Wait. So you’re telling me that this program will protect all of my internet privacy, I can be anywhere else in the world, and I can watch any show in the world?
– NordVPN advertisement on a sponsored video
This is the quote that caused me to write this article. VPN companies, especially NordVPN, have been using creators to promote their content. It seems to be working. Services like NordVPN and ExpressVPN have built themselves into household names through influencer marketing. However, they almost always make exorbitant claims or straight-up lie. They only seem to tell the truth on tech channels or places where the consumers are knowledgeable about VPNs.
Table of contents
- My Stance on VPNs
- What is a VPN
- VPNs Give SOME Privacy
- VPNs ≠ Security
- Geo-Blocked Content
- How to Improve Privacy and Security
- VPN Marketing is a Lie
- Invest in Privacy
My Stance on VPNs
I should probably start this out by explaining my stance on VPNs. I like VPNs, and I use them often. Currently I use a paid service, though I am considering switching to my own server. In general, I support consumer privacy and security on the internet. However, the marketing for VPNs has gone from dramatized to intentional deception. Furthermore, a VPN may be excessive and a worse value than other security products for the average consumer.
What is a VPN
A virtual private network (VPN) allows traffic to be routed through a specific server. It is popular in businesses so that remote workers can connect to the internal network. Often, these internal networks will have local applications (like SharePoint and Exchange) or separate licensing (like Altium). They also allow IT to add extra security onto corporate devices when they are not in the office.
Why I Use a VPN
VPNs make a lot of sense in a corporate setting. I also use them, ironically for the exact opposite purpose. When I am at school, our network is locked down. This means that many of the systems that I maintain are blocked behind layers of configuration. For the most part, this doesn’t impact students. Some students, myself included, do often have problems accessing information that we need for school. This ranges from RDP connections with a render server to accessing my email through Outlook.
VPNs Give SOME Privacy
VPN companies do not lie when they say that they give privacy. A consumer VPN can let users hide their destination up until the server. Therefore, your network admin and ISP don’t have as much info. They also offer some protections on the other end of the server. It makes sense when you could face repercussions for your internet searches, such as in deeply religious institutions or controlling countries. However, I would argue that most Americans are not in a situation where it matters too much.
Privacy is Complicated
Internet privacy is complicated. IP Addresses and HTTP packets are only a small part of it. Facebook, Google, and Adobe track every click that you take. Hotjar analyzes your viewing habits. Chrome, Edge, and Windows have detailed diagnostic data sent to servers. Many devices and browsers have a unique identifier for advertising. VPNs do not change these.
If I am logged into Google and I make a search, regardless of whether my IP address comes from California or Switzerland, Google will track it to me. Facebook still builds the graph of people that you may know, regardless of your location. Even if I am not logged in, click trackers still can tie info back to me, creating little privacy benefit.
VPNs are not the ultimate solution to privacy. It takes widespread changes to enhance privacy on the internet, and there is no perfect privacy. I have tips on how to enhance your online privacy later in the article. The claim that a VPN solves all internet privacy is outrageous.
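To make the point about tracking concrete, here is an added example (not part of the original article) that correlates requests the way a third-party tracker could. The request records, cookie IDs, account name and IP addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: requests as a third-party tracker embedded on several
# sites would see them. IPs are documentation ranges; all names are made up.
REQUESTS = [
    # (source_ip,      tracker_cookie, logged_in_account,   page)
    ("203.0.113.10",  "uid-7f3a", None,                "news.example/politics"),  # home ISP
    ("198.51.100.77", "uid-7f3a", None,                "shop.example/shoes"),     # VPN exit A
    ("198.51.100.77", "uid-c21d", None,                "news.example/sports"),    # other user, same exit
    ("198.51.100.77", "uid-7f3a", "alice@example.com", "mail.example/inbox"),     # VPN exit A, logged in
    ("192.0.2.45",    "uid-7f3a", None,                "video.example/watch"),    # VPN exit B
]


def profiles_by_cookie(requests):
    """Correlate the way a tracker does: by its own identifier, not by IP."""
    profiles = defaultdict(lambda: {"ips": set(), "accounts": set(), "pages": []})
    for ip, cookie, account, page in requests:
        profile = profiles[cookie]
        profile["ips"].add(ip)
        profile["pages"].append(page)
        if account:
            profile["accounts"].add(account)
    return dict(profiles)


def cookies_by_ip(requests):
    """What an IP-only view sees: a shared VPN exit mixes several users."""
    seen = defaultdict(set)
    for ip, cookie, _account, _page in requests:
        seen[ip].add(cookie)
    return dict(seen)


if __name__ == "__main__":
    for cookie, profile in profiles_by_cookie(REQUESTS).items():
        print(cookie, sorted(profile["ips"]), sorted(profile["accounts"]), profile["pages"])
    print({ip: sorted(c) for ip, c in cookies_by_ip(REQUESTS).items()})
```

The cookie `uid-7f3a` ties all three IP addresses and the one logged-in session to a single profile, while the shared VPN exit address is the weaker identifier because it mixes two different users.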
VPNs ≠ Security
Using a VPN has some security benefits. It is super effective at protecting against an attack where public networks are spoofed. However, a VPN alone does not provide sufficient security for a user. On the scale of attack vectors, VPNs actually prevent or minimize a fairly small number of them.
Many attacks begin with an email that contains a malicious attachment. A VPN does not protect against the vast majority of these attacks. Another common attack is stealing passwords from a server. Again, VPNs have no effect on these types of attacks. While VPNs can help mitigate risks on certain types of attacks, they are not the be-all-end-all solution like the companies claim. I have some suggestions on better security later in the post.
Geo-Blocked Content
This is not a problem with false marketing, but rather immoral marketing. I do not support attempts to violate copyright and content licensing laws. VPNs make a huge deal about the fact that you can bypass geo-blocked content. Among people that I know, this is one of the most common use cases for a personal VPN.
There are some legitimate uses for a VPN. If you live in a country with a restricted internet, VPNs can be a valuable tool to get access to international information. However, I tend to suggest using TOR or TOR over VPN instead of a standard consumer-grade VPN because it is much more secure and less likely to be identified by government censors.
While there are legitimate uses, when VPN companies market to Americans, they advertise piracy. The quote at the beginning of this article makes that clear. Piracy is a crime. I find it morally reprehensible to sell a product on the basis that you can easily commit crimes with it. When a person uses a VPN to access geo-blocked content, they are committing piracy.
A great example of this is BBC content. UK citizens get free access to iPlayer because it is paid through their taxes. Lots of BBC content is distributed internationally through a paywall or local distributor. I, as a US citizen, am not paying the tax for the BBC. Is it fair for me to use a VPN to pretend to be in the UK and access iPlayer?
I would argue not. I am getting something for free that other people have to pay for through taxes or a paywall. The BBC is losing potential revenue because of me. Even worse, movies and TV shows are not cheap to make. So when I watch for free, I am stealing an expensive product.
How to Improve Privacy and Security
Now that you know that VPNs aren’t the ultimate solution, you probably are wondering what works better. I have a set of tools that help me maintain privacy and security.
Countries to Avoid
Some countries have laws that make it difficult to impossible to have security and privacy. If you care about security and privacy, I would recommend that you avoid these countries.
The Five Eyes are a set of countries that have agreements with each other for spying on citizens in the other countries. It is a way to circumvent domestic surveillance laws. These countries are:
- Australia (Encryption Banned)
- New Zealand
- United Kingdom
- United States
An extension of the Five Eyes, these countries also have mass surveillance agreements.
An extension of the Nine Eyes, these countries also have mass surveillance agreements.
While these countries are some of the most famous countries to have mass-surveillance treaties, there are other countries that have concerning policies. A large component of this is personal judgment. If a country bans VPNs or has domestic surveillance laws, I would suggest avoiding them. Key disclosure laws are a good place to look as well, and a list has been compiled of some countries with key disclosure laws.
I mentioned it before, but TOR (The Onion Router) is widely considered to be one of the best tools for privacy and security on the internet. I use it often, and I always bring it on a USB stick with me, wherever I go. It was developed by the US Government for secure communication in other countries. The way that it works is that data is encrypted and sent between multiple servers. This means that no server knows both the origin and destination.
TOR has widely been considered to be one of the best methods for connecting in a secure manner, especially in restricted countries. Journalists often use it, even in countries without a free press. If you need secure networking, it is one of your best options.
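The layering described above can be sketched in a few lines. This is an added example, not code from the original article or from the Tor Project; the cipher is a toy stand-in, and the relay names, keys and destination are constructed assumptions (real circuits negotiate a fresh key with each relay).

```python
import hashlib
import json


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy cipher for illustration only;
    it is not Tor's cryptography and must not be used to protect real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(route, destination, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost layer first (the exit's)."""
    hops = [name for name, _key in route] + [destination]
    onion = payload
    for i in reversed(range(len(route))):
        layer = json.dumps({"next": hops[i + 1], "data": onion.hex()}).encode()
        onion = toy_cipher(route[i][1], layer)
    return onion


def peel(key: bytes, onion: bytes):
    """Relay: remove exactly one layer, learning only the next hop."""
    layer = json.loads(toy_cipher(key, onion))
    return layer["next"], bytes.fromhex(layer["data"])


def simulate(client, route, destination, payload: bytes):
    """Pass the onion along the route; record what each relay could observe."""
    onion, previous, observed = wrap(route, destination, payload), client, {}
    for name, key in route:
        next_hop, onion = peel(key, onion)
        observed[name] = {"from": previous, "to": next_hop}
        previous = name
    return observed, onion


# Constructed route and keys (assumption: one shared key per relay).
ROUTE = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    observed, delivered = simulate("client", ROUTE, "site.example", b"GET / HTTP/1.1")
    for relay, view in observed.items():
        print(relay, view)
    print(delivered)
```

The guard sees the client but not the destination, and the exit sees the destination (and the payload, unless it is separately protected by HTTPS) but not the client.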
ProtonMail and ProtonVPN
Proton Technologies AG is a Swiss company that specializes in secure and private software. They have an email service and a VPN. If you need a VPN, I would recommend them. My experience with them has been very positive. It also has VPN over TOR and Secure Core, both of which help people in restricted countries access the global internet.
I am a huge fan of their email service as well. It offers much more protection than Google or Exchange offer. It is very well-respected in the security world, and is a great option if you want to move away from privacy-violating services.
One of the things that annoyed me so much about the NordVPN ad is that it said that it helped protect your password and bank account. It only does that in a very specific situation.
The most common attack on accounts happens when a database is hacked. Then, the attackers have a username and password. Once they have those, they can try other services to see if they can abuse your account. The only reason why this works is because
If you want to protect them as much as possible, you should have a password manager. I use LastPass Premium, which I could not be happier with. It lets me generate random passwords and automatically saves them. I can also log in easily with only a couple of clicks.
LastPass stores more than just passwords. You can have everything from SSH keys and database passwords to government IDs in LastPass. It is an awesome solution to keeping your passwords and information safe.
Browsers like Chrome, Edge, and Yandex Browser are notorious for playing a huge role in privacy violations. Not only do websites track users, but some also have personal information sent to external servers. This usually is detailed diagnostic information or a unique identifier.
Brave fixes many of these problems. The built-in ad blocker and tracking protector help reduce the tracking of your information across the internet. It doesn’t send large amounts of personal info to their servers, and is often recommended by privacy advocates. Best of all, it is based on the open source version of Chrome, so Brave will work with most sites that you use.
Authy is a mobile app that helps you add an extra layer of protection to your accounts. A common comment in data security is that you need something that you know, have, and are. What you know is your password. Authy helps you with the have aspect.
It displays a code on your phone that you can use as a second layer of protection when logging in. The code changes on a regular basis, so it can’t easily be hacked. The best part about Authy is that it works with many websites.
Authy is great, but there is nothing like a YubiKey. A YubiKey is a 2FA key (like a USB drive) that you can use to log in to certain accounts. I use mine with Google, GitHub, Facebook, Windows Hello, and more. It is easy to use and super convenient, while offering amazing levels of security. According to a customer testimonial, Google has not experienced any account takeovers since they implemented YubiKeys.
Remember that good security needs something that you know, have, and are. Well, Yubico is working on a new YubiKey that uses fingerprint authentication. This means that all three aspects of security are addressed. While it is not available yet, I think that it will be a huge benefit for security, and likely a worthwhile investment.
VPN Marketing is a Lie
VPN companies base their marketing on the claim that their product provides absolute privacy and security. While a VPN offers some benefits, the companies have exaggerated them to the point of lying. VPNs can be a valuable tool, but in order to be safe and secure, you need an arsenal of tools.
What Should They Do?
In my opinion, VPN companies should represent themselves in a more accurate manner. They should say that they provide added security and privacy, not “all” privacy and security. Furthermore, I wish that they would place less emphasis on the ability to circumvent copyright, since I find it immoral. They do seem like a good opportunity to partner with other privacy-oriented and security-oriented companies to sell a wider suite of products.
I do not like false advertising, and they are using influencers to falsely advertise. They should give their influencers guidelines to accurately represent the value of VPNs, or not use influencers at all. You need to trust your VPN company, and many influencers do not understand cybersecurity well enough to evaluate them personally.
My biggest concern is that it causes people to not implement better security and it encourages illegal behavior. If you believe that a VPN will cause nobody to ever be able to get your password or bank account info, then you don’t need a password manager. However, a VPN only protects against a small subset of attack vectors, while a password manager helps with a much larger variety. When it comes to the other main claim with geo-blocked content, it is a nicely phrased way to say violate copyright laws. The marketing creates an unhealthy and false sense of security, and I therefore find it indefensible.
What Should the Government Do?
Most influencer ads that I have seen for VPNs are sponsored content by creators in the USA, Canada, or UK. However, most VPNs are not from these countries, and I would not recommend using a VPN from a Five Eyes country. This creates an interesting legal situation.
Many VPNs are incorporated in countries like Panama (NordVPN), BVI (ExpressVPN), and Switzerland (ProtonVPN). Many of these countries, especially Panama and BVI, have greater problems than influencer marketing. Neither the United States nor other governments should infringe on the sovereignty of these countries.
For this reason, I think that the US, UK, and Canada should directly regulate how these VPNs market. However, if these VPNs are paying citizens of these countries for sponsored content, then the sponsorship claims should be regulated by the FTC. Making claims that VPNs keep all snoopers away or protect all privacy should not be allowed.
The one flaw with this system is that it puts a lot of responsibility on the influencers. The FTC should not sue these people into oblivion. But even if the FTC only held one influencer responsible for the amount of sponsorship from one video, it would create change. “VPN influencer faces FTC complaint” would be a headline on every news outlet in the country. People would be concerned to work with sketchy VPN companies. The companies would then be forced to change their marketing.
Invest in Privacy
Privacy is worth different amounts to different people. Private software is almost always not free. I fully support people investing in online privacy and security, and my privacy is worth a lot to me. However, I don’t think that a VPN is the right investment for most people.
I would start with LastPass, followed by a YubiKey. These help protect you against some of the more common attacks, where passwords are repeated. After that point, it is more up to you. Some people may value the anti geo-restricted content benefits of a VPN. Honestly, I am a big believer that some of the most important info that someone has is their email, so I would suggest that people take a look at ProtonMail or the ProtonMail/ProtonVPN bundle instead of just a VPN.
If you are more of a technical person, self-hosting can be a great alternative to many services, since you have control over the privacy and security. You could deploy Mail-in-a-Box, Nextcloud, and WireGuard fairly easily on a decent VPS (again avoiding the Five Eyes) or a Kubernetes cluster at an inexpensive rate. It does take work, so I would not suggest that you do this unless you are willing to put in the time and have Linux experience.
There are two videos from creators that I respect about VPNs. I highly recommend you check them out.