If you watch anything on YouTube, you’ve probably heard paid ads for various VPN services. To listen to these ads, it sounds like a VPN is necessary for any sort of privacy or security online. Let’s examine that claim, and whether or not you really need a VPN.
What is a VPN?
VPN stands for “Virtual Private Network”. Though we’ll go into more detail later, a VPN makes it seem as if you are using a different network than you are. It can hide what you’re accessing from your ISP, and can hide your home network from whatever service you happen to be using.
Connecting without a VPN
To better understand, let’s start with how a normal internet connection works.
Your computer doesn’t connect directly to whatever website you’re accessing. Then your computer talks to your router, which talks to your modem, which talks to your ISP’s router. Your ISP’s router talks to another device in your ISP, which talks to your ISP’s outbound router, which talks to another device and another. The data moves across the internet until it reaches its destination. This game of telephone can make several “hops” as the data traverses the internet. Whoever is running the equipment at any of these “hops” can examine who you are talking to, and if your data is unencrypted, they can even look at what your actual data is.
Not all of these hops are controlled by either your ISP or whatever service you might be using. Since third parties control some of these intermediate routers, some sort of added security is in order.
What a VPN does for you
So what does a VPN do?
From a technical standpoint, a VPN takes your internet connection and encrypts it. Then it sends all your connections through the VPN. Your ISP and all of the hops before your ISP can only see that you are talking to your VPN. They can’t examine any of your data because it is also encrypted.
The VPN then connects to whatever websites or services you were trying to access as if it were the ISP. From the perspective of the ISP, all you are doing is looking at the VPN. From the perspective of whatever website or service you are using, you appear to be coming from the VPN. They can’t tell where you actually are. One major problem is that there are still several hops between your VPN and whatever website or service you’re using. While your data is encrypted, and they may not be able to tell where you are, they can still see which websites you’re using.
VPNs claim to do three main things.
- The first is to encrypt the data so that someone can’t spy on it.
- The second is to hide all of your activity from your ISP.
- The third is to obscure your actual location.
The first two sound useful, but aren’t nearly useful as you might think. The third is useful in some limited circumstances, and for some people could actually be vital.
Encryption
Let’s address the first claim: encryption. Encrypting your web traffic is a very good thing. Unless what you’re accessing is completely innocuous, it is actually extremely important. In fact, it is so vital to your security that nearly all of your web traffic is already encrypted by your browser, and is encrypted all the way to whatever site you are using. Modern browser encryption is called Secure Sockets Layer (SSL), or more recently Transport Security Layer (TLS). I don’t want to do a deep dive on what all that means here, so I’ll just call it “SSL”.
How to tell if you’re using SSL
If you look at a URL and it starts with “https://” or if you look in your location bar and see a little lock icon, you can generally be assured that your data is encrypted all the way from your browser to the server it is talking to. With this encryption, who you are talking to is still visible since each machine in each hop needs to know who to send your message to next. However all of the data you are sending and receiving is encrypted so someone eavesdropping has no way to know exactly what data you are sending or receiving.
Do I need a VPN for encryption?
A decade or two ago, SSL browser encryption was fairly rare. Now it is the rule rather than the exception. As I write this I have about 13 tabs open in my browser. All 13 are encrypted. I looked at a few other sites I frequent regularly, and only one offered no form of encryption. However it was just a blog that doesn’t ask for any personal information, so it isn’t a big deal.
There may be a few sites that do not have an SSL certificate, which really should, but those sites are so rare that they aren’t really a problem these days. If you’re concerned, you can easily check by looking at your screen. Generally speaking, a VPN isn’t really worth it just for the encryption, particularly when encryption is almost always already there.
There is also one other issue with the VPN’s encryption. It can only encrypt between you and the VPN. It will keep the ISP from eavesdropping, but it cannot keep someone sitting between the VPN and the website from eavesdropping. If the website is not using SSL, the connection between the VPN and the website will be unencrypted.
Do you need a VPN for encryption? The real answer is probably not. Almost everything is already encrypted now, so adding encryption on top of encryption really adds no value. If there is a particular site that you MUST access, that offers no SSL encryption, and that site requires you to enter personal information then a VPN might be useful. Of course, you would be paying a monthly fee so you could safely access that one site. If there is something else you can do, it would generally be better.
Hide your activity
Now for the second claim: hiding your activity from your ISP. How does the VPN hide your activity from your ISP? The simple explanation is that the VPN wraps your internet requests in its own headers and encrypts them. Nobody between you and your VPN can see anything. It can’t see what data you are sending or receiving. Nor can it see where the data is ultimately going. It sees nothing. As far as your ISP is concerned the only other computers your computer is talking to are those at your VPN.
The problem is that there are still several hops that your data has to take between your VPN and whatever service you’re using. Every computer on the other side of the VPN can still see every website you’ve requested. So in reality, you’re just shifting who has access to your data.
When it comes to trusting someone with that information you have to weigh who you can trust more: a corporate ISP who would give you up in a hot minute if doing so suited their business needs, or a corporate VPN service that would give you up in a hot minute if doing so served their business needs.
The simple truth is that, from a security standpoint, VPNs are not much different from an ISP in this regard. Security is about trust. Who do you trust? A trustworthy ISP will probably protect your privacy better than an untrustworthy VPN, and vice-versa. Hackers have breached both. Governments have compelled both to give up personal information. Most VPNs claim not to log such data. Even so several have suddenly come up with the data they claim not to log in order to avoid severe legal action. In some countries, the penalties for failing to do so could be extreme. For most people, the risk difference will likely be a wash.
One exception might be for people who travel a lot and must use untrusted networks often. In such cases, a VPN might offer a little better security, but unless one must do so frequently, it generally isn’t worth it.
Hiding your location
Now for the third reason: making it look like you are somewhere else. This is actually useful for a lot of people. While simply obfuscating your location isn’t hugely helpful in most cases, appearing to be in a particular location can be very useful.
Due to rather complex legal and licensing issues and contracts, some content on some services is only available in certain countries. This is called geo-blocking. A person can use a VPN to get around this geo-blocking and access material that may not be available in his or her country.
For example, Netflix or Hulu may have very different content available in Japan or Canada than in the United States. A VPN would allow you to appear to be someplace like Japan or Canada to access content only available in that country.
Likewise, someone who travels frequently may wish to access his normal content, but when traveling abroad, may not be able to without a VPN.
Do you need a VPN?
For most people, a VPN would be a waste of money. The encryption is already there in most cases, and hiding your activity from your ISP is just trading who you’re trusting.
So is there ever a reason to get a VPN? Actually yes. If you don’t have much of a choice on your ISP and they’re not trustworthy, then it might be better to get a VPN and use that. If you travel internationally a lot, a VPN can be useful to make it appear that you are in your own country. That way you can make it appear to whatever services you use as if you are still at home. Likewise, if you want to access location-locked material in a country without access to that material a VPN would suit your needs.
One other thing to consider is that a VPN will increase the number of hops and the amount of processing that happens to your traffic. Translation: your internet speed will be slower. Depending on your connection, and the VPN’s connection, you may or may not notice the decrease in speed.
All in all, VPNs are of some utility in some limited cases, but unless you are traveling a lot, or needing access to geo-blocked content, they are generally a waste of money. For that reason, I tend not to recommend a VPN to most users.