VPNs don’t protect your privacy*

I’m sure you’ve seen enough sponsor spots from other youtubers boasting about their sponsor’s VPN service’s ability to protect your privacy. The services themselves flaunt that notion – NordVPN’s homepage is almost exclusively about privacy, “Get secure and private access to the internet”, “Protect all of your devices”! They aren’t alone either, Surfshark equally claims a whole slew of privacy benefits by using their service. The thing is though, VPN services don’t do all that much to protect your privacy. They almost always provide some kind of “privacy shield” service on top, but I’ll come back to that later. At a base level, a VPN service does very, very little to protect your privacy.

A VPN, or virtual private network, is an encrypted tunnel between your machine and a server run by the VPN provider. Your packets still travel over your ISP's network, but all the ISP sees is encrypted traffic to that one server; the provider decrypts it and sends it on to whatever site you are visiting, and the reply comes back the same way. Normally you can change where that endpoint is – they'll often have servers all around the world for you to choose from.

Let’s take a look at what these services claim to protect you from. Surfshark has a handy page where they explain the “major threats on public Wi-Fi networks”. That includes man-in-the-middle attacks, “evil twin attacks”, ”Cookie Theft”, “computer worms” and “Wi-Fi pineapples”. The data they say is at risk includes “Credit card and bank account details, “Social media passwords”, “Email login credentials” and “Any other personal information that you input”. Quite broad there Surfshark… Of course, they say by using their service, you can prevent all of this disaster! This sort of language is designed to sound realistic and frighten you into believing that any of this is actually possible.

Just to allay any worries, let’s go through each of these briefly. “Man-in-the-middle attacks” do exist, but with the near-universal use of TLS (the successor to SSL, secure sockets layer, and the thing behind the little padlock you get in the address bar on an https site) all your traffic to that site, including passwords, tokens and data, is encrypted and authenticated. When you go to log into YouTube, the whole transaction, from you putting in your password to YouTube sending you a session token (a cookie) back, is encrypted, and while someone “eavesdropping” on the same network as you could get a copy of that data, they couldn’t read it. What they can see is which site you’re talking to: your DNS lookup for the hostname and the hostname in the TLS handshake (the SNI field) both go out in the clear. That is a leak of “where”, not “what”, and it is the one part a VPN actually moves out of sight of the hotspot.

“Evil twin attacks” are also thwarted by TLS and modern browsers. An evil twin can hand you its own certificate for the site, but your browser won’t trust it, and it will make it very clear that you shouldn’t trust the connection either. If you decide to click past the warnings anyway, then maybe a VPN would help, but if this fictional attacker has gone to the effort of setting up a fake Wi-Fi hotspot and intercepting the data, they’ll probably just make a fake version of the website you want and steal your credentials directly, and nothing can stop that but you (plus a password manager that refuses to fill your login on a domain it doesn’t recognise). The one real gap is a site that still answers on plain http:// and doesn’t send HSTS: an attacker who controls the hotspot can hold you on the unencrypted version and read what you send. That narrow case is where the tunnel genuinely earns its keep.

The next is “Cookie theft”. Specifically they claim that ‘attackers’ “can post your social media”. No. They can’t. If they have direct access to your machine, like Linus experienced when his channel was hacked with an infected zip file that was downloaded onto a machine with access to his channel, then yes, session hijacking is possible, but over Wi-Fi? No, because, again, the cookie only ever travels inside that encrypted connection. The one caveat is a cookie set without the Secure attribute on a site that still answers plain HTTP: the browser will happily attach it to an unencrypted request, and that can be sniffed. Major sites mark their session cookies Secure for exactly that reason.
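To make that caveat concrete, here is an added example (not code from the original post) that takes the Set-Cookie headers a login response might return and reports which cookies a Wi-Fi eavesdropper could actually see. The headers are constructed for illustration; the names and values are not from any real site.

```python
"""
Added example (not from the original post): which of a site's cookies could a
Wi-Fi eavesdropper actually read? A browser only transmits a cookie in the
clear if it was set without the Secure attribute and the site still answers
plain http://. The Set-Cookie headers below are constructed for illustration.
"""
from typing import List


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sniffable_cookies(set_cookie_headers: List[str], site_serves_plain_http: bool) -> List[str]:
    """Names of cookies that could cross the hotspot unencrypted.

    With Secure set, the browser never attaches the cookie to an http://
    request, so it only ever travels inside TLS. Without it, a single plain
    HTTP request (a typed 'example.com' before the https redirect, a
    mixed-content image) carries the cookie in cleartext, if the site answers
    on port 80 at all.
    """
    if not site_serves_plain_http:
        return []
    exposed = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        # Browsers reject __Secure-/__Host- prefixed cookies that lack Secure,
        # so they never land in the jar and cannot leak.
        if cookie["name"].startswith(("__Secure-", "__Host-")):
            continue
        if "secure" not in cookie["attrs"]:
            exposed.append(cookie["name"])
    return exposed


# Constructed headers modelled on a typical login response (not real tokens).
SAMPLE_SET_COOKIES = [
    "SID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax",
    "__Secure-1PSID=def456; Path=/; Secure; HttpOnly",
    "PREF=theme=dark; Path=/; Domain=.example.com",   # no Secure: sniffable
    "legacy_session=ghi789; Path=/; HttpOnly",        # session cookie, no Secure
]

if __name__ == "__main__":
    print(sniffable_cookies(SAMPLE_SET_COOKIES, site_serves_plain_http=True))
    # -> ['PREF', 'legacy_session']
```

The interesting result is `legacy_session`: an HttpOnly flag protects a cookie from page scripts, but does nothing on the wire, so a session cookie without Secure is exactly the thing a hotspot sniffer could pick up.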

Next, “Computer worms”. This is a beautiful piece of manipulation: calling it a “computer worm” is a purposefully retro term that invokes images of those 80’s and 90’s films, like Hackers, that talk about “worms” and “viruses”. Surfshark is apparently talking about “Malware that doesn’t need you to download anything to infect your computer”. Strictly, a worm is malware that spreads itself across a network without anyone clicking anything, and I have no idea how a VPN is meant to protect you from that, unless they are talking about their additional ad blocker feature. A VPN itself wouldn’t stop a compromised site from serving an infected payload as part of the page, nor something like the WannaCry worm, which spread using a vulnerability in the SMB file sharing protocol and ran its payload without any user input. What stopped WannaCry was a Windows patch, not a tunnel.

Lastly, “Wi-Fi pineapples”. A Pineapple is just a commercial rogue-access-point gadget, so this is the same thing as the “evil twin attacks” and “man-in-the-middle attacks” above. Again, your data is encrypted by the browser before it leaves your machine, so beyond the names of the sites you visit, the pineapple’s owner gets ciphertext, and generally speaking you are all good.
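To show exactly what a passive sniffer on the hotspot (the Pineapple owner, the evil twin, or, further along the path, your ISP) gets from an HTTPS visit, here is an added example, not code from the original post. It builds a plaintext DNS query and a minimal TLS ClientHello for a hostname, then reads the hostname back out of both, while the application data that follows is treated as the opaque ciphertext it is. The packets are constructed inline rather than captured, and `www.youtube.com` is just a sample name.

```python
"""
Added example (not from the original post): what a passive eavesdropper on the
same Wi-Fi, or your ISP, actually reads from a visit to an HTTPS site.
Packets are constructed here, not captured.
"""
import struct
from typing import Optional


def build_dns_query(name: str) -> bytes:
    """Plain UDP/53 query for an A record, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def dns_query_name(payload: bytes) -> str:
    """Read the queried name back out of a DNS query: it is never encrypted."""
    if struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record carrying a server_name (SNI) extension."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # name_type 0 = host_name
    extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32             # client_version, random (zeros for the example)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Pull the hostname out of a ClientHello. Nothing in this record is
    encrypted yet, so anyone on the path reads it; only later records are."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:]
    pos = 4 + 2 + 32                                       # handshake header, version, random
    pos += 1 + hs[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hs[pos]                                     # compression_methods
    if pos >= len(hs):
        return None                                        # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def eavesdropper_view(dns_payload: bytes, tls_record: bytes, app_data: bytes) -> dict:
    """What someone sniffing the hotspot (or the ISP) learns from the three packets."""
    return {
        "dns_lookup": dns_query_name(dns_payload),            # readable
        "tls_sni": tls_sni(tls_record),                        # readable
        "application_data": "opaque, %d bytes" % len(app_data),  # ciphertext only
    }


if __name__ == "__main__":
    host = "www.youtube.com"
    fake_ciphertext = b"\x17\x03\x03\x00\x20" + bytes(range(32))  # stands in for an encrypted record
    print(eavesdropper_view(build_dns_query(host), build_client_hello(host), fake_ciphertext))
```

The takeaway matches the argument above: the password and the session cookie are inside the opaque part, but the site name appears twice in the clear, which is precisely the data a VPN relocates from the hotspot and the ISP to the VPN provider (encrypted DNS removes the first copy; the SNI copy stays unless the site and browser both support Encrypted Client Hello).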

The only privacy benefit VPNs can legitimately claim to offer is hiding what sites you visit from your ISP, your internet service provider. If you are with, say, BT, BT can see every site you connect to (the hostnames are in your DNS lookups and TLS handshakes even though the content isn’t) and may well log it. A VPN provider can hide that data, since all BT will see is you exclusively talking to that VPN provider. The only trick there is that all you’ve done is move who sees that data to a smaller, much less verifiable company. They all claim to not keep any logs, although as a general rule I prefer to trust the ones that have been challenged in US court and weren’t able to provide any information. Private Internet Access meets that bar. Most other services have hired external auditors to prove they don’t, and while I have no reason to doubt them at all, it’s still a slightly lower bar to meet.

Now I mentioned the additional “privacy shield” type features they often include as part of your membership. These are good, although most of the benefits you get can be had from encrypted DNS (DNS over HTTPS or DNS over TLS) pointed at a resolver like Cloudflare’s 1.1.1.1, a Pi-hole for DNS-level blocking, and an ad blocker in your browser like uBlock Origin. Of course, having all of those features rolled into one service that also lets you change what your public IP address displays as is more convenient than setting all of that up separately, but you should know that those features aren’t special or unique to VPN providers and you can get all of them for free with an hour or two of setup. One caveat: encrypted DNS hides your lookups from the hotspot and the ISP, but the hostname still goes out in the clear in the TLS handshake, so on its own it doesn’t hide which sites you visit.

Of course, there are legitimate benefits to using a VPN, like spoofing geolocation. Most sites – including Locally for that matter – determine what country you are in based on your public IP address. Address blocks are allocated to providers by region, and public GeoIP databases map each block to a country, so a site can basically look up where an IP is meant to be from. A VPN service lets you change what your public IP address shows up as, therefore allowing you to trick sites into thinking that you are in Rome when you’re really in Rhode Island. Most people say this is good for streaming services like Netflix, and sure, sometimes that will work, but most streaming sites are pretty strict about VPNs in general (commercial IP databases also flag known VPN exit ranges), so you might be disappointed to find that your VPN of choice doesn’t work with the service you wanted. Something that can work a lot better is booking things like hotels, flights and car rentals. Strangely, you might find that those are cheaper if you are booking from certain regions, and that’s something a VPN can definitely help you with.

In short then, VPN providers are mostly lying when they say you are at risk of losing your login or banking details online, or that their service does pretty much anything to protect your privacy. Most people don’t really need a VPN; it is convenient to have the geolocation and ad blocker features for sure, but your parents shouldn’t feel afraid to use a Starbucks WiFi hotspot for fear of a hacker stealing all their money. The whole see-what-sites-you-visit thing can be fixed with a personal VPN you set up using a Raspberry Pi at home too, at least as far as the coffee shop is concerned (your home ISP still sees the traffic, because that’s where it comes out). Let me know in the comments if that’s something you’d want to see a video on.
