The Truth About VPNs and Your Privacy

It seems like everywhere you turn, from YouTube to podcasts, there is an advertisement for a VPN service. The ads have improved a bit recently, but more often than not they mislead people into a false sense of security and privacy.

For those new to this site, my name is Jason Olson and I have been a network engineer in Redding, California for several decades. Certified by industry leaders Microsoft and Cisco, including VPNs! And I have personally worked on dozens of networks using VPNs in both small/medium businesses, as well as home-based businesses, remote workers and just average citizens. So for those reasons, you can trust me a lot more than some ad-spiel about what VPNs can do for you.

Let’s dive in! The term VPN stands for Virtual Private Network — and that is an accurate term. From the early days it gave users who were physically distant the ability to create a “private network” between two or more locations, across an otherwise public network. In some senses you might consider the contemporary app WhatsApp to be analogous to a VPN — in the strict sense that it lets two or more people have a private conversation over a public network (the internet), even while connected to a very public wireless network (like a coffee shop hotspot). Remember that analogy; we’ll come back to it.

Back to the VPN: it was first used by branch offices for site-to-site communication with each other over the internet. Depending on the configuration, it not only kept the communication private (encrypted, secure) but also virtually guaranteed the identity of both parties (because we only really want to share information with someone we trust).

Later this expanded to remote users, such as people working from home. Remember, before the days of web- and mobile-based apps, we often had actual software that had to run on our computers to do our jobs. In a lot of cases, pre-2008, it was very common for businesses to require you to VPN into the company to access Microsoft Outlook and your Microsoft Exchange server — just to send and receive email. And depending on how draconian your administrator was, sometimes it was the only way to access the web on your work-provided laptop.

But pretty much the only people using VPNs were those who were doing some sort of work or business transaction. Sure, there were a few computer hobbyists who might VPN into their home network while out of the house — so they could access some files from home or send something to the printer at home — but this group was very small.

Fast forward to 2018 and normal consumer use of VPNs started to rise. There are a lot of reasons for this, but marketing is a big part of it. Just realize that for decades businesses have used VPNs extensively, and a lot of work and effort has been put into REMOVING the need for the VPN altogether. More and more small businesses are not doing it, and I believe a majority of the larger companies are doing it out of legacy tradition more than a true requirement, because there are simply other (and arguably better) ways to accomplish the same results faster and more easily.

So we need to understand that the majority of the benefits brought by the VPN were for business use cases, and in many of those cases businesses are abandoning them. By and large, the push to everyday consumer use of VPNs does not bring any true new features aside from fancy marketing.

Let’s look at a few things VPN Ads talk about:

  1. Privacy when on public WiFi — this is mostly false, and definitely misleading. Currently the vast majority of what people do on public WiFi is access the web from a browser. And in 2018 and beyond virtually every website has SSL security, which effectively makes all of your internet activity while on that website invisible to everyone else. There was a huge push by Google: if your website wasn’t using SSL, they would penalize your search rankings on their sites. The only thing that anyone (other users of the WiFi or the owners of the hotspot) can see is maybe that you are visiting Facebook – but other than that, the actual contents are all invisible. The degree to which they know who “you” are really depends on what information you give them (i.e. if you have to log in with your name or email or loyalty account or hotel room number to access the WiFi hotspot). But if you never identify yourself to the hotspot provider, then it is far less likely. (But we’ll get to identity protection in a bit.)
  2. Bank Level Encryption — this is true, but very misleading. As mentioned above, most websites already use SSL encryption, and all of it is “Bank Level” encryption. There is no added benefit to double-bank-level-encrypting your communication with Facebook. In fact, all you’re actually accomplishing is slowing down the internet experience for yourself. There may be a website that isn’t encrypted; generally these are very old, unmaintained websites which are probably innocuous – but yes, if you visit a non-encrypted website, every page, piece of content and click will be easily readable by someone else. In part because of this, Google Chrome has been providing a warning since 2018 when you access a non-encrypted website.
  3. Identity Protection — this is also mostly false the way most people use consumer VPNs — because there isn’t enough education going on about it. Yes, it will hide your IP address from the website you visit – so instead of looking like you’re coming from YOUR HOMETOWN, USA it will say SOME OTHER LOCATION. But that is not enough to protect your identity. Unlike in the movies, it isn’t easy to take a consumer internet connection (Cable, DSL, Residential Fiber Optics, or Mobile Phone) and immediately connect it to a physical address (although there are a few exceptions). The ads tend to promise to protect you from Google or someone else tracking you across websites. However, this is false. Just rotating your IP address will not be sufficient to fool them about who you are. The moment you check your GMAIL or FACEBOOK while using your VPN, the connection between your IP address and your identity has been re-established. And once you do that, the game is up. Now yes, there are a few providers who do some technical wizardry to help prevent Google from tracking you when you’re on other websites, but this is far from the magic pill it promises to be. So if you really want to do something private that cannot be tracked back to you — you need to have a VPN service that you use exclusively for such things, and never for any other sort of activity, and vice versa.
  4. Law Enforcement Privacy – something that people also believe is that a VPN does not record your data – especially when it comes to what websites you went to. Let me assure you of this — if you connect to a VPN based in the USA, and you do something criminal or come under criminal investigation, the authorities CAN AND WILL be able to get that information from your VPN provider. The only possible way to avoid this is to connect to a VPN service that is OWNED and OPERATED outside of the USA (and that country must not have any agreements to share your data). Think of it like how people use Swiss Bank Accounts. But if you’ve never actually connected to servers in another country, let me assure you, it is EXTREMELY slow and you would not want to casually surf the internet this way.
  5. Improved Internet Speeds – this is an interesting one. A few places promise this, and there are a bunch of different technologies that different providers use to deliver it. But by and large this is marketing and generally provides little to no benefit. First, know that using a VPN itself will slow down your internet and computer; it might be only 2-5%, but still, it starts out of the gate slower. Also, the further away you want to “appear” to be coming from using a VPN, the more it will add a significant speed reduction factor. If you’re in California and want to appear in New York, the slowdown will be noticeable. If you choose something very close, then it might have little impact, but doesn’t that defeat many of the stated benefits regarding privacy? Now, they can speed things up by blocking some of the Google services and ad trackers (but if you’ve ever used an ad blocker, you know that these are not perfect and can be problematic). Generally there isn’t a huge gain here, if any. Another thing they can do is something called caching, but most of the big websites use something called a CDN, which actually caches a lot better if you’re closer to their CDN center than you are to your VPN center. For example, say you live in Elko, NV, the closest CDN for Facebook is in Reno, and the closest VPN center is in San Francisco. Using Facebook without the VPN would be faster. Conversely, if there is a VPN center closer, then there might be an improvement. Also, if the website is small to medium (so they don’t have a CDN) and they are far away from you, a VPN with caching might speed things up a bit (but probably not, because if others are not also accessing that website, caching benefits will be limited).
  6. Avoiding Censorship – this is very mixed — it sounds like a good idea, but you can be assured that any branded and advertised VPN service will be easily identified and blocked by those countries involved in censorship. However, if you ran your own private VPN service, you could probably avoid censorship, because you can connect from country A to country B through private, unpublished IP addresses. Just like how large multinational companies can still contact each other privately even to/from a censored country.
  7. Streaming Services – yes, I can hear you, this is what you’ve been waiting to hear about. This one is very similar to “censorship” above. Most of the major VPN services are well known to Netflix and similar streaming services, so they actively block you from using these VPN services. It is a big cat-and-mouse game that goes on, so it might work for a little bit and then stop working for a while, especially if you’re trying to access content not available in your actual home country. But let’s say you legitimately want to access your USA-based catalog while travelling internationally; many times that will work — provided the country you’re in permits your VPN traffic in the first place. Also, because the data has to actually travel from servers based in the US, instead of servers in the country you’re physically located in, the quality might be very poor. So yes, this will probably work if you’re travelling internationally, but if you’re trying to access data that isn’t available in your country of residence (or rather your billing address) you might have some problems with streaming services even with a VPN.

With all of that said, let’s look at what CNET, a trusted source of computer information, says about consumer VPNs and “WHO NEEDS THEM”:

People who access the internet from a computer, tablet or smartphone will benefit from VPN usage. A VPN service will almost always boost your privacy by encrypting your online activity. Communications that happen between the VPN server and your device are encrypted, so an internet service provider or someone on your Wi-Fi network spying on you wouldn’t know which webpages you access. They also won’t be able to see private information like passwords, usernames and bank or shopping details and so on. Anyone who wants to protect their privacy and security online should use a VPN.

CNET – Best VPN service of 2022

By now you can probably pick this apart. The only part which has any partial truth is the part I italicized about “know which webpages” — but as stated earlier, it also really depends on whether you identified yourself to them – versus just being someone on a Dell laptop at Starbucks.

Now there is one thing that hasn’t been mentioned that has been alleged — your ISP, or rather the ISP you’re connected to, might be selling your website activity to advertisers or other data aggregators (think BIG DATA). And a VPN will make all of that invisible to your ISP. However, all that does is prevent your ISP from profiting off of collecting your data (if they even do at all). But know that Google is tracking about 60% of the websites you visit — and so they have a good idea of what websites you visit. And this is all without using Google Search; this is simply by going to the website directly. Of the last 10 websites I visited, 8 of them have Google tracking of one form or another. And even if I was using a VPN, they can still profile that data based on a concept called fingerprinting — which does not have to include your IP address. So you might be protected from your ISP, but they are just one of many tracking technologies being used.
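
The two points made here and under Identity Protection (a fingerprint needs no IP address, and one login re-attaches your identity), as an added example that is not part of the original post. The events, attribute names and addresses are constructed sample data; real trackers use many more signals.

```python
import hashlib
from collections import defaultdict

# Constructed tracker-side events: one laptop seen from a home IP and then
# from a VPN exit IP, plus an unrelated user behind the same VPN exit.
EVENTS = [
    {"ip": "198.51.100.7", "ua": "Firefox/102 Win10", "screen": "1920x1080",
     "tz": "America/Los_Angeles", "fonts": 214, "account": None},
    {"ip": "203.0.113.50", "ua": "Firefox/102 Win10", "screen": "1920x1080",
     "tz": "America/Los_Angeles", "fonts": 214, "account": None},
    {"ip": "203.0.113.50", "ua": "Firefox/102 Win10", "screen": "1920x1080",
     "tz": "America/Los_Angeles", "fonts": 214, "account": "user@example.com"},
    {"ip": "203.0.113.50", "ua": "Chrome/103 macOS", "screen": "2560x1600",
     "tz": "America/New_York", "fonts": 187, "account": None},
]

def fingerprint(event):
    """Hash browser attributes only; the IP address is deliberately excluded."""
    material = "|".join(str(event[k]) for k in ("ua", "screen", "tz", "fonts"))
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def link_profiles(events):
    """Group events by fingerprint and attach any account seen in the group."""
    profiles = defaultdict(lambda: {"ips": set(), "accounts": set(), "visits": 0})
    for ev in events:
        profile = profiles[fingerprint(ev)]
        profile["ips"].add(ev["ip"])
        profile["visits"] += 1
        if ev["account"]:                 # a single login names the whole profile
            profile["accounts"].add(ev["account"])
    return dict(profiles)

if __name__ == "__main__":
    for fp, profile in link_profiles(EVENTS).items():
        print(fp, sorted(profile["ips"]), sorted(profile["accounts"]),
              profile["visits"])
```

The first three events collapse into one profile spanning both IP addresses and carrying the logged-in account, while the fourth stays separate even though it shares the VPN exit address.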

So what do I recommend:

The only reason I see for the average family member of mine to use a VPN would be to access streaming services while traveling outside of the country. Forget all of the other security and privacy mumbo-jumbo that is promised.

When do I use a VPN and which service do I use:

I rarely connect to a VPN service, but it is almost exclusively when it is related to some sort of work-related task – and in those cases it is connecting to a VPN network directly related to the work to be performed. And that is just about it. I really do not care if the guy at Starbucks knows that Jason Olson is on Facebook or on a cruise line website. (See ISP above.)

Based on the research I’ve done into the privacy concerns about how big tech and big data are tracking everyone, a VPN does not even come close to providing the needed solution. It is ineffective and it just provides comfort to the uninformed while the majority of the risk continues to exist.

But what about the tracking:

Excellent question, so while a VPN is not the answer, here are a few things that I do:

  • Two levels of DNS protection – both for content filtering and against spoofed and malicious websites.
  • Outbound internet filtering – only necessary ports are permitted out, so that if someone does get a virus (none yet, ever, even in a house with teenagers!) its ability to spread outside of the home is reduced.
  • For web surfing:
    • Google Chrome for anything that really must be Google (Gmail, YouTube, etc.)
    • Firefox for Facebook and all other social media sites
    • Brave Browser for everything else (because it has tracker and Google blocking built in).
  • Additionally for a couple of reasons, about once a week we reboot the network equipment, which generally results in a new public IP address.

Future Looking:

I believe that a small, privacy-centric VPN service could be created to address most of the security concerns, but in order for it to really be meaningful it takes more than just technology; it takes end-user education. As long as people use the internet the exact same way when they’re on a VPN, they basically lose 99% of their privacy. And remember, the security (encryption, passwords, etc.) is redundant and unneeded 99% of the time.

But what about the 1% — in most of those cases, it really should be end-user education. A website that needs your password and is NOT already using SSL is really a company you need to second-guess using altogether. If they cannot keep your password secure, what can you trust them to keep private? A VPN is putting a bandaid on a bullet wound (a much bigger problem) and giving you the false sense that everything is okay (when it’s not).

Back to WhatsApp:

At the end of the day a VPN provides an end-to-end tunnel of data that is encrypted against anybody snooping in on your conversation. However, what it doesn’t provide is any assurance about the party on the other end — and that is really your biggest online security concern in 2022 — not the internet itself, but rather the way the other company is handling your data. Just like once you send a picture or text to someone on WhatsApp, there is no way to prevent them from copying and resharing it or doing inappropriate things with it. And that does not even factor in the reports from 2020 and 2021 about WhatsApp actually doing some sort of content scanning (when they shouldn’t be able to). Just like how some VPNs that are not supposed to keep logs and records have actually been found to be violating this trust.

WhatsApp is a great way to have a private conversation between two people (because SMS texting does not support this; but remember the internet DOES protect private conversations by default). And both WhatsApp and VPNs keep track of who is having conversations (that is not hidden from either). And they have nothing to really protect you from what the other person does with the data they received (re-share a picture or, conversely, share your data with big data).

Both VPNs and WhatsApp are great at solving some specific problems, but they are hardly the privacy panacea people are led to believe.