 VPN Mistakes to Avoid

VPNs are a great tool for privacy, but they are often misunderstood and misused. Sometimes people believe that they are getting more privacy or anonymity than they actually are. Other times, a user’s goals are achievable, but were not executed correctly.


Who sees traffic?

First of all, there are many different participants who can view different types of information about what you’re doing online. These include, but are not limited to:

1) Your Internet Service Provider (ISP)

2) The website itself

3) The government

4) Microsoft or Apple (unless you’re on Linux)

5) Google if it’s an Android phone or you’re using Chrome Browser

6) Search engines

7) Cross-site cookies from companies such as Facebook, Google, Twitter, Amazon, and more, which can track you even on a different website.

8) Your router manufacturer, unless you specifically put open source firmware on it

9) Database brokers, such as Oracle, which get contracted to fingerprint your device by some websites and services and then resell that data to advertisers

10) Browser Add-ons may report data back

11) Your DNS (Domain Name System) provider. Often your ISP will pass this off to Cloudflare or Google

12) Many websites use Denial of Service (DoS) protection from Cloudflare and CAPTCHAs from Google. These can be sources of tracking.

13) Companies such as Silverpush use ultrasonic sounds, which are inaudible to the human ear, that are emitted from your desktop computer’s speakers and picked up by your smartphone, to track you across devices.

So now let’s talk about what a VPN does and does not hide (and what other techniques can be used to help).

______________

VPN Basics

A VPN forms an encrypted tunnel between you and the VPN company. Whatever you do then goes out from the IP address of the VPN company.

A VPN does hide the following:

1) Your IP address from the website

2) Your traffic from the ISP

3) If properly configured, the VPN should have its own DNS, which will also hide your traffic from the DNS provider that the ISP uses, such as Cloudflare

______________

A VPN does NOT hide the following:

1) Your traffic and your true location (IP address) from the operating system’s company (e.g., Microsoft, Apple, or Google on phones)

2) Any type of cross site cookie tracking, such as Facebook

3) Any type of browser fingerprinting from the website or from its third party database broker, such as Oracle. Fingerprinting data include your timezone, your screen dimensions, and operating system version.

4) The government forcing a VPN company to track you in real time

How to Mitigate these issues

Now the cookies issue can be solved by properly modifying your browser settings (and using a good browser).

We covered this in this article.

The browser fingerprinting issue can be solved by Virtual Machines, which we covered in this article.

The operating system issue can be solved by using Linux or degoogled phones. We covered how Linux works in this article. But if you insist on using Microsoft Windows or Apple, then a VPN on the router (instead of the computer itself) could help in some ways, such as hiding your real location.

______________

VPN on a Router

Putting a VPN on a router (instead of the computer itself) hides your IP address (and thus your real location) from Microsoft/Apple. But they can still see the traffic.

Now in theory if you never sign in to any account associated with your real name or known nicknames on that device, then it could potentially hide your identity. But in practice, this is highly prone to mistakes in execution, and it’s far better to just use Linux, using Windows or Apple only for specific software you need Windows or Apple for.

Also, putting a VPN on most retail routers will slow down the internet connection, since a router has less processing power than a real PC CPU. However, there are more expensive ($500+) firewall routers that can match a computer’s speed because they have real CPU chips inside.

No Logs?

Now let’s talk about logs. Most VPN companies advertise a no logs policy.

This may or may not be true in practice. One can evaluate how the logs policy compares to their other policies.

For example does the company accept cryptocurrency? If the traffic data is tied to your real world financial identity, then the company is clearly less committed to keeping you anonymous.

Also, free VPNs that don’t cost anything to use should be avoided. They have no profit motive to protect you and usually store and sell data. Why else would they want you to use the service for free?

Not only should you only go with VPN providers who accept cryptocurrency, but also make sure they allow sign-ups through Tor. Do they process payments themselves or use a third party like Coinbase, which blocks Tor?

Even though you may not use Tor to connect to the VPN, you want to see that they allow customers to actually be anonymous while in compliance with their legal department. This makes it much more likely that their legal structure is set up to resist third-party attempts to de-anonymize users, because if the customer used Tor and cryptocurrency, then the company can’t identify them.

What is the legal history of this VPN company? All of these factors can help you evaluate if you should believe their logging policy.

I hope you learned something. Subscribe on Nostr for more content!