To VPN or not to VPN?
TL;DR: skip to the conclusions to see what Alice learned.
The Privacy Problem
Alice and Bob recently met Mallory, who works at the cable company providing internet access to the neighbourhood. Mallory is a stereotypical member of the IT crowd. Empathy like a stone. The social skills of a toddler. An obsession with fixing everything by turning it off and on again. It can’t be said that he’s boring, but it is not safe to drive after listening to him for too long.
When Mallory saw Alice for the first time, his world lit up. Of course, he’d seen women before. Gigabytes of them, in fact. But when Alice smiled at him, she stuck a safety pin in his heart. Strangely enough, even computer scientists have a capacity to love another human being. Not all humans, however, have the emotional sophistication to deal with rejection.
The position of Alice’s significant other was already taken. Bob bragged about it all over social media, posting romantic pictures of them taking moonlit walks on the beach. Mallory tried to persuade Alice to replace Bob with him by posting weird long rants under said pictures. He also exhibited borderline stalking behaviour by showing up unannounced at random places and trying to be nice. He managed to turn her off, but was unable to turn her on.
Alice and Bob decided to change their social media privacy settings, but would it be enough? The broken-hearted sysadmin works at their local Internet Service Provider (ISP). He has advanced technical skills and a strong motivation to meddle. So, how could Alice and Bob organize their browsing to keep Mallory from intercepting, reading or modifying their web traffic?
Why You May Need VPN
ISPs (Internet Service Providers) have the ability to observe and manipulate all of your network traffic – when it’s not encrypted. TLS-protected connections (those for which a padlock appears next to the address bar) are designed for security more than privacy. TLS stands for Transport Layer Security. This is an end-to-end encryption protocol that we’ll explain in more details in the forthcoming episode. TLS will encrypt your traffic, but it will not hide the IP address of the web servers you are browsing. In some cases, that isn’t a problem. An eavesdropper will know that you’ve been on YouTube for three hours, but they won’t know exactly what you’ve been watching. But if you (hypothetically) spent three hours on a porn site, that fact alone is likely revealing too much.
Of course, under normal circumstances ISP employees have better things to do than to spy on their clients. But Alice and Bob’s circumstances were not normal. Alice assumed that Mallory could even follow her to the coffee shop she frequented and broadcast a rogue wifi network pretending to belong to said café in order to intercept and inspect her network traffic.
What The VPN Does
A classical solution to an untrusted ISP is a Virtual Private Network (VPN). A VPN provides an encrypted tunnel between your computer and a network that you trust. This is how people can safely work from home while using their company network just as if they were connected to it physically. The same technology is used by police in the field to connect to criminal databases.
There are commercial VPN products that offer a similar service. A VPN connection guarantees that your ISP is only able to see how much data is being sent between your computer and the VPN network, and when it’s being sent, but nothing beyond that. Also, when your connection leaves the VPN network, your private IP address is replaced with the IP of the VPN proxy. Therefore sites you visit see you as “someone using a particular VPN,” and not someone with a particular IP address. An IP address is considered private data by GDPR, as it can uniquely identify a person and their geographical location.
VPN Is Not A Silver Bullet
It is worth noting that anonymity from web sites is a much bigger problem. VPNs can help hide your IP address, but nothing beyond that. There are many other ways to be identified online, but that’s a story for another time. Right now we’re only concerned with protecting our lovely couple from an inquisitive ISP employee.
A VPN is the best way to deal with the untrusted ISPs, but most of the time you’ll have to pay for it. There are free VPN services (e.g. Opera has free in-browser VPN service), that will give you additional privacy as well. You also need to be careful while travelling. In some countries using VPNs that aren’t approved by the local authorities is illegal.
It is important to understand that a VPN is not a silver bullet. It is just a technology that allows you to choose the networks that you trust more to hide your traffic from the networks that you trust less.
- Your online activity can be seen by ISPs (the institutions whose networks you are connecting to). This could be your employer, school, cafes, airports, hotels, municipalities, cell phone companies, broadband providers, etc.
- A VPN hides your traffic from said ISPs. The only thing ISPs see is which specific VPN you are using, as well as when and how much data is being transmitted. If you feel your ISP isn’t trustworthy, go with a VPN.
- A VPN lets you hide your IP from websites. They only see the VPN’s IP, rather than yours. However, websites have other means of recognizing you.
- A VPN only encrypts the traffic between your computer and the VPN system, but beyond that you need TLS. In other words, a VPN protects your data from being seen by your local ISPs, but not from the ISPs of the websites you are visiting.
- Opera’s in-browser VPN is free: please note that it covers solely the traffic happening in the Opera browser.
What happened next? Did Mallory mend his broken heart? Maybe he tried to play the cello under Alice’s window? Did he figure out another way to spy on her? Or did he perhaps decide to target Bob instead?
Stay tuned for the next episode to find out.