Slashdot Mirror


How Can You Decide Which VPN To Trust? (slate.com)

Slate's senior technology writer reports that his hunt for a reliable ISP "led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they're reviewing." Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It's a world so thicketed that the leading firms and experts can't agree on the basic criteria for what counts as "reputable," let alone which companies best meet that description. The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China -- which would raise a red flag for many privacy advocates because of the Chinese government's aggressive surveillance regime... [But] many VPN users consider offshore providers preferable to U.S.-based firms. AnchorFree, for its part, has been dinged by reviewers for running a free, ad-supported VPN, which some privacy experts consider a conflict of interest. (It also offers a paid VPN service.) The two companies point to dueling trust reports by outside groups, each of which appears to reflect well on the firm that's touting it, thanks to different methodologies. "It is fascinating the amount of sniping that goes on" between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. "They are very quick to pull out knives and shiv each other...."

If it's so hard to assess the credibility of the industry's top names...you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government. When you use a VPN, you're trusting that VPN with the same deep level of access to your online activity that you'd normally give your ISP. In other words, now they can see what you're up to whenever you're using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.

"I just wanted internet privacy. I hadn't bargained on a knife fight..." the author writes, concluding that "Several weeks, dozens of calls, and thousands of words later, I can't say I'm much closer to a clear-cut answer... One of the only definitive takeaways, besides 'steer clear of free VPNs,' is that your choice of VPN should depend on what you're using it for.

"If you're just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that's clear about both who owns it and how it treats your data."

19 of 134 comments

  1. Ones you by oldgraybeard · · Score: 4, Insightful

    setup, manage and monitor yourself!

    Just my 2 cents ;)

    1. Re: Ones you by Anonymous Coward · · Score: 2, Insightful

      It really depends on the threat model you are working from.

      Use to hide from communication tracking. This sort of thing happens on open free WiFi networks, as well as home internet connections in countries with draconian monitoring of internet use (like Australia and UK). This kind of VPN requires anonymity at the end point, which must operate without tracking or logs.

      Use to avoid geolocation fences around online content. This is a clear advantage offered by many VPN companies.

      Use to avoid state level monitoring. The problem is to do this you need to basically hack the end point, since no commercial provider can be trusted. If you rent a VPS and set up the VPN yourself then you need to be damn sure the payment cannot be tracked. This is why hacking nodes and dropping a VPN (of any kind) end point is basically the only way to do this safely.

    2. Re:Ones you by Aighearach · · Score: 3, Insightful

      Never trust. Never.

      Even if I set it up myself, I don't trust it. It still might have been compromised.

      Even if I set up the VPN myself, I still need to encrypt the traffic. Because trust is for fools.

      And if I already encrypt the traffic, I still need a VPN. Because trust is for fools.

  2. I'm behind 7 proxies by rsilvergun · · Score: 2

    you insensitive clod!

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  3. SSH on a remote server by phantomfive · · Score: 2

    If you have SSH on a server you can set up a proxy using SSH:

      ssh -D 8080 user@server -p 443

    You can configure your browser to go to your local port 8080 using SOCKS. The remote server can be something at home, or on AWS, or on Cloudflare, etc. More info. Don't trust any proxy, build your own.

    --
    "First they came for the slanderers and i said nothing."
  4. Opera by darkain · · Score: 2

    "Free versions bombard you with ads." Opera Browser has a built in VPN without any ads whatsoever. *shrug-emoji*

    1. Re:Opera by williamyf · · Score: 4, Informative

      Opera is owned and run by a Chinese company. If you trust them, fine, but Chinese ownership was a concern raised in the article.

      I live in Venezuela, and for what it's worth my choice is ProtonVPN

      JM2C, YMMV

      --
      *** Suerte a todos y Feliz dia!
    2. Re:Opera by Anonymous Coward · · Score: 2, Interesting

      What a fucking retarded response. He has the most to lose if his government finds out, asshole.

  5. Comment Subject: by Falos · · Score: 3, Informative

    https://thatoneprivacysite.net... is an attempted chart of jurisdictions, practices, etc. so reference away. I think torrentfreak or such also do a top-ten or something, every few (12?) months.

    I went PIA (supposedly keeps no logs, has anonymous payment models) but for casual use, don't come to me if your drug/human trafficking gets busted. Service is mostly stable, occasionally sites are inaccessible (or just blacklisting). They got bonus points for calling out repu- er, congressmen voting on ISP tracking bills and such.

    It's a sick joke that I have to pay two web-connecting services to connect to each other, but here we are.

  6. Chinese VPN ban by Solandri · · Score: 2

    That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government.

    Isn't that obvious? The Chinese government doesn't want its citizens using a VPN, because they'd probably pick one hosted outside China and thus pierce the Great Firewall. But it's more than happy to let people from other countries pipe their traffic through Chinese VPN servers, so they can figure out who's visiting where.

    Remember, with most of the web switching from http to https, most of your traffic is already encrypted. So a VPN doesn't help in that regard. What a VPN does is obfuscate you as the source/destination of that traffic, by making it appear as if the traffic is coming from the VPN server instead of your computer (acting as a proxy). But the company running the VPN obviously knows who you are, and has to know which traffic is yours in order to function properly. If the VPN provider is logging that info or handing it over to the government, that defeats the purpose of using a VPN.

  7. More than ads by xlsior · · Score: 3, Interesting

    Many of the 'free' ones don't just throw ads at you, but work by a reciprocal agreement -- your traffic has an exit point in a different country, and you become a random other user's exit point in return... So even if you are on the up-and-up yourself, who knows what shady shit other people are doing and which now appears to originate from your IP address.

  8. you're better off with a foreign VPN by edris90 · · Score: 2

    Your own government has much more incentive to utilize your information against you. Better that your information is stolen by China, who doesn't give a f*** about you personally, than by your own government, who may use it to take action against you.

    1. Re:you're better off with a foreign VPN by jwhyche · · Score: 2

      This exactly. I really don't believe the Chinese government gives two shits and a Popsicle if I'm leeching the latest season of The Flying Nun or some shit. But that being said, I'm not really worried about my government. I figure that if I'm on some list to be watched it wouldn't matter if my internet traffic is going through vpn or not.

      I use a vpn to keep my local isp from seeing what I'm doing. I don't want them seeing what I'm leeching, if I'm leeching, then turning me over to MPAA or some shit. I also use a vpn when I'm on the road and using some coffee shop or airport's wifi. These I trust less than my ISP. And a good vpn can get you around unreasonable blocks that some people place on their wifi.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
  9. None by Artem+S.+Tashkinov · · Score: 2

    You shouldn't trust any except the one you've set up on your own and then you still need to use TOR over VPN 'cause otherwise the company which is renting you a server will know all the IP addresses you ever connect to. And then the same company still has full access to your server, so consider yourself burnt.

    In short, use TOR over VPN if you want to remain incognito, or/and chain several VPN providers and hope they are not under the same jurisdiction.

  10. VPN where you don't control ... by janoc · · Score: 2

    VPN where you don't control both endpoints is not a VPN, by definition.

    What these companies are offering are only glorified traffic tunneling services and proxies, not a true private network. Good for bypassing region restrictions on stuff like Netflix but not for anything where privacy is actually required.

  11. DIY VPN is not a solution... by bradley13 · · Score: 4, Insightful

    A DIY VPN is not really a solution, at least, not beyond the trivial case of dialing in to your home server. If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X? What about country Y? How are you going to pay for and maintain those exit points anonymously? And anyway, if only you and maybe a few friends/family are using it, traffic analysis can make the VPN encryption pretty much useless.

    The point of a commercial VPN service is not only the encryption, but also the anonymity that occurs when your traffic is mixed with thousands of other users.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:DIY VPN is not a solution... by Yaztromo · · Score: 2

      If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X?

      Why not? With cloud-based services like Amazon EC2 you can set up a cloud computing instance suitable for running a private VPN in various data centres around the world in minutes. Heck, Amazon provides t2.micro instances free for the first 12 months to new accounts -- so this is neither difficult nor expensive to accomplish.

      I agree with your other points concerning traffic analysis -- this isn't exactly a great solution for privacy (although more than sufficient for bypassing georestrictions), but you make it sound like setting up or paying for a server in another country is something that is difficult or expensive, when it is neither these days (at least if your overall utilization is fairly low -- 8 core instances with 64GB of RAM and several TB of storage are going to cost you an arm and a leg, especially if traffic and utilization is high).

      Yaz

  12. Re:I also use PIA by jwhyche · · Score: 3

    I use NordVPN myself. It's based out of Panama and has a no log policy. I really don't believe that but it has a policy. I also don't use it for anything super illegal but I'm not above poaching a video or two over p2p.

    I don't believe for a moment that a vpn makes me untrackable but it does throw extra road blocks in the way. If I'm leeching something out of South Africa then any US based warrant has to be brought up in South Africa. Which will make it more difficult to spy on me.

    All a vpn does is make you higher fruit on the tree. It's the low hanging fruit they go after. If all the MPAA has to do is serve a search warrant to your US based ISP to get your traffic logs, then you are low hanging fruit. If they have to serve a search warrant to a company based in Panama to get the logs off a server, if they exist, in South Africa, then it's more complex. Doesn't mean it can't be done, but it does make it more complex and more expensive.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.
  13. Re:I also use PIA by jwhyche · · Score: 3

    You may want to read a world atlas. Panama is in Central America (continent of North America). It is not in South Africa.

    You might want to bone up on the subject and your reading comprehension. VPNs, like nordVPN, have servers in countries all around the world. The company is headquartered in Panama, but the physical server is one located in South Africa. So to obtain any logs an entity must deal with South African legal processes as well as Panama's. And which I believe Panama does have a habit of telling outside agencies seeking such logs to take a hike.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.