If you live in the United States or any of the Five, Nine or Fourteen Eyes countries, you know that your privacy has recently come under great threat. I have also seen a lot of news lately about people paying for or using bad or fake VPN services, and I have gotten a lot of emails asking me questions about VPNs and being “anonymous online.” So much so that I decided to tackle what I think are some of the biggest VPN myths out there.
Before we jump into the myths, I want to take a second to address a few things. First, as I have mentioned before, privacy is best done in layers. The more layers you have, the more secure you are on the internet. There is no such thing as a 100 percent foolproof method of staying anonymous or being completely private. Second, I know many will disagree with this list, and with things I say in general about this issue. To that I say I welcome further discussion and debate. I am not perfect and I have a lot to learn, and I am always open to new ideas.
I can be anonymous on the Internet
Anonymity is defined as not being named or identified. You are not anonymous when you are online, even when using privacy tools like Tor, Bitcoin or a VPN. Every service has at least one piece of information that can be used to distinguish different users, whether it’s a set of IP addresses (VPN and Tor) or a wallet (Bitcoin). This information alone may not reveal any private details about the user, but it can be associated with other similar information to eventually identify an individual.
A VPN increases your privacy and security online, especially in a public setting. A VPN is similar to the curtains on the windows of your house. The curtains provide privacy for activities happening inside your house, even though your house address is public. Privacy is a more realistic goal with a VPN than anonymity.
Anonymity and privacy are the same
Services that claim to make you anonymous attempt to eliminate any identifying data (see first myth). However, services designed to protect privacy instead allow users to control access to their personal data, but do not eliminate all identifying data.
Internet users can use private web browsers, proxies, Tor, encrypted messaging clients, VPNs and other great tools to increase their privacy online. These privacy tools help defend against mass surveillance by governments or by private corporations trying to collect information for the government or for their own use. But none of these tools, alone or in any combination, makes you really anonymous. Online privacy is a more realistic goal, but full anonymity is a false promise. You can remain anonymous, but only for so long. After a while, if they were really after you, they would piece little bits together to find out who you really are (see link about browser fingerprints).
Edward Snowden has encouraged Internet users to focus on increasing privacy to defeat “mass surveillance:”
“…basic steps will encrypt your hardware and … your network communications [making] you…far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you, if the NSA is after you, they are still going to get you. (emphasis added) But mass surveillance that is untargeted and collect-it-all approach you will be much safer.”
My VPN provider advertises an “anonymous” service, so that means they don’t log any identifying information about me, right?
A VPN Provider in the UK that advertised an “anonymous service” on its website was outed for turning over customer information about a LulzSec Hacker to the authorities. As you will read below, limited VPN logging is not necessarily bad, as it helps the VPN provider troubleshoot customer issues, prevent abuse of its IP space and network and offer different VPN plans (such as multi-device or GB limited plans). But advertising one service and delivering another service is wrong.
Website: “surf anonymously”
Website: “PureVPN anonymous VPN service;” “makes you anonymous;” “anonymous web surfing”
“Furthermore, in the course of using PureVPN services, you or someone else on your behalf may give out information about yourself or give access to your system. This information may include, but not limited to:
- Names and IP addresses
- Operating systems
- Operational logs”
If your VPN’s terms of service say they don’t log, that means you are anonymous, right?
A VPN provider simply saying that it performs “no logging” does not guarantee online anonymity or privacy. Most systems or network engineers will confirm that some minimal logging is required to properly maintain and optimize systems or the network. In fact, any provider claiming “no logging” should cause you to immediately question what is happening with your private data. If a VPN provider kept absolutely no logs, they wouldn’t be able to:
- Offer plans with limits on GB usage or per user basis
- Limit VPN connections to 1, 3 or 5 on a per user basis
- Troubleshoot your connection or offer support for server-side problems
- Handle your DNS requests when using the VPN service. They might rely on a 3rd Party DNS provider that logs DNS requests
- Prevent abuse, such as spammers, port scanners and DDOS to protect their VPN service and their users
Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous
Anyone that runs server infrastructure knows running infrastructure with ZERO logs is extremely difficult, if not impossible. Now imagine how hard it would be to eliminate logging if you DIDN’T run your own infrastructure and instead rented your VPN servers and network from 3rd parties! Aside from Golden Frog, virtually all VPN providers in the world do not run their own infrastructure. Instead, VPN providers “rent” their servers and network from a “landlord,” such as a hosting company or data center. When the VPN provider “rents” instead of “owns,” how can it guarantee that its “landlord” will respect the privacy of its VPN users?
Just last year, a Dutch customer of a “no log” VPN Provider was tracked down by authorities by using VPN connection logs after using the “no log” VPN service to make a bomb threat. The VPN provider’s data center provider (“landlord”) apparently seized the VPN server at the direction of the authorities. The data center provider was also keeping network transfer logs of the VPN provider. The VPN Provider says they cancelled the contract with the data center but strangely didn’t address the other 100+ locations where they presumably rent VPN servers. Did they cancel contracts with those data centers too? Predictably, this same VPN Provider still prominently advertises an “anonymous VPN service” and claims it keeps “absolutely no logs.”
In the forum of a different VPN Provider, a discussion thread conveniently disappeared when a user questioned whether users can trust data centers to not log.
Some questions to ask about VPN Providers who “rent” servers include:
- How can the “Server Renters/Cloud” protect their users from their hosting companies taking snapshots of their machines for backup purposes, DDOS purposes, or at the direction of law enforcement?
- How can “server renters” prevent a live migration of the hosted VPN server in which an entire image is taken of the computer, including operating system memory and hard drive, especially when live migrations can be invisible to the VPN Provider?
- What happens to the data when the hosted machine is no longer used by the VPN provider?
- If you don’t own the server, how can you be sure your landlord doesn’t have a key or backdoor into the hosted server?
Even if my VPN provider doesn’t own and operate the network I can still be anonymous
Most VPN providers (except Golden Frog of course!) don’t run their own network and instead let hosting providers run the network for them. “Running your own network” means you own and operate the routers and switches. If your VPN provider does not run its own network, you are susceptible to their hosting company listening for traffic on both inbound and outbound connections. Listening to Internet traffic allows for a tremendous amount of correlation and identification of user activity.
For example, if you listen to two people talk in a restaurant you can learn enough from the conversation to identify who is talking, even if you don’t know their identity when you start listening. If a VPN provider does not run its own routers, then it can’t control who is listening to its users. Even worse, a “no-logging” VPN provider recently admitted that it used “packet sniffing” software to monitor traffic to prevent abuse.
Any VPN logging is bad
By logging a minimal amount of data, VPN providers can vastly improve your experience when using a VPN. VPN providers should only retain the minimum amount of data to operate their business and delete that data as soon as they don’t need it.
Minimal logging provides VPN users the following benefits:
- Improved speed and performance by allowing VPN providers to optimize network connections
- Improved reliability by allowing VPN providers to identify and fix low level service issues to prevent outages
- Troubleshooting of specific customer issues, including speed, connection and application issues
- Different levels of accounts to meet customer needs, such as connection limited accounts and byte limited accounts
- Protection against abuse from spammers, port scanners, DDOS, etc, so VPN providers can terminate customers who are abusing other Internet users
- Termination of malicious users so VPNs remain a respected Internet tool for preserving users’ right to privacy, and so VPN users are not blocked from websites and services
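To make the “minimum amount of data” point concrete, here is an added example (not code from any VPN provider) of session accounting that enforces a connection limit and a byte quota while retaining only two counters per account. The class and method names are hypothetical, and the account and session ids are constructed sample values.

```python
from dataclasses import dataclass, field

GB = 1024 ** 3


@dataclass
class Account:
    max_sessions: int   # plan limit on simultaneous connections
    quota_bytes: int    # plan limit on transfer for the billing period
    used_bytes: int = 0                       # running total, the only usage figure kept
    active: set = field(default_factory=set)  # opaque session ids, held only while connected


class MinimalAccounting:
    """Keeps per-account counters only: no source IP, destination, DNS name or timestamp."""

    def __init__(self):
        self.accounts = {}

    def add_account(self, account_id, max_sessions, quota_gb):
        self.accounts[account_id] = Account(max_sessions, quota_gb * GB)

    def connect(self, account_id, session_id):
        acct = self.accounts[account_id]
        if acct.used_bytes >= acct.quota_bytes:
            return "denied: quota exhausted"
        if len(acct.active) >= acct.max_sessions:
            return "denied: too many connections"
        acct.active.add(session_id)
        return "ok"

    def record_transfer(self, account_id, session_id, nbytes):
        acct = self.accounts[account_id]
        if session_id not in acct.active:
            raise KeyError("unknown session")
        # Only the aggregate is updated; nothing per-packet or per-site is stored.
        acct.used_bytes += nbytes

    def disconnect(self, account_id, session_id):
        # The session record is deleted as soon as it is no longer needed.
        self.accounts[account_id].active.discard(session_id)

    def retained(self, account_id):
        """Everything stored about an account, suitable for an audit or data request."""
        acct = self.accounts[account_id]
        return {"used_bytes": acct.used_bytes, "active_sessions": len(acct.active)}
```

Troubleshooting and abuse handling need more than this, which is where a short, stated retention window for any additional records matters.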
Myth #8
Privacy companies don’t collect or sell my data
I have noticed a disturbing trend of so-called privacy companies offering free services so they can snoop on users. Just because a company offers a privacy product or service does not mean they will keep your data private. This is especially true for companies that offer free services to users. When you use a privacy tool you are often required to give access to more information than the tool can protect, so you need to trust the company. Marketing companies have rushed into the privacy space and are abusing that trust. Here are some examples:
Onavo (by Facebook)
Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? Because the VPN functionality gives the app visibility into the network connection for the entire phone. Consequently, information such as URLs and app usage is exposed, and Facebook can examine user activity for their own purposes. The price of free is just too high.
Hola is yet another offender masquerading as a privacy company. Hola offers “secure browsing” to its users, but was recently revealed to be selling the bandwidth of its free users without their knowledge, effectively turning them into a botnet.
VPN Defender (by App Annie)
App Annie is a mobile analytics firm that collects and sells app usage data to companies, such as venture capitalists, for competitive research. App Annie bought VPN Defender last year, presumably, just like Facebook, so they could collect more app usage data. In the analytics industry, this practice is called “selling the insides.”
Myth #9
My VPN is not hosted in the United States so I am good to go right?
While having your VPN hosted outside the United States is a good idea, that alone does not mean the provider won’t cooperate with the US when push comes to shove. There are also countries that call themselves Five Eyes, Nine Eyes, and Fourteen Eyes countries that all share data among themselves (for more info on what they are and what they do, click here). While there are some “safe countries,” such as Hong Kong, Switzerland, and Panama, just to name a few, this is not foolproof either: anything can change at a moment’s notice, and all of a sudden your data is in the hands of the US government.
Tor is a better alternative than a VPN
Tor is frequently cited as an alternative to using a VPN. However, as several publications have correctly pointed out, Tor doesn’t make you anonymous. Even Tor admits that it can’t solve all anonymity problems and cautions users to proceed accordingly. Tor is difficult for the average Internet user to set up, and users often complain that Tor is slow. One publication even said “If you still trust Tor to keep you safe, you’re out of your damn mind.”
Tor has even accused the FBI of paying Carnegie Mellon $1 Million to use their “Tor-breaking research” to reveal the identity of some of the service’s users.