10 VPN Myths Everyone Should Know

Posted on Apr 14 2017 - 9:52pm by TekGuru

Recently if you live in the United States or any of the Five, Nine or Fourteen eyes countries  you know that your privacy is under great threat. I have also seen a lot of news lately about people paying or using bad or fake VPN services, I have also gotten a lot of emails asking me a lot of questions about VPN and being “anonymous online.” So much so that I decided to tackle on some of what I think are the biggest VPN myths out there.

Before we jump into the myths, I just want to take a second and address a few things. First thing and I have mentioned this before privacy is best done in layers. The more layers you have the more secure you are on the internet. There is no such thing as 100 percent full proof method of staying anonymous or being completely private. Second thing I want to address is that I know many will disagree with this list and just something I say in general about this issue. To that I say I welcome the further discussion and debate. I am not perfect and I have a lot to learn, and I am always open to new ideas.

Myth #1

I can be anonymous on the InternetImage result for become anonymous online

Anonymity is defined as not being named or identified. You are not anonymous when you are online, even when using privacy tools like Tor, Bitcoin or a VPN. Every service has at least one piece of information that can be used to distinguish different users, whether it’s a set of IP addresses (VPN and Tor) or a wallet (Bitcoin). This information alone may not reveal any private details about the user, but it can be associated with other similar information to eventually identify an individual.

Several publications have correctly pointed out that neither Tor nor Bitcoin make you anonymous.

A VPN just increases  your privacy and security online especially in a public setting. A VPN is similar to the curtains for the windows of your house. The curtains provide privacy for activities happening inside your house, even though your house address is public. Privacy is a more realistic goal with a VPN, not anonymity so much.

Myth #2

Anonymity and privacy are the same

Image result for Anonymity vs privacyServices that claim to make you anonymous attempt to eliminate any identifying data (see first myth). However, services designed to protect privacy instead allow users to control access to their personal data, but do not eliminate all identifying data.

Internet users can use private web browsers, proxies, Tor, encrypted messaging clients, VPNs and other great tools to increase their privacy online. These privacy tools help defend against mass surveillance by governments or by private corporations trying  to collect information for the government or for their own use. But none of these tools, alone or in any combination, make you really  anonymous. Online privacy  is a more realistic goal, but full anonymity is a false promise. You can remain anonymous but only for so long. After a while if they were really after you they would piece little bits together to find out who you really are (see link about browser fingerprints)

Edward Snowden has  encouraged Internet users to focus on increasing privacy to defeat “mass surveillance:”

“…basic steps will encrypt your hardware and … your network communications [making] you…far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you, if the NSA is after you, they are still going to get you. (emphasis added) But mass surveillance that is untargeted and collect-it-all approach you will be much safer.”

Myth #3

 VPN provider advertises an “anonymous” service, that means they don’t log any identifying information about me right?

Well actually this can be quite false. As a matter of fact several VPN providers advertise an “anonymous service” on the marketing pages of their website, but have terms in the fine print of their privacy policy indicating they do log.

A VPN Provider in the UK that advertised an “anonymous service” on its website was outed for turning over customer information about a LulzSec Hacker to the authorities. As you will read below, limited VPN logging is not necessarily bad, as it helps the VPN provider troubleshoot customer issues, prevent abuse of its IP space and network and offer different VPN plans (such as multi-device or GB limited plans). But advertising one service and delivering another service is wrong.

Here are some examples of VPN providers’ marketing messages that appear to contradict the fine print on the Privacy Policy page:

  • Express VPN:

    Website: “surf anonymously”

    Privacy Policy: “In addition to the information you provide through our order-form, we may store the following pieces of data: IP address, times when connected to our service, and the total amount of data transferred per day. We store this to be able to deliver the best possible network experience to you. We keep this information secure and private. If we receive complaints regarding copyrighted materials such as music and movies being shared over our network, we may filter traffic to see which account is sending it, and then cancel that account.”

  • Pure VPN:

    Website: “PureVPN anonymous VPN service;” “makes you anonymous;” “anonymous web surfing”

    Privacy Policy: “…we will never release any information about you or your account to anyone except law enforcement personnel with the proper documentation and paperwork.”

    “Furthermore, in the course of using PureVPN services, you or someone else on your behalf may give out information about yourself or give access to your system. This information may include, but not limited to:

    • Names and IP addresses
    • Operating systems
    • Operational logs””

Myth #4

If you VPNs terms of service say they don’t log that means you are anonymous right?

All a VPN provider simply says when they perform “no logging” it does not guarantee online anonymity or privacy. Most systems or network engineer will confirm that some minimal logging is required to properly maintain and optimize systems or the network. In fact, any provider claiming “no logging” should cause you to immediately question what is happening with your private data. If a VPN provider kept absolutely no logs, they wouldn’t be able to:

  • Offer plans with limits on GB usage or per user basis
  • Limit VPN connections to 1, 3 or 5 on a per user basis
  • Troubleshoot your connection or offer support for server-side problems
  • Handle your DNS requests when using the VPN service. They might rely on a 3rd Party DNS provider that logs DNS requests
  • Prevent abuse, such as spammers, port scanners and DDOS to protect their VPN service and their users

Myth #5

Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous

Anyone that runs server infrastructure knows running infrastructure with ZERO logs is extremely difficult, if not impossible. Now imagine how hard it would be to eliminate logging if you DIDN’T run your own infrastructure and instead rented your VPN servers and network from 3rd parties! Aside from Golden Frog, virtually all VPN providers in the world do not run their own infrastructure. Instead, VPN providers “rent” their servers and network from a “landlord,” such as a hosting company or data center. When the VPN provider “rents” instead of “owns,” how can it guarantee that its “landlord” will respect the privacy of its VPN users?

Just last year, a Dutch customer of a “no log” VPN Provider was tracked down by authorities by using VPN connection logs after using the “no log” VPN service to make a bomb threat. The VPN provider’s data center provider (“landlord”) apparently seized the VPN server at the direction of the authorities. The data center provider was also keeping network transfer logs of the VPN provider. The VPN Provider says they cancelled the contract with the data center but strangely didn’t address the other 100+ locations where they presumably rent VPN servers. Did they cancel contracts with those data centers too? Predictably, this same VPN Provider still prominently advertises an “anonymous VPN service” and claims it keeps “absolutely no logs.”

In the forum of a different VPN Provider, a discussion thread conveniently disappeared when a user questioned whether users can trust data centers to not log.

Some questions to ask about VPN Providers who “rent” servers include:

  • How can the “Server Renters/Cloud” protect their users from their hosting companies taking snapshots of their machines for backup purposes, DDOS purposes, or at the direction of law enforcement?
  • How can “server renters” prevent a live migration of the hosted VPN server in which an entire image is taken of the computer, including operating system memory and hard drive, especially when live migrations can be invisible to the VPN Provider?
  • What happens to the data when the hosted machine is no longer used by the VPN provider?
  • If you don’t own the server, how can you be sure your landlord doesn’t have a key or backdoor into the hosted server?

Myth #6

Even if my VPN provider doesn’t own and operate the network I can still be anonymous

Most VPN providers (except Golden Frog of course!) don’t run their own network and instead let hosting providers run the network for them. “Running your own network” means you own and operate the router and switches. If your VPN provider does not run its own network, you are susceptible to their hosting company listening for traffic on both inbound and outbound connections. Listening to Internet traffic allows for a tremendous amount of correlation and identification of user activity.

For example, if you listen to two people talk in a restaurant you can learn enough from the conversation to identify who is talking – even if you don’t know their identity when you start listening. If a VPN provider does not run its own routers, then it can’t control who is listening to its users. Even worse, a “no-logging” VPN provider recently admitted that it used a “packet sniffing” software to monitor traffic to prevent abuse.

 

Myth #7

Any VPN logging is bad

By logging a minimal amount of data, VPN providers can vastly improve your experience when using a VPN. VPN providers should only retain the minimum amount of data to operate their business and delete that data as soon as they don’t need it.

Minimal logging provides VPN users the following benefits:

  • Improved speed and performance by allowing VPN providers to optimize network connections
  • Improved reliability by allowing VPN providers to identify and fix low level service issues to prevent outages
  • Troubleshooting of specific customer issues, including speed, connection and application issues
  • Different levels of accounts to meet customer needs, such as connection limited accounts and byte limited accounts
  • Protection against abuse from spammers, port scanners, DDOS, etc, so VPN providers can terminate customers who are abusing other Internet users
  • Termination of malicious users so VPNs remain a respected Internet tool for preserving users’ right to privacy, and so VPN users are not blocked from websites and services

 

Myth #8 New

Privacy companies don’t collect or sell my data

Image result for customer dataI  have noticed a disturbing trend of “so-called” privacy companies offering free services so they can snoop on users. Just because a company offers a privacy product or service does not mean they will keep your data private. This is especially true for companies that offer free services to users. When you use a privacy tool you are often are required to give access to more information than the tool can protect, so you need to trust the company. Marketing companies have rushed into the privacy space and are abusing that trust. Here are some examples:

  • Onavo (by Facebook)

    Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? Because the VPN functionality gives the app visibility into the network connection for the entire phone. Consequently, information such as URLs and app usage is exposed, and Facebook can examine user activity for their own purposes. The price of free is just too high.

    Privacy Policy: “When you use the Apps, you choose to route all of your mobile data traffic through, or to, Onavo’s servers. As a result, we receive information regarding you, your online activities, and your device or browser when you use the Services.”

  • Hola

    Hola is yet another offender masquerading as a privacy company. Hola offers “secure browsing” to its users, but was recently revealed to be selling the bandwidth of its free users without their knowledge, effectively turning them into a botnet.

    Privacy Policy: “The Personal Information we collect and retain include your IP address, your name and email address in case you provide us with this information (for instance when you open an account or if you approach us through the “contact us” option), screen name, payment and billing information (if you purchase premium services) or other information we may ask from time to time as will be required for the Services provisioning.”

  • VPN Defender (by App Annie)

    App Annie is a mobile analytics firm that collects and sells app usage data to companies, such as venture capitalists, for competitive research. App Annie bought VPN Defender last year presumably, just like Facebook, so they could collect more app usage data. In the analytics industry, this practice is called “selling the insides.”

    Privacy Policy: “Analyzing your use of mobile applications and data, which may include combining such information (including personally identifying information) with information we receive from Affiliates or third parties; Providing market analytics, business intelligence, and related services to Affiliates and third parties; Operating the Services, such as virtual private networks and device monitoring.”

Myth #9 New

My VPN is not hosted in the United States so I am good to go right?

While having your VPN hosted outside the United States is a good idea, just because it is does not mean it still won’t cooperate with the US when push comes to shove. There are also countries that call themselves five eyes, nine eyes, and fourteen eye countries that all share data among themselves ( for more info on what they are and what they do click here). Now while there are some “safe countries” such as Hong Kong, Switzerland, and Panama just to name a few. Again this is not full proof either, anything can change at a moments notice and all of the sudden your data is in the hands of the US government.

Myth #10

Tor is a better alternative than a VPN

Myth #10Tor is frequently cited as an alternative to using a VPN. However, as several publications have correctly pointed out, Tor doesn’t make you anonymous. Even Tor admits that it can’t solve all anonymity problems and cautions users to proceed accordingly. Tor is difficult for the average Internet user to setup, and users often complain that Tor is slow. One publication even said “If you still trust Tor to keep you safe, you’re out of your damn mind.”

Tor has even accused the FBI of paying Carnegie Melon $1 Million to use their “Tor-breaking research” to reveal the identity of some of the service’s users.

About the Author

I love anything that is tech related, gaming, science, movies ect. I am the owner and founder of AllThatTek.

1 Comment so far. Feel free to join this conversation.

  1. Billy bob April 16, 2017 at 1:04 am - Reply

    Great post with solid information and examples. I would really like an entire post dedicated to myth 8 that has a more comprehensive list of ‘privacy’ companies that abuse users trust.

Leave A Response