No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.
Note: The content in this post does not apply to using a VPN for its intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.
- A Russian translation of this article can be found here, contributed by Timur Demin.
- A Turkish translation can be found here, contributed by agyild.
- There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.
Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.
There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.
And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.
I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.
Doesn't matter. You're still connecting to their service from your own IP, and they can log that.
VPNs don't provide security. They are just a glorified proxy.
VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).
Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.
When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.
Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.
Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.
There are roughly two use cases where you might want to use a VPN:
- You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
- You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.
In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.
However, in practice, just don't use a VPN provider at all, even for these cases.
If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.
Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.
So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.
This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.
Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.
If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.
@nukeop Your ISP knows your IP address. The site you go to knows your IP address or the IP of the server you're proxying through. Those are the only two parties that could normally track you by IP address. And neither does.
This is because your IP address is useless garbage information in the current internet structure. Clients have dynamic IP addresses, v4 uses NAT to combat the limited address space, meaning you can only identify a home or place of business at best, and IPv6 is currently poorly managed. Hell, my ISP gives me my own range of IPv6 addresses and somehow I still can't retain the addresses themselves. If a machine loses connection, or I lose internet connection, it's back to the drawing board and trying to set static addresses will just screw things up worse. Likely so they can sell a business plan that costs 10 times as much.
Servers often host multiple sites on one address, even sites owned by different people. So IP addresses are virtually useless for determining what site you connected to as well.
ISPs look for DNS requests and unencrypted client hello messages. They also source records from popular DNS providers. They also know if you're using a popular proxy service like NordVPN, and often are buying data from data brokers that own these proxy services.
That hello message, by the way, can still lead the people snooping between your proxy and the site back to you, to know you visited it. It's not as easy as if it came directly from you, but it still works.
Then there's the endpoint you're connecting to. They make a fingerprint of your browser, try to install cookies in your browser, and employ many other tricks to track you not only on their site but across sites and apps. Your IP address is not involved in that process.
Finally, a man in the middle cannot get the contents of your communication with the site. From the time you're done saying hello, to the time the encrypted connection is closed for good, an observer would need your private key and the site's private key to know what the hell you two are saying to each other. It's like listening to dialup. Just like how you'd need a demodulator to listen in on a dialup connection (even one that isn't encrypted), and without one you just hear noise, an observer cannot make heads or tails of a TLS connection.
With a private DNS server, either on your local network or over DoT/DoH, and a browser that will let you use ECH with a private server, nobody knows who connected to what site except you and the other party. And if you're worried about the site tracking you, don't worry, they already are, even if you don't have an IP address at all. It doesn't matter if you're communicating over TCP/IP or carrier pigeon. There's no turnkey solution to stop them tracking you. You have to use your brain, reject all conveniences, and leave your identity at the door. Only static webpages with JS disabled and cookies rejected for you, as well as a predetermined canvas size that makes you look like all the Tor Browser users out there.