Is My Friend Right About VPNs Not Being Safe Anymore?

I have a friend who works in IT and runs servers.
His view is that VPNs are no longer safe and not worth the investment.

But why does he think that?
He claims the ISP keeps a record of the key for the AES-256 that the VPN uses.
I mentioned private exchanged keys, but that wasn’t a strong argument.
I mean, sure, AES-256 isn’t the best, but can an ISP really break that easily?

I think he’s being a little too paranoid.
A VPN connection might look suspicious to an ISP, but really, what are they going to do?
Spend resources figuring out what VPN users are doing?

Edit: I didn’t expect this to get so many responses.
From what I’ve gathered, a VPN is still better than not using one in 95% of situations.
Even if some VPN providers might know what you do, the best ones don’t share any info or can’t access any info at all.

It’s true that the VPN provider knows your online activities. You depend on them to keep your data safe, but they’re usually more trustworthy than ISPs.

Zimri said:
It’s true that the VPN provider knows your online activities. You depend on them to keep your data safe, but they’re usually more trustworthy than ISPs.

That’s what I was thinking.

@Marley
Reputable VPNs use servers that physically can’t store your data.

Also, there are many VPNs that have been raided by authorities and did not have to provide any data, not because they refused, but simply because they had none.

@Denali
That doesn’t stop real-time monitoring.

Oren said:
@Denali
That doesn’t stop real-time monitoring.

True, but that applies more to the ISP or your device, not really the VPN itself.

Denali said:

Oren said:
@Denali
That doesn’t stop real-time monitoring.

True, but that applies more to the ISP or your device, not really the VPN itself.

Or the VPN provider… traffic is the same at the exit point of both the VPN and the ISP.

Zimri said:
It’s true that the VPN provider knows your online activities. You depend on them to keep your data safe, but they’re usually more trustworthy than ISPs.

How can you be sure of that? A lot of them might just be traps.

Denali said:
@Oren
A VPN isn’t going to protect you if the government is specifically looking into you. It’s not designed for that.

But your data could still be collected unintentionally by the state or other bad actors. Just don’t think of a VPN as a total shield. It’s still on an untrusted network.

@Oren
I wouldn’t call it untrusted by default, especially if the company is reputable; it’s definitely better than an ISP, but it’s not perfect.

Apologies if my comments seemed aggressive; that wasn’t my intent.

@Denali
Any network you don’t have control over, or the encryption endpoints, should be viewed as untrusted. That’s a good rule to always remember.

@Oren
While it could be hard for them to monitor, the VPN could still pursue legal action against them if discovered.

Yes, there’s risk in everything, but just because something bad might happen doesn’t mean you should live in fear.

Using hypotheticals to downplay everything isn’t a useful approach.

In theory, you could join the government and create strong privacy laws. So why aren’t you doing that?

Sorry if that came off the wrong way.

@Denali
I mean a tap on the VPN provider’s endpoints, whether that’s by a bad actor or the government.

Not hostile, but maybe missing some key points. VPNs are good for certain situations, but they’re not all-purpose solutions.

@Marley
Try using two VPNs along with Tor. Tor may break your single VPN, but using two VPNs with Tor could encrypt your data from the first VPN while keeping your ISP from seeing where your data goes after that. You can find the right setup online. With the correct configuration, your ISP can’t see your data or its source, and the VPN provider also can’t read the data. Of course, the VPN might know where the data is coming from, but that info would be lost after the second VPN. This setup might be breakable, but it’s rarely done; I’ve only read about one instance where the FBI went to such lengths, though I’m sure there are more.

@Layne
Lol, no. That’s not how it works at all. Using a VPN with Tor is actually worse, and using multiple VPNs doesn’t help.

Seriously, not a good idea.

@Layne
Wait, what?

@Layne
That makes no sense at all.

@Layne
How do you use them in order?

@Layne
If you use Tor with Tails OS, that should give you enough security.

@Marley
I think you both have different views here.

Your VPN provider knows your activities. You’re counting on them to have the right processes to avoid handing over logs. They may be vulnerable to legal requests, so trusting them can be tricky.