It looks like we are halfway through the Cybersecurity Awareness Month of October already, and I thought it might be the appropriate time to talk about VPNs. Again. Haven’t we talked about them enough, you might ask? Every time KuppingerCole analysts bring up the topic of Zero Trust, we feel obliged to mention how VPNs have long outlived their purpose, and how organizations have to finally get rid of them and move to more modern solutions. I’m fairly certain there will even be a bunch of sessions at the upcoming Cybersecurity Leadership Summit talking about them.
So, in the enterprise world, VPN is already on the way out, there is no doubt about that. However, today, I’d like to focus more on the applications and implications of using a VPN service as a private individual. Judging by the number of ads on YouTube and elsewhere, it looks like VPNs are being aggressively pushed towards consumers as a universal solution for all security and privacy problems. Let’s have a look at some of those claims and find out whether you really need a VPN in 2022…
VPN stands for “Virtual Private Network”. Originally, this technology was developed to allow connecting remote users or entire offices to a main corporate network via a point-to-point tunnel over the public Internet. The first VPN protocol, PPTP, was developed back in 1996, and it was, to put it mildly, not very secure; even encryption was just an optional feature. Modern, much more robust and performant protocols include OpenVPN, IPsec, and WireGuard.
It is worth stressing that VPNs were never designed with privacy, anonymity, or security in mind – their primary goal was to enable remote workers to do their job without commuting to their offices. The idea of repackaging VPN services and selling them to consumers for protection against online threats came much later, just as businesses started replacing VPNs with modern alternatives. Unfortunately, like every other industry with such a low barrier to entry, this market is overcrowded and highly competitive, with companies often making outrageous claims about their services and sometimes even engaging in shady activities behind their customers’ backs.
The Internet is indeed full of hackers lurking around and trying to steal your credit card information, perform identity theft, leak your personal photos, or plant a virus on your device. Unfortunately, a VPN service will be entirely useless against almost every kind of cyberthreat. Even when you’re connected to an unprotected public Wi-Fi network, your browser will still establish a secure encrypted connection to almost every website (including your online bank, favorite retail store, or online service). As long as the address starts with HTTPS, your data is safe from snooping even without a VPN.
On the other hand, a VPN alone will never protect you from other risks: not from a phishing email, not from a malicious download, and definitely not from a fraudulent online service. Only a combination of a reliable antivirus (nowadays, they are called Endpoint Protection, Detection and Response tools, by the way) and your own common sense will prevent you from falling victim to threats of that kind.
One of the most common claims you hear from VPN service providers is that your online activities can be monitored by government agencies or commercial organizations like your Internet provider. In some countries, like Germany, telcos are even required by law to keep logs of their customers’ connection data. Supposedly, using a VPN will hide your activities from them, thus improving your privacy.
In reality, this claim is wrong on multiple levels. First, even though many VPN providers claim that they do not keep logs of your activities, they might in fact still collect quite a lot of data about you, even more than your internet provider does. Why would they do it? Because they can, and you have no way to verify their claims. And also because your browsing data can be sold to third parties like advertisers. In the end, it is up to you to decide whom you would rather trust: a telecommunication company operating under your local law, or a potentially shady business based in an offshore country way out of your reach.
However, even when you are using a reputable and truly logless VPN service, there are still many possibilities to leak your true identity. Sometimes, your VPN connection can drop, and you would continue surfing while exposing your real location; to protect against this, some VPN clients come with a kill switch, which will detect such situations and block your entire internet activity until you reconnect.
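The leak a kill switch guards against, as an added example that is not part of the original article: it models a routing table the way a common full-tunnel setup fills it and shows where traffic goes once the tunnel's routes vanish. The interface names (`tun0`, `wlan0`), the addresses and the two-/1-route layout are constructed assumptions.

```python
import ipaddress

# Constructed sample data: (destination prefix, outgoing interface).
# "tun0" is an assumed tunnel interface, "wlan0" an assumed Wi-Fi interface.
VPN_ENDPOINT = "203.0.113.10"  # constructed VPN server address (documentation range)
ROUTES_VPN_UP = [
    ("0.0.0.0/0", "wlan0"),        # original default route via the Wi-Fi router
    ("0.0.0.0/1", "tun0"),         # two more-specific routes override the default
    ("128.0.0.0/1", "tun0"),       # without deleting it
    ("203.0.113.10/32", "wlan0"),  # the tunnel's own packets must use Wi-Fi
]
# When the tunnel drops, its routes disappear and the default route takes over.
ROUTES_VPN_DOWN = [r for r in ROUTES_VPN_UP if r[1] != "tun0"]


def egress_interface(routes, destination):
    """Pick the outgoing interface by longest-prefix match, like the OS does."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def kill_switch_verdict(routes, destination, tunnel="tun0", endpoint=VPN_ENDPOINT):
    """Return 'allow' or 'block' for one outgoing connection."""
    if egress_interface(routes, destination) == tunnel:
        return "allow"   # traffic stays inside the tunnel
    if destination == endpoint:
        return "allow"   # needed to re-establish the tunnel
    return "block"       # would leave the device with the real IP address


if __name__ == "__main__":
    for state, table in (("up", ROUTES_VPN_UP), ("down", ROUTES_VPN_DOWN)):
        for dst in ("198.51.100.7", VPN_ENDPOINT):
            print(state, dst, egress_interface(table, dst),
                  kill_switch_verdict(table, dst))
```

Without the verdict step, the "down" table silently sends every connection out through `wlan0`, which is exactly the exposure described above.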
You should also keep in mind that a VPN does not protect you from snooping via other methods: cookies, active sessions on third-party sites like Facebook, or just you absent-mindedly typing your real name in a chat. In fact, not even a multi-hop connection through servers in multiple countries (a favorite plot device in movies about hackers) can ensure your complete anonymity online. If you absolutely must protect your identity from an oppressive government or malicious hackers, you must rely on more sophisticated methods: from end-to-end encrypted messaging clients to burner phones…
Bypassing regional restrictions is perhaps the single most popular use case for a VPN if you’re not a criminal or a dissident. Such restrictions are often found on movie streaming and gaming platforms, online shops, or just sites that don’t like your country’s government. Using a VPN and spoofing your IP address to appear to be connecting from a different country is an easy way to get past those restrictions, and in most cases it’s not even illegal (still, please check your local laws first!).
However, one has to keep in mind that popular VPN services are well known to all intelligence agencies and large organizations that do their business with digital content. Just because Netflix does not block you from watching your favorite show today does not mean they don’t know you’re cheating. In fact, those companies are planning to tighten their restrictions to compensate for lost revenue, and blocking VPN services would be their first step towards that goal.
And when it comes to intelligence agencies, just the fact that you’re using a VPN service might attract their attention as surely as if you were walking around the town wearing a balaclava.
So, does all this mean that consumer VPN services are completely useless? Not really, they still have their applications, but you have to be fully aware of their potential disadvantages as well, especially when choosing a specific provider. Do not trust every online review of VPN services – in reality, many are fakes paid for by less reputable vendors. Avoid relying on free services – the only free cheese is usually found in the mousetrap. Finally, always try to find a more modern or reliable alternative for your use case, especially when it involves your online privacy and safety. And do not hesitate to reach out to experts for advice – including us at KuppingerCole!