Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.
On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.
As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.
Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.
I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.
In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.
Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.
If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.
For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.
That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.
Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.
My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).
Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.
Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.
Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to chose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to chose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.
These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.
For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.
A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is also somehow monetizing your use of their service in some way — probably in an way that may be at odds with your reason for using the service in the first place.
Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).
Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.
As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.
Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.