[Discussion] We should stop relating VPNs to a privacy tool. Isn't it making you more unique?

VPNs were never meant to be a privacy tool. As the name says, it basically connects you to another network “as if you were there,” through an encrypted tunnel. Also, it was never meant for web browsing. Hence, VPNs are useful if you, for example, are in a shady network and need to work on that corporate spreadsheet, do some maintenance on your corporate LDAP etc. As a corollary, it allows you to bypass geolocation. Let’s not delve into this, but if you are using it for copyrighted P2P stuff, it is still illegal, and VPNs are useful only for not getting those letters.

Now, let’s dive into this scenario: Suppose you live in Mexico and connect to a VPN server in, let’s say, Romania, and you are just browsing your regular stuff: local news, local blogs, some nsfw reddit etc. Your VPN is giving you the same IP address every time you connect. Who the hell else is accessing what you frequently do from Romania? Sysadmins can easily pinpoint you based on your IP. When you connect to a VPN server, you are effectively swapping your ISP for a dubious company offshore that claims “No logs!”. Instead of telling your ISP that you go to CNN.com, finance blogs, and Pornhub, you’re indicating that you only connect to a known VPN server elsewhere; pretty suspicious, right? (If your DNS is leaking, that makes it 100% useless).

Conclusion? We should redirect our efforts towards developing and sharing software and services that genuinely address privacy concerns, such as encryption, tracking blockers, spoofing User-Agent, Referer, Screen Canvas, etc., ultimately reducing fingerprinting. VPNs are merely easy money for companies that allow you to bypass geolocation when necessary.

To clarify, ‘more unique’ to whom? Your ISP can see you connecting to the Romanian server, but that’s about it. The local Mexican news site sees you connecting from Romania too, and to my knowledge, they wouldn’t be able to trace that back to you. The public-facing IP from the VPN is shared among all users on that server, which means there’s a lot of noise (e.g., the ‘person’ at that IP may also be visiting Canadian local news or other sites).

Plus, you don’t need to always connect from the same point. For instance, NordVPN has over 4,400 servers in over 60 countries, so today you could be ‘from’ Romania checking Mexican affairs, and tomorrow you’re ‘from’ South Africa.

At the end, you suggest we instead focus on ‘encryption’ when you noted at the beginning that VPNs create an ‘encrypted tunnel.’ This implies that VPNs are something worthwhile to focus on? I’m unsure what difference you intended to highlight. It also sounds like you’ve framed this as a zero-sum game where promoting VPNs leads to under-promoting other tools. VPN info is the top post here and highlighted on the privacytools website, but multiple other tools are recommended there as well.

I’m not an expert, but my understanding is VPNs are beneficial privacy tools, just one aspect of the overall solution. Is your concern that VPNs get too much emphasis, or that they aren’t useful? Your ISP inherently tracks everything you do online and likely sells that data, while a VPN helps you avoid this, making it useful.

@Tai
To add to this accurate comment, there are countries where data retention laws for internet and telecommunications have been ruled unconstitutional, alongside others where you can expect to be monitored by the state or its allies (look into the 5, 9, and 14 eyes zones).

Therefore, a VPN user may opt for a privacy-friendly country to avoid logging by ISPs.

@Peyton
> countries where data retention logs for internet and telecommunications are ruled unconstitutional

Which?

> Tavi said:
> @Peyton
> > countries where data retention logs for internet and telecommunications are ruled unconstitutional
>
> Which?

I did some research on this and wrote this post with some links and info at the end.
Living in Europe, my picks are Austria, Czech Republic, and Romania, but keep in mind the laws are always changing.

@Tai
This is a discussion post, not a verdict. Appreciate your input.

That’s my point. If you browse something regional, there’s a strong chance you’re the only visitor on a known VPN IP. There are countless VPN services, reducing the noise significantly. (Furthermore, the big names like PIA and NordVPN are, in my view, as ‘trustworthy’ as your ISP). If your fingerprinting entropy is ‘poor’, switching servers doesn’t help.

Would you prefer exposing (with a dynamic IP) that you visit CNN, Weather Underground, and NSFW sites just like the average user to your ISP, or that you only visit known VPN servers? It’s akin to not enabling the ‘Do Not Track’ feature in browsers. If you’re already blocking trackers, deploying that flag only makes you more identifiable.

The encryption on VPN servers is solely between your ISP and the server you’re connected to. VPNs were never intended for privacy. These companies provide something they cannot truly deliver; as I stated, it’s easy cash. The focus should be on tools like Veracrypt, Let’s Encrypt, spoofing metadata, and decentralization, among others.
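The two claims argued above (a shared VPN exit IP hides you among its other users; a rare browser fingerprint still singles you out when you switch exits) can be checked with a small calculation. This is an added example, not part of any post in the thread; the visit records, user names, IP addresses and fingerprint labels are all constructed.

```python
import math

# Constructed sample of what a site operator could observe. "user" is ground
# truth known only to us; IPs are documentation ranges, fingerprints invented.
VISITS = [
    # user,    source IP,      browser fingerprint
    ("alice", "203.0.113.10", "fp-rare-1"),   # VPN exit, day 1
    ("alice", "203.0.113.77", "fp-rare-1"),   # different VPN exit, day 2
    ("bob",   "203.0.113.10", "fp-common"),   # same VPN exit as alice
    ("carol", "203.0.113.10", "fp-common"),
    ("dave",  "198.51.100.5", "fp-common"),   # home line, no VPN
    ("erin",  "198.51.100.6", "fp-rare-2"),   # home line, no VPN
]

def anonymity_set(visits, user, observed):
    """Users indistinguishable from `user` when the observer keys on `observed`
    ('ip' or 'fp'): everyone who shares at least one observed value."""
    col = {"ip": 1, "fp": 2}[observed]
    values = {v[col] for v in visits if v[0] == user}
    return {v[0] for v in visits if v[col] in values}

def linked_ips(visits, fingerprint):
    """All source IPs that a single fingerprint was seen from."""
    return {ip for _, ip, fp in visits if fp == fingerprint}

def surprisal_bits(visits, fingerprint):
    """Identifying information of a fingerprint: -log2(share of users with it)."""
    users = {u for u, _, _ in visits}
    holders = {u for u, _, fp in visits if fp == fingerprint}
    return -math.log2(len(holders) / len(users))

if __name__ == "__main__":
    for who in ("alice", "dave"):
        print(who, "by IP:", sorted(anonymity_set(VISITS, who, "ip")),
              "| by fingerprint:", sorted(anonymity_set(VISITS, who, "fp")))
    print("fp-rare-1 seen from:", sorted(linked_ips(VISITS, "fp-rare-1")))
    print("fp-rare-1 bits:", round(surprisal_bits(VISITS, "fp-rare-1"), 2))
    print("fp-common bits:", round(surprisal_bits(VISITS, "fp-common"), 2))
```

In this sample the VPN user with a rare fingerprint is hidden among three users by IP but alone by fingerprint, and both exit IPs link back to the same browser; the home user with a common fingerprint is the reverse case.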

@Fifer
Your ISP is motivated to log and sell your browsing history, attaching it to your identity (from account information).

Your VPN might not even know who you are, and they have a disincentive to log or sell that info.

> Would you rather expose (with a dynamic IP) that you visit CNN, Weather Underground, and NSFW sites like the average person or that you only access known VPN servers?

What good does it do for your ISP to know you connect only to VPN servers? We aren’t just trying to appear innocent to a government authority; we seek to prevent a corporate entity from collecting and monetizing our data.

@Fifer
I was trying to talk about that; I’m new to Reddit, so I might not fully grasp all the community interaction patterns yet, and I apologize if it seemed otherwise. However, I did see some of your posts as “verdicts” (like saying, “We should stop relating VPNs to a privacy tool.” in the title).

I think your observation about PIA and NordVPN being (potentially) just as admin-friendly as an ISP is worth considering. For me, the biggest counterpoint is that we know our ISPs track us and profit from our data. Major VPNs might do the same, but they assert in their privacy policies that they won’t log anything and keep minimal info (like an email and credit card, or cash if that’s how you pay). Meanwhile, ISPs generally do the opposite. That disparity is worth $3/month in my view to obtain a VPN—I’d prefer to trust those who might be dishonest and at least claim in a contract that they don’t keep logs, rather than an honest ISP who says they do.

I’m still puzzled by your closing remarks. To my knowledge, the tools you referenced don’t help against ISP tracking your browsing activities (though I think Let’s Encrypt protects against your ISP seeing specific contents from those sites.). There’s no reason to avoid using many or all of those tools simultaneously (not that I’m advocating for it, but, for example, Mysterium markets itself as an open-source, decentralized VPN). Are you implying ISP tracking or sales is not a privacy concern enough that we shouldn’t use VPNs, and instead only rely on other tools to address “true” privacy threats?

> We should shift our efforts towards developing and sharing software and services that genuinely address privacy concerns, such as encryption, tracking blockers, spoofing User-Agent, Referer, Screen Canvas, etc., ultimately reducing fingerprinting.

Why can’t we pursue both?

Using a VPN is an improvement because it conceals your traffic from your ISP, a company that has access to your name, address, phone number, and potentially your banking details. Your VPN provider doesn’t have to gather any of that info.

Plus, at least in the USA, ISPs have been known to sell information or even inject ads.

Besides, changing VPN providers is straightforward compared to switching ISPs.

So yes, utilizing a VPN is preferable to not using one.

> Your VPN provides the same IP address on each connection.

Not entirely accurate from session to session, if that’s what you mean by ‘connect.’ Each time I connect to the same VPN server, I get assigned a different IP. However, while connected, the same IP remains used for all site connections.

It seems you might be blurring the lines between privacy and anonymity. Using a VPN aims to stop your ISP or a government body from monitoring your online activity, not to render you anonymous. Clearly, if you log into Gmail and Pornhub while using a VPN, each site knows that you’re utilizing their services. Still, your ISP won’t have insight into the fact that you’re visiting both sites.

> When connecting to a VPN server, you change your ISP for a sketchy offshore company that claims ‘No logs!’.

I agree that, ultimately, you need to trust your VPN provider not to log your behavior. The difference is that the privacy-focused VPN market is very competitive (you have limited choices for ISP based on your locality, but VPNs can be based almost anywhere). If a provider suddenly logs your activities, they would lose most of their clientele because of the severe backlash. As a result, they have an incentive to uphold a no-log policy.

Indeed, not all VPNs are created equal, and some may undermine your privacy or security. If you disclose your ISP’s IP or other details revealing your location or ISP, then a VPN could further contribute to your identification. VPNs should only be employed if you trust the provider and have mitigated risks of leaks through methods like preventing WebRTC and other fingerprinting techniques. I like to conceptualize it as follows:

Direct < Proxy (HTTP/HTTPS) < SOCKS Proxy < VPN (public) < VPN (Private) < TOR/I2P*

*Tor/I2P can potentially be observed, but there are strategies to make this more challenging for an adversary, including public networks and TOR bridges.

Edit: On DNS, employing DNS over VPN, via Tor, or DNSSEC/DNSCrypt can assist in protecting against that. When using a VPN for privacy, all traffic should ideally be routed through it.

Tl;dr: Only if you’re not utilizing them appropriately, or if the VPN provider is malicious or coerced.

> Suppose you live in Mexico and connect to a VPN server in Romania, just browsing your typical sites: local news, local blogs, some nsfw reddit, etc. Your VPN provides the same IP every time you connect. Who else is doing what you typically do from Romania?

But consider you are in Mexico and connecting bareback from your home IP, say 421.12.54.75, visiting your regular news, weather, and NSFW reddit. Who else is also doing that from 421.12.54.75? The uniqueness is no greater when you leverage a VPN.

I’ve been stating for three years that VPNs are overrated; it’s entertaining how much praise they receive.

> Dallas said:
> I’ve been stating for three years that VPNs are overrated; it’s entertaining how much praise they receive.

I don’t understand why they’re seen as overrated. They accomplish exactly what they claim, at least regarding the protocol’s intent. If people believe they turn you into a ghost, that’s on them.

The entire situation is quite dubious.