Table of Contents
This article assumes a basic level of proficiency in computer use and an understanding of how computer networks work at a high level. You need not be an IT guru to read it but some passing knowledge will help you better put everything in context.
What is a VPN?
A VPN is a service that creates a digital tunnel between your computer and a remote computer. In this model, your computer is known as the VPN client and the remote computer is known as the VPN server. This connection is secured via encryption making it much harder to others to “listen in” and see what data’s being transferred across the wire.
In the business world VPNs are used to allow off-site employees to securely access internal intranets and company networks.
VPNs do not make you anonymous, they increase your privacy
There’s a critical distinction to be made here between being anonymous and increasing privacy. Unless you’re taking a lot of extra steps you are still easily identifiable as you while using a VPN. All they’re doing from a privacy perspective is adding an extra layer of encryption between your PC and the site you’re connecting to. Because of this, your ISP will have a more difficult time inspecting your traffic to determine exactly what information you’re transmitting.
You will also enjoy some increased security if you’re using VPN while on a WiFi connection, making it harder for people sniffing the WiFi traffic to capture the information you’re transferring. Remember, WiFi is basically two radios broadcasting to each other and any malicious user can trivially intercept those broadcasts and see what you’re doing online. Again, VPN adds another layer of encryption making it harder for malicious users to do this.
Bottom line: VPNs make it harder to listen into your online “conversations” but it’s not impossible and it also does not hide your identity.
VPNs do not protect you from viruses, malware, phishing or spyware
Let’s just get this out of the way. Anyone who says VPNs protect you from viruses, spyware, phishing or malware is lying to you. The vectors of attack for these four horsemen is either getting you to download and execute code on your computer — sometimes without you even knowing that you’re doing it — or getting you to visit a fake website and enter your information.
VPNs are a “pass through” and will let you do all of these things even if you’re not on a VPN.
Bottom line: Don’t believe or trust anyone who tells you that VPNs will protect you from viruses, malware, phishing or spyware. They don’t.
What your ISP still knows even when you’re using a VPN
DNS leakage
The most serious information leakage while using a VPN is called DNS leakage. Think of DNS as a phonebook – you enter a domain name like “duckduckgo.com” and then your computer connects to a DNS server to look up the correct IP address to connect you to.
Many VPNs, by default, don’t protect or change your DNS traffic. This means that your ISP can still view and log every DNS query you make…and from that easily see which websites you’re using even if the actual traffic to those websites is encrypted and thus unreadable to them.
Bottom line: Make sure you aren’t leaking DNS requests while using a VPN.
VPN Meta-data usage
This should be obvious but your ISP will still have access to meta data such as when you turned on the VPN, when you turned off the VPN, how long you were connected to the VPN, which VPN service you used, which specific VPN server you connected to. This can provide enormous insight into where you were and what you might have been doing.
Furthermore, ISPs can still determine the VOLUME of traffic you’re generating and the shape of that traffic even if the actual traffic is encrypted. For example: I can 100% tell if you’re torrenting, when you’re streaming video and when you’re idle even if I can’t see what’s actually in the encrypted traffic.
The first couple can be mitigated by using multiple nested, different VPNs but traffic volume and patterns can’t be hidden.
Bottom line: meta data can and will be collected on your VPN usage.
Can you trust your VPN provider
When you’re using a VPN, you’re intentionally injecting another entity into your internet connection…one that can monitor and even manipulate all of your traffic. This raises a number of concerns.
- Does the VPN log your traffic? Even if they say that they don’t, how do you know for sure? This is unverifiable for most users and clients.
- Who owns and operates the VPN? It it a law enforcement honeypot designed to attract those using VPNs for illegal purposes so they can identify users and prosecute them? For law enforcement to identify and jail political dissidents?
- We know the CIA and other foreign intelligence services operate a number of “anonymous” VPN services. Are you sure that you’re not leaking sensitive traffic into the data warehouses of a foreign intelligence service?
- Using a VPN does make you more of a target. You’re not swimming with the other fishes. You may be more of a person of interest just by using it.
- Are your payments anonymous? If you’re paying for a VPN then all of your VPN usage and traffic can be linked back to your payment method. Used paypal or a credit card? They know exactly who you are. Used bitcoin? How did you on-ramp the bitcoin into your wallet — if you used Coinbase or similar they know who you are.
- Did you ever send personally identifiable information over a VPN – logged into a website, connected to google in any way, used webmail or similar? You’ve just linked your VPN access to those web accounts and online identities are notoriously easy to connect.
- VPNs can also manipulate packets being sent to you. This means they can insert advertising, spyware or malware of their own. You’re putting a lot of trust in a VPN company that they won’t do this.
Bottom line: You’re entrusting a third party with total access to all of your traffic. How much can you really trust them? Is the squeeze worth the juice?
Are VPNs different than private browsing
Yes, enormously. Private browsing just prevents the browser from sharing cookie data and other local storage data across browsing sessions. Private browsing is best used while on VPN but it absolutely does not replace being on a VPN.
Please be aware that private browsing does not make you anonymous even when used in conjunction with a VPN.
Bottom line: Private browsing doesn’t do much to actually make your browsing private from anyone other than your mother or spouse checking your browser history.
Identity leakage while using VPNs
There are almost an infinite number of ways that your identity can be leaked while using a VPN without you even knowing it. I’m going to list a few of the most common ones here but the solution to all of them is simple…if you need to stop identity leakage then you need to have an entirely separate computer running Linux (not Windows or OSX) that is exclusively used for your VPN activities. You never use that computer off the VPN and you never, ever transmit any personal information or personally identifiable information while using that computer. Ideally you never use that computer at home and only use it on free public wifi.
Samples of identity leakage over VPNs
- Your operating system, Windows or OSX, is phoning home constantly with information about you. It can share your location and an enormous information about how you use your computer. This all happens silently and in the background without your knowledge and without indication.
- Supply chain leaks – most modern software automatically phones home to check for updates. Often times in doing so it shares your identity or fragments of your identity. This information can be used to build a profile of you.
- Browser fingerprinting – almost every web browser is a unique combination of tens of thousands of individual settings. Various researchers and advertising agencies have used this fingerprinting to uniquely identify users across multiple websites without needing cookies or any other local storage or special permissions.
- Browser plugins – almost all browser plugins leak information by silently phoning home – some innocently doing their job and others more maliciously recording all your traffic to build a shadow profile of you so they can resell it to other companies or governments.
- Logging in – Any website that you log into without a VPN and then log into with the same credentials while on the VPN will instantly link your VPN and non-VPN usage. This information can be collected and used to make larger connections.
- Cookies and local storage – similar to logging in, these cookies send the same identity information on and off the VPN, connecting your non-VPN usage to your VPN usage. Private mode can mitigate some of this but not in a complete way.
This is obviously not an exhaustive list but should serve to make the point that you can’t rely on a VPN to become anonymous. It’s not Harry Potter’s invisibility cloak.
Bottom line: There are literally thousands of ways that you can leak your identity while using a VPN without even knowing you’re doing it. You’ll have to go above & beyond just using a VPN if you’re trying to be anonymous.
Subpoenas, legal requests and VPNs
What VPNs excel at is ensuring that your ISP does not have any knowledge of your traffic. This can be legally advantageous in certain cases when combined with a VPN that’s overseas and doesn’t keep logs.
The US Federal government likes to bypass 4th amendment protections enjoyed by its citizens by requesting traffic and communications logs from ISPs, telephone and cell phone carriers. By using a VPN regularly you cut that avenue of data collection out of the picture and force the government to try and subpoena the information from the VPN provider. If you’ve picked your VPN wisely then that VPN provider won’t keep any information worth handing over.
What VPNs hide from websites you’re connecting to
They hide your IP address and the region of the world that you’re coming from. Servers that you’re connecting to won’t see your IP address and won’t be able to look that up to estimate the region of the world you live in. To them, the connect appears to be coming from the VPN server and thus they see the VPN server’s IP address and region of the world that the VPN server’s ip address is associated with.
This is useful for obscuring part of your identity at a basic level and also circumventing region & country locking that some countries try to implement.
Bottom line: VPNs hide your IP address from the site you’re connecting to and nothing else. VPNs are not a complete privacy or anonymizing solution.