I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."
But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".
I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.
- protecting your privacy from your local ISP, WiFi, school, government etc
- protecting your privacy from some forms of online tracking
- circumventing censorship
- circumventing geographical restrictions
If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.
(disclosure: I'm one of the deeply silly cofounders of Mullvad)
Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).
Why? In almost all countries ISPs are at the very least legally required to block websites and even surveil their customers. I trust Mullvad about 100 times more than any ISP beholden to governments and profit incentive.
1) I like Canadian shows on Netflix more than American
2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
VPNs work. I never got another single nasty letter from Suddenstink.
A few months back, I sat down for a week with a free trial of an obscure webapp, downloaded all of their data and formatted it into JSON via the JavaScript console, and pirated my first webapp. Since it's not making XHR calls constantly, it's even snappier than the official one. I'm inventing new piracy methodology. Some of us are more dedicated than the rest of you.
I always assumed that was like head shops selling water pipes for "tobacco smoking"
A fig leaf, to keep their business respectable and the credit card processors off their backs.
It's the technical users whose myriad VPN use cases rather baffle me, which in most cases eventually achieve little to nothing other than some sort of feeling of satisfaction or maybe placebo.
[1] UNIVERSAL-->SECURE CONNECTION
If you think they sell millions of subscriptions to "prevent identity theft" I have a bridge to sell you.
Your friends and relatives aren't going to tell you that they are using it for p0rn, online dating, to buy taboo things online, etc. That's the main use case for VPN software and that's why people are buying it. Doesn't matter if it works; the perception that it works is more than enough.
In my estimation the main reason people use VPNs is for pr*n and piracy and they may not want to just flat out admit it.
I get the piracy part, but why would someone want/need a VPN for pr0n? That's not a gotcha or snark, I don't understand why folks would "need" a VPN for that (assuming it's not* non-consensual, which includes hidden cameras and/or animals or children -- neither of whom can actually provide meaningful consent) as long as it's legal.
For those of us that are technical but unschooled, what resources would you recommend we learn from?
Sending all our data through an untrusted intermediary is a bad idea. Installing software from an unknown company (that hijacks the machine's entire network stack) is not a good way to protect data.
It all really depends on what you are protecting against. For the average person wanting to protect data and avoid being tracked, setting up thoughtful DNS infra, and a basic firewall, is probably more effective than using a commercial VPN from your home network.
For public networks, it's probably safer to set up a VPN server on your home network and use that in case you need to connect to public wifi or some other potentially hostile network.
I'm not aware of any authoritative article on this topic but I generally share writings by Schneier. This one touches on the subject: https://www.schneier.com/blog/archives/2021/06/vpns-and-trus...
Or run Tailscale (and a self-hosted DERP relay).
Worse, some of these are tied to foreign nation state intelligence, who are now analyzing your data when before they couldn't because they didn't have a relationship with your ISP. Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.
Weird technical issues happen because a lot of services don't keep VPNs in mind. I saw a lot of people were having issues connecting to multiplayer game servers. The VPN provider broke something, maybe it was on a blacklisted IP, maybe increased latency, maybe the IP is in the wrong region and people are connecting to a NA server but are in LATAM, etc.
I really don't know the use case for a VPN, not to mention advertising snooping happens on the application level anyway. It's JavaScript running on my browser and HTML5 and heaven knows what else analyzing me for ads, not "what IP did you connect from."
Lastly, there are privacy tools like onion and running a browser with no JS active. These VPN types don't do that. They're actually not getting the privacy and security they want because Tor is slow and a no-JS Firefox is unfun. So this weird cargo cult of VPNs has appeared, similar to stuff like "disable UAC" and other "computer enthusiast" knowledge you see in gamer or low information forums. It's the blind leading the blind here and these capitalist opportunists absolutely are taking advantage of that. "I'm safe, I have a VPN," is a normal thing to say even though it's almost entirely wrong.
The only practical use case I can think of is torrents where the legal and political will to subpoena a VPN provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose, until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.
1) I do believe it is quite private
2) the SOCKS5 proxy is useful to prevent qBittorrent connecting to the internet at work by mistake
3) if the network is spotty or a bit unstable the VPN hides the instability from apps
4) I don't trust my ISP DNS
5) geoblocking (Mullvad is not the best at this though)
> Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.
Even the "friendly" international ones aren't in the clear. Sweden isn't in FVEY, but they're in Fourteen Eyes. And we know from the XKeyscore leaks that the NSA hoovers up metadata like there's no tomorrow. I'd bet my house that anyone who connects to a commercial VPN or _especially_ to Tor lights up like a Christmas tree on the NSA's board – so they might not know for sure what you're doing, but they know you are possibly doing something.
Apple's Private Relay is probably the best chance to actually blend in, but estimates are 1-2% usage for "average users" and 3-5% for Wikimedia editors who I'd assume to have a technical slant. That's an order of magnitude too low for a crowd to exist to blend into, and with two friendly US entities on both sides of the privacy equation, I wouldn't rely on it to stand up against significant scrutiny.
> The only practical use case I can think of is torrents where the legal and political will to subpoena a VPN provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose, until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.
My analysis tends towards this: there's a gradient of behavior that is "tolerated" at each step. If you want to torrent, a cheap VPN is tolerated and your crimes will be overlooked... because it's far better to catch serious criminals through that VPN. If you want to buy LSD from a dark web site, Tor lets your crimes be overlooked, because the big fish are the sellers. If you want to commit a significant crime, TLAs know everything about you already and the DEA/HSI/FBI/USPIS/IRS-CI or your local equivalents are ready to parallel construct your ass to the wall when you become noticeable enough.
But maybe I'm not as pessimistic as you – the vast majority of people aren't at the far end of the spectrum, so if you want to infringe copyrights, $60 to Mullvad for a year is what you want.
On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you that you are the same user who visited last week from such a location, and the number of times you visited.
Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.
I would call that self censorship. If I want to insult a politician I will do so from a network location that won't get me put in legal trouble.
> I can think like this because I have the privilege of living in a democracy
This has less to do with the political system than with free speech, which is nonexistent or limited even in most western countries that are democracies.
You said you have to be mindful of what you say and how you say it, in order to comply with the law. In other words, your legitimate speech is being chilled. Why do you think that's okay?
Also ISPs are shady and will sniff your DNS and SNI and they know your name, address, and phone number, and will sell it all as a bundle.
https://coveryourtracks.eff.org
I had no idea about "Canvas fingerprinting" or that my browser tells sites how many CPUs I have installed.
It greatly improves on the existing VPN trust model by separating the "who" (connecting IP, potential payment info, etc.) from the "what" (IP traffic). You no longer have to trust a single entity not to be malicious or compromised.
Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.
This makes me feel a little uneasy about their unstated long-term goals (corner the entire market), but I do think they are the most trustworthy out there right now.
As for our long term goals, take a look at our owner's directive: https://mullvad.net/en/blog/ownership-and-future-mullvad-vpn
We want to make online mass surveillance and censorship ineffective. Mullvad is political action through entrepreneurship. We're reinvesting a lot of our profit into open-source software and hardware projects that benefit both Mullvad and the wider community.
I really don't want us to "corner the entire market" because that would make us a single point of failure. I would like to think that our hard work helps push the market to keep improving.
May you continue to be the beacon of trustworthiness and hope that we all need right now
(I read somewhere a while back that they don't refresh their IPs (unlike some other VPNs?) but I have no special insight into this.)
Consider: people bring their traffic to you to monitor, and particularly people who are trying to conceal their identity or activities. They pay you for this, which means that if you get collateral benefit you can run at a small loss and undercut any legitimate players (if there are any!) or run levels of advertising that a legitimate business couldn't sustain, while it's simultaneously one of the most cost effective surveillance plays you could imagine, since it's still primarily funded by the victims.
VPN services also have good deniability for their surveillance. Although (maybe!) your ISP can't surveil the VPNed traffic, the VPN provider's ISP can, as well as your counterparty's ISP (and any other parties brought into the mix by things like third party content). And like any other electronic surveillance, parallel construction can be highly effective.
They can also be stood up by anyone, you can run any number of services. They don't require extremely extensive physical infrastructure, investment, large numbers of employees like running an ISP. You can even target particular actors or populations by using targeted advertising, though it's still most effective as a data hoovering operation.
Particularly for the intelligence actors they also have the benefit that issues like getting harassed by the state are among the complications of this business, but that is potentially less of an issue if you are the state.
And if there were an actually honest provider, they'd be a prime target for infiltration... all that interesting traffic in one place.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.
Stop trusting companies. They only care about 3 month profits.
https://docs.google.com/spreadsheets/d/1ijfqfLrJWLUVBfJZ_Yal...
Like a reverse VPN :) On one side it makes the client look like he's accessing the internet from the VPN exit location, and on the other end it allows someone, for money, to pretend that he's a residential client.
> Bright Data is the World’s Largest Residential Proxy IP Network providing companies the ability to emulate a real user in any country, city or carrier (ASN) in the world. [...] Bright Data has an SDK (software development kit) that is implemented into applications. Bright SDK provides an attractive alternative to advertisements by providing the app user with the choice to opt-in to Bright Data’s network instead. For every user that opts-in to the Bright Data network, Bright Data pays a monthly fee to the application vendor, who passes that value on to the user by not displaying ads.
I haven't heard of any of the VPN providers doing this, but it wouldn't really surprise me.
There are however a fair number of commercial proxies that do exactly that, sometimes via consumer malware. I know several startup founders who have used them as a way to scrape lots of data and not get banned. Usually the interface they provide to the customer is just a normal SaaS “pay us money and give us a list of URLs and we will give you the page content”, and the interface they provide to the end user is a game or marginally useful utility, and nobody but the company realizes they’re doing something dodgy.
And it's not even illegal, not even shady. I see nothing wrong with getting paid to help big companies compete with/destroy each other.
As a bonus you help rid the world of Cloudflare. Cloudflare serves more captchas to ISPs with more proxies. When every ISP is captcha'd, every user will hate Cloudflare.
It's not a get rich quick scheme - there's low demand for proxying at that kind of price.
I'm not going to shill specific companies, so just Google 'get paid to share mobile data' or something.
Operates more transparently. No concerning findings identified.
• Mullvad (Mullvad)
• TunnelBear (TunnelBear)
• Lantern (Lantern)
• Psiphon (Psiphon)
• ProtonVPN (Proton VPN)
Operates more anonymously. Potentially concerning, but no definitive findings.
• HotVPN (HotVPN)
• LetsVPN (LetsVPN)
• Astrill VPN (Astrill VPN)
• CookieDevs (Cookie, Ciao Proxy Pro)
• VPN Super Inc (VPN - Super Unlimited Proxy)
• PureVPN (PureVPN)
• Potato VPN (Potato VPN)
Concerning and suspicious findings (users should avoid).
• Innovative Connecting (Turbo VPN - Secure VPN Proxy, Turbo VPN Lite - VPN Proxy, VPN Monster - Secure VPN Proxy)
• Autumn Breeze (SnapVPN, Signal Secure VPN - Robot VPN)
• Lemon Clove (SuperNet VPN, VPN Proxy Master Pro, VPN Proxy Master Lite)
• Matrix Mobile (Global VPN)
• ForeRaya Technologies (Melon VPN)
• Hong Kong Silence Technology (Super Z VPN)
• Yolo Mobile Technology (Touch VPN - Stable & Secure, VPN ProMaster - Secure your net)
• Wild Tech (3X VPN - Smooth Browsing, VPN Inf, Melon VPN - Secure Proxy VPN)
I assume similar Wikipedia entries will appear in the future about some, if not most of today's VPN providers.
Almost everyone I know uses VPNs only to bypass restrictions, not for fear or privacy.
Must be that these so-called "tech" companies have no problem figuring out who is the ad target behind each VPN IP address, fingerprinting them and tracking their online behaviour across every computer they use.
TIL VPNs actually have _no impact_ on the data collection and ad services "business model"
I don't know anything bad about Mullvad! That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
Where do you get residential proxies? I ask because I'm always reminded of https://sponsor.ajay.app/emails/.
Also, relying on its VPN for illegal activities is incredibly foolish since they log your IP and probably have your payment info.
You mean the one owned by an Israeli billionaire? Hopefully they don’t find a way to make your monitor remotely explode.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.
If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?
Does Signal even have reproducible builds? How do I know the code matches the binary?
I'd make my own messenger.... but I don't have the money for that at all.
I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.
Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.
This is also coupled with the crypto and NAT occurring in-enclave with various timing/obfuscations. It's verifiably private.
Whomever is responsible for your exit nodes actually gives you this functionality.
If it's Tailscale itself then they use Mullvad nodes as exit nodes, which I welcome very much.
That's why I said tailscale lol. But I understand, I guess I said it in a confusing manner.
> If it's Tailscale itself then they use Mullvad nodes as exit nodes, which I welcome very much.
You can also set one of your devices as an exit node for your Tailscale network. Kind of cool.
That said, the few implementations I have tested before seemed leaky and not as useful as they claim.
CyberGhost, Private Internet Access (PIA), ZenMate, ExpressVPN, and Intego
I mean, this seems like the company name equivalent of the yellow and black stripes on a wasp. It is a _warning_.
I mean, those companies are so popular they're almost normie household names. The couple I looked at from the paper's list have a small fraction of downloads compared to the above.
I agree that we absolutely need a deeper dive and a lot more transparency on who owns these companies, but I'm curious why they chose to avoid the elephants in the room.
VPN companies often overpackage their offerings and overcharge -- this truism doesn't apply when shopping for VPNs.