Oct 9th, 2022 at 4:41 pm
#1112
If you watch YouTube often, you have almost definitely seen an ad for PIA, Express, or NordVPN at some point. All of these promises about anonymity and encryption... it sounds too good to be true, right? That's because it is. In this thread I am going to break down the common misconceptions about VPN software and hopefully educate a few people into making better decisions when choosing which internet services to trust.



First, let's go over some of the common claims:
"VPNs protect your privacy"
VPNs by themselves do not protect your privacy on the internet. There is a lot more to tracking user activity than an IP address. Data such as user agents, cookies, browser resolution, JavaScript engine version, and even leftover cache can be used to fingerprint your computer and completely deanonymize you. If you sign into a website or post, say, or access anything that is linked to you, that activity can be used to guess who you are.

Combining this with an anti-fingerprinting browser such as Librewolf and also performing good opsec habits online can help a lot with this and make VPNs an actually viable privacy option, but data retention gets in the way of that. Data retention is AWFUL for VPNs, and the worst part is that you can never know if and when it happens because the servers are owned by a big company and you can't control it. VPNs can only protect you from tracking from your ISP, but that isn't necessarily any better since you are now prone to tracking from the VPN provider itself. This brings me to the next part:

"No logging policy"
This is 100% a lie. A VPN provider runs their proxies on servers all owned by them, and they control each of them. You don't know if your VPN provider is breaking data retention rules or not. Many businesses will cite past refusals to give up data to governments as "proof", but this does not prove anything for a few reasons, one of which being that the CIA has a habit of contacting computer security companies to try and secretly turn them into honeypots (silly tin foil hat shenanigans, I know). Data retention is bad for VPNs because it means that a data breach can immediately deanonymize all of your activity, and it also makes these VPNs awful for people living in oppressive countries. The cloud is just someone else's computer. If a VPN says they have a no logging policy, they are lying. Do not use VPNs to do things that you do not want tied to your real identity.

"VPNs encrypt your traffic"
VPNs are not needed to encrypt traffic. Stuff like this is what TLS/SSL was invented for. If a VPN is trying to claim that it "encrypts" your internet access, they are either lying, or they are trying to sell you something that is pointless. They can, however, hide what websites you are visiting from others on the network if someone on a public network attempts to sniff your packets.

"VPNs help you access region locked content and bypass firewalls"
This is probably the only real true claim that VPN advertisers talk about, but it's only half-true. Yes, using a proxy as a disguise can circumvent some basic restrictions, whether it be a blocked website or region locked content, but that won't do you any good when the VPN itself is blocked. This isn't a perfect solution because VPNs are still centralized and their list of IPs is known. If you're trying to access a movie or other product that is not sold in your country, you are better off just pirating it. Tor suffers from the same issue, but it is community run and has numerous bridges to help get around firewalls set up by authoritarian governments, and it's much better at its job, making Tor the ideal solution for those under threat living in a non-free country. That doesn't mean VPNs can't work around IP restrictions, it just means that you shouldn't rely on them to guarantee a good connection. Many VPN providers don't mention this. If you are away from home and absolutely have to bypass a firewall at work or something, you could try hosting your own proxy server at home with your computer left turned on, as this will use your home IP address and won't look suspicious to VPN-blocking filters. This won't solve the region locking issue, but it is more reliable than paying for a public proxy server.



Okay, so why do VPN providers lie about this stuff? Well, it's easy: money.

Around the late 2010s, less tech savvy individuals finally became aware of (some) of the shady business being done by social media companies. Of course, many of these people still might not fully understand the extent or technical details behind these bad practices, or why it is bad. Things like the history of monopolistic abuse from Microsoft, or the dangers of proprietary software, are still not common knowledge. The dangers of data retention have not been taught to everyone--many of us are still focused on what companies are doing with our data directly rather than what governments and infiltrators want to do with it, because that is what the news outlets are interested in.

Because of this fear that has sprung up in the general public, without the knowledge that led to this fear, it is easy to manipulate people and sell them something they think can protect them. VPN providers are like the hot new thing on the block right now. Everyone and their grandma is doing it, because they believe it will magically ward away the zuckerburgers. This has led to blatant false advertising, and even worse data collection BS than we were dealing with before.

So, who can you trust then?



When to use VPNs, and when not to use them.
VPNs are okay for bypassing IP bans and other restrictions. They're just proxy servers, after all. But they have their limitations.

If you are looking to protect your privacy, look for other options. You need a combination of things:
- A connection to Tor
- The Tor Browser (Brave will not protect you from fingerprinting, that line of misconceptions is a whole other can of worms)
- Good opsec and an understanding of what is and is not safe

Opsec (operation security) is the idea that you should never tell anyone who you are, what you are doing, or give any hints away. You should always be aware of what others can find out about you. This means not logging into any social media sites, always using a fingerprint-resistant browser, and just generally being secretive about your identity or only using an alias when naming is necessary. The term comes from the military and was originally intended to prevent confidential information from getting to the enemy, but the same concepts can apply to the internet.

Unfortunately, Tor is not perfect either. It can be very slow, as there are only about 6,000 Tor nodes currently available. If you aren't concerned about your privacy, and just want to unblock access to something, then a VPN might be a better option in specific cases. There are VPN providers out there that are, believe it or not, not hellbent on screwing over their customers. Unfortunately, you will not find them in a YouTube ad. You have to do your own research. Luckily for you, I have put everything you need right in this thread.

If you are looking for a VPN, check out privacyguides.org/vpn. They have a list of recommended providers as well as a detailed explanation on what VPNs are actually used for. ProtonVPN is the one I personally recommend. You can also combine Tor with a VPN, which can help when used with Librewolf or the Tor Browser, since it will hide your IP from your Tor entry node. Tor entry nodes aren't really an issue when it comes to fingerprinting, and it is one of the few instances where an IP address is really all you have to worry about. As long as the site itself is being restricted by your fingerprint-resistant browser, this is okay.

And just to make the YouTube sponsors roll in the dirt one more time, I'm going to drop a Reddit thread exposing PIA for starting a smear campaign. Yes, companies are willing to go that low: https://old.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/

I hope this thread was educational and that someone finds it useful one day.
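
Added example, not part of the original post: a sketch of the fingerprinting point made under "VPNs protect your privacy", showing how a site can link two visits from different IP addresses using only browser attributes. The visit records, field names and the `fingerprint`/`linkVisits` helpers are constructed for illustration, and FNV-1a is used only as a compact way to turn the attributes into an ID.

```javascript
// Constructed sample visits (not real data). v1 and v2 are the same browser,
// first from a home IP and then through a VPN exit; v3 is another browser on
// the same VPN exit.
const visits = [
  { id: "v1", ip: "203.0.113.10", screen: "2560x1440", timezone: "America/Chicago", languages: "en-US,en",
    userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0" },
  { id: "v2", ip: "198.51.100.77", screen: "2560x1440", timezone: "America/Chicago", languages: "en-US,en",
    userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0" },
  { id: "v3", ip: "198.51.100.77", screen: "1920x1080", timezone: "Europe/Berlin", languages: "de-DE,de",
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" },
];

// 32-bit FNV-1a hash, returned as 8 hex characters.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The fingerprint deliberately ignores the IP address: it is built only from
// attributes the browser reveals on every request or to any page script.
function fingerprint(visit) {
  const parts = [visit.userAgent, visit.screen, visit.timezone, visit.languages];
  return fnv1a(parts.join("\u001f")); // unit separator avoids ambiguous joins
}

// Group visits by fingerprint and report which IPs each browser was seen on.
function linkVisits(list) {
  const groups = new Map();
  for (const v of list) {
    const fp = fingerprint(v);
    if (!groups.has(fp)) groups.set(fp, { fingerprint: fp, ids: [], ips: [] });
    const g = groups.get(fp);
    g.ids.push(v.id);
    if (!g.ips.includes(v.ip)) g.ips.push(v.ip);
  }
  return [...groups.values()];
}

for (const g of linkVisits(visits)) {
  console.log(g.fingerprint, "visits:", g.ids.join(","), "IPs:", g.ips.join(","));
}
```

The home visit and the VPN visit land in the same group even though the IP changed, while the second browser on the same VPN exit does not, which is why anti-fingerprinting browsers normalise these attributes.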
Oct 9th, 2022 at 5:21 pm (edited)
#1113
I personally use Windscribe. It has a no-logging policy that has actually been tested in the real world: Ukrainian server seizure — a commentary and state of the industry
They also confirmed their no-logging policy in their update post, mentioning it alongside the incident: OpenVPN Security Improvements and Changes
"We have no reason to believe that the servers were compromised or that there was any unauthorized access before seizure. As we do not log VPN traffic, no customer data from those servers while in operation are at any risk."
One of their social managers also put together this page that is community contributed. I think the only reason they aren't on privacytools is because they are based in Canada, and thus a part of the 5-eyes.
Oct 16th, 2022 at 10:14 pm (edited)
#1138
One thing I'd like to add to this is the common argument that data breaches and subpoenas have "proven" privacy focused services truly don't retain data. This is logically flawed because it assumes that not having the data is the only reason it would not be found outside, when it isn't. There are many reasons why it might sound like a breach proves "no data was logged":

- The hacker could be inexperienced or have a broken entry point. Both internet forums Doomworld and Kiwifarms were hacked but little to no valuable information was stolen other than maybe a few hashes, despite the fact these websites had it in order to operate.
- Governments can force companies and journalists to lie about a subpoena.
- Journalists could spread fake news or simply take someone's word for it without verifying the information.

If the data goes to someone else's computer, there is always an opportunity for that computer to save all of it. People naturally will lie about data retention if it means sales.