
VPN is not your saviour


The topic of VPNs often comes up when we speak to people about secure online practices. A lot of people know about, and often use, VPNs at work and at home, but there is a widespread misunderstanding of what exactly a VPN does for your online security and privacy. This post defines what a VPN is in simple terms, looks at what security and privacy it actually provides, and finally looks at some of the risks that come with using one.

⚠️
This is a high-level non-technical description of VPNs. If you're looking for a technical explanation this is not the writeup you're looking for.

What is a VPN?

VPN stands for "Virtual Private Network", but expanding the acronym doesn't explain much about what a VPN actually does. To put it simply, when you use a VPN you establish an encrypted connection (a "tunnel") between your device and a VPN server. Once that tunnel is up, your internet traffic flows through it to the VPN server, which decrypts it and forwards it on to its real destination. Let's consider a user browsing the internet before and after turning on a VPN.

Before

The "before VPN" scenario is the default behaviour. When browsing the internet without a VPN, your device sends requests via your internet service provider (ISP) directly to servers on the internet, such as web servers, email servers and a whole range of other services. Those servers then respond with the content that was requested.

Traffic between your device and those servers may or may not be encrypted; that is up to the server and the client. These days, though, most internet traffic is encrypted between you and the server. You've probably been told to use HTTPS rather than HTTP: the S stands for "secure" and means the content of your traffic is encrypted. Note the word content: the networks in between still see which server you are talking to, they just can't read what you say to it.

After

Now what does this look like when we turn on our VPN? As mentioned, we establish an encrypted connection between your device and the VPN server, and all subsequent traffic flows through that connection. The VPN server decrypts it and sends it on to the destination server, so from the VPN server onwards your traffic looks exactly as it did in the "before" picture: HTTPS if the site uses HTTPS, plain text if it doesn't.

If at this point you are starting to question the magical protections your VPN provides, you're not wrong. But before we get too cynical let's look at some of the benefits this setup has for you.

How does a VPN protect me?

Untrusted Local Networks

An "untrusted network" is any network whose operator and other users you can't vouch for, most commonly public Wi-Fi in airports, hotels or cafes. When you are connected to an untrusted network your traffic is at risk of being monitored. At a minimum the network operator (or anyone else on that Wi-Fi) can see which services you are connecting to, and at worst they can read your communication. The risk of the second, content-level snooping is much lower these days because most modern web services use encryption (HTTPS) to protect your data; the first, seeing where you connect, is still there even with HTTPS.

So by turning on your VPN, your traffic on that untrusted network is wrapped in the encrypted channel between you and the VPN server. The local network now sees only an encrypted stream to a single address (the VPN server) and learns neither where you are really connecting nor what you are sending.

Partial Anonymity

VPNs also help you be less identifiable online. When you browse the internet without a VPN, every service you interact with learns your online location (your IP address). Think of it like caller ID: when a server receives your request it also receives your ID, which A) gives an approximate location of where you are in the world and B) can be associated with any accounts or identities you are using.

By using a VPN your online location is hidden from the online services - all your traffic appears to be coming from the VPN server (not your home network).

Prevent Passive Surveillance

To access the internet you have to use an internet service provider or telecommunications provider (telco). All your internet traffic passes through the telco's equipment, and any information that is not encrypted on those links can be collected and viewed. Your telco might do this for a variety of reasons, including to "improve services" or because a warrant has been issued for your data. With a VPN up, the telco sees only an encrypted stream to the VPN server's address; the destinations and content are hidden from it (and, as discussed under the risks below, visible to the VPN provider instead).

Depending on your jurisdiction your service provider might be required to collect and retain certain data about you. In Australia, your "metadata" is required to be stored by your ISP for 2 years even after your contract with them has ended.

Access to Private Network

Your workplace will often have a VPN for staff to use from their corporate devices (i.e. your work laptop). Using the corporate VPN is often required to access certain applications or internal company web pages. Your organisation is using the VPN as a gateway into its private network.

As mentioned earlier, when you connect to a VPN you are establishing an encrypted connection to a VPN server. For a personal VPN that server is run by a commercial VPN provider (e.g. Proton VPN, IPA, Nord etc). A corporate VPN is one managed by your organisation and hosted on your organisation's infrastructure.

In the corporate VPN scenario all your traffic now flows through your company's VPN server and infrastructure. All your traffic therefore appears to come from the corporate VPN server, from inside the company network, and that is how you are able to reach internal services.

Is that it?

Yep, that's it. But what about all the security? To clear the air, let's first get a few questions out of the way:

  • Does a VPN protect me from viruses? No.
  • Does a VPN help prevent phishing attacks? No.
  • Does a VPN make me anonymous online? No.

As I hope you can now see, a VPN by itself doesn't provide that much protection. Some VPN providers do bolt on extras such as blocking known malicious websites, and using a corporate VPN brings you under the other security controls your company runs, but a VPN in itself does not offer much beyond the tunnel described above.

The Risks

Like everything, VPNs and VPN providers are not immune to cyber attacks, and there is always the risk that the service or the protocol is exploited or circumvented by malicious actors. For this section, though, we will consider the risks that remain when the VPN is operating exactly as intended.

A false sense of security

The layer of abstraction can give people a false sense of security when using a VPN: our IP address and location on the internet are hidden, so surely we can browse freely. This is far from the truth. Most of the services we use online track us in multiple ways, and we are often willingly allowing that tracking. For example, if you are logged into your Google account you are tracked regardless of your IP address; and hiding your IP address only helps if you never once logged into that account without the VPN. So we should assume that even with a VPN, if we use the internet as normal, we are trackable.

Trusting your VPN provider

A VPN does not remove the need to trust someone; it moves that trust from your ISP to your VPN provider. As you know by now, when you use a VPN your traffic goes through a VPN server usually owned and managed by someone else, and who that is greatly affects the security of your VPN. Different providers have different policies on data retention and logging. Simply put, the VPN provider sees your real IP address and every destination you connect to, which is exactly what your ISP could see before.

What about the corporate VPN? Your corporate VPN is great for protecting your business-related activity and giving you access to company resources, but it is not there to protect your personal online activity. Remember, all your traffic flows through your employer's network, and your employer would be able to see all of it.

No longer a needle in a haystack

If we assume most people do not use a VPN, then by using one you may no longer blend into the large sea of ordinary internet traffic. For example, if a specific VPN is known to be used by criminals it may be heavily monitored, in contrast to your personal IP address. That monitoring might be passive, via a warrant issued to the VPN provider, or via a warrant to the telco that provides the infrastructure the VPN provider runs on.

What should you do?

Whether you use a personal VPN or not really depends on your risk appetite and privacy concerns.

A VPN is just another tool in the arsenal for protecting yourself online. For some, a robust VPN is essential to protecting themselves; for others it's a nice-to-have feature that provides a level of abstraction and partial anonymity online. Where you fit on that spectrum depends on your risk profile and online habits.

What do I do?

I use an always-on VPN on both my mobile device and my workstation. I choose to use Proton VPN because of their focus on privacy protections, including a strict no-logs policy, open source applications, and hosting in Switzerland, which does not require them to retain data and is not part of foreign intelligence coalitions such as the 5-eyes.

I use my VPN to make identification of who I am harder for companies online and prevent the collection and storage of my traffic by my service provider here in Australia. While service providers are not obligated to retain the "content" of my traffic, they can. I also personally find it hard to imagine that service providers built systems to parse and redact content to comply with this legislation when it was enforced - it would have been much simpler to store the data as it is especially since there is no requirement to minimise the data.

Conclusion

As you can see, a VPN provides some important protections, but only within a very limited scope. It is important to understand those limits: if you want more protection, you can't simply rely on your VPN.

Need more guidance on securing your online environment? Learn more about our consulting services.