On the Use of Consumer VPN Services

Virtual Private Networks (VPNs) were originally created as a way to set up private corporates networks over the shared wires of the Clearnet. While the institutional uses of VPNs are still prevalent, consumer VPN services have been popping up over the past few years, and there are many misconceptions about the benefits and use cases of these services.

What are VPNs?

VPNs are a secure way of creating private networks over public infrastructure. They operate by creating a secure connection between your machine and the VPN server (a process known as tunneling). The VPN then either directs your connection to a private internal resource (such as a corporate email exchange server that is not accessible to the public), or forwards your connection to the clear net. When browsing the internet on a VPN, your internet protocol (IP) address is not shared to the websites you visit. Instead, the request appears to originate from the VPN server.

Consumer VPN Services

Consumer VPN services offer connection to a VPN server for a monthly cost. These services are used to change one’s browsing location, IP address, and hide browsing history from an internet service provider (ISP). The rise in popularity of these services is due in part to the advertising campaigns of these services on various social media platforms such as YouTube(R). These services adopted an aggressive advertising pattern bolstering vague claims of internet security and privacy, branding their product as the “solution” to hackers.

Why Should I Use VPN?

When using a consumer based VPN service, a few use cases come to mind:

  • Change location to get around geo-restrictions
  • Hide IP from sites that you are browsing
  • Hide Browsing Data from ISP
  • Circumvent Network Blocks / Firewalls

This list is non-exaustive, however provide a list of common use cases.

Why Should I NOT Use a VPN

There are claims that consumer VPN services make that are not true. It is important to keep in mind what VPNs can and cannot do. VPNs cannot:

  • Prevent you from being hacked
  • Allow you to access the dark web
  • Allow you to commit cyber crimes (especially if your account is linked to a credit card).

Towards Privacy-Aware VPN Usage

A large selling point of VPNs is that it “keeps you private” while surfing the web. This claim, while partially true, really depends on the VPN provider. Many VPN providers claim to not keep connection logs, however there has been proof of the United States government forcing VPNs to start keeping logs and continue advertising that they don’t. Therefore, VPN services that use propreitary code and not autited by an independent 3rd party cannot be trusted with data.

Many VPNs do not accept anonymous forms of payment, so an account is often linked to an identifying payment method such as a credit card. This payment front is a problem as every account is linked to a specific person. Many individuals do not take this into account when buying VPN services for privacy. They often link their own credit card and personal email to the account, so any activity theoretically can be traced back.

One VPN provider, Mullvad(R) seems to stand out from the rest in terms of privacy. Mullvad does not create user accounts that are linked to email addresses. Instead, they generate a random payment token. Mullvad offers various anonymous payment options, such as the ability to mail in cash. By using cash and not linking an email, the user cannot be identifed by account token. Additionally, Mullvad does not keep logs and is audited independently by a 3rd party.

Conclusion

VPNs are a great way to remain safe and secure when browsing on public WiFi, or when trying to remain anonymous. However, VPNs are not a catch-all in terms of safety. The key to remaining anonymous is good OpSec. Users must decide when and where to implement security measures, and must consistently reevaluate their threat model as new systems arise.