Earlier this week, the Senate voted to repeal privacy measures that would stop internet service providers from sharing their users’ internet activity with third parties. Those rules were passed in October, but not only does this vote undo them, it prevents the FCC from reinstating similar rules in the future. This is great for broadband companies, but if you’re one of these companies’ users, what are you supposed to do?
One popular recommendation you might have heard is to use a virtual private network, or VPN. You can find a lot of comprehensive online explanations of what VPNs are, but in the simplest terms, they create a secure, encrypted connection between your computer (or phone, tablet, &c.) and a private server somewhere else, preventing anyone else from seeing or modifying that traffic. When you browse the internet, data goes to the server, which passes it securely back to you. When you send data out, it appears to come from the server, not your computer. While it doesn’t make you anonymous — the VPN can see your traffic, and law enforcement can request information from VPN companies — it obscures what you’re doing online.
If you want some more background on all of this, read on.
What do I need out of a VPN?
It depends on who “you” are. Here are some of the many uses for VPNs:
- Avoiding government surveillance or censorship
- Remotely connecting to your company’s private network
- Protecting your data on public Wi-Fi
- Hiding BitTorrent piracy
- Watching movies from another country’s Netflix library
All of these things present different challenges and security risks, and a VPN isn’t even a good choice for some of them, since it doesn’t make you anonymous.
But here, we’re talking about a very specific problem: how to stop internet service providers from mass-collecting information about perfectly legal things you do online. This is actually one of the simpler scenarios. You’re not worried about an oppressive government targeting you for a sophisticated hack, or the VPN giving up information to law enforcement. You’re not connecting to an unfamiliar Wi-Fi network that somebody could be siphoning data from. You’re just trying to make your browsing history hard enough to see that an ISP won’t automatically scoop it up and sell it to advertisers.
For this particular use, the central question is who will keep your data safer: an internet service provider, or a VPN company. “VPNs are essentially a way of moving your trust,” says Jacob Hoffman-Andrews, senior staff technologist at EFF. “Normally, you trust your ISP not to snoop on you, but if you can’t trust your ISP anymore, you can pay somebody else.” An untrustworthy VPN could turn around and sell your data, just like an ISP. In fact, it could do much worse things, like use your bandwidth as part of a botnet. Many of them don’t have a reputation to protect the way that ISPs do, and they’re under significantly less scrutiny.
Which VPNs can I trust?
“It’s very, very hard to make recommendations about VPNs,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. Journalist Yael Grauer has a great, detailed rundown of the problems at Ars Technica, but one of the biggest issues is simply that VPN companies can be vague and non-transparent. They might oversell what their service does, obscure how their security works, or hide nefarious caveats in the terms of service. In the Ars Technica piece, security expert Kenneth White calls it “Pinky-Promise-as-a-Service,” because there’s often no outside evaluation. “It’s really hard to know how to trust a given VPN provider,” says Hoffman-Andrews. “Some of them say that they don’t log data or snoop on you in various ways, but it’s hard for individuals to verify that.”
A good VPN will also protect you from malware on public networks, but not every service is up to the task. White has also complained that many VPNs — including relatively well-known services like NordVPN, IPVanish, and PureVPN — connect their users using a single pre-shared key, which someone who controls a Wi-Fi network could use to decrypt their traffic. But if you’re only planning to use it at home, Hall says the pre-shared key issue might be moot, since it’s highly unlikely your ISP will outright try to hack you. (He’s a fan of the service Astrill, which appears on White’s list.)
A free VPN should always raise a big red flag. “If it doesn’t cost you anything, wow, how are they making money off of routing your bandwidth?” asks Hall. Evidence of external audits is also a good sign, although that’s rare. VPN service Cloak — which costs around $10 a month for one person — is one of the rare examples of this. It announced an audit in early 2016, although the results weren’t publicly released. Co-founder Dave Peck says that’s because the audit applied to system architecture that has since been rewritten, and that it found the old system safe from their highest-priority threats, like the theft of customer data. He says a new audit will be conducted in the future.
The safest option is to set up your own VPN server and connect to it. “We recommend that if you have any technical capability whatsoever, you look into like Streisand and Algo,” says Hall, listing two systems that let you “roll your own” VPN. You’ll pay for the nominal cost of a server, and have complete control over what happens to your data. But that’s still a lot more trouble than just paying a monthly fee.
What else can I do?
If you’re really committed to total privacy but don’t want to set up a server, you could always use something like Tor, which has the added benefit of anonymizing you. But it can be a much slower, less convenient browsing experience than most people are used to. Much more conveniently, you can make sure to use encrypted apps for individual services like chat — which is good practice for preventing all kinds of surveillance.
While it isn’t a perfect solution, sites that use HTTPS also limit the amount of information that ISPs can see — they can collect the general domain name and when you’re visiting it, but not which individual pages you’re on or what information you’re sending. Additionally, if you’re worried about ISPs gathering data, you should also take steps to minimize what actual websites and advertising platforms can track.
But there’s no totally safe and super-simple technical way to have the same internet service you’re used to while keeping ISPs in the dark. “We shouldn’t have to buy trust as an add-on service,” says Hoffman-Andrews. “That should be a default part of internet service just as it’s a default part of phone service.”