Wednesday, 30 May 2018

VPNs Don't Make You Anonymous, But Use One Anyway

When you use Wi-Fi networks that aren't in your control, such as those at a coffee shop, hotel, or airport, you instantly become low-hanging fruit for perpetrators—unless you use a VPN. VPN stands for "virtual private network," and you should be using one pretty much all the time on all your devices, not only for the added security it provides from snoops, but also to keep data private from internet service providers (ISPs), mask your location, as well as other reasons.

There's a lot of confusion about what VPNs are, what they do, and what they don't do. VPNs add a layer of protection to your online activities, but which data do they protect and how do they do it?

What Is a VPN?

The clearest and most common analogy used to explain how a VPN works is to call it a private tunnel.

Imagine the internet as a highway. The highway allows information to travel among servers and devices all over the world. Let's call the information packets. Now think of VPN as a tunnel. Instead of using the open roads to send and receive items, your packets travel in a private tunnel. Additionally, you never send or receive packets directly, choosing instead to route them via a third party; that third party is the VPN provider's servers. So you send a packet through a private tunnel to a VPN provider server (let's call it VPN Wakanda, for argument's sake), and VPN Wakanda delivers it to its final destination. Similarly, when receiving packets, you never get them directly because they also go to VPN Wakanda first. That way, anyone sending you a packet thinks you receive it at VPN Wakanda and has no idea where you actually are.

Liz Kintzele, VP of revenue at VPN provider Golden Frog, maker of VyprVPN, uses a simpler analogy that indicates what the services do and don't do:

We liken using a VPN service to the curtains on your windows at home. Curtains significantly improve privacy for your residence despite the house address being public.

Why Use a VPN?

While there are many reasons to use a VPN, the two most common for personal use are 1) enhancing privacy and security and 2) bypassing geographic restrictions or censorship. For business use, VPNs are used commonly to give employees remote and secure access to private company servers, where they might keep shared drives and host other non-public data. In that use case, the organization and employees still get the same enhanced privacy benefits.

Enhance Privacy and Security

Enhanced privacy isn't the same as total privacy, but it's still important. Using a VPN does not make you anonymous online, which is one of the biggest myths people believe about these services. Rather, a VPN specifically protects your internet traffic in transit by encrypting it. So for example, without a VPN, when you fill out a form on a web page and hit enter, you are then sending the information to the person who runs the website, and while that information is moving from your computer to theirs, other people can intercept it and may be able to read it.

When you use a VPN, however, "people using the same network as you will only see military-grade encrypted data if they look at your connection," according to Caleb Chen, director of external communication for the VPN service PrivateInternetAccess. That means that even if someone intercepts your data, they won't be able to read it.

Privacy concerns apply to your Internet Service Provider (ISP) as well. In the U.S., ISPs can collect, share, and sell your browsing data and other information without your consent. Using a VPN limits how much information ISPs can collect. Your ISP will see you sending packets to VPN Wakanda, but it won't see where the packets go after that. Vice versa, it'll see you receiving packets from VPN Wakanda, but it won't know their true origin.

When you don't use a VPN, someone snooping on the same open, unencrypted network as you can see your IP address (which may indicate your physical location), the device you're using and its operating system, the domains you visit, and, for sites not using HTTPS, the specific web pages you visit. Depending on other factors, a perpetrator could see additional information as well, up to and including everything you type if the web page itself doesn't encrypt your data (sites that use HTTPS use encryption; that's why it's important to look for that 'S').

"With a VPN service running, people using the same network as you will only see military-grade encrypted data if they look at your connection"- Caleb Chen

When you do use a VPN, someone on the same network who wants to get your data would not be able to see the details of what you're doing online. Instead of seeing the domains you visit and everything else, they only see an encrypted packet.

VPNs give you enhanced privacy from not just would-be hackers, but also websites you visit and other services you use online. People running the websites and services cannot see your IP address but instead see the IP address of the VPN server you're using.

Still, even when you have a VPN running, a local snoop can see your local device's IP address, Chen said, as well as when devices are actively online and which operating systems they run. There's a lot of other data still available for someone to scoop up. Remember, VPN offers enhanced privacy but not anonymity.

Bypass Geographic Restrictions or Censorship

Internet censorship map
Image from Golden Frog

Because of the routing described earlier (passing your packets through VPN Wakanda), the websites you visit and online services you use can't tell where you physically are. If you connect to VPN Wakanda, any website you visit thinks you're in Wakanda, which means you can access sites or services that are only visible to people in Wakanda.

Conversely, if you're in a region with online restrictions or censorship, often you can get around them by connecting to a VPN server in a country that isn't restricted. If you're traveling and want to continue watching your favorite series on Netflix, you may need a VPN to get the Netflix catalog for your home country. As another example, the Great Firewall of China famously blocks anyone in the country from accessing Facebook, Twitter, YouTube, Snapchat, and other sites. A VPN service connected to, say, Ottawa lets you bypass this restriction…at least in theory. Governments that censor internet access often try to block VPN services, as do streaming sites such as Netflix. The list of VPN services that successfully keep up with their efforts changes all the time. (That's a long way of saying don't purchase any old VPN before your next trip to Guangzhou and expect it to work—you have to research what's currently effective for different locations and services.)

Using a VPN to bypass a geographic restriction comes in handy in more cases than trying to watch YouTube from China. If you try to access a financial account from certain foreign countries with high cyber crimes rates, the bank will likely lock you out. Using a VPN to mask your location might prevent problems, although, that said, financial institutions and governments are pretty savvy at detecting VPN usage. Even if they can't see the encrypted material, they may block you from taking certain actions online if they notice you're using a VPN. The reason is to protect their own security. You wouldn't want hackers in another country who got their hands on your banking details to be able to use a VPN to make it look like they're in your region and start wiring money out of your account. I spend a lot of time abroad and often hit roadblocks when trying to open new financial accounts or access my taxpayer information in my home country, with or without a VPN.

VPNs Don't Protect Against Other Threats

I asked Bogdan Botezatu, senior e-threat analyst at security software maker Bitdefender, what myths people believe about VPNs. He said:

One of the most frequently encountered misconceptions is the fact that people associate VPNs with security. They perceive the VPN connection as a 'filter' that renders the computer or phone immune to web-borne malware since the connection is 'secure.'

But VPNs don't screen the data coming to your computer, phone, tablet, or any other internet-connected device you use. Whatever you ask for, you get. Using a VPN doesn't stop suspicious links from showing up in your email either, and it doesn't prevent you from being tracked via GPS.

Since the VPN solution only encrypts the information sent over the Internet, it is not effective against any other attack avenues except for data snooping over the network. For instance, if mobile applications or the operating system itself collects telemetry data, that information will flow freely to the developer's servers.

In other words, VPNs are not a complete security solution or a replacement for other security software, such as antivirus or antimalware software.

How to Choose a VPN Service Provider

Before you can start using a VPN, you need to find a provider you trust. While Zapier hasn't run VPN services through the ringer, Wirecutter's recommended VPN services may be a good place to start.

Building trust is tricky business among VPN providers. You might assume you want a to use a provider that logs absolutely no information from you, but the issue of what your VPN service provider knows and keeps track about you is more complicated.

Is logging good or bad?

"VPN providers have different service level agreements for their services," Botezatu explained. "Some providers offer full anonymity in that they do not keep connection logs, so they won't be able to hand over these logs to law enforcement even if subpoenaed. Other VPN vendors do keep logs but will only allow law enforcement access to them in case of abuse (child pornography, online fraud, or other misuses of the VPN service). Last, there are VPN vendors who not only keep logs, but also process the traffic in an anonymized way to better 'understand the user,' which defeats the whole purpose of using a VPN."

Kintzele, howevers, argues that logging doesn't necessarily compromise your security. "Not all logging is bad. Managing an extensive network of VPN servers means some degree of logging is necessary to realistically maintain that network," she said. "A VPN service typically references two types of logs: connection logs and usage logs. Connection logs track times connected and amounts of data transferred, though not the content of the transfer. Usage logs, on the other hand, track online activity throughout your session. Chances are most VPN providers keep connection logs for use in maintaining the quality of their service, even if their marketing claims they are a 'no logging' provider."

"If you don't pay for a product, you are the product. Free VPNs will often serve you ads or monitor and potentially sell your online activity."-Caleb Chen

Look for a solid history and beware the free providers

Knowing a company has been in business for several years and has a solid reputation are two more signs in the right direction. Charging a reasonable market rate—generally in the range of $75 per year, with much better rates when paying for multiple years at a time—is another good indicator.

While several VPN providers offer a free service, be wary of them and read all the fine print to make sure you know what you're getting. Chen put it this way, "As some people say, 'If you don't pay for a product, you are the product.' Free VPNs will often serve you ads, or monitor and potentially sell your online activity. Paid VPNs shouldn't need to do that to make money but the potential for that same type of traffic snooping exists, which is why trust is so important in this space."

Bad actors certainly exist. A 2016 research paper on Android apps that use the VPN permission found that 38 percent of the 283 apps included in the study injected malware of one kind or another onto people's devices. And 18 percent didn't even encrypt data.

Kintzele also noted that a VPN provider that owns and operates its own servers is another big plus. If the servers are in their control, then so are the privacy and security policies that govern those servers.

There are plenty of other factors to consider, too, such as the clarity and transparency of the company's instructions, documentation, and privacy policies. You might want a provider that offers additional features, such as an ad blocker. Some customers also care about the jurisdiction of the service provider for legal reasons.

PrivateInternetAccess mobile app
PrivateInternetAccess' mobile VPN app

How to Get a VPN and Use It

Not every VPN service works the same, but the biggest players more or less follow the same setup, activation, and connection process.

Once you find a reputable VPN provider, you typically download an app to your computers and mobile devices. Then you pay a subscription fee to use the service and sign into the app with your account. Setting up access to a business VPN is slightly more complicated and involves changing the network settings on your device. You'll need instructions from your administrator that include specific details about the configuration and access credentials.

Any decent VPN provider has apps for computers as well as mobile devices, and you want both. It's just as important to protect your mobile data as your computer's data.

Next, you launch the app and connect to a server. The server you choose depends on which location you want to use. If you're only using VPN for privacy, you might want to pick a server in your home country to keep your internet search results local, keep all your browsing in your preferred language, and not get redirected to international versions of sites.

Some VPN providers help you pick a server by showing their speeds. They can get bogged down with heavy traffic. Others simply let you choose a country or city, and then they automatically connect you to one of the servers in that place.

You can disconnect the VPN at any time. Be sure to check the connection and make it active again if you reboot your computer or wake it up after it's been idle, though most VPN services will push a notification letting you know the connection has dropped and asking if you want to reconnect.


VPNs Don't Make You Anonymous, But Use One Anyway

People lock their our doors not because locks provide total protection, but because they offer a layer of security and deter intruders from breaking into our private spaces. People also sometimes have security cameras, a gate around their home, guards at their building, a private garage for their cars, and so forth.

On the one hand, you don't necessarily need to run a VPN all the time. When you're on your password-protected network, for example, you probably are safe from snoops. On the other hand, it doesn't hurt you to leave the VPN on either, and it might help you develop the habit of remembering to use it. But do use a VPN when on unsecured public networks, such as those in airports, hotels, parks, public transit, coffee shops, and so forth.

Security should be multilayered. Think of VPNs as providing one of the essential layers, as well as providing other services, too, such as masking your location. A VPN doesn't protect you against every cyber threat, but it goes a long way to deterring perpetrators from accessing your internet traffic in transit.

Top Image: Elaine333 via Shutterstock. Inline graphic from Golden Frog. Mobile app screenshot courtesy of PrivateInternetAccess.



source https://zapier.com/blog/what-is-VPN/

No comments:

Post a Comment