This super long article has five parts. This is the first part, it introduces personal VPNs and their intended purposes.
The other parts cover practical aspects of using a VPN (part 2), anonymity and global surveillance (part 3), traces that you leave on the Internet (part 4) and finally a step-by-step plan of connecting to the Internet anonymously (part 5).
Although this text was written to be read through, you can always skip to the part you are interested in.
Contents of part 1:
1. Introduction
2. Real world analogy
3. Security and threats
4. The biggest threat of all
5. Threats that VPNs address
Historically, VPNs had nothing to do with personal privacy. Virtual Private Networks, they were used to establish private encrypted connections across open Internet, used by the companies to securely exchange corporate data.
Today, with the raise of totalitarian governments and corporations, personal rights to privacy are unconditionally sacrificed, and we have to utilize VPN technology to get some personal privacy back. Personal VPN business is booming, providers advertise with the most prominent political talk shows and commentators, but the technical inaccuracy of those advertisements is abysmal.
I write this in hope that it helps you better understand how VPNs work, how to use them properly, and how anonymity can be practically achieved on the Internet.
First, I will introduce an analogy, which is used throughout the article. It will informally present some of the problems that VPNs address, and hopefully make the discussion easier to understand and follow.
Let’s say you live in a small town in a quiet neighborhood but your neighbors are extremely nosy. So much in fact, that you cannot leave your home without someone watching. You cannot drive anywhere without the entire town knowing where you spent last night. You even have reasons to believe that they have had a GPS tracker installed in your car.
Making things worse, every time you drive far from home, you notice that people look at your license plates funny. There are whispers behind your back and sometimes there is even a couple of unmarked cars escorting you to the border.
And you are sick and tired of it. So, what do you do ?
You decide that every morning as you leave your home, you drive not to your destination directly, but to a huge mall next to a busy interstate. There you drop your car in the underground parking, blend with the crowd, wander around for a while, then go to a rent-a-car booth, pick a random car from the lot and drive to where you initially wanted. In the afternoon you return the car, take your own and drive home.
Now if you think about it, all the neighbors could see is that you are driving to the mall, and anywhere you drive from there, you are in a neutral fleet car, not associated with you or your original residence.
That’s how a personal VPN works.
Now let’s talk about security to establish the framework required for the future discussion. What does it mean to be in a state of security ? The definition is to be protected from a danger or threat. You cannot be secure in an abstract sense. Security is always defined in terms of actual threats that are mitigated. So, you can be secure from such and such threats, but never from all possible threats.
For example, take home security, fire is a likely threat, therefore we take preventive measures, buying insurance and fire extinguishers, and then we say we are secure from fire. But your home being hit by a meteorite is not so likely. Does it mean it could not happen ? No, and technically we are unprotected from such a disaster. But we don’t care, because it’s perceived as impossible and also because the costs of protecting against it would be unimaginable. It therefore lies outside of our threat model.
Every time you hear the word “security”, you should ask “from what ?”. Does VPN make you secure ? Yes. But from what and how exactly, that’s what we are going to discuss.
There is one threat that no VPN or other technology can protect you from. That’s the biggest problem, impossible to solve, and it gives headaches to security and usability specialists from the beginning of times.
It is us, ourselves, the users.
Ideally, we, the users, would know everything we need to know to make all the informed decisions and never make a mistake. But that is, of course, impossible.
On the other hand, ideal security products would configure themselves and make all the decisions automatically without bothering us with questions which we are incapable of answering. But it’s also not possible.
You have to understand very clearly upfront that security is so complicated and fragile that a single wrong turn could leave you exposed. If you even hope to stay safe, it is in your own interest to exercise a significant amount of discipline, or the threats will come to realization.
I’m specifically refraining from giving any concrete example before I have introduced any actual threat, but as you read on, simply pause and imagine what would happen, should this or that threat come to realization. For the most part, it will not be the meteorite, but nothing good either.
Finally we arrive at the actual good that VPNs can do for you.
Here I will cover only threats that do not relate to anonymity, as it is a massive topic in itself and will be discussed separately later.
Threat №1: Your local Internet provider is spying on you
Your Internet provider is exactly those nosy neighbors who watch your every move, write it down, and report it to the police. It is a very real and widespread threat. Internet providers are legally obliged to collect all sorts of data on their users.
You can be absolutely sure that they keep record of at least every site you visit. And the moment you visit a site unpopular in current political climate, be sure that there appears a red flag next to your name in a list somewhere. And just as you could expect, that list is exactly the source of potential criminals, terrorists and other enemies of the state, whenever they need them.
Depending on how focused on you the Big Brother’s eye is, your actual traffic can also get inspected, and if it is not encrypted, they could collect the words you search, actual documents you read and so forth.
This threat VPNs handle with ease. A typical VPN will simply encrypt all your traffic and route it through a server somewhere far (which is of course the mall through which you drive). All that your local Internet provider is left with is a useless stream of encrypted bytes.
Yes, they can see that you are using VPN, the same way your neighbors could watch you drive to the mall. But as soon as VPNs are legal, there is nothing they could do about it.
It is important to note that all your traffic must go through VPN. While it is possible to carefully separate data that needs to be encrypted from data which doesn’t, it is complicated and a potential cause of error.
Threat №2: Your local Internet provider is imposing traffic restrictions
Net neutrality ? What net neutrality ?
Depending on where you live, certain types of traffic can be illegal. A typical example is BitTorrent. You can argue to death that BitTorrent is a generic peer-to-peer data transfer protocol, but the public is conditioned to believe that it’s a piracy vessel, hence anyone who is using it is a pirate. Whenever you are using BitTorrent in such environment, you risk getting a cease-and-desist letter, being extorted by a legal threat out of a sizable amount of money, and possibly facing a crime charge.
Again, this threat is local in nature, and VPNs provide an easy solution. As soon as all your traffic goes through the encrypted tunnel, all BitTorrent activity also becomes undetectable.
Threat №3: Wi-Fi spoofing
Your local frauds noticed that every Friday you go to a bank to cash a check, and had an idea of a heist. They went for a little Truman show.
As you leave your house one Friday morning, you have a subtle feeling that something is not quite right. The street looks different and there was no road construction there just yesterday. As you turn and drive around to the bank, your satellite navigation keeps beeping and claiming no road is supposed to be here at all. When you get to the bank, its front wall looks like cardboard. You reject all suspicions and enter. There is just one counter and the guy behind it you never saw before. Still you hand your check over. Puff ! Everything disappears and you find yourself standing in the middle of a field, the bank is gone and so is your check.
That is how spoofing works.
Your devices will gladly connect to any Wi-Fi network in range, and there is no way of knowing whether it is legitimate or not. When you are at a public place, and you see an unprotected Wi-Fi network with Free in its name, of course you click it. But who’s running it ?
With some technical expertise it’s possible to set up a public Wi-Fi network, which would pass everything through, except for a certain banking site. Or Google Mail. Or any other. Requests to such a site would be intercepted and redirected to its partial copy, hosted by the same hackers, which would look like the original one, behave the same, and gladly take your password. And if you click “Login”, congratulations, you just gave your password away.
Moreover, with some more technical expertise it is also possible that this password is immediately used to log in to the original site, and you receive an authentic SMS or whatever second factor notification that you have, only enforcing your belief that the site is in fact genuine. Then as you type in the one time code, click “Submit”, congratulations, you gave someone everything they needed to log in to your bank account.
Now that sounds terrible, and there is seemingly no protection. After all, how do you know which site is real and which is spoofed ? They look and feel the same after all.
So how does it work at all and what does it have to do with VPN ?
Actually, it’s not as awful as it sounds, and dealing with spoofing is not even VPN’s specialty. In fact, VPN provides only a tangential protection against spoofing — by the fact that it is also a local threat, just like the previous two — since all your traffic bypasses the local network, spoofing does not stand a chance.
In case you wondered how spoofing problem is solved without VPN, the answer is a cryptographic protocol called SSL, and its ubiquitous application HTTPS, a web surfing protocol. Every HTTPS site must have its own certificate of authenticity, presented to your browser as you enter. And that certificate cannot be spoofed. Your browser will warn you loudly if you are entering a web site, whose certificate is not authentic, just like that beeping satellite navigation. If you pay attention, you will know that the site is fake.
And even with VPN you must always pay attention to the browser warnings, because how do you know that you are not being spoofed after driving out of the mall, by the VPN provider for example ?
Threat №4: Regional restrictions
This is not so much a security threat, as it is a nuisance. With your small town license plates they don’t allow you to enter big city limits.
Every IP address can be associated with its presumed geographical location. It’s not always accurate, but most of the time by looking at the IP address you can figure out at least a country where it is placed. Sites of all kinds use this information. Some of them automatically switch to the language of the presumed country, some put up special discounts and quote different prices for visitors from different countries, while some refuse access to content, when you are not from a proper country. The usual suspects are the streaming services, which deny access to videos depending on the country from which you came.
Pretty much all of the big VPN providers have a lot of servers from which you could choose, scattered all over the globe. With a click of a button you could have all your traffic appear to have come from any major country. This way, you can at least in theory get access to any such restricted content.
Threat №5: Everyone knows where you live
Look at the license plate, duh !
This is again not so much a threat, as a privacy concern. As soon as you are not using VPN, every site you visit knows your location from your IP address. And they will keep it on record and openly use for “better targeting” you. Precision with which you could be located varies. It is the least precise when you are using a cellular network — then it’s down to the city. When you are working from home via a residential lease line, your IP can be located down to perhaps a block. And if you are working from your office, chances are it has its own public address and you can be located down to the company.
And I don’t know about you, but I feel more comfortable when YouTube sends me advertisements in a language that I can’t understand.
• • •
Thank you for reading !
In the next part of the article:
6. Problems that VPNs bring
7. VPN for everyday use
8. Which VPN provider to choose
9. Making your own VPN
10. Claims that VPN providers make in their ads