negative zero

Should you Use a VPN?

2020 November 23

[opinion] [privacy] [tech] [vpn]


This post is intended to be accessible to a not-super-technical audience.

Virtual Private Networks (VPNs) are all the rage these days. VPN companies are even sponsoring podcasts and videos completely unrelated to computers. There's a lot of information out there, and a lot of it is written or paid for by companies who benefit from you believing you need a VPN. So maybe they don't have your best interests at heart when they tell you how important their services are.

People sometimes ask me, "Should I use a VPN?" There's a good chance you don't need a VPN, but it's also possible you should be using one in certain situations. Hopefully this post will help you understand what a VPN actually does and whether or not it's the right choice for you.

In practice, the term VPN is used to describe one of two things:

  1. The thing you use to log into your school or work network from home
  2. An encrypted proxy

This post is about the second meaning, which has been widely adopted by companies that want to sell proxy services. These services are generally promoted for security or privacy reasons, often claiming they will protect your data from hackers or make you anonymous or "invisible" on the internet. A lot of it is misleading advertising, but there are some legitimate uses for this type of service.

To understand whether or not you should use a VPN, I think you really need to understand what a VPN is and what problems it addresses. I'll try to explain this through an analogy to the postal service, which I expect will help most readers relate to and understand it.


Postal Service Analogy

The internet is like the postal service. Suppose you sent a letter to some organization, and they're sending you a response.


Threat Model

You're concerned for the privacy of this letter. Maybe it's something sensitive, or maybe you just have a healthy appreciation for people not rifling through your mail. Who's to say? But here are some privacy concerns:

  1. [Porch] After the letter arrives, before you bring it into your house, your neighbors might see or tamper with it.
  2. [Postal Service] The postal service might see or tamper with it before they deliver it (either as a matter of policy, or as the action of a rogue employee).
  3. [Contact] Your contact knows (at the very least) the nature of the correspondence and where you live.

The "postal service" may be more than one organization. You can't know all the infrastructure that carries your mail from your contact to your house. We're abstracting away the steps between your contact and the postal service because those steps are not visible to you. All you really know is which organization delivers the letter to you.


Normal Protections

In most cases, you already have some privacy protections in place:

  1. [Porch] You might have a mailbox or something like that which protects your letter from prying eyes. Maybe you even have one of those slots in your front door so the mail carrier can drop the letter directly into your house.
  2. [Porch] The letter could be in an envelope, so your neighbors can't see what's inside.
  3. [Postal Service] The letter could be in an envelope, so the shipping service can't see what's inside. The postal service will still know the sender and recipient.

Perspective

In most cases, letters are shipped in envelopes, so we don't need to worry about the postal service or our neighbors reading our letter. In this analogy, let's assume most people's home mailboxes are safe from prying eyes, but if you're receiving mail somewhere other than your house, you might not be so sure.


Victor's Mail Forwarding Service

Your friend Victor offers a service to mitigate some of these privacy concerns. It's very simple: You can list his address instead of yours, so he will receive the letter instead. He will then put the letter into an envelope and ship it to you. Here are the privacy implications:

  1. [Porch] Your letter is in an envelope, so your neighbors can't read it.
  2. [Postal Service] Your letter is in an envelope, so the postal service can't read it. The postal service also only knows you received an envelope from Victor, not the original sender. (Victor may, however, have used the same postal service as your correspondent, so they may be able to associate the two letters.)
  3. [Contact] Your contact now has Victor's address, instead of yours.
  4. [Victor] Victor now knows who's sending you mail, and if the mail does not come in an envelope, he can read it. How much do you really trust Victor?

In some cases, Victor's service might be useful to you, but in most cases, the protections it provides are unnecessary. Again, most letters already come in envelopes.

(Small detail: If Victor receives a letter that's already in an envelope, he doesn't open it, but he puts it in a second envelope and mails the letter in both envelopes to you.)


How the Internet Works

Now let's connect this analogy. When you use the internet, your computer is sending and receiving information to/from a server, which is just another computer somewhere. The two computers talk to each other, but they're not directly connected to each other, so they need to use infrastructure (like the postal service) which they don't own or trust and which may not be secure.

So we want to make sure we're protecting our "letters" from snoops between the sender and the recipient. This will mirror our postal service analogy.


Threat Model

Our key points of concern are the router, the internet service provider (ISP - this is your internet company, such as Comcast, AT&T, or Mediacom), and the server your computer is talking to. Our goal is to get the message from the server to our computer without anyone being able to read or modify its contents.

Here are places where we're concerned:

  1. [Router] If we're using Wi-Fi, other people connected to the same Wi-Fi network might be able to read your messages.
     (This is analogous to your neighbors reading your mail if the mail carrier leaves it on your doorstep.)
  2. [ISP] Your internet service provider is the infrastructure that connects you to the internet. They might be able to read your messages.
     (This is analogous to the postal service which delivers your mail.)
  3. [Server] The server knows (at the very least) what your computer says to it and your IP address (which is the digital equivalent of a home address - you probably share it with the people in your house, but it identifies you pretty uniquely).
     (The server is your contact, and in the context of the internet, it is literally another computer owned by another person or organization. You may not want that person or organization to know what you did on their site.)

Again, we're abstracting away the extra infrastructure between your ISP and the server.


Normal Protections

In most cases, you already have some privacy protections in place:

  1. [Router] You might have a secure connection to the router.
     (This is like the mailbox which protects your mail after the postal service delivers it.)
  2. [Router] If you're connected to a site using HTTPS, your messages are protected even if your connection to the router is insecure.
  3. [ISP] If you're connected to a site using HTTPS, your ISP can't read your messages. (It will still know which servers you talk to, but not what you say.)

HTTPS is like the envelope your contact uses to protect the letter.


Perspective

In 2020, most websites use HTTPS. I don't have statistics, but I would guess most routers also use secure connections, unless they're designed to be accessible to anyone. In most cases, you don't have to worry about your ISP (the "postal service") or other people on the same Wi-Fi network (your "neighbors") reading your mail because most people use envelopes.


VPNs

Finally, we reach the actual explanation of what a VPN is. The VPN is like Victor. It's an additional server which stands as an in-between and forwards mail on your behalf. It gets the message from the server, wraps it up in a layer of encryption so no one can intercept and read it before it gets to you, and sends it on to you.

Here are the privacy implications:

  1. [Router] The messages between you and the VPN are encrypted, so eavesdroppers connected to the same network will not be able to read your messages.
  2. [ISP] The messages between you and the VPN are encrypted, so your ISP will not be able to read your messages.
  3. [Server] The server now has the VPN's IP address associated with your activity, instead of your IP address.
  4. [VPN] The VPN now knows what you're doing. It has essentially just become your new ISP.
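
The envelope picture above can be written out as a small model. This is an added illustration, not code from the original post; the names (`Envelope`, `build`, `learns`, `exposure`) and the sample letter are made up for it, and it models who can open which envelope rather than doing any real networking.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass
class Envelope:
    dst: str                        # address written on the outside
    key: Optional[str]              # who can open it; None = postcard (no encryption)
    inner: Union["Envelope", str]   # another envelope, or the letter itself

def build(https: bool, vpn: bool) -> Envelope:
    """The message as it leaves your computer (constructed sample content)."""
    pkt = Envelope("site", "site" if https else None, "card number")
    if vpn:  # Victor's extra envelope, addressed to and sealed for the VPN
        pkt = Envelope("vpn", "vpn", pkt)
    return pkt

def learns(pkt: Envelope, observer: str) -> dict:
    """Peel every envelope the observer can open and report what it learns."""
    seen, content, layer = set(), None, pkt
    while isinstance(layer, Envelope):
        seen.add(layer.dst)
        if layer.key is not None and layer.key != observer:
            break                   # sealed for someone else
        layer = layer.inner
    else:
        content = layer             # reached the letter
    return {"knows_site": "site" in seen, "reads_content": content is not None}

def exposure(https: bool, vpn: bool, open_wifi: bool) -> dict:
    pkt = build(https, vpn)
    out = {"isp": learns(pkt, "isp")}
    if open_wifi:                   # a secured Wi-Fi link hides the packet from neighbors
        out["wifi neighbor"] = learns(pkt, "wifi neighbor")
    if vpn:
        out["vpn"] = learns(pkt, "vpn")
    out["address the server sees"] = "vpn" if vpn else "you"
    return out

if __name__ == "__main__":
    for https in (False, True):
        for vpn in (False, True):
            print(f"https={https} vpn={vpn}:", exposure(https, vpn, open_wifi=True))
```

With a VPN, the `vpn` entry matches what the `isp` entry was without one: the trust has moved to a different company rather than disappeared.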

Why are VPNs Useful?

Now with this understanding, let's explore the reasons to use a VPN. There are basically three:


1. Security

When VPN companies say their service "protects you from hackers", they're talking about a very specific combination of circumstances:

  1. You're transmitting sensitive data
  2. Your connection to the site is insecure (not HTTPS)
  3. Your connection to the router is insecure (e.g., public Wi-Fi)

It's true that if you, for example, send your credit card number to a site over insecure HTTP using McDonald's Wi-Fi, someone else at that McDonald's might get your credit card details. But in 2020, most websites support HTTPS, and certainly all banks and web stores should. So this is largely selling a solution to an obsolete issue.

For this use case in particular, it's possible to set up your own VPN server in your home. Setting up your own VPN server will not give you the other privacy benefits of a VPN.


2. Privacy from your ISP

Even with HTTPS, your ISP can still know what sites you're visiting. Without HTTPS, they'll even know what you're doing on those sites. If you're connected to a VPN, your ISP will just see a bunch of messages to and from your VPN service, but it won't know what sites you're visiting or what you're doing on them.

Instead, your VPN provider will know what sites you're visiting and (if you're not using HTTPS) what you're doing on them. You've basically just shifted your ISP to a different company, as far as privacy goes. Sometimes this is desirable. Your VPN provider might be okay with you doing things your ISP isn't, or they might be located in a country with better privacy laws. But it would be dishonest to suggest this does away with the attack vector instead of just shifting it to a different company. Your VPN provider might keep records of everything you do while connected to its service. It might sell your browsing data. It might turn over the data to your (or another) government.

This can also be used to circumvent censorship. If your ISP doesn't want you to visit a site, it can block connections to that server. If all your connections go to the same VPN server, your ISP can block that server wholesale, but they can't pick and choose which sites you can use that VPN service to access.


3. Privacy from the server

If you're (properly) connected to a VPN service, any sites you visit should not be able to tell what your true IP address is. Instead, they will see the VPN service's IP address. This provides some privacy. The server will probably understand that you're using a VPN service, but it won't know which user of that service you are.

This is limited privacy. The VPN provider still knows who you are and what you're doing, so VPNs don't provide strong anonymity like some other tools (Tor, for instance) do. Also, sites have a lot of other ways to track users on the internet besides IP address.

Changing your IP address can also be useful because you can pretend to be in another place. Many VPN providers let you use servers all over the world. This can be useful, for instance, for accessing sites that are only available in certain countries, like if you really want to watch something online, but it's only available in the UK, and you live in New Zealand. You could connect to a UK-based VPN server, and the site might believe you're in the UK and let you watch.


Conclusion and Final Notes

Generally, if you want to use the web anonymously, you should use Tor (or another anonymity network) instead of a VPN. VPNs are useful for things like torrenting (for which Tor is not appropriate) or downloading large files when you don't need strong anonymity but would prefer to keep the server from knowing your true IP address.

I wrote another post that specifically compares VPNs and Tor.

"VPNs protect you from hackers" refers to a largely obsolete problem. If you're connected to a site using HTTPS, a VPN is not necessary and will not make you more secure.

VPNs are useful for some things, but they're mostly overhyped by companies trying to sell you something.

I hope that this post is helpful in understanding what a VPN does and does not do for you so you can make educated decisions regarding them.

Choosing a VPN provider is outside the scope of this post. Sorry.