No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.
Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.
- A Russian translation of this article can be found here, contributed by Timur Demin.
- A Turkish translation can be found here, contributed by agyild.
- There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.
Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.
There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.
And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.
I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.
Doesn't matter. You're still connecting to their service from your own IP, and they can log that.
VPNs don't provide security. They are just a glorified proxy.
VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).
Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.
When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.
Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.
Marketers will almost always use some other kind of metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.
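The point above in code form, as an added example that is not part of the original article: a tracker that keys on browser attributes instead of the IP address still links the same device before and after it moves to a VPN exit, while the IP alone both merges and splits users. All records, field names and addresses are constructed sample data (documentation IP ranges), and the four attributes are a simplified stand-in for a real fingerprinting profile.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: what a tracking endpoint could log per request.
# "device" is ground truth, used only to check the grouping results.
CGNAT_EXIT = "198.51.100.7"   # one public IP shared by many subscribers
VPN_EXIT = "203.0.113.50"     # one VPN exit shared by many customers
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"

def req(device, ip, ua, lang, screen, tz):
    return {"device": device, "ip": ip, "ua": ua, "lang": lang,
            "screen": screen, "tz": tz}

REQUESTS = [
    req("A", CGNAT_EXIT, FIREFOX, "nl-NL", "2560x1440", "Europe/Amsterdam"),
    req("B", CGNAT_EXIT, CHROME, "en-GB", "1920x1080", "Europe/Amsterdam"),
    req("A", VPN_EXIT, FIREFOX, "nl-NL", "2560x1440", "Europe/Amsterdam"),
    req("C", VPN_EXIT, CHROME, "de-DE", "1366x768", "Europe/Berlin"),
]

FP_FIELDS = ("ua", "lang", "screen", "tz")  # the IP is deliberately not used

def fingerprint(r):
    """Hash of browser-supplied attributes; unchanged by switching networks."""
    material = "\x1f".join(r[f] for f in FP_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def devices_per_key(requests, key):
    """Group the real devices by whatever identifier the tracker keys on."""
    groups = defaultdict(set)
    for r in requests:
        groups[key(r)].add(r["device"])
    return dict(groups)

def ips_per_fingerprint(requests):
    """Which source IPs each fingerprint has been seen from."""
    groups = defaultdict(set)
    for r in requests:
        groups[fingerprint(r)].add(r["ip"])
    return dict(groups)

if __name__ == "__main__":
    print("by IP:         ", devices_per_key(REQUESTS, lambda r: r["ip"]))
    print("by fingerprint:", devices_per_key(REQUESTS, fingerprint))
    print("IPs per fingerprint:", ips_per_fingerprint(REQUESTS))
```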
There are roughly two use cases where you might want to use a VPN:
- You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
- You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.
In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.
However, in practice, just don't use a VPN provider at all, even for these cases.
If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
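If you do run your own WireGuard server, the client's `AllowedIPs` setting decides which destinations are routed through the tunnel. The check below is an added example, not part of the original article: it reads a wg-quick style client config and reports whether it sends all traffic through the tunnel or only specific prefixes. The configs, key placeholders and the hostname `vps.example.net` are constructed.

```python
import ipaddress

# Constructed wg-quick client configs; keys and endpoint are placeholders.
HEADER = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vps.example.net:51820
"""
FULL_TUNNEL = HEADER + "AllowedIPs = 0.0.0.0/0, ::/0\n"
HALVES_TRICK = HEADER + "AllowedIPs = 0.0.0.0/1, 128.0.0.0/1\n"
SPLIT_TUNNEL = HEADER + "AllowedIPs = 192.0.2.0/24  # only this service\n"

def allowed_networks(config_text):
    """Return every AllowedIPs prefix found in the [Peer] sections."""
    nets, section = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def covers_everything(nets, version):
    """True if the prefixes of this IP version add up to the default route."""
    merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return any(n.prefixlen == 0 for n in merged)

def audit(config_text):
    nets = allowed_networks(config_text)
    return {"ipv4_all_traffic": covers_everything(nets, 4),
            "ipv6_all_traffic": covers_everything(nets, 6),
            "prefixes": [str(n) for n in nets]}

if __name__ == "__main__":
    for name, cfg in [("full", FULL_TUNNEL), ("halves", HALVES_TRICK),
                      ("split", SPLIT_TUNNEL)]:
        print(name, audit(cfg))
```

The `0.0.0.0/1, 128.0.0.0/1` pair is caught as well, since the two halves together cover the same address space as a default route.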
A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.
Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.
So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.
This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.
Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.
If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.
It's not to trust VPNs for sure. It's a tool to tunnel through blocked gateways. Not all is guaranteed however so.
Certainly corps would not accept VPN access through their domains. It's always about identifying the user with their accounts by their true location via their recorded IP ADDRESSES in their registration with them. Any other change that diverts from what was recorded and the user gets 'questioned' before acceptance. Any server connected IP tunnels recorded/registered to be false or deceptive would easily be blocked.
It's not something of an unknown that these are some of the security measures they take to ensure users connect the 'right way'. CGNAT and whatnot... they all started from IP adds. Then they developed 'fingerprints'. Excuse me, your 'fingerprints' come from the codes used from your device programs. Your device has addresses. Though you may think it's no more important, that IS the basic identification to begin with still.
However, an experienced user will know better what, how, why, when and where to use a VPN, so it could give a less punishing deal to mole about. (I said "less".)
A little debate over the statements:
Why should one worry about traffic when they don't have a website? Not everyone has to survey their own traffic. That's an overreaction and biased look to say VPNs can't encrypt your traffic. That's only for those who want it done. That's a business want. Users will need to know what they could get before jumping in to something they're not sure what could be offered. That's their risk but is not from everyone's needs that describe here what bad VPNs give instead.
For godsakes, it's not trackers as people who want to identify you right away. They have the machine for their work. They're called programs. People only want to track you when you have information they need and then they use the programs they have. So if you have less valuables to share out in the open, do you need to worry about trackers?
Why buy or subscribe to VPN premiums when you could choose the free ones? (knowing first how you fare in terms of what valuables you have with you in your system and knowing how destructible the VPN you chose is.)
Which VPN you choose is by your own risk. How you keep monitor of the processes for personal security purposes within your system or device is on your skill and knowledge when you use VPNs. What you use the VPNs for is also up to you. If you could bear with offering your data over for perhaps sale to another party, you should at first also know how secure your system is or how well you could maintain your focus over any suspicious processes within and as well as knowing how secure your personal data is from being read by outsiders. Also, you need to know why you intend to offer them your data and what benefit you may receive by doing so. Without those precautionary know hows, of course you'd be opening yourself to fall victim in various ways.
Why should beginners find a reason to use VPNs? Because they just read stuff over the internet or through their friends and thought it was just cool to use?
No. You'll find that those who learned what a VPN is and uses it, has that reason to dwell into it further and balance the risks before taking the step to engage. If a wayward beginner were to just hop into VPNs, there'd be no safety and there'd be no proper reason for them to use it either.
Sound childish for a layman's explanation?
Now, back to WHY VPN to me.
Because there is such a tool that gives us enough freedom these days. I don't have to talk about what was from the past because the past was where I learned lessons too to eventually land into HAVE to use VPNs now.
Because we can't just keep saying we should trust some company, some providers and such with our data for a long time. If you're like of my age, you'd know how those companies were before when you surfed. They were bad. They're 'professionally' bad this time. There's no space for them to brainwash me into trusting them for one. They've paid huge fines for breaching rules on privacy policies. Yet they're still huge. I'm not one to keep up with their 'legacies' even.
Why should I keep supporting them when they start fixing up walls when I refuse to provide them my data by force? Why should I allow them to monopolize the internet by owning our data? Why should I help them eliminate their competition?
Because I weighed the risks taken and did tests over various VPNs to see how efficient and professional each were before acceptance. So you see, I took the exact but basic precautionary measures corps take against users to attain some freedom.
Because the internet hasn't much thrills as before. It has become less to communicate than viewing ads, more products on sale, more useless past documents, there's just way too much of unnecessaries, worthless points that required your verification/authentication/identification and you're told to be just gated at one location and do your stuff on your seat. That's not for me. I want to open more doors and be accepted too when I throw out no harm to another system/user.
Because the sole purpose of the Internet was for communication. Not businesses. If it was business thrown out on me, it will be another door I show them out.