Privacy Online

19/01/2021

VPNs: Don't Believe Everything You See or Hear Online!

You have probably heard of Virtual Private Networks (VPNs): ads and partnerships are everywhere. They can be — and are — used for legitimate purposes. Nevertheless, some claims made by some VPN companies' marketing departments aren't exactly true, or are even mostly false. You probably don't even need a VPN, and using one could be counterproductive.

In this article, we'll explore what VPNs are and why they were developed in the first place, the risks and myths about free and paid VPNs, but also why you probably don't need one.

What's a VPN?

Originally, VPNs were created for professional purposes. They were used to connect remotely and securely to an internal professional network.

The basic principle is that all of your internet traffic is redirected to an intermediary server before arriving at the end server.
It means that, in the end server's eyes, you are located where the intermediary server is.

In the original case, it means that the servers will think that you are directly connected to the internal network. This method is more secure than accepting remote connections directly, but we won't get into these details now.

However, the use case for mainstream VPNs is a bit different.

First of all, the goal isn't the same. Here, the service's aim is to "secure your connection against hackers", "hide your internet traffic from your ISP" or "unblock geo-restricted content".
That last one is similar to the original goal: make the end server believe you are somewhere you're not.

Why would you need a VPN?

If you intend to use a VPN to upgrade your security or encrypt your unencrypted traffic, there's no point. As PrivacyTools explains, VPNs cannot encrypt data outside of the connection between your device and the VPN server. So if your connection isn't encrypted before going through the VPN, it won't be after it either.

If you are looking for anonymity, you're not looking in the right place. You should go for self-contained networks like Tor for that.

VPNs only offer pseudonymity, not anonymity. A VPN only masks your real identity; it doesn't completely obfuscate it, meaning that the VPN provider can still see who you really are.
Besides, your VPN account can probably still be linked to your real identity: money leaves traces.

By using a VPN to hide your activity from your ISP, you are only transferring your trust from your ISP to the VPN company.

To be clear, here are a few legitimate use cases for VPNs:

  • Hide your browsing activity from your ISP or local network operator
    For example, if you want to hide your sexuality or personal questioning from your college administrators.

  • Access content from other countries or bypass censorship
    If you want to access the Netflix library of another country, or access your country's Netflix library while you're abroad. Or if you live in a censoring country, access restricted content.

  • Reliably block ads
    Most good VPNs offer an ad-blocking feature so you can enjoy the web without the hassle of ads.

Free VPNs

When you search for 'Free VPN' on any app store or just on the internet, you get many results with offers for "fast and unlimited VPN". While they may work for unblocking content, they generally have very weak privacy and security practices. If you see something like "ultra-fast tool providing totally free VPN proxy service", you should run in the other direction.

Concretely, they bring along security holes and vulnerabilities, logging (even when they say they don't), monitoring of your activity and viruses (sometimes).

"UFO VPN exposed millions of log files about users of its service, including their account passwords and IP addresses, despite claiming that it keeps no logs."
Source: Comparitech

So, in short, free VPN companies don't have very good security. They are also sometimes owned by shady companies and based in not-so-privacy-respecting countries like China. They also don't necessarily respect the rules of the store you download them from.

"Nearly 60% of popular free VPN apps were secretly Chinese-owned and [...] nearly 90% had serious privacy flaws. [...] 80% of the top free VPNs in the App Store are also in breach of Apple’s data sharing ban."
Source: Free VPN Investigations Update (August 2019), Top10VPN

Among the leaked data in the UFO VPN breach, you could find account passwords, IP addresses of users' devices, and even URLs that appear to be domains from which advertisements are injected into free users’ web browsers, meaning that the VPN was adding adverts to its users' browsing.

Totally free VPNs raise another very pertinent question: how do they keep their service going without having any income from users? Indeed, it is very expensive to run a wide network of servers in many countries around the world. To cover the operating cost and make a profit, the most likely option is advertising.

As mentioned above, Comparitech's research clearly shows that some free VPNs inject ads in users' web browsers. It is also probably safe to assume that they also sell collected data to advertisers.

As Comparitech pointed out in their report, most of the data found in the breach contradicts what UFO VPN's Privacy Policy says.

Having said all this, it's reasonable to prefer spending a few Euros extra on a paid VPN instead. But bear in mind that you probably don't need a VPN anyway.

Premium VPNs

We can include in 'premium' all VPNs which have a paid plan, so ProtonVPN, NordVPN, Surfshark, ExpressVPN, Ivacy, IVPN, PrivateInternetAccess, Mullvad...

Overall, premium VPNs have much better security. Because users need to pay to have access to the service, these companies automatically have money to spend on making a good and secure VPN.

On the other hand, privacy concerns can still be raised. Nothing is keeping them from eavesdropping and logging your activity. On that point, all you have to go on is how much you trust them. It is very important to do a background check on the VPN company to see if they have been involved in issues in the past and check their Privacy Policy — even if that has proven to not be foolproof. But it is also crucial to check what kind of marketing they do.

Most VPN companies like NordVPN, ExpressVPN and Surfshark use scare tactics in their marketing. Indeed, they try to frighten customers into buying the product. And in doing so, they often make false claims.

"The Advertising Standards Authority [...] has now told NordVPN not to repeat the advert's claims that public Wi-Fi is so insecure that it amounts to handing out your personal details to everyone around you."
Source: NordVPN rapped by ad watchdog over insecure public Wi-Fi claims, The Register

For example, they claimed that when you connect to free wifi, everything you send over the internet is visible to other people on the network and that hackers could get your bank details whenever you make a transaction.
Fortunately for everyone, that isn't true. Nowadays, most websites have 'https' and a little padlock in front of their address, meaning that the connection between your computer and the website is secure. On top of that, every iPhone app since 2016 and every Android app in 2018 use HTTPS.
When using that protocol, a hacker looking at your internet traffic would only be able to see which websites you connect to, but they will never be able to see the content of the request. So don't worry, your bank details and credit card information are most likely safe.

According to NeoReach, NordVPN was the single most viewed brand through sponsorships, and ExpressVPN was the brand which sponsored the most videos on YouTube.

To wrap up, should you need a VPN, here are two which seem to be among the most trustworthy and reliable:

  1. ProtonVPN
    Based in Switzerland, it is created by the team behind ProtonMail, while still being an independent company. That means if ProtonMail gets banned in a country, ProtonVPN can still operate their servers.

    ProtonVPN has a very clean and good history, has open-sourced all of its code (which is extremely rare for a VPN), and benefits from very good speeds and servers in 54 countries. It is also available on many devices, including Android TV, and offers a limited free plan.

  2. Mullvad
    Based in Sweden, Mullvad benefits from European privacy laws, like GDPR. Its parent company Amagicom is 100% owned by its two founders and active maintainers and has a good past record. Its mobile and desktop apps are open-source.

    It has the most privacy-respecting account creation method: there is no need to enter an email or password, only a randomly generated 16-digit account number is given to you. This will be the only thing needed to access your account.
    In addition to that, Mullvad accepts anonymous payment options: cryptocurrencies (Bitcoin and Bitcoin Cash), vouchers purchased in a store, and even cash.




More information: Honest VPN Advert by Tom Scott, Free VPNs are a privacy nightmare. You shouldn’t download them by WIRED UK.