Slashdot Mirror

← Back to Stories (view on slashdot.org)

Will VPNs Protect Your Privacy? It's Complicated

Posted by msmash on from the how-about-that dept.

From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.

3 of 141 comments (clear)

  1. My VPN has no information. by snarfies · · Score: 4, Interesting

    What's to stop the VPN from selling your information to the highest bidder? The fact that my VPN of choice, Mullvad, collects no information.

    You click "create account," they give you an account number, and that's the end. They don't ask for your name, address, phone number, or anything. I pay via Bitcoin, so they don't even have my credit card info.

  2. Google doesn't care about VPN by yuvcifjt · · Score: 5, Interesting

    VPN's may only protect you from your own ISP, but what about the biggest spyware organisations, such as Google/Facebook?
    They all rely on browser fingerprinting more than anything else these days, and subtly transmitting information back in an encoded form, including mouse movement patterns to learn about the individual.

    Cookies/HTML5 storage are so last decade, as I've seen a growing number of companies (Cyberfend / iovation / iesnare / "cformanalytics", browser.id (navigator.io), etc) provide services specialising in tracking and individually identifying users - even surprisingly across devices, somehow.

    As far as I can tell, only Mozilla is attempting to reduce/fight this with their browser, especially as they recently removed the Battery status API, added disconnect.me to blacklist known trackers in v43, Font fingerprinting, etc.

    Sure, you can use addons like adblockplus, noscript, decentraleyes, etc to some degree, but many times they break websites as more and more sites are utilising javascript exclusively for a website to function, including third-party scripts, such as GoogleTagManager, etc.
    Just recently discovered that the popular London travel website TfL also contains a third-party tracker, without which their journey planner doesn't work, thus the website doesn't work with Firefox's disconnect.me privacy list.

  3. Re:Seems like it's somewhat worse than that... by sexconker · · Score: 4, Interesting

    Once the traffic reaches the endpoint (the other end of your VPN tunnel) its decrypted. The VPN provider and their bandwidth suppliers (The VPN providers ISP)can then see all your traffic :-)

    The VPN encapsulation layer is decrypted. If you've got HTTPS inside there it's still HTTPS.
    Further, you typically have many users connecting to one VPN. The VPN's ISP will have a harder time tracking any individual, and will not be able to associate traffic with a user at an address, a user of a certain age or sex, etc. The VPN provider could track in more detail, however, as they manage the individual connections, know who's paying for service (unless you're using fake info when signing up, paying with pre-paid gift card you bought for cash and NOT from a retailer, etc.).