30
Mar 17

Post-FCC Privacy Rules, Should You VPN?

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set of user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).
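The DNS and IPv6 leaks mentioned above can be checked on a Linux client by asking which interface the routing table would pick for the configured resolvers and for an IPv6 destination. This is an added example, not code from the original article; the tunnel name `tun0`, every address and the sample `ip route` / `resolv.conf` text are constructed assumptions.

```python
"""Offline DNS / IPv6 leak check over captured Linux routing and resolver state."""
import ipaddress

PROBE_V4 = "198.51.100.7"      # documentation address standing in for "any web site"
PROBE_V6 = "2001:db8:ffff::1"  # documentation address standing in for "any IPv6 site"


def parse_routes(text, family):
    """Parse `ip -4 route` or `ip -6 route` text into (network, device, metric)."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 3 or "dev" not in f[:-1]:
            continue
        try:
            net = ipaddress.ip_network(default if f[0] == "default" else f[0],
                                       strict=False)
        except ValueError:
            continue  # typed routes such as "unreachable ..." are skipped
        metric = int(f[f.index("metric") + 1]) if "metric" in f[:-1] else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes


def egress_device(routes, address):
    """Longest-prefix match, lowest metric on ties; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1]


def nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        f = line.split("#")[0].split()
        if len(f) >= 2 and f[0] == "nameserver":
            found.append(f[1])
    return found


def audit(routes4_text, routes6_text, resolv_conf, tunnel_dev):
    """List traffic classes that would leave the machine outside the tunnel."""
    r4, r6 = parse_routes(routes4_text, 4), parse_routes(routes6_text, 6)
    findings = []
    for label, probe, routes in (("ipv4", PROBE_V4, r4), ("ipv6", PROBE_V6, r6)):
        dev = egress_device(routes, probe)
        if dev is not None and dev != tunnel_dev:
            findings.append(f"{label}-leak:{dev}")
    for ns in nameservers(resolv_conf):
        addr = ipaddress.ip_address(ns)
        if addr.is_loopback:
            # Local stub resolver: its upstream servers must be checked separately.
            findings.append(f"dns-stub:{ns}")
            continue
        dev = egress_device(r4 if addr.version == 4 else r6, ns)
        if dev is not None and dev != tunnel_dev:
            findings.append(f"dns-leak:{ns}:{dev}")
    return findings


# Constructed sample: IPv4 is redirected into tun0, but the resolver is the
# home router and IPv6 still has a default route via the ISP-facing interface.
ROUTES_V4 = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""
LEAKY_V6 = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
LEAKY_RESOLV = "# constructed\nnameserver 192.168.1.1\n"

# Constructed sample: resolver moved inside the tunnel, global IPv6 routed to tun0.
FIXED_V6 = LEAKY_V6 + "2000::/3 dev tun0 metric 1024 pref medium\n"
FIXED_RESOLV = "# constructed\nnameserver 10.8.0.1\n"

if __name__ == "__main__":
    print("leaky:", audit(ROUTES_V4, LEAKY_V6, LEAKY_RESOLV, "tun0"))
    print("fixed:", audit(ROUTES_V4, FIXED_V6, FIXED_RESOLV, "tun0"))
```

The check reads only the main routing table, so setups that steer traffic with policy rules (`ip rule`) need those tables inspected as well.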

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to choose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to choose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.

These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.

A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is also monetizing your use of their service in some way — probably in a way that may be at odds with your reason for using the service in the first place.

Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).

Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.

As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.

Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.


198 comments

  1. I agree with Nancy. What the _uck are you guys afraid of? Shady deals going around in your PC? If you’re worried you visited some porn sites, guess what? So do millions of Americans, Canadians, Israelis, Europeans, etc. Would the CIA, NSA, FBI, HSA, care? Millions go to them all the time!! If you’re stealing by hacking into businesses then I understand why YOU would care about your privacy. I don’t care about mine, as I HAVE nothing to HIDE.

    • … says the person posting under an alias. LOL

    • BlackHood22_hasnothingtohide

      Can you please e-mail me a past and present list of your medical conditions, sexual partners, monthly income, bathtub pictures of your children, personal nudes, social security numbers, bank account numbers, and amazon purchase history? I’m genuinely curious to see the information of someone who has nothing to hide. They never want to share… 🙁

    • @BlackHood22 Privacy isn’t the same thing as secrecy. I’m fond of Cory Doctorow’s analogy: what I’m doing in the bathroom stall isn’t a secret, but I’m still going to close the door.

      • Quoting Cory Doctorow is the same as saying “I have no idea what the real issues are but I love brainlessly following trends”. Cory is a science fiction writer (and a hack at that) and has NO technical background whatsoever and should be ignored as the opportunistic self-aggrandizing twat he is.

    • If you have nothing to hide, you have nothing to fear. the motto of this great entertaining spoof of the NSA, recommended by security experts as not just a joke but has real links to real security issues,

      https://nsa.gov1.info/

      Brian, thanks for such a great and valuable post. VPNs are a way to defeat ISP privacy sales, but for me this is less of a threat than google analytics (Brian your web site uses this) and addthis, etc. cross-site tracking and sales (what the ISPs complained about). How about a companion article to protect people against these privacy collection and sales? Even if you use VPNs with random ISPs, your browser might enable google analytics or addthis, etc. trackers to monitor browsing across ISPs’ IPs and web sites.

      • Michael J. Ryan

        The big difference between what the ISPs gather and what Google/Facebook gather, is I can configure or add plugins to block third party traffic/cookies/trackers/widgets that get injected while I browse… Other than a VPN you can’t stop your ISP from gathering much of the information…

        I think it’s as important to request the sites you visit to use HTTPS for *ALL* traffic because of this, at least it will limit knowledge of specific pages you are visiting, and at least obfuscate to some extent the websites (a lot can be correlated via DNS query/response and connection traffic all the same).

      • Use the EFF’s Privacy Badger and turn off Google Analytics, works great. Tastes great, less filling! Between that and Disconnect my under-powered Netbook browses pretty well. YMMV.

        • As Michael J. Ryan says, also use EFF’s HTTP Everywhere, which prevents them peeking into your packets, and use OpenDNS’s Simple DNSCrypt to prevent them from peeking at where you’re going.

    • BlackHood22,

      If you have time, consider watching this excellent video that addresses why privacy matters: https://youtu.be/pcSlowAhvUk

    • Blackhood22, we would like to see your full federal tax returns for the last ten years, just as Donald Trump has done, since he has nothing to hide either. Oh, wait.

    • @BlackHood22 Your attitude scares the crap out of me and many others. Even if you subscribe to the “I am doing nothing wrong, so I have nothing to hide” view, that is actually you are doing nothing wrong that you know of and that standard can change in the future.

      You posted on the subversive site krebsonline.com in 2017 and today in 2020 that is viewed as an act of betrayal to the current empire. You will be placed in a work camp. Have a nice day

    • It’s hilarious that a person posting under an alias is saying this. You’re a hypocrite. Also, what we are afraid of is our browsing history being sold to, say, our employer, who then decides that he doesn’t agree with the sites you visit and then fires you. And frankly I don’t want people knowing what bank I use, what online stores I frequent or even what porn I watch. All of those things are private and I should have a right to that privacy.

    • Not afraid of anything, but if you’re going to use my information without my consent for a profit, then give me a cut, or don’t use it. Since they won’t give me my cut, and the information isn’t theirs, we will make sure they can’t use it…

    • The problem is companies could discriminate against you based on your search history. If company X only wants to hire religious people and you’re a hardcore atheist in your search history, they could discriminate against you. If they never meet you or ask you your religious beliefs (which is illegal to ask), then how can you sue them for discrimination?

      That is just one example of how your privacy matters. You can already be crucified for saying something taboo on social media, now it’s your search history, like wtf.

    • Chris Torstenson

      https://en.wikipedia.org/wiki/Nothing_to_hide_argument

      Edward Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

    • You have an interesting take on this. By interesting I mean totally retarded and uninformed. The fact is that the ISP is “GOING TO, NOT MAYBE” gather all the info they can on you and sell it to anyone willing to pay. This will include anything of interest to you and anyone linked to you in any way. All of your private information is theirs to do with as they please. About 99% of the American public has nothing to hide. This does not mean that we are willing to give away every little bit of information about us to the scumbag corporations to use as yet another revenue stream.

      • Actually the rule never went into effect so if ISPs were going to collect info to sell — well, they already do that. The sudden interest in VPNs to solve a sudden problem that has actually been around for some time is what amuses me…

        Oh, and my internet activities are very different from my bathroom stall activities. So yes – if there is something I do online I would rather do in privacy, then I use privacy. Otherwise this is all a big flap about something that has been happening for years already.

        • I don’t think the issue is about ISP and other service providers having a history of violating our privacy as much as it is about Congress making it legal to do so. It amazes me that anyone can be so desensitized to the increasing amount of business and government intrusion into our personal lives to not care about this issue.

          Besides, does anyone overlook the irony that a President and a party that claim to stand up for the little guy in the face of Big Government just sold us down the river?

    • This is a very foolish comment and belies a complete lack of understanding of the real issues at hand.

      The information about your browsing habits reveals where you shop, where you bank and where you frequent.

      Criminal types can then assemble a profile of you from the information they will obtain, from hacking the advertisers or ISP’s directly, and proceed to spearfish people.

      Privacy is most important for the least sophisticated users who just want to honestly go about their daily online lives.

    • “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” ~ Cardinal Richelieu

    • I’m not afraid of them seeing what I search/surf at all. If my browsing history is to be monetized I want to be the one who gets paid, not a corporation that I pay for a service.

    • It really should be up to people to decide if they want to share this type of information, not up to the government. It’s basically the same idea to me as if you wouldn’t be able to turn off location services on your phone because the government doesn’t want you to. Sometimes people need privacy.

    • I’ll tell you what, guy lecturing about privacy under an alias… I’d like to check your bank account balance and help you find ways to save more toward retirement – I promise not to take anything. In fact, I super-duper promise. So kindly comment back with your routing/account numbers for all to see, since you don’t care about your privacy, and I’ll send you my detailed financial analysis/advice report in return.

      Fools like you remind me of the scene in Full Metal Jacket when GySgt Hartman finds the unlocked footlocker… “If it weren’t for di¢khe@ds like you there wouldn’t be any thievery in this world, would there?! Let’s just see if anything is missing…”

    • The issue is others using my name and personally identifiable information, which is protected by law, for personal gain. I can’t do that. You can’t do that, but these companies can. If Congress was all that gassed up about free enterprise they would include a clause whereby the ISP’s, Google and Facebook pay the consumer for each and every use of personally identifiable information.

      Finally, it is a principle behind the constitution that individual rights are prioritized and that rights not needed by the Federal Government are handled at the lowest level practical. Government is best that governs least. There is no security or governing need for my private information and hence it is my property.

    • It is not about hiding things. It is about the fundamental right to privacy. I wouldn’t expect you to understand or even care about that, but as citizens we have a right to keep stuff private if we so choose. I don’t have to tell people about myself just because I use the internet, and to force that on me, or anyone else, I think is wrong.

      …Just because you drive a car doesn’t mean anyone in the world should be able to buy your driving habits.

      …Just because you own a gun doesn’t mean anyone in the world should be able to buy your history of gun use.

      …Just because you have nothing to hide doesn’t mean other people in the world feel like opening up everything about them in a personal setting – and they shouldn’t have to. 🙂

      Besides, I am browsing the web, and paying a nice monthly payment to do so… For someone to take my browsing history, without my consent, and turn around and sell it to whoever they please, and make money off of me, is more than annoying. If anything, where is my cut? 😛

    • There are some sanctimonious countries, notably Italy, where during various trials for homicides with a lack of other evidence the prosecutors often successfully used the surfing of porn sites as a hint of guilt, no matter that 95% of the rest of the population also visit them, without admitting it.
      So yes, a VPN and Truecrypt folders can save you big troubles.
      Don’t forget that Italy is the country where during her trial, Amanda Knox had to explain to the court why she owned a dildo, something that in north Europe you can find on the shelf of any drugstore.

  2. The reason this change was made is not what it appears…right now people who want to get information about your surfing activity can get it, but only from Google so Google has a monopoly now. The bill, once passed, allows for competition among various companies rather than allowing Google to be the only company with such information. Therefore, your “privacy” is not the issue because you do not have it if you do not take steps to hide what you see and where you go online. What is at issue is the availability of that information – does one company own it all or is it a free marketplace?

    The advantage of having multiple vendors involved is that Google cannot blackmail anyone by threatening to release uncomfortable information unless you pay them or what have you if everyone could have access to that information anyway. Correct?

    • @radar While I think there *should* be increased restraints on how Google, Facebook, et al are allowed to collect and retain data, your comparison of an ISP to a website is inaccurate. I pay my ISP $80 a month; I don’t pay Google anything. Google’s business model is to provide a service in exchange for data it can resell; my ISP’s business model is that I give it $80 a month.

      Furthermore, as far as Google’s tendrils may extend, it doesn’t know *every* website I visit. My ISP does.

      • ScottyTheMenace

        While I agree that Google’s reach isn’t quite as far as an ISP’s, it’s pretty freaking close. There are sites built on Google’s platform that you don’t know are built on Google, many sites use Google APIs, and any email sent to or from a Gmail address sucks up your personally identifiable data. I have no doubt that there are tracking cookies that are very difficult to identify as Google that we don’t even know about.

        I use Privacy Badger to block every tracker remotely identifiable as Google and also block Google domains in my router (for what that’s worth). Many sites barely work.

        All this stuff needs to be opt-in, not opt-out. Opt-out presumes that they have a right to my data, which they don’t.

        • That is the real issue.

          Do we “own” the information about us, or does it belong to whoever has taken the trouble to collect it?

          The Direct Marketing Association (DMA) has successfully lobbied against “privacy” legislation for years using the argument the information they collect is theirs because they have paid to collect it.

          On the other hand, rewards cards at least provide us with some benefit WITH OUR AGREEMENT (when we sign up) for allowing our information to be collected.

          This new legislation sets a precedent accepting the DMA position, nullifying any claim we have to control of information we claim to be our own.

      • If you browse logged into Chrome then Google certainly knows every website you visit. If you browse with an Android device, ditto.

    • Spoken like a true corporate shill! We have the option of turning off all cookies and not using Google or facebook. We have no such option with the ISPs as they are our only link to the internet and all traffic MUST transit their network before going to the internet proper.

  3. It should be noted though no new rules were actually implemented. In fact some new Obama rules that were going to go in effect were canceled. But ISP’s have no more capability after this revoke-bill was passed than they already have/had today. This detail is a bit overlooked.

    The vocal opponents of this revoking have not been completely honest on this. Now, I’m sad myself the new rules are cancelled, but on the other hand these new rules would have caused price hikes, which I also would not have liked. This as the vocal opponents of this revoking also forgot to mention, this would not have just forbidden ISP’s to do something, but also forced them to take extra measures (= cost) to protect certain data they already have.

    Now, again, I would gladly pay this, but I do believe the story that was out there on the internet was a bit one-sided.

  4. I wrote to Apple and asked them to consider building their own VPN into Safari. With their world-wide presence, they could offer exit nodes through their local operations.

    I know setting up the same is easier said than done, not only on the technical side, but because of politics, but if Apple is serious about helping its customers protect their privacy and not become the product or the spied upon, then they need to at least consider this.

    For anyone thinking to nudge them in this direction, here’s their feedback form:

    http://www.apple.com/feedback/safari.html

  5. It isn’t so much that both the Senate and the House repealed a policy of the FCC (a group of non-elected bureaucrats) that has not yet gone into effect, but what they didn’t do that bothers me. They could have passed a simple law prohibiting any person, group, company or corporation from collecting personal information from any electronic device, period. Actually this should have been done 20 years ago. BTW, it should include sharing personal information even from other countries.
    I don’t know what the appropriate punishment for violating the law should be, but I’m thinking $150,000.00 per incident and 15 to 20 years in federal prison per incident. For repeated violations, life in prison for the CEO of the corporation and confiscation of all their personal assets including house, automobile, aircraft, bank accounts, to include spouse and children.

    • I guess it’s too late once we start to understand we’ve all been conned in this con-game. Then it’s late!!

    • James F. Pasquini

      It’s too late now for the FCC to pass a regulation as you stated. Because now for every new regulation enacted they have to abolish two old ones – no matter how good they are for our privacy, etc.
      That Congressional Review Act is the one that should be abolished! Too many good regulations can be wiped out with the stroke of a pen, and no new regulations that are remotely similar are permitted to be made. What a way to go backward!
      It’s not just a simple question of privacy (who and where you are), but of tracking your “movements” on the Internet by collecting and collating data on you over the course of time. They (governments) can build up quite a large file on someone in this manner. Think credit cards: The FBI has in the past, just by following the purchases made on a person’s credit card, developed a good idea of that person’s spending habits, including where they go. In this way, they can learn quite a bit about someone – even though they had “nothing to hide.”

    • PUNISH these CEO pigs?? HAHAHA. That’ll be the day. We’re supposed to be WORSHIPPING them! ….preferably in as mindless and unquestioning a fashion as possible. We’re also supposed to be drowning them in MONEY! Even if they do a lousy job. They’re better people than the rest of us, don’t you know?

  6. Dennis Freeze

    I don’t know who said it, but this:

    “It’s said that the honest man has nothing to hide. Not true. The honest man has to hide himself, because honest men are the prime targets of those who lie.”

    • Btw… Hollywood and entertainment managers, even actors, are “secret agents”, trained agents trained to dupe your minds.
      X Factor is the latest KGB-MI5 joint project.
      That’s just a simple example.

  7. Why is everyone saying it goes into effect in December? According to the text (https://www.congress.gov/bill/115th-congress/senate-joint-resolution/34/text) it nullifies `81 Fed. Reg. 87274`, which according to the full text (https://www.gpo.gov/fdsys/pkg/FR-2016-12-02/pdf/2016-28006.pdf) goes into effect early January (search Dates: or January; it’s the bottom of the left column of the first place).

  8. I understand openvpn, which some of the VPN services use. However I want to pay the VPN service anonymously with some crypto currency. Any suggestions for books, websites, howtos for getting up to speed on using digital currencies like bitcoin, dash etc. ??

  9. Personally, I’ve been using TOR for years whenever I need to browse privately. Never had a problem, and recently with cell phone providers blocking SSH protocols, it’s become my go-to for secure browsing if I want to shell into my local server whose secure protocol is being blocked by cell network companies such as TrackFone.

    If you follow the rules of using TOR, you’re pretty safe. If you don’t, well, you’ll learn…

  10. Great article. However, I was disappointed that you repeated the tired myth of being able to buy individual web histories. That’s just not true and you ought to correct the article.

    http://www.theverge.com/2017/3/29/15115382/buy-congress-web-history-gop-fake-internet-privacy

    “To be clear, you can’t do this. Just because carriers are allowed to market against data doesn’t mean they’re allowed to sell individual web histories. The campaigns seem well-intentioned, but that’s just not how it works.”

    Your personally identifiable browsing history is not for sale.

  11. Make your own VPN. One can set up a ‘droplet’ VPN at https://www.digitalocean.com
    There are instructions on the internet, GitHub, etc. There are places which will set up a secure non-logging VPN for $3, then you just pay $5/month to digitalocean. Get multiple people to use it and maybe your group of friends would pay less than $1/month, for a VPN service you control. One should check what kind of logging digitalocean does; I don’t know.

  12. Is it true that foreign countries can legally kill people in the US with drones? What’s to keep those who fear your ideology from taking you out? What’s to keep wealthy law firms from buying your data, learning where you search, and then being able to prepare to fight your medical or workers’ comp claim etc.? The scenarios are many, and even if you have nothing to hide it doesn’t stop people from jumping to wrong conclusions, and it gives power and access only to those wealthy enough to purchase your info.

  13. Hey Brian,

    There are tons of pitfalls in using hosted VPN services. They attract surveillance since so many people use them to hide criminal activity.

    Try hosting your own VPN instead. I maintain an open-source project that helps you set up your own personal VPN for free:

    https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/

    Algo VPN includes profiles for Apple and Android devices, uses the most secure defaults available, and works with common cloud providers.

    I’m happy to help you set up one of your own if you want. Email me or poke @AlgoVPN on Twitter.

    -Dan

  14. I’m curious if intentionally running traffic through an international VPN carries risks that people aren’t thinking about. For example, if I regularly use a VPN to access a gmail account, is it more likely that my data will get vacuumed up / flagged / whatever by legal NSA data collection programs b/c it appears that I’m a foreigner using gmail rather than an American? Not that the NSA necessarily flags all foreign users of domestic e-mail services, but since we don’t really know what they do or what actions or keywords trigger more aggressive surveillance…

  15. Kevin Mulhall

    Brian, interested in whether you imagine, as I do, that ISPs who are unhappy with more and more people putting their packets through a tunnel decide to punish VPN users by traffic shaping them into the slow lane. I believe some ISPs, esp. ones that slow Torrent traffic, are doing that already with VPNs.
    Probably the only thing that will stop this is that many customers working from home must connect to corporate LANs via VPN, so impeding that service may generate more push-back than they intended.
    Do you expect ISPs to fight back like that?

  16. Dennis Kavanaugh

    I thoroughly enjoyed the article and most of the comments. This one was politicized just enough, but not too much. And most of the comments were civil.

    Here is what I believe: privacy is not what you make it, not what you want it to be. If it were, the definition would change daily and soon it would not be privacy at all, just some fanciful wish of how things ought to be.

    Your/our privacy *rights* ought to be extremely basic. The rest should fall into some category of desire, and we ought to treat privacy desires like all desires: find some way to satisfy those desires, but don’t go around expecting others to satisfy them for you.

    I think the real issue here is that people don’t like the fact that it is so easy for others to gather up tidbits of information about them, then use it to *their* benefit and not ours. My view: if I am going to use ‘public’ systems to conduct my life affairs, then I ought to expect zero privacy. And ISPs and Google and the others are there in the public offering us those sweet treats, and we can’t resist, and then we whine because we didn’t.

    Don’t get me wrong, I am not happy about things, I just think that we, the people, need to solve this one ourselves and not make a bunch of laws telling others to solve it.

    • “My view: if I am going to use ‘public’ systems to conduct my life affairs, then I ought to expect zero privacy.”

      I disagree based on my view of what I consider a ‘public system’. The internet is not a system that exists without incorporated overview, e.g. ICANN. It’s a wholly regulated ecosystem.

      If McDonald’s offers free internet access it is still paid access from them, thus it is not a ‘public’ system; their sysops control access to and fro.

      You could expect ‘zero privacy’ if you conducted your life affairs on sidewalk, street, or anywhere in public view.

      Behind my walls in my home, my use of water, sewer, electricity, gas, garbage disposal, telecom, and internet are all paid services that have in some respects regulations that guard both me and public/private interest. If I don’t pay, I don’t have a say in the matter of what gets disconnected. Since I do pay and these services come with contracts or Terms of Service, I have a choice to agree, negotiate, or disagree with the terms.

  17. RedTeam Security

    Fascinating story and comments by all. On a personal note, I’m a firm believer in VPN for security’s sake rather than privacy. But the privacy advantage is one I’ll take.

  18. It would be cool if there was a way to generate bogus browsing histories and cookies to send back to ISPs along with the real stuff… is it possible?

  19. Are there any VPNs that you would recommend, Brian, or a review site that is trustworthy?
    Thanks
    J

    • I linked to a review site in the story.

      • I own a VPN service but will leave it up to Brian if he wants to fill in the website link to it or not.

        I would like to point out a few things that people should keep in mind. First, Brian is right about affiliate marketers, and to some extent that is to be expected. What is harder to detect are the sites that do not offer affiliate links but still do reviews on VPN services. Those reviews are bought and paid for 99% of the time. We even have a few of these phony reviews from a marketing service I hired to try to help us get more exposure on Google. Once I found out what was going on I fired them, but in my experience this is more common than affiliate websites.

        There have been a lot of services opening up that do not even encrypt your data. I just read a story on Vice about one such provider. If they do not provide OpenVPN configuration files on their website I would be a bit worried.

        Finally, the website Brian linked is a good starting point. However, that information is rarely up to date and you should always read the terms of service and then contact the VPN service and ask questions about who owns them and what technologies they have in place to keep abuse off their network. If they say none or they will not talk about it then it’s time to be skeptical.

  20. The next Obama wants your internet history so he/she can gerrymander your district and your vote will no longer count.

    In fact this guarantees that you will serve a lifetime of Obamas… kind of like southern states are now but in reverse LOL.

    Now are you interested in not being Profiled for Profit(TM)?

  21. Summarizing many posts here, those not objecting to the increased tracking powers of the ISPs are saying
    – ‘I have nothing to hide’ (may be troll, or parody)
    – ‘new rules don’t change anything’ (probably ISP shills).
    – some technical advice on ISPs, all very useful.
    Privacy is even more important if you communicate with dissidents abroad, whom you do not want to compromise by accidental release of information (even in the U.S.)

    Now I have my own snark to add:
    “I am importing interesting electronics from Russia and China. The new rules allow us to buy useful information on sophisticated internet users to target in our marketing efforts. For some reason, the head offices in St. Petersburg and Shanghai are particularly interested in targeting users with .mil or .gov email addresses, or users accessing these domains often.”

    Perhaps even Republican law makers may see a problem here.

  22. I will continue to use VPN especially now that the new law has been passed. Glad Astrill works fine.

  23. Liked this note:
    It’s very likely that anyone operating a free VPN service is also somehow monetizing your use of their service in some way — probably in a way that may be at odds with your reason for using the service in the first place.

    Personally I either use a paid one (until I find some bugs and delete it to hell), or Tor. Some say it’s also not bad to simply use Proxy))
