here's a lie people tell about vpns: they're the only way to keep you safe in a dangerous internet. they're a magic cryptographic solution to all your security and privacy concerns. you have to use them to be safe and anyone who doens't is a mark.

here's another lie people tell about vpns: they're useless. they don't do anything. they're real tech slapped onto a bundle of mumbo jumbo. there's no point in using them and anyone who does is a mark.

the truth about vpns is that they're not the omnipotent techno-wizardry protrayed in the ads, but they're also not pointless wastes of cash. the first group is maliciously trying to fearmonger you into wasting money, but that doesn't mean the other is accurate– just more moral. instead, vpns are moderately niche security tools that form one part of a complete security posture.

how vpns work

the first step to peeling back the aura of bullshit is explaining what vpns actually, concretely are. unfortunately that's quite hard to do, since they're like four levels deep into technobabble, but bear with me, please.

think of the internet like an enormous hedge maze. you're currently plugged into the internet at one specific spot, which is identified by your "ip address". the job of the internet is to route messages through the maze so you and websites can talk to each other – you send the site messages like "show me this webpage" or "initiate this purchase", and it sends back messages like "here's that webpage" or "OOPSIE WOOPSIE!!".

a vpn is like a pneumatic tube to another spot on the internet. it's fully enclosed, so people can't see inside it, though they can tell that messages are passing through it. when messages reach the end of the tube, they route as normal to the website. the end of the tube is called a "vpn server", and it can host tubes between itself and lots of users.

usually, though, you don't choose a single vpn server. instead you pick a country, or even just let the vpn service pick the server outright.

and… that's it. no, really, beyond all the marketing, a vpn is just a private route from you to some other spot on the internet, and then your messages continue as normal from there.

so… why?

there are a few reasons. first and foremost: you may not trust where you're plugging into the internet! for example, american isps are notorious for spying on their customers, manipulating webpages, etc. to mooch out a few extra dollars from subscribers that are already paying more for less.

the other primary danger for most people is stalking from the other end. your ip address is a pretty strong identifier which you can't change easily, and which is somewhat associated with your irl location. they won't get your exact gps coordinates from it, but they will know what town you're in, and maybe even what neighborhood.

but with a vpn, there are a few useful features:

1. because you're sending messages through the tube first, the way you're plugged into the internet doesn't matter. your messages are only in the open once they reach the other end of the tube, so no matter how much rent your isp seeks, they can't do anything about it.
2. because a lot of people are using the same server and every time you reconnect you get a new server, it becomes much harder to use the ip address for tracking. your "real" ip address is relatively stable and the grouping with other real people is, too; your choice of vpn server is much less so.

combined, these protect you from people trying to do malicious things with your internet connection.

but are they actually useful?

simply put: ip addresses and isp stalking aren't the whole threat. sure, it's not great that every website you visit gets your rough location, but if you have the facebook app on your phone and location services turned on, then they can get it whether you use a vpn or not, and so can every criminal, cop, and abusive ex who wants it.

this isn't the only reason people call vpns snake oil – we'll get to the third side of this coin in a second – but in my opinion it's the most salient thing to discuss: like any other security tool, vpns are only part of a solution. if you do everything else right, vpns don't matter much. if you do everything else wrong, vpns also don't matter much.

the thing is, though, it's hard to do everything else right. companies make a lot of money selling every piece of information they can find about you, and that incentivizes them to spy on everything all the time. your ip address is just one piece of information, yes, and it's easy to leak an even more valuable version of that information, yes, but using a vpn is still an incremental improvement.

and that's going to be the theme over these next couple sections. vpns aren't magic, they're an incremental improvement. for example:

but what about https?

those who know anything about tech know that most of your usage of the internet is already encrypted, thanks to the widespread adoption of "https". you may or may not have heard of it, but it's kind of a miracle, and it rules!

and like before, https prevents a lot of the danger that could also be addressed by a vpn – in some senses, more, since a vpn only goes from you to "somewhere else", where https goes all the way between you and the website.

for example, all that puffery about "passwords stolen on public wifi"? if everything is using https, that's literally impossible.

at the same time, though, https isn't a complete solution. first, some stuff still isn't using it, for some fucking reason. second, more saliently, a lot of stuff can't be hidden – for example, the domain name of the site you're connecting to more or less needs to be out in the open, since systems besides that website need to route you to the right place.

so again, vpns are an incremental improvement. with a vpn running, unencrypted traffic will be secure until the vpn server.

and in some cases, this can be really significant! for example, you might live in a place where being gay is a crime, and looking for a support network. your local internet is probably being spied on, but the vpn exit point might be in a freer country that doesn't care.

or it might be meaningless, because you're livetweeting every url you visit or, equivalently, signed into facebook and google while browsing.

but can you trust the vpn?

a fantastic question! and, indeed, the hardest one to answer.

the cop-out i'm going to give is "it depends on the service", because this post is already several hours overdue and i want to go to sleep, but also because i don't have it in me to litigate every single major vpn provider to decide whether they're "really secure™".

instead, here are a few things to watch out for:

• avoid free vpns like the fucking plague. some are legit, yes; they're provided with surplus revenue from paying customers. the vast, vast majority are making their money off of you.
• if it's a mobile app, carefully consider what permissions it's requesting. technologically, the only thing they need is internet access. if they're prompting you for location info, contacts, local files, whatever – chances are they're trying to spy on you.
• what do their legal agreements look like? privacy policies and terms of service aren't magic spells, but good companies will go out of their way to make legally binding promises about your data. bad companies will use standard, collect-it-all boilerplate.
• how transparent are their financials? do they explain every dollar they receive and spend? are they getting hefty sponsorships from facebook and beaucoup bucks from google or are they fully funded via paid subscribers?

at the end of the day, though, the vpn provider is just another company. you have to decide whether you trust them or not.

and this is especially important because the vpn server sees where you're sending messages from, and where they're going. if it's a paid vpn, they see that while knowing exactly who you are in real life. and if any of your apps sends sensitive information unencrypted, then they can see your location or passwords too.

in other words: all the trust you didn't have in your isp, you have to have in the vpn provider instead.

what else even is there?

maybe my favorite objection to vpns is "just use tor!" on the one hand: sure! that addresses some of the issues with vpns.

but a lot of sites block tor outright. i personally use it for a solid 95% of my web browsing, and it's extremely frustrating how often sites block it. there are a handful of reasons why and i won't get into them, but suffice to say, "just use tor" isn't the silver bullet some people imagine it to be.

vpns can also be blocked, as anyone who uses mullvad knows, but it's less likely and harder to do.

at the same time, tor does provide benefits. for example, tor isn't run by a single organization, so it's harder to corrupt and more obvious if it takes steps in a bad direction. instead it's run by a steering organization with servers donated by a few kajillion hundred volunteers.

for another, tor uses multiple "hops". you can think of it like setting up one tube, then sliding another tube through that to some third place on the internet – that way, the end of the first server only sees you connected to the second server, and the second only sees you coming from the first. neither knows both your real ip and who you're connected to.

for a third– actually, you know what, it's now even later and i'm more tired. suffice to say that tor does have advantages over vpns, but it's not as simple as "just use tor". if you can use tor, it's a great idea; if you can't, a vpn might be an acceptable substitute.

so what do i do?

well, first, consider your "threat model". that's the fancy security-speak for "the things you're worried about". this is a complex and multi-layered thing, but here's a reasonable start:

• what information do you want to keep private, and who do you want to keep it private from?
• who can currently access that information, besides you? (be a little paranoid with this step – it's better to check things that turn out not to matter than to miss the one place that really, really did)
• how might that information move from the folks who can access it to the folks you want to keep in the dark? remember – plenty of info gets leaked in hacks. it's not just legitimate usage that you need to worry about!
• what steps can you take to either revoke access from the people who currently have it or ensure they don't spread it around?

for example, let's say you don't like your current exact location being broadcasted, and you have an abusive ex who you're trying to avoid. well, your phone can access your location if location services are turned on, and thus so can every app on that phone with location permissions. some of those could be selling your location data to data brokers, and your ex might buy it from them.

so maybe step 1 is to simply turn location services off. instead of using gps mode, use google maps for directions. it's not a perfect solution – google can sell the information about the directions you asked for – but it's reducing the threat.

of course, the most crucial step is the hardest: check whether you've actually made any difference! because as it turns out, reliably testing your own privacy is hard. on purpose; companies really don't want you to be able to improve that, so they make it really hard to test how good any specific change is.

and that's another extremely long and complex subject that i am, again, dodging. this post was supposed to be about vpns. it's only talking about privacy in general because defusing the snake oil requires explaining the truth, and when you're being lied to about privacy, you need to understand what it actually means.

so let's leave it there, for now. you've got a few steps you can take to start considering your privacy, and a lot more information about vpns, specifically. i hope it helps! or at least, that it was interesting.

g'night!