internet connection (maybe for speed or because you don't have a good cell signal), it totally makes sense to use a VPN.
(Also: I don't think anyone has mentioned this yet, as maybe it is somehow "gauche" to do so, but one of the top reasons people use VPNs around the world is because they want to browse porn and they don't want people around them to know. At some point, the people in the apartment next door to me figured out my wi-fi password and seemingly felt the correct solution to this issue was to use me for their porn browsing, but it was then all the more awkward when I figured out why my network was slow and knew all of the porn sites they were browsing. Most people seem more OK with the idea of paying a company like ExpressVPN--even if they are legitimately run by "spies"--to be their dedicated porn access point than hoping that someone else more locally won't find out what sites they are browsing.)
Totally agree. The geoblocking is the most common reason a lot of people use VPNs, even if that isn’t always how they are directly marketed. A friend’s mom asked me a few weeks ago for VPN recommendations so she could watch British TV easier. She’s 70. Her concern isn’t about safer browsing stuff but watching GBB more easily.
*Disclosure: ExpressVPN has sponsored my podcast in the past (tho I don’t handle ad sales fwiw) and I’ve always chosen to do the “this is how I watch X service in X country” use case in ad reads, b/c that’s the value in it for me vs rolling my own Wireguard/Tailscale setup (I actually have Tailscale setup for my home network).
Browser fingerprinting works much better than checking IPs. With multiple devices being behind the same IP, it's necessary to distinguish between users.
I'm not saying VPNs are worthless - I'm on one right now for work. Commercial VPNs, for most people who purchase them, are completely worthless.
And I very much doubt that tunneling your connection through a VPN can improve ping.
And no wonder! All of those things you listed as benefits sound shady and illegitimate to people who aren't very tech savvy or have a poor understanding of their rights to a free web. Notice you're using words like "trick" and "deceive". Good luck selling that!
This. I'm an occasional customer of ExpressVPN because they're pretty good about getting past the Great Firewall. When we go visit her family I want access to the same things I have in the US. It's not going to be any real protection if the government is after you.
True. I use a VPN to get behind the geoblocking on my banking app which is prohibited to work in my African country. Also viewing movies banned in my country.
> you replace trusting your ISP with trusting a different group of unknown people with similar motivations
I've always seen this argument but it's never made sense to me.
For starters I absolutely don't trust my ISP. I know they are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).
Years ago I used to use AirVPN. They claimed:
> AirVPN started as a project of a very small group of activists, hacktivists, hackers in 2010, with the invaluable (and totally free) help of two fantastic lawyers and a financing from a company interested in the project and operated by the very same people.
Maybe they're lying but at least there's some chance they actually care about privacy.
But even if they don't care about privacy at all and are lying, at the very least they are based in Italy and have their servers spread throughout Europe. Additionally you can pay via crypto (which gives you more anonymous payment options than your ISP). Simply being in another country than the one I live in makes it much harder for my government to arbitrarily request my data.
Yes, if I want to do highly illegal activity that is going to get my government interested in me, I absolutely don't think that would be enough. But if I want privacy from routine surveillance, this seems like a fantastically better option than 100% giving up.
Use an alternative DNS server, Firefox/Brave/Ungoogled Chromium, uBlock Origin, and disable JavaScript everywhere you can possibly help it. As far as reclaiming some privacy from routine surveillance, this is probably better advice than "Pay Unknown Company X $9/mo to maybe be slightly better than your ISP in terms of privacy".
>*are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).*
> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.
When one party with auditors says they will protect your privacy, and the other openly spells out in their stated policies that they will run roughshod over your privacy, cataloging and trading your data as much, as long, and as insecurely as they like...
You don't have to trust the former party a lot to recognize the lesser evil.
> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.
My ISP is required by law to be an informant for government agencies, so the VPN can only be equal or better than my ISP.
Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?
Separately from that, I still do wonder whether, if you subscribe to a VPN that has well-examined security practices and whose reputation depends on such practices, whether it still may have value over relying on the security over a local ISP which may not have as much expertise or reputation investment with respect to security.
I'm not arguing, just trying to understand the issue better.
Argument is the spice of life! An argument doesn't have to be angry. But nonetheless I appreciate your earnest kindness.
It's less of an issue when every site you connect to uses https, and every app you use employs ssl/tls for its connections. That is common practice these days. Getting man-in-the-middle'd on airport Wi-Fi is less feasible these days than it was 10 years ago. The attacker would have to also install a certificate on the user's device. I welcome corrections if I'm wrong.
VPNs aren't obligated to tell you the truth. They don't have to have good security or even honor what they say on the front page. People trust marketing, not actual policy or actions - just look at Apple. Still waiting on "HMA" VPN to go out of business because they handed over users to the FBI. They're still around and claim No Logs just like everyone else, just like ProtonMail did until this month.
> Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?
No. I don't think this was ever a consensus. When is the last time you've used a (sensitive) website that is not run over HTTPS? Unless the CAs (or the certs) are compromised, you have no reason to use a VPN when on public Wi-Fi, because it is encrypted with this so-called "military grade encryption" that VPN providers love to mention.
Edit: forgot to add, if the CAs or the certs are compromised, VPNs won't help anyway.
> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.
You're starting with the (completely correct) observation that any VPN is not guaranteed to be secure, confidential, or private, and then making an argument as though it were the case that every reputable VPN is equivalent to every untrustworthy ISP. I think that's why your argument doesn't make sense to me: I don't think there's an equal chance that a VPN provider with a good reputation is going to sell me out as my ISP.
It's axiomatic in risk management that there is no way to completely remove all risk. Running a proxy and Tor is not a guarantee of security any more than running the world's shadiest VPN is, though it's obviously more secure by far. But, it's a question of what the acceptable level of risk is, and what the marginal cost to reduce that risk is. For many people, a $5-10 (non-shady) VPN is a perfectly reasonable step to take.
Essentially the only valid use of a VPN. That, or masking your location from other users online.
I find YouTube in my country is just filled with content being pushed because it's local to my country. Some VPN exit points have less local content pushing, which gives me more options. Eastern European content is really good, but also completely missing from American YouTube suggestions.
Then either do without (because, come on, nobody's gonna die if they can't watch reality TV), buy it on disc, or pirate it? Netflix is blocking IP ranges so hard that residential space is getting caught in the blast radius. It's a cat and mouse game that you'll only win by refusing to play.
https://torrentfreak.com/netflix-intensifies-vpn-ban-and-tar...
I'm convinced that you can get most of the privacy "benefits" of a VPN with an encrypted DNS, which a pihole can be configured to provide for your whole home network.
Your ISP could still figure out which sites you are visiting by what IP addresses your traffic gets pointed to, but I'd be willing to wager that the bulk of their data collection for the purpose of advertising comes from logging DNS requests, since it is far easier to do and captures 99.99% of their customers habits.
This won't do anything to protect your IP from being sniffed out by media companies when seeding copyrighted torrents, but that has never been a major concern in my house. This is probably also meaningless if you are being targeted for surveillance.
It is - they know their market and they serve them well. One of the few VPNs that actually don't log traffic.
That said, I've had websites flat-out refuse me because of using Mullvad (not just because it's a VPN, but a supposedly "disreputable" VPN). Meaning blackhats love it. Meaning it works.
Tor is practically unusable in 2021. Tor is blocked or is very difficult to use for a growing number of sites. Google is the big one (whether one should use google at all is a different story).
Plus ISPs can detect tor use by its customers just from packet patterns. I don't want to be flagged as a tor user by either my ISP or the sites I visit.
The only other option is to set up your own ISP either in a colo rack or on a cloud VM. That's going to cost $50-$100 a month plus your time fiddling with it and any network overages.
I think there’s been good criticism of your arguments so far and I don’t want to pile on; but I see _a value_ in commercial VPN companies.
I, a tech savvy person, have no issue creating an SSH proxy server in any country in seconds.
But I also make online video games, and the US sanction system means I must block people from accessing our services; even if they have a copy of the game.
They did nothing wrong, my company isn’t even US based: we just used a cloud provider and all of those are US based.
So, I encourage those users to use a vpn if one is available to them.
> If you think you want a VPN for "privacy", use Tor Browser.
What about Tor over VPN, so that your ISP can't see that you're using Tor? That is, the VPN hides your usage of Tor from your ISP and Tor hides your browsing from the VPN (and since many VPN services even advertise Tor support, it's not like it would be suspicious, plus you can pay for many VPNs with cryptocurrency while I definitely can't hide my identity or location from my ISP).
> It's been clear for a long time that every single commercial VPN service is a waste of money.
This is nonsense. It depends entirely on your goals. It's important to me that my ISP doesn't know what I'm doing while I couldn't care less if my VPN provider does. I also need to circumvent geoblocking from time to time.
> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.
I'm not sure what country you live in, but in the US, all the big ISPs might as well be run by the government, at least when talking about privacy. Private VPN companies are far more trustworthy, all else being equal.
I believe Mozilla's contract with Cloudflare to provide Firefox Private Network provides great value, and I've been happy with its service for quite some time. Mozilla and Cloudflare are both well known organizations, and Mozilla acting as a buyer's agent is a good position to be in.
1. my threat model is not my government. It seems that the TLAs have thoroughly pwned our privacy for a long time now. (please note that I am in no way advocating for this mass surveillance, but I don't see that I have much choice in the matter)
2. My threat model includes my ISP. I am forced to use a scummy ISP who would openly steal my data if I let them. Same with my mobile provider.
3. My threat model includes the data thieves who have obvious business models built around selling my stolen data to the highest bidder.
4. My threat model includes black hats and script kiddies.
5. Do I trust my VPN provider? Eh. A little. For now. The thing is, I trust them more than #s 2,3,4 above. What other choice do I have?
I wouldn't say commercial VPNs are a waste. It depends on what purpose you want to use the VPN for. Privacy? Yeah, maybe not the best for that, but these are extremely useful to bypass geoblocking of content. Moreover, many ISPs do not like you downloading content via torrent. How do you propose we solve it? User experience with Tor is not always the best as well. The Tor network does not have lots of bandwidth. It is okay for browsing, but the moment you want to download something using Tor you'd notice that it's actually very slow. I'd bet my money that using Tor would attract a lot more attention from your ISP than using a regular VPN.
To make it slightly more expensive for the adtech industry to spy on all my internet traffic. I have little illusions that any tech measure whatsoever can thwart government entities.
We use a commercial VPN at our company because it provides a mechanism for traffic encryption for employees who might be connecting from insecure networks. Sure most sites use HTTPS but there is still some unencrypted traffic like CDN or similar.
It’s not a cure all or some privacy guarantee, it’s just that for us, the risk of our employees browser history being stolen by that VPN for some nefarious purpose is just less than the risk of information leaking via insecure network.
The main reason that I use (and many around here) VPNs is to access sites blocked by the government. And these blocked sites even included Wikipedia until recently.
The utility in a VPN is in travelling, not at home. I’m not sure if I trust ProtonVPN more than I trust my ISP, but I sure as hell trust them more than I trust the little hotel I stayed at in Brooklyn.
Long term I’ll probably just solve this by setting up a VPN server at home, so I can tunnel through to my local services and protect myself from wifi endpoints I use on the go.
> Why do we even give these companies the time of day?
My understanding is that most people use a VPN to either watch the foreign catalogs of streaming services or insert a third party in a foreign country to make themselves less tempting targets for random enforcement of copyright laws.
Obviously they don't advertise like this because these activities are illegal.
Kevin Poulsen's book Kingpin, about the takedown of CardersMarket, describes how the FBI ran a VPN service as a honeypot for quite a while as part of the operation, logging everything that passed through it. As you say, it could be anyone on the other end of that connection.
> VPNs do not effectively solve this issue. Most modern browsers can detect the geographic location of a device based on data from GPS, available Wi-Fi networks and GSM/CDMA cell IDs and will submit this information to websites requesting it.
Did I miss something? Even the ad-tech browser will ask the user before sharing that?
Diversification. Theoretically most of the nodes are owned by different people, and every connection will randomize your node list route between them, making it difficult to track, unless most of the nodes were owned by one organization. With VPNs, all of your connections are through servers owned by one company, identified by an account ID.
Tor is almost certainly a government honeypot, but if you're just trying to hide from Google and other ad companies, it'll help. Except that it's cripplingly slow.
You are right that most people are just signing up with the same credit card and details as their ISP, and even if they claim they don't keep logs, the VPN needs to link the use of their service to your details for billing just like your ISP.
That said, if you live in the UK the government logs your internet history to be used against you at their convenience. Using a VPN like mullvad.net that you can buy with bitcoin and no details prevents the government logging my history; that's worth the £5 a month.
Accounts can be completely decoupled from the payer. As long as the account is paid for, it should work. If there are no speed or time limits imposed, then why worry about who is using the VPN? If you allow a reasonable number of connections to the account at any given time, the rest shouldn't matter.
Making someone with a history of doing exactly the thing that a company purportedly stands against the CTO seems like an absolutely baffling choice... unless the company is doing that thing (enabling surveillance).
If I were to use a VPN service, this news would certainly disqualify ExpressVPN from my list of possible options.
I imagine that if I were working for a company like that out of belief in the mission that this news would be difficult.
In the field of legal representation oftentimes the best defense lawyers that specialize in defending against federal probes and investigations have years of prosecutorial experience leading those government teams.
That idea of insider knowledge turned to the client's benefit might be utilized here - but yes it is a bit less comforting in contexts where the legal duty to client does not apply.
If that was the case I would expect it to be disclosed. The reason there is a reaction from customers and employees is that they were not forthright with this info.
Besides that, I think Kape is highly suspect, and the whole VPN space is filled with marketing of false promises and FUD.
Get a VPS, they are actually cheaper than VPNs (if you only need one country location).
You will have one single IP and you won't share IP with hundreds of other people thus being flagged.
I have never been blocked from a site when using my VPS, including sites that otherwise block VPNs, I think they don't care for whatever reason.
Doesn't mean they can't know, they will, but they seem to not care?
Some websites might do.
The only way you can get a completely "native" experience is for someone to set up a VPN in a computer connected to a residential connection in the country you want to appear in.
The problem is a VPS isn't anonymizing because your traffic isn't pooled with others. So if your goal is to bypass geoblocking, etc. then sure a VPS is a good choice. If improved anonymity is what you're after then a VPS isn't going to do that.
Popular VPS hosts like Digital Ocean, Linode, etc are all going to smack you down if you do anything remotely fishy on their networks. They have to have a pretty good idea of what's happening with their VPS systems, and I've seen them (DO/Linode) smack down everything from specific VPN connections to web scraping.
If you're going to use a VPS for anything remotely sketch you probably don't want to go with a reputable provider - they're reputable for a reason.
What strange ToS clause would those fall under? Skimmed the DO ToS and found nothing, while they also have a separate page promoting the deployment of your own VPN
A lot of people in the Cybersecurity industry are solely motivated by money. This is an egregious case. In milder cases, I've seen US SAS Cybersecurity providers being casual about customer protection, only caring if it starts hitting their reputation. Protecting people's privacy is much lower on their list of priorities. Human rights activists, and other vulnerable people of human-rights-abusing - they're not even on the horizon.
He must've made a nice packet of money. Must have taken care of his retirement - the company's even promoting him. Some citizen's family is now at risk, or already imprisoned without a legal process. This must've come as a shock to the Human Rights community. VPN usage is universal there. And this is the tip of the iceberg - surely we know how fine of a dragnet the FBI has. Iran, China, Saudi Arabia, UAE, there's a long list of nations that'd like to snoop on their own people wherever they may be living. Like someone said, Tor is the way to go (tails).
I can't believe that employees and customers are falling for the Big Lie technique. "Yes, our CTO is an ex-spy that we never revealed, but he's totally not doing it anymore! We promise!"
Honestly, how stupid do you have to be to believe this?
It [ExpressVPN] said it had not known of the federal investigation or the details of Gericke's work in UAE
Seriously?
So either he lied or they are lying. I'm not an expert in American employment laws but would have assumed that one of the conditions of employment would be disclosing/reporting being under a federal investigation.
I think there's a potentially valid argument in saying "who better knows how to protect us from these people than one of their own?". It's perfectly valid to doubt their motivation (and I do), but there's a reason defectors are valuable.
For any company, ask why they'd actually care about doing the right thing.
Is it reputation? Integrity? Is the reasoning purely financial?
Then ask whether the company operates in a way that suggests they'd do the profitable thing over the right thing if they think they might get away with it. Does that picture look realistic?
As an example, look at Apple. Leaving the tangential discussion about scanning iCloud photos for CSAM aside, they are a company that claims to care about users and about privacy. Whereas every other company is literally trying to send all data to the cloud, Apple is telling us they're working to process everything they can on the device itself.
What would happen if they were caught selling location data? Caught allowing companies direct access to data aggregated from users that they explicitly say they're not collecting? They'd stand to lose literally many billions of dollars of sales because the thing differentiating them from everyone else would be erased.
Which is greater - those billions of dollars of sales as a premium device maker, or those scraps of money they'd make from underhandedly selling data?
Now look at the same scenario but with Facebook, or Google - is it the same? No, because we have no realistic expectation of privacy with either company. They're in the news quite often because they're doing nefarious things, allowing access to data most people didn't even know they're collecting, yet people aren't really doing things differently because of the news.
Imagine the same with companies like ExpressVPN. How much would a disclosure hurt them? How much money could they possibly make by selling private data? Do they employ the kind of people who'd take the gamble between the two?
Proton logged IPs in response to Swiss court order and handed over that data after the order was received. They do not log IPs otherwise. And bear in mind, the specific request in question here had the involvement of the French state as well.
I have never in my life met anyone that has an iPhone or a Mac because Apple is processing everything on the device itself. People have iPhones and Macs for 2 reasons: iMessage, and because Apple is a premium brand that even the richest of the richest people use. The money Apple would lose if they started mining your data like Facebook would be indistinguishable from random noise.
If you want online anonymity, use Tor. And torrent with a seedbox.
https://en.wikipedia.org/wiki/Carnivore_(software)
And this was the very very crude version, what is happening today is obviously light years ahead of what Carnivore was...
We really need a "*Moore's Law For Surveillance Capabilities Multiplying by X Every N Period*"
https://arstechnica.com/information-technology/2021/09/priva...
https://hacker10.com/internet-anonymity/hma-vpn-user-arreste...
https://www.theregister.com/2011/09/26/hidemyass_lulzsec_con...
I’ve never had reliable VPN working over public wifi/mobile network, unless I roll my own custom protocol that masquerades as HTTP traffic.
No, with SSL and https now the default for 90%+ of the web, you can be sure no one is casually listening in.
You're starting with the (completely correct) observation that any VPN is not guaranteed to be secure, confidential, or private, and then making an argument as though it were the case that every reputable VPN is equivalent to every untrustworthy ISP. I think that's why your argument doesn't make sense to me: I don't think there's an equal chance that a VPN provider with a good reputation is going to sell me out as my ISP.
It's axiomatic in risk management that there is no way to completely remove all risk. Running a proxy and Tor is not a guarantee of security any more than running the world's shadiest VPN is, though it's obviously more secure by far. But, it's a question of what the acceptable level of risk is, and what the marginal cost to reduce that risk is. For many people, a $5-10 (non-shady) VPN is a perfectly reasonable step to take.
I find YouTube in my country is just filled with content being pushed because it's local to my country. Some VPN exit points have less local content pushing, which gives me more options. Eastern European content is really good, but also completely missing from American YouTube suggestions.
Your ISP could still figure out which sites you are visiting by what IP addresses your traffic gets pointed to, but I'd be willing to wager that the bulk of their data collection for the purpose of advertising comes from logging DNS requests, since it is far easier to do and captures 99.99% of their customers' habits.
This won't do anything to protect your IP from being sniffed out by media companies when seeding copyrighted torrents, but that has never been a major concern in my house. This is probably also meaningless if you are being targeted for surveillance.
That said, I've had websites flat-out refuse me because of using Mullvad (not just because it's a VPN, but a supposedly "disreputable" VPN). Meaning blackhats love it. Meaning it works.
Plus ISPs can detect tor use by its customers just from packet patterns. I don't want to be flagged as a tor user by either my ISP or the sites I visit.
The only other option is to set up your own ISP either in a colo rack or on a cloud VM. That's going to cost $50-$100 a month plus your time fiddling with it and any network overages.
I, a tech savvy person, have no issue creating an SSH proxy server in any country in seconds.
But I also make online video games, and the US sanction system means I must block people from accessing our services; even if they have a copy of the game.
They did nothing wrong, my company isn’t even US based: we just used a cloud provider and all of those are US based.
So, I encourage those users to use a vpn if one is available to them.
What about Tor over VPN, so that your ISP can't see that you're using Tor? That is, the VPN hides your usage of Tor from your ISP and Tor hides your browsing from the VPN (and since many VPN services even advertise Tor support, it's not like it would be suspicious, plus you can pay for many VPNs with cryptocurrency while I definitely can't hide my identity or location from my ISP).
This is nonsense. It depends entirely on your goals. It's important to me that my ISP doesn't know what I'm doing while I couldn't care less if my VPN provider does. I also need to circumvent geoblocking from time to time.
I'm not sure what country you live in, but in the US, all the big ISPs might as well be run by the government, at least when talking about privacy. Private VPN companies are far more trustworthy, all else being equal.
How? I don't see how being a VPN company as opposed to an ISP makes a difference in regard to government seizure or request of logs.
1. my threat model is not my government. It seems that the TLAs have thoroughly pwned our privacy for a long time now. (please note that I am in no way advocating for this mass surveillance, but I don't see that I have much choice in the matter)
2. My threat model includes my ISP. I am forced to use a scummy ISP who would openly steal my data if I let them. Same with my mobile provider.
3. My threat model includes the data thieves who have obvious business models built around selling my stolen data to the highest bidder.
4. My threat model includes black hats and script kiddies.
5. Do I trust my VPN provider? Eh. A little. For now. The thing is, I trust them more than #s 2,3,4 above. What other choice do I have?
We use a commercial VPN at our company because it provides a mechanism for traffic encryption for employees who might be connecting from insecure networks. Sure most sites use HTTPS but there is still some unencrypted traffic like CDN or similar.
It’s not a cure-all or some privacy guarantee, it’s just that for us, the risk of our employees' browser history being stolen by that VPN for some nefarious purpose is just less than the risk of information leaking via insecure network.
Long term I’ll probably just solve this by setting up a VPN server at home, so I can tunnel through to my local services and protect myself from wifi endpoints I use on the go.
My understanding is that most people use a VPN to either watch the foreign catalogs of streaming services or insert a third party in a foreign country to make themselves less tempting targets for random enforcement of copyright laws.
Obviously they don't advertise like this because these activities are illegal.
Mullvad VPN seems like the best choice.
Kevin Poulsen's book Kingpin, about the takedown of CardersMarket, describes how the FBI ran a VPN service as a honeypot for quite a while as part of the operation, logging everything that passed through it. As you say, it could be anyone on the other end of that connection.
> This site was conceived and built by IVPN to challenge aggressive marketing practices in the VPN industry.
> VPNs do not effectively solve this issue. Most modern browsers can detect the geographic location of a device based on data from GPS, available Wi-Fi networks and GSM/CDMA cell IDs and will submit this information to websites requesting it.
Did I miss something? Even the ad-tech browser will ask the user before sharing that?
so replace a vpn, which might be logging your traffic, for a service which absolutely is logging your traffic?
Tor is an anonymity service, not a privacy service.
- the exit node knows the second-to-last node, the cleartext data and the destination,
- each intermediate node knows the previous and next nodes,
- the entry node knows the sender and the second node.
And using HTTPS prevents the exit node from knowing the cleartext data.
This doesn't enable any individual node to know who sent what to whom, assuming that the whole path isn't entirely controlled by one person.
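The per-node knowledge described in the comment above can be checked with a small simulation of layered (onion) wrapping. This is an added example, not part of the thread and not Tor's code: the cipher is a toy SHA-256 keystream standing in for Tor's real cryptography, and the relay names, keys, sender and destination are constructed for illustration.

```python
import hashlib, json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stands in for Tor's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(path, keys, destination, payload):
    """Sender wraps the payload once per relay; the exit's layer is innermost."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(keys[relay], layer)
    return cell

def route(sender, path, keys, cell):
    """Each relay peels one layer; record the only facts that relay observes."""
    views, prev = {}, sender
    for relay in path:
        layer = json.loads(keystream_xor(keys[relay], cell))
        cell = bytes.fromhex(layer["data"])
        views[relay] = {"prev": prev, "next": layer["next"]}
        prev = relay
    return views, cell  # cell is now what the exit forwards to the destination

def relays_linking(views, sender, destination):
    """Relays that see both the sender and the destination (should be none)."""
    return [r for r, v in views.items()
            if v["prev"] == sender and v["next"] == destination]

# Constructed sample circuit; all names and keys are illustrative.
SENDER, DEST = "alice", "example.org"
PATH = ["entry", "middle", "exit"]
KEYS = {r: hashlib.sha256(r.encode()).digest() for r in PATH}
PAYLOAD = b"GET / HTTP/1.1"

if __name__ == "__main__":
    views, delivered = route(SENDER, PATH, KEYS, build_onion(PATH, KEYS, DEST, PAYLOAD))
    for relay, seen in views.items():
        print(relay, seen)
    print("exit forwards:", delivered, "| linking relays:", relays_linking(views, SENDER, DEST))
```

The exit relay ends up holding the plaintext payload, which is why the comment's point about HTTPS matters: with TLS inside the circuit, that payload would itself be ciphertext.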
Isn't using Tor browser trusting a group of unknown people as well (nodes)? I hear all the time theories that Tor is a giant honeypot
As far as I can see, normal people are asking for VPNs to access Netflix catalogs of other countries.
That said, if you live in the UK the government logs your internet history to be used against you at their convenience. Using a VPN like mullvad.net that you can buy with bitcoin and no details prevents the government logging my history, that's worth the £5 a month.
[1] https://en.wikipedia.org/wiki/Tom_Okman
If I were to use a VPN service, this news would certainly disqualify ExpressVPN from my list of possible options.
I imagine that if I were working for a company like that out of belief in the mission that this news would be difficult.
That idea of insider knowledge turned to the client's benefit might be utilized here - but yes it is a bit less comforting in contexts where the legal duty to client does not apply.
Besides that, I think Kape is highly suspect, and the whole VPN space is filled with marketing of false promises and FUD.
You will have one single IP and you won't share IP with hundreds of other people thus being flagged.
I have never been blocked from a site when using my VPS, including sites that otherwise block VPNs, I think they don't care for whatever reason.
Doesn't mean they can't know, they will, but they seem to not care?
Some websites might do.
Only way you can get a completely "native" experience is for someone to set up a VPN in a computer connected to a residential connection in the country you want to appear in.
If you're going to use a VPS for anything remotely sketch you probably don't want to go with a reputable provider - they're reputable for a reason.
What strange ToS clause would those fall under? Skimmed the DO ToS and found nothing, while they also have a separate page promoting the deployment of your own VPN
https://www.digitalocean.com/solutions/vpn/
He must've made a nice packet of money. Must have taken care of his retirement - the company's even promoting him. Some citizen's family is now at risk, or already imprisoned without a legal process. This must've come as a shock to the Human Rights community. VPN usage is universal there. And this is the tip of the iceberg - surely we know how fine of a dragnet the FBI has. Iran, China, Saudi Arabia, UAE, there's a long list of nations that'd like to snoop on their own people wherever they may be living. Like someone said, Tor is the way to go (tails).
Honestly, how stupid do you have to be to believe this?
Seriously?
So either he lied or they are lying. I'm not an expert in American employment laws but would have assumed that one of the conditions of employment would be disclosing/reporting being under a federal investigation.
Is it reputation? Integrity? Is the reasoning purely financial?
Then ask whether the company operates in a way that suggests they'd do the profitable thing over the right thing if they think they might get away with it. Does that picture look realistic?
As an example, look at Apple. Leaving the tangential discussion about scanning iCloud photos for CSAM aside, they are a company that claims to care about users and about privacy. Whereas every other company is literally trying to send all data to the cloud, Apple is telling us they're working to process everything they can on the device itself.
What would happen if they were caught selling location data? Caught allowing companies direct access to data aggregated from users that they explicitly say they're not collecting? They'd stand to lose literally many billions of dollars of sales because the thing differentiating them from everyone else would be erased.
Which is greater - those billions of dollars of sales as a premium device maker, or those scraps of money they'd make from underhandedly selling data?
Now look at the same scenario but with Facebook, or Google - is it the same? No, because we have no realistic expectation of privacy with either company. They're in the news quite often because they're doing nefarious things, allowing access to data most people didn't even know they're collecting, yet people aren't really doing things differently because of the news.
Imagine the same with companies like ExpressVPN. How much would a disclosure hurt them? How much money could they possibly make by selling private data? Do they employ the kind of people who'd take the gamble between the two?
Proton logged IPs in response to Swiss court order and handed over that data after the order was received. They do not log IPs otherwise. And bear in mind, the specific request in question here had the involvement of the French state as well.