My Issue with VPNs

VPN use is becoming extremely widespread. The number of companies offering VPN services at a premium has exploded in the past decade, and every man and his dog keeps telling us we should be using one; but I don’t use one. I used to. I was the unthinking consumer who thought he needed a VPN to give security and privacy online. Then I started thinking and reading about it, and ultimately I decided that I really don’t need one and that I actually don’t trust the VPN industry. Why? Well, I shall attempt to explain.

First, a disclaimer: I am not a security expert. I can read and digest information and form opinions, but I don’t know everything, so take my opinions with a grain of salt. Now that that is out of the way, let’s get to it.

The first red flag, and a major one, is that VPN companies love to make big bold claims of total security/privacy to impress you into stopping your search for a solution and handing them your money. Firstly, no one can guarantee total privacy or security; there simply is no single cure-all solution to all of the problems in that arena. Network security is a massively complex area, which is why there is a plethora of certifications that network security professionals need to go through. Secondly, a VPN only provides extra security if the data you want to access is on the same network as the VPN you are using. This is why many businesses use VPNs to enable remote working. Outside of that there are no guarantees.

Another red flag is the bold claim of “military grade encryption”. It sounds great in the marketing copy, but it is pretty much nonsense because there is no such thing. The truth is HTTPS is pretty much everywhere nowadays, DNS over HTTPS is increasingly becoming standard, pretty much every chat app uses end-to-end encryption, Android and iOS both use app encryption, and mobile device encryption is now normal. The security landscape is much, much better than VPN companies would have you believe. The only potential security hole may be public wifi hotspots if they are being run by a bad actor, so I concede that a VPN can be useful in that case.

The next thing I grew wary of is the no-logs claim. The truth is every single VPN company will keep logs of some description; they have to, for troubleshooting and support purposes at the very least. Whether it is initial connection logs, public IP addresses or something else, the real question is what logs they keep and for how long they keep them. It may be that they wipe the logs after a day or a few minutes, but they are still maintaining logs in some way. The problem with being honest about that is that it probably isn’t great marketing, given how much people freak out about data logging.

The next big red flag is that the entire industry is rife with bought reviews and affiliate marketing. How can I possibly trust a glowing review knowing this? This is not unique to VPN services of course but, damn, is it widespread in the industry. It does not inspire trust in a product.

A VPN can be useful though. It does obfuscate your IP address (which doesn’t make a difference to companies that build advertising profiles on you, thanks to cookies and fingerprinting), which is useful if you live in a country where censorship is a massive problem. VPNs do let you appear to be coming from outside of the country so you can access blocked sites, and that is very useful, but I remain unconvinced that they are the one-stop-shop solution for privacy and security they are made out to be. If anything, they may give the illusion of security due to the suggestion that all you need is this app and the job is done. Sadly, there is a lot of money to be made from fear, uncertainty and doubt, as we learned in the 90s with antivirus software, and it would appear that VPN companies, just like antivirus companies, are expertly exploiting people’s fears to make a fortune.