Something Bense

You might see ads on the internet almost everyday about VPN service providers. On social media posts, YouTube sponsorships and website ads, these companies make bold claims on why you need to use their VPN services… or else.

More recently, the biggest providers at least, seem to have toned down some of the most outrageous and misleading claims. It seems as their lawyers finally got them to understand that no amount of fine print can save you from misleading advertising.

But some VPN providers still say some wild stuff which might not be obvious to the uninformed. Also, some not-that-old content online will still have those sponsorship talking points. Therefore, I’ll take a look at what those claims are give my 2 cents on them: some are true and some are disingenuous at best.

Note: I'm doing my best to not quote or mention any VPN service provider in particular. This is not due to respect of any company, I simply don't want to endorse/oppose any of them.

There might be some links in this post which mention one or more providers. Understand that some of the points made here are not with a company in particular but with the whole "thing".

Also, recommending any specific company is like treading on murky waters for me. I've been very skeptical of this industry for a long time and most reviews/endorsements I see online smell of paid advertising all over the place.

Therefore, I'm not expecting you to take anything of this at face value. If anything, what I just said should make any bias I have obvious. Consider this post leaning more towards opinion and less towards fact.

Before I get started, I want to clarify that I don’t hate or have a grudge against VPN service providers. There are legitimate use cases for them, it’s the marketing-speak which I have issue with. I’m also aware that there’s people that can only see things either as black-or-white, if that’s you then you’re not the intended audience of this post (or this blog).

What is a VPN?

If this was two computers on the same network, we could easily transfer files between them, on Windows for example, we’d enable shared folders and start copying files away. Using shared folders over the internet however, is not a good idea. Even if modern versions of the protocol (SMB) might support encryption and “better” authentication, it’s not considered safe to be openly used over the internet. Remember WannaCry?

If only something existed that allowed us to make a private connection between both of our computers. You know, something like a secret tunnel between computers…

By now you probably figured out, but basically that’s what a Virtual Private Network (VPN) is. In layman terms:

• Virtual: fancy software and network magic makes it work as if you had a cable between both ends, but it does so over already existing infrastructure, such as the internet.
• Private: only those holding the appropriate keys can access and make sense of what’s being transmitted. Everyone else just sees gibberish because encryption.
• Network: it connects devices and/or networks on each end.

That’s basically what your VPN provides gives you: a virtual private tunnel between your device and their servers. Anyone else in the middle can only see you’re connected to the VPN. What’s actually being transmitted remains private (unless they break the encryption or your VPN provider tells them, but we’re getting ahead of ourselves).

Now that we got that out of the way, let’s see the most common selling points VPN providers use and how much of that is true, what is false, what is misleading and what’s irrelevant.

The #1 reason: it allows you to access geo-blocked content

A common selling point of VPN services is that you can evade region locking on streaming platforms such as Netflix. The way this works is by choosing a server on a different region than yours. On the streaming site’s side, you’ll be seen as accessing the service from a different region and therefore you’ll access that region’s catalog. In practice this works, because some services such as Netflix allow you to:

Taking Netflix with you while you’re on the go? All you need is a stable internet connection for your supported device.

Traveling or moving with Netflix, Netflix Help Center

Same goes for Disney+:

While abroad, subscribers can stream Disney+ content that is available in the country/region they’re in. To make sure you can still stream your favourite movies and shows while travelling, download them to your device.

Where is Disney+ available?, Disney+ Help Centre

In theory, streaming providers could work around this by peeking on your devices, for example web browsers can use APIs such as Navigator.language or Navigator.geolocation. Native apps might make use of location services as well. Of course, a less creepy approach would be to check against your billing information.

Yet, here’s what Netflix says about consuming their services through a VPN:

You can use a VPN with Netflix, but what you can watch will be limited to TV shows and movies where Netflix owns the global rights, for example Squid Game or Stranger Things. To be able to watch all TV shows and movies available in your country, turn off your VPN and try Netflix again.

Watching TV shows and movies through a VPN, Netflix Help Center

The main reasons on why streaming services might want to limit a VPN user’s experience or outright block them are:

1. International licensing mess: content licensed from third-parties is usually negotiated for a specific region. For example, they might be able to license some movies in the US but not in South America, or the licensing terms might differ.
2. Subscription or product prices might vary from region to region. This is often known as “regional pricing“: customers in lower income countries need lower prices otherwise the platform is not competitive.

Despite that, users all over the world report being able to successfully access a different country catalog while remaining undetected by Netflix. It seems as they’re not “doing much”. On one side, blocking VPN users is futile because it would require having access to up-to-date list of IP address ranges assigned to VPN providers (or even hosting providers). Consider it a cat-and-mouse game. On the other side (and this is pure speculation) they only need to look as they’re doing “enough” to keep the studios happy.

Of course, as streaming platforms invest more and more on original content, and everyone starts rolling their own, this becomes less of an issue. Their goal here is to keep as much revenue as possible. Sure, you might take a cut from offering 3rd party movies and shows, but you get to keep all of it when it’s yours.

It protects your… privacy?

What’s also one of the top selling points of any VPN service provider is that they protect your privacy. But from who exactly?

It certainly protects you from your ISP but after that there are no guarantees, unless the VPN server you’re connected to is on a different country, then you could argue that it also protects you from your government (more on that below). It’s a question of trust. Keep in mind that:

• VPN providers have been found keeping logs despite their claims or not doing so.
• VPN providers have been forced to hand over data to authorities.
• VPN providers have been found tracking their users activity.

Sure a company might claim they don’t do it. They might even have audits to back-up those claims. Which is a nice thing until they turn their backs. The thing about audits is that they’re valid for a specific point in time, at most, an audit might tell you they didn’t lie in the past.

However, the fact a VPN provider for which nothing shady has been found, several times in a row by independent and trusted auditors is something worth considering. After all, “they didn’t screw up their customers so far” is more trustworthy than “I have no idea“.

What’s also surprising is how close is the link between “trusted” VPN providers are and intelligence agencies. And not many people seem to care even if it happens over and over again. At all.

Note: in some jurisdictions your VPN provider might not even be legally able to let users know authorities forced them to either hand over data or grant them access to their infrastructure. Gag orders are a thing and they're not an US exclusive.

With that in mind, there are scenarios where a VPN can protect your privacy from governments, it comes down a Geo-political choice. A VPN provider that operates in the same country as the government you want to hide from is not a good choice. Nor is one on a country that’s a close ally of your enemy.

For example, if you’re a Chinese dissident in August 2022, you obviously won’t choose a provider which is either based-off have servers in Russia. If you’re a pro-China Taiwanese dissident it’d be wise to stay away from providers in the US, the UK, Canada, countries that are members of “Five Eyes” or even key NATO countries.

Of course, the “protecting my privacy from my government” may fall short depending on what services you’re using and/or where you’re connecting to.

What is DNS and DNS leaking?

In case you don’t know, the Domain Name System (DNS) is the naming system we use to translate human-friendly domain names, such as google.com, into IP addresses, such as 142.251.133.68. Names are easier to remember, seemingly random numbers are not. Not only that, but sometimes the IP address needs to change, for example, if I have servers both in the US and Europe but I don’t want to tell my customers different domain names or if I blow up my server with TNT and now I have to point my domain name to a new server.

The simplified version on how this works is that you enter a domain name somewhere, such as example.com in your browser, then if your device does not know where that is (or it has been a “long” time since it saw it) it needs to go ask a DNS server where that is. If the server doesn’t know, the request goes up the DNS hierarchy until it reaches a server that does.

One thing a VPN service provider must do is to push their own DNS servers (resolver) configuration, otherwise DNS requests may not go through the VPN and while your web traffic will still be encrypted and going through the tunnel, you’re still giving away the domain names you’re going to.

There are online sites that can help you detect if your configuration is leaking DNS requests, one such site is browserleaks.com/dns.

It protects you from… tracking?

Pretty much on the same boat as claiming a VPN protects your privacy is to claim they protect you from companies tracking you. The thing is, IP-based tracking is not much of a thing anymore as is not as reliable as it used to be, considering:

• If your house has an internet connection, pretty much everyone’s on it. That means several people behind the same public IP address. Same goes for businesses, schools and any other setting where several people use the same internet connection.
• Even worse, some ISPs have to resort to Carrier-grade NAT, which sucks (but so does running out of IPv4 addresses). This means many houses can be behind a single public IP address.
• Even cookies are old and busted, browser/device fingerprinting is the new hotness. The EFF has a nice site that explains what this fingerprinting is all about, in addition to providing a quick tool to test your browser for digital fingerprinting.

In other words a VPN doesn’t do much (or should I say nothing?) to stop ad networks and other big tech companies from tracking you, especially if you’re still going to use their services even behind a VPN.

So what can you do instead? The solutions are quite radical and even then not perfect. Disabling JavaScript would be the “atomic bomb” approach but there’s barely any site that doesn’t require JS to run properly these days.

The Brave browser claims to have protection against browser fingerprinting however (as of 2020) it has been shown to not be perfect, the fingerprint will remain the same until you close and re-open the browser. It’s been 2 years since, things might have changed. I’m too lazy to install it and try-it myself. Also, it’s hard for me to trust a company after their scandal were they used creator’s likeness to collect donations for them, without the creator’s consent (which they eventually resolved).

You can deploy a Pi-Hole, which does a good effort of blocking ads and trackers but that’s no good outside your house unless you run it locally (which isn’t practical at all) or you make it accessible from the internet (which also has it’s cons).

Even then, resistance is futile when half of the apps and services you rely on a daily basis are owned by the same three or four companies. I got rid of my Facebook account ages ago, but that means nothing when I still rely on WhatsApp and somewhat still use Instagram (although the latter has become a piece of shit lately). And you can try to move away from Google Search and GMail but are you also ditching YouTube, Google Chrome, Chromecast or even your Android phone which will still track you after you tell it not to do so?

Sadly, it seems that as consumers we’re losing not the battle but the war against online tracking. We’re going to need some strong international legislative effort which honestly I have no hopes I’ll ever see in my lifetime. The European Union has all of the best intentions but I feel things like GDPR are too little too late.

Not everything is web browsing

While most people put “internet” and “web” together, they’re not the same thing. There are services other than websites available on the internet. Examples are: DNS, Email, Instant Messaging and P2P File Sharing. Yes, a VPN provider can help you hide this activity, however you must put the effort to make sure you’re not leaking any identifiable information that may link to your identity.

Again, for the people in the back: understand that VPN providers are a tool to be used as part of your identity and privacy protection, and not the be-all, end-all solution these companies often claim to be.

It protects you from… hackers?

Another selling point is that VPNs protects your personal information from “hackers”, which honestly I’d like someone to explain me how. Once it reaches the VPN provider, your traffic then goes to the internet as it would going out straight out of your router.

There is, truth to be told, one scenario where I could see this being somewhat of a thing: which is public unsecured WiFi access points. Think of hotels, coffee shops, terminals or restaurants that offer free internet to visitors. Some of them still don’t use any encryption at all, I guess to make it easier to get online without people needing to ask for the password. Under this scenario it is trivial for an attacker to see your traffic as it leaves your device.

Note: there's a whole discussion to be had regarding HTTPS (Hypertext Transfer Protocol Secure) and HSTS (HTTP Strict Transport Security) which goes beyond the scope of this post. While most sites now enforce HTTPS, only 24.5% adopted HSTS as of August 2022 (link allegedly updated daily).

Simply put, these are mechanisms that help mitigate man-in-the-middle attacks, which is when a malicious 3rd party "sits" in the middle of a connection to secretly listen or alter what's being transmitted.

What’s done most of the time instead is to use WPA2 and openly share the WiFi password with any customer that asks for it. The thing is, even if the WiFi password is widely known, your device and the access point automatically negotiate a pair of keys to keep communication private even to other computers on the network. An attacker’s best shot under this scenario is to capture the initial exchange between your device and the AP (handshake) to get the keys needed to decrypt your packets. And if they missed it don’t worry, there are means to force the handshake to happen again.

So you could make the point that a VPN service does provide you with some “protection” over public shared networks, as it would give you security equivalent to what you get when connected directly to the internet.

A side note on public WiFi which has nothing to do with VPNs: some devices, mostly computers, might be configured in a way that leave services such as file-sharing open to networks on private IP address ranges but closed to networks with public IP address ranges. That's why Windows asks you (or at least it used to) if the network you're connecting is private (trusted) or public (un-trusted) when you connect to a WiFi it hasn't seen before.

Because of this some argue that using public WiFi is even more dangerous that plugging your computer directly to the internet if your device has services listening for connections from local/private addresses, as this is the equivalent of letting random strangers into your home network.

It protects you from… malware?

A VPN per-se does not protect your device from malware, unless they’re scanning and/or blocking such traffic on their end which counts as monitoring your traffic, and that’s the opposite of what VPN service providers are supposed to do.

However, some providers bundle anti-malware products with their subscriptions, which I guess that’s OK but you should also look into reviews of competing solutions (including free or even open-source ones such as ClamAV).

Note: I did mention ClamAV only because it's been trusted for several decades now and has been open-source since day 1. I'm not comfortable recommending any anti-malware review/testing site as they all give me the same vibe as VPN review sites as mentioned at the beginning of this post.

Do your own research.

It protects you from… data breaches?

Nope. A VPN provider can’t do a damn thing about a third party being compromised, it can only protect the data while being transferred from your device to them. Am I missing something here?

As with the claim of malware protection, some providers bundle services that will regularly check if your accounts appear on data breaches, you know, like what Firefox Monitor offers for free (and yes, I did notice that banner about an upcoming Mozilla VPN… ugh)

The reality is that once you hand over your data to a third party, it’s out of your hands. What you can actually do at the very least, and regardless of your VPN subscription, is:

• Learn proper password discipline and get a password manager. By having strong and unique passwords for each site (or groups of sites) you will mitigate the impact of having your credentials for one site compromised affecting accounts on other sites.
• Enable Two Factor Authentication (2FA) on every single thing that supports it.
• Don’t use your credit card on sites that you don’t trust. Don’t give your address to sites you don’t trust. Period.
• Pay attention and be wary of information you’re filling in when signing-up for websites and/or online services, because there’s a chance that info. will be leaked if the site is ever compromised.

The elephant in the room: file-sharing

Finally, let’s address what some VPN providers are uncomfortable mentioning while others do without restraint: a VPN can protect your privacy while file sharing.

In some jurisdictions, downloading copyrighted content might be totally fine under the right circumstances (most notable, to obtain private copies and not seeking profits). Spain and Switzerland are often mentioned as being very permissive in regards to file-sharing. The Netherlands considers “home copies” to be perfectly legal, in return they charge a tax on any media and/or device that can be used to produce these home copies.

Note: to my understanding, this includes file-sharing as long as you're not the uploader. If I just said something stupid let me know, I can't Dutch.

Other jurisdictions have shown to be really strict with individuals sharing files online via “peer-to-peer” (P2P) networks/protocols, regardless of wherever sharing the content in question is legal or not. Australia, the US, France and the UK are some of the strictest, having Internet Service Providers (ISP) monitoring any kind of P2P activity and then issuing warnings to customers, throttling their connection, cancelling their service, tipping off law enforcement or a combination of all of those.

Here in Uruguay, there have been some small cases some time ago but they were going for exemplary punishment and, in my opinion, it didn’t do much. Nowadays they seem to be more focused towards people selling TV boxes bundled with pirated IPTV signals on the not-so-black market and things like that.

Regardless, depending on where you live this might bring some unnecessary attention. The following article from Reuters mentions media companies in Canada extorting individuals:

The issue surfaced on Thursday, when University of Ottawa law professor and respected industry blogger Michael Geist posted a letter from a rights holder that threatened civil liabilities of up to $150,000 per infringment.

Canadian law caps liability for non-commercial infringements by individuals at $5,000.

“Stop threats to Canada’s online pirates, rights holders told“, Reuters

Or at the very least some unfortunate throttling of your internet connection. In that case you may justify the cost of using a VPN.

That said, some VPN providers block ports of popular file-sharing protocols such as BitTorrent, so check their terms of service and look at reviews. Others proudly claim they allow P2P. Do your research before your shopping.

Conclusion

In the end I don’t want you drawing the conclusion that VPN service providers are either good or bad. Rather, you should treat them as another tool in your privacy toolkit at your disposal. Whatever you want to chose them or not you must be aware of what they can truly do for you and what they cannot. Hopefully, this post might clarify some of the outrageous claims I’ve seen online.

If all you need is a secure way to browse the internet while connected to public WiFi, say, if you travel a lot, then they might be worth it. Your home router might be able to run a VPN server on its own or you can leave a low-power single-board computer like the Raspberry-Pi running an OpenVPN or tinc server 24×7 but most people either don’t know or don’t want to bother setting that up. Also, it might not perform as well as even the slowest VPN providers.

If for some reason you need to hide your tracks from an ISP or your government, using a VPN server on a country different than yours (or even better, different than your country’s allies) can be an important part of your privacy toolkit. It might also involve using separate accounts and devices which can’t be traced back to you, using communications apps which are open-source and often audited and using additional encryption layers when dealing with insecure protocols just to name a few.

The Freedom of the Press Foundation has a better page to get you started on this, if you’re curious.

But for the average of us, who are not journalists or dissidents, or neither wear a tinfoil hat all the time, I fail to see much use for VPN service providers other than “I want to get some overseas Netflix and don’t want to have my ISP know I’ve been torrenting“. Again, all I want you to take from this is there’s more to online privacy than just getting a VPN. Whenever it is justified is up to you, but at least know what it is and what it isn’t.

Of course, If you feel this is not the case or that I’m missing something, please leave me a comment to let me know.

Further reading

Some people have already voiced concerns on these kind of claims, years ago. If you’re interested on this topic, here’s some further reading/watching for you:

• “Don’t use VPN services“, Sven Slootweg (GitHub Gist). A bit more radical and too cynical for my taste but it does make some great points on the false sense of security/privacy a VPN provider may lead you to if you don’t really understand what they can and cannot do.
• “This Video Is Sponsored By **** VPN“, Tom Scott (YouTube). Initially intended to be a honest video on Tom’s channel about VPNs, sponsored by a VPN company. The sponsor (allegedly) backed out of it because it was too honest. That’s quite telling.
• “VPNs are digital ‘snake oil,’ expert claims — here’s why“, Paul Wagenseil (Tom’s Guide). Despite its click-bait title, it offers a quite honest take on claims made by VPN providers and reality.
• “Is A VPN Worth It?“, Michael Gargiulo (Forbes). While I’m not Forbes biggest fan, the article makes some good points not mentioned here.