23 votes

Does a trustworthy VPN provide privacy? If so, how do you know if a VPN is trustworthy?

It's hard to get a straight answer on this because there are allegations of shilling everywhere when it comes to VPNs (particularly when you discuss specific providers). There's also this post which gets linked pretty frequently and which seems to throw a wrench in the whole idea.

For context, I ask because I have two main concerns:

  1. I have been the subject of a mild internet stalking/doxing, and I have no wish to relive that experience.
  2. I live in the United States and, if I am understanding things correctly, my ISP now has the right to sell my browsing data without my consent.

I have no love for my ISP and am all about the idea of blocking them from gathering data about me, but it seems the only other option is to hand all of my data over to another company who simply promises not to do anything with it. While I'm sure some of them are legitimate, how can you tell the difference between a genuine privacy tool and a honeypot?

9 comments

  1. precise

    VPNs simply shift trust, they don't give you immutable privacy. Uses for a VPN vary based on who you are trying to protect yourself against. In my case, I don't like my home ISP seeing my internet traffic, for this I use a high bandwidth, low latency VPN on my router. In other cases, like public Wi-Fi, I also use a different VPN. There are different use cases for everyone, these are simply mine.

    My guide to choosing a VPN is mostly based around transparency, ethics, technology and location.

    • Transparency: Do they have a comprehensive logging policy, stating what they do and don't log, and how long logs are retained? Do they offer breakdowns of their financial information? Do they provide their actual identity in line with the service?
    • Ethics: Do they have a questionable history? Do they have referral programs? Do they have connections to advertisers? Do they censor or throttle certain traffic?
    • Technology: Do they support various protocols I'd like to use in a more secure environment, e.g. SSL VPN over 443, SSH, etc? Are they ok with Tor traffic, P2P, etc? What types of encryption schemes do they support?
    • Location: Are they located in a 5, 9, or 14 eyes country that is known to cooperate in international surveillance efforts? Where are their servers located? Business?

    With location I tend to compromise: for my home VPN, I use a domestic VPN because I'd like the decreased latency associated with that. For other uses, I try and use an "offshore" or non-14 eyes VPN.

    I've not mentioned any specific VPN providers, because as @kfwyre pointed out, shilling in the VPN business is quite common. These are just some of the factors I use in choosing a VPN.

    Oh, another thing: the longer the company has been around, the better.

    16 votes
    1. nacho

      I work in networking. My position happens to grant incredible insight into how the internet works because I bridge two departments. There's a lot of things I'm not legally allowed to discuss or disclose (or in some cases am not allowed to say that I can't discuss or disclose).

      I think you nail some really important things. Good advice. Especially regarding services that have a pedigree and clearly identified owners/leadership. And also regarding allowing many different types of encryption/security. If they only allow one or two, stay away.

      I'm not sure whether I agree with where you land on all the different things to consider though, depending on where you land in specific questions.


      • No-logs policies are often not legal in the location a VPN claims to be in. Like with Tildes, clear and reasonable rules that match the jurisdiction of the service are always best. Actual day-to-day data handling is way more important than written publicly-exposed policy.

      • In offshore localities, what privacy guarantees do you have? What is known about surveillance in that jurisdiction? If the answer is very little, stay out. A VPN located in a 5-eyes country with good data protection policies and practices is the devil you know in the jurisdiction you know where you have actual legal recourse.

      • Stay away from any service located in an authoritarian country or country where the legal system isn't internationally recognized for being fair and free (if open court is bad, what happens in closed/secret court?).

      • Be skeptical of all VPNs that cater to, or advertise services that facilitate illegal activity, like illegal p2p filesharing. These are the services governments will clamp down on and extract your information from. Even if you aren't using a VPN to protect personal crimes, your data is more likely to be collected too.

      • How much can you really hide from modern governments? VPNs are primarily useful for avoiding malicious sites or companies getting hold of your details.

      • Does your VPN not block access to content it is legally required to block access to in its jurisdiction (say, if it's Norwegian and it circumvents the Norwegian police child porn filter)? Stay away. This is a huge flag for scrutiny and information being handed over.

      10 votes
      1. precise

        I'd be interested in knowing what sort of position you hold; what do you mean you bridge two departments? Don't feel pressure to go into too much detail, I'm just curious. :) I'd like to respond to some of your points if you don't mind.

        • You make a good point, it's something I've kept an eye on but omitted out of forgetfulness.
        • I'm sorry, but I trust some random person in a foreign country, whose entire business is privacy, over a 5, 9, 14 eyes based company. It's been made quite well known those countries are practicing wide dragnet digital surveillance. Meanwhile, no claims have been made against these offshore VPNs (at least the ones I use). It's a matter of personal trust, and I have almost no trust in my country's government in that capacity.
        • First off, P2P file sharing is not illegal. I presume you know that, but I didn't feel like I could let that statement stand as is :P. While VPNs targeted at people pirating content may be a more frequent target, I don't recall any instance where such a service was targeted specifically because they permit pirating; please correct me if I am wrong. Furthermore, do you have any source on your statement that your data is more likely to be collected when you use VPNs to protect "personal crimes"?
        • Hiding from a nation state is damn near impossible, but I'll be damned if I don't make them earn my data. Just because the fight for privacy is increasingly difficult, doesn't mean it's not worth fighting. As stated in my original comment, my main purpose is to protect my internet habits from falling into the hands of my ISP for advertising purposes, etc. Also, I do not at all use a VPN for avoiding malicious sites. While I suppose this could be a function, in 99% of cases it is not. Frankly, I'd straight avoid a VPN that offered to "filter" malicious sites. I'm not paying the VPN to be censored, I'm in control.
        • Once again, I am in control. I'm not going to pay for a VPN that filters or censors anything, on any topic. Not to say I'm looking for child porn, but I'm not going to give my money to a service, where the goal is 100% internet freedom, yet they still bow down to some high organization. Also, your use of child porn as an example rubs me the wrong way. That is always the first reason that internet regulations, surveillance and censorship are supposedly needed. Right alongside terrorism, which brought much of the internet surveillance into existence in the first place.
        5 votes
    2. elfox

      Yeah, the main reason I use one is because I don't like my ISP to see my traffic. My ISP is a very crappy company, but it's the only high speed here and the only ISP my house gets.

      I use IPVanish because it has apps and just works. But also because you can log in and download a file that has every single cert for every server and set up OpenVPN with any of them and your creds. I think it's like $70 a year and this is year 3 for me.

      They also claim to not log.

      2 votes
  2. tildez

    From everything I’ve read, it’s impossible to know. You are moving your trust from your ISP and putting it into the VPN provider.

    My thought process is that I know my ISP is screwing me over as hard as possible, hopefully within the laughably weak (in the US) digital data laws. I would expect that a decent VPN provider, whose business relies on a reputation for privacy, would not be screwing me as hard. At the end of the day it's mostly blind trust.

    6 votes
  3. spit-evil-olive-tips

    My personal opinion is that you should never trust a 3rd party VPN service.

    One of two things is going to happen to every VPN service out there, sooner or later. The first one is that they're going to sell your data, spy on your traffic, etc. The second possibility is that the VPN service gets compromised and those people sell your data or spy on you. The internal servers that run the VPN are huge targets for anyone with malicious intent, because if they can break into those they can potentially snoop on the traffic of thousands of people.

    If you're technically inclined, it's fairly easy to set up a self-hosted VPN. You pay ~$5/month to a shared hosting provider somewhere (Digital Ocean, Linode, and Vultr are a few of the more well-known ones), then set up a Linux VM running OpenVPN (or WireGuard, if you want to live on the bleeding edge). Install the VPN client locally, if you're using OpenVPN do the ritual goat sacrifice at the full moon involved in generating X.509 certificates, and then you're done.

    It's not perfectly secure, because nothing is, but it is substantially better, at the cost of more time getting it set up.

    6 votes
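The self-hosted setup described in the comment above, written out as an added example (these are not the commenter's own files): a WireGuard server config for the rented VM and a full-tunnel client config for the home machine. All key material, the VM's public address and the VM's outward interface name eth0 are placeholders and assumptions; the 10.8.0.0/24 tunnel range is constructed.

```ini
# /etc/wireguard/wg0.conf on the VM (server side)
# Requires net.ipv4.ip_forward=1 in sysctl so the VM routes tunnel traffic out.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT tunnel traffic out of the assumed public interface eth0; removed on shutdown.
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] block per device you own. AllowedIPs here is a /32, so only this
# key may source packets from 10.8.0.2; a stolen key cannot impersonate others.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs = 10.8.0.2/32

# ---------------------------------------------------------------------------
# /etc/wireguard/wg0.conf on the home machine (client side)
[Interface]
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# Send DNS lookups through the tunnel as well. Without this the ISP's resolver
# still sees every hostname you visit, which defeats the purpose of the tunnel.
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
# Same value as on the server: an extra symmetric layer on top of the key exchange.
PresharedKey = <PRESHARED_KEY>
Endpoint = <VM_PUBLIC_IP>:51820
# 0.0.0.0/0 and ::/0 make this a full tunnel: all traffic goes to the VM.
# Listing ::/0 even on an IPv4-only VM is deliberate; it keeps IPv6 traffic
# from bypassing the tunnel and reaching the ISP in the clear.
AllowedIPs = 0.0.0.0/0, ::/0
# Keep the NAT mapping alive so the server can reach the client behind a home router.
PersistentKeepalive = 25
```

Generate each key pair with `wg genkey | tee privatekey | wg pubkey > publickey`, the preshared key with `wg genpsk`, and bring either side up with `wg-quick up wg0`; the only thing the ISP then sees is UDP to the VM on port 51820.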
  4. what

    It’s tough, and I’m not sure there’s even a way to prove it for sure.

    I know Private Internet Access has been proven in court to not keep logs several times, but I'm not sure how much that actually means, especially since they're a US-based company.

    5 votes
  5. Neverland
    (edited)

    Well, my personal opinion is that a VPN provider is the ideal Kompromat gathering tool for an intel agency. I would bet that in a few decades it turns out that VPN providers were created or bought by the major intel agencies. Not only could it gather compromising info on you, but also make black money at the same time.

    Due to now erased info, I don’t trust PIA at all. I kind of trust TorGuard, which I personally use. There is no ideal solution here. I suppose it depends on what you are trying to get away with. If it’s just privacy, then using an EU based VPN provider might be best.

    I use TorGuard (DE) for, umm, personal things I don't want corporate entities to know about, and I set up an OpenVPN server on AWS for work, for things I don't want foreign agents to know about.

    4 votes