Beware of VPNs

I’ve seen quite a few smart people recommend using a VPN service in the wake of the U.S. government’s decision to repeal privacy rules for ISPs. Unfortunately, I find this advice to be a bit misguided, or at least ill-informed. You can move your risk around, but in the end this comes down to an issue of trust, and avenues of recourse.

A VPN is a Virtual Private Network. It creates an encrypted tunnel between your computer and a remote server, and then optionally routes all of your Internet traffic through that tunnel. The case for using one for security against your ISP is that if your traffic is encrypted, they can’t see what you are browsing to and your data becomes useless to them to sell. Once your traffic reaches the other side of the VPN, it’s aggregated with all of the service’s other customers. That’s fine, and mostly makes sense, but if you are going to use a VPN service it’s important to come to an honest conclusion about how much you trust the company.

If your VPN server is outside of the United States, you are effectively giving up any legal recourse against the provider, meaning they can do whatever they want with your data, regardless of what they advertise or what they tell their customers. A single gateway for all of your traffic has a tremendous amount of power. They can inject code into any (non-SSL encrypted) web page. They can read all of your email. They can see all of the URLs you visit. All of the power of your ISP, you are transferring to your VPN provider, but if you choose a company outside of the United States, you lose whatever protection or recourse you have now.

What the ISPs are doing is not right, but at least we know what they are doing. If you pick a fly-by-night VPN service and send them all your traffic, there’s no telling what they’ll do with that data. It doesn’t matter if they post good things on their website if you can’t verify their claims.