March 30, 2017

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set of user credentials and allow them to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).
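The DNS and IPv6 leaks mentioned above can be checked from a snapshot of the host's routing table. The block below is an added example, not code from this post or from any VPN provider: it takes a constructed routing table and resolv.conf, assumes the tunnel interface is named tun0, and reports which resolvers would be reached outside the tunnel and whether IPv6 traffic would bypass an IPv4-only VPN.

```python
"""Added example: spot DNS and IPv6 leaks from a routing-table snapshot.

Given the host's routes (as `ip route show` / `ip -6 route show` would list
them) and its configured nameservers, report which resolvers are reached
outside the VPN tunnel interface and whether IPv6 still defaults to the ISP.
All routes, addresses and the resolv.conf text below are constructed samples.
"""
import ipaddress

# Constructed routes after an IPv4-only VPN client has started: (prefix, interface).
SAMPLE_ROUTES = [
    ("0.0.0.0/1", "tun0"),        # VPN client overrides the default route with
    ("128.0.0.0/1", "tun0"),      # two /1 routes (OpenVPN's redirect-gateway style)
    ("0.0.0.0/0", "eth0"),        # original default route via the ISP
    ("192.0.2.0/24", "eth0"),     # home LAN
    ("203.0.113.5/32", "eth0"),   # host route to the VPN server itself
    ("::/0", "eth0"),             # IPv6 default route untouched -> IPv6 leak
    ("2001:db8::/64", "eth0"),    # IPv6 prefix on the LAN
]

SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 10.8.0.1
nameserver 192.0.2.1
nameserver 2001:db8::53
search home.example
"""


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def route_interface(dest, routes):
    """Longest-prefix match: which interface carries traffic to dest (None if unroutable)."""
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


def check_leaks(nameservers, routes, tunnel_iface="tun0"):
    """Report resolvers that bypass the tunnel and whether global IPv6 does too."""
    leaking = [ns for ns in nameservers if route_interface(ns, routes) != tunnel_iface]
    # Probe a global IPv6 destination (documentation prefix, constructed). If it is
    # routed via anything but the tunnel, IPv6-capable sites are visited outside the
    # VPN; None means IPv6 is simply unreachable, which is not a leak.
    ipv6_iface = route_interface("2001:db8:ffff::1", routes)
    return {"leaking_resolvers": leaking,
            "ipv6_leak": ipv6_iface not in (tunnel_iface, None)}


if __name__ == "__main__":
    report = check_leaks(parse_resolv_conf(SAMPLE_RESOLV_CONF), SAMPLE_ROUTES)
    print(report)  # {'leaking_resolvers': ['192.0.2.1', '2001:db8::53'], 'ipv6_leak': True}
```

The LAN resolver handed out by the home router and the IPv6 resolver both bypass the tunnel here; the fix is to use only the resolver the VPN pushes and to route (or block) IPv6 through the tunnel as well.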

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to choose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to choose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.

These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.

A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is monetizing your use of it somehow — probably in a way that is at odds with your reason for using the service in the first place.

Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).

Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.

As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.

Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.


198 thoughts on “Post-FCC Privacy Rules, Should You VPN?”

    1. Gary

      I’ve been banging my head against the keyboard on and off for months trying to make an IKEv2 VPN work on my DO VPS. This is much appreciated. However it should be pointed out that using a VPS doesn’t exactly hide your identity since your IP is static. But it does stop your ISP from easily gathering your traffic. That is good enough for me since I don’t do anything illegal on the interwebs.

      While on the topic of VPNs and VPS, on my own web server I block many data centers which VPNs use due to hackers. More sophisticated webmasters will put up captchas. I also block the major VPSs again due to hacking.

      Anyone going the VPS as a VPN route should look at tools to protect SSH. I use the open source sshguard. Trust me, you will generate a blocking list of around a thousand IPs in no time. I also use PKI rather than a password for SSH to the VPS.

      1. Jay Schulman

        Gary,

        The algo model is to create and destroy VPNs all the time. So it’s not a static IP forever. But your point is accurate.

      2. Anon

        > blocking list … 1000 IPs

        If you are already using key-based logins exclusively, the only thing you’re doing with the block is keeping your logs a little less cluttered. That’s not a bad thing, but I wouldn’t consider it a best practice for *security* reasons.

        “Real” (non-lazy) hackers aren’t using the same IPs to scan open SSH listeners as they are for more intrusive hacking. If you are actually worried about script-kiddie attacks, fixing those problems before messing with auto-creating firewall rules would be a better idea.

        Also be aware that your legit network access can be DoSed by someone forging packets with your client IPs to get them on the block list (unless you whitelist them, which leaves your server open to “attack” from the spoofed packets).

        IOW – sshguard isn’t something I’d consider essential, even for beginners.

  1. DelilahTheSober

    I have found that conducting even a basic Google Web search while I’m signed into my Google account unleashes the hounds of hell when I try to do this using a VPN service. All of a sudden, I’m getting real-time warning messages from Google suggesting that perhaps my account has been compromised – and then I am forced to do one stupid Captcha after another. Once the VPN is turned off or completely uninstalled, the stupid error messages go away.

    I believe whoever invented the Captcha technology should be deported immediately to North Korea.

    1. quixote

      Try ixquick.com. Results are generally much like the Goog’s (can be less good for abstruse computer questions), without the BS.

  2. Rick

    Brian,

    Great article! I think all users of US ISPs should be gravely concerned about this pending legislation. There is a huge privacy issue with this. The ability to gather and build a profile of every site you visit could have enormous privacy consequences where the information is bundled or packaged for sale to all and sundry for use however and whenever they want to use it and for whatever they want to market to you or to use against you. I hope this issue will catch the concerns of a wide base who can lobby their congressional reps to vote against it.

  3. Mike

    Excellent piece. This has been a huge topic on so many tech blogs lately, but this is by far the best summary of all of the issues surrounding it.

    With a VPN, you’re essentially just shifting your ISP. Maybe Comcast won’t be able to snoop on and sell your data, however nothing is stopping a VPN provider from starting to monetize your data or history, changing DNS responses, injecting ads, etc. If it becomes lucrative enough, they will.

    I’ve been using my own custom SSH based set up to tunnel my traffic to a VPS. I do strongly believe in encrypting as much as I can in this fashion. I just realize that there are limitations, and the data leaving my VPS looks just like it would leaving my cable modem.

    Also, one other thing I’d mention about a downside of Tor is that lots of sites block it, send you to endless CAPTCHAs, or just drop your connection.

  4. Miles

    I’ve used VPN for years to counter MITM attacks on public WiFi, but this is another reason. If I really want privacy, I pick up the phone (landline) and call. If I have reason to believe that I’m being watched (I don’t) then face to face is a better option. Still, no one is truly alone unless your closest friend is Wilson.

    1. Midnight Rider

      I hate to break the news to you, but landline is one of the most easily surveilled games in town. It’s almost trivial to get a warrant to monitor compared to cell phones even.

  5. Al

    If the ISPs are smart, they will pledge not to sell non-aggregated data as a marketing strategy. Or charge you to guarantee no logging.

    1. SeymourB

      Big telco ISPs, the ones who fought the FCC tooth and nail, aren’t that smart. They don’t care if their monetization breaks the ability of their customers to use the internet connection they’re paying the ISP for. Because they know their customers, for the most part, have a choice of dealing with the broken connection or going back to 3Mb/512Kb DSL. Monopolies do not behave like The Invisible Hand Of The Free Market (man) says they should.

    2. Bob

      Al,
      One of the reasons I didn’t get AT&T’s gigabit service when it was first offered was it would cost me 50% more if I didn’t want them to monitor my traffic and send me targeted ads based upon that.
      A co-worker ordered it the first day it was available, saying, “I have nothing to hide”. Sigh.

  6. geverdow

    Does it mean people who work as carders on forums cannot access their carder websites anymore??

  7. Mikey

    Disclosure: I don’t have time immediately to finish the whole article. This comment is not in the same direction that the article is changing, but is on the topic of ISP’s selling our info to advertisers.

    Here’s my prediction. Right now, when my ISP wants to send out a message, my browsing to certain sites will be interrupted with a bar across the top of my window. My script/ad/cookie blockers seem to interfere with this, as I sometimes got weird alerts that something from an unknown/weird address was trying to load, which turned out to be the ISP interfering with my browsing. So, I’ll get a little redirected before going where I was going when they have a message. Once they can sell our browsing habits to advertisers, what’s to stop them from posting directed advertisements using the same mechanism and claiming it’s to “offset costs”? Perhaps they’ll offer discounts on your rate if they can advertise in the middle of your browsing sessions–randomly every 10-15 minutes, you get an ad on your next page load. Perhaps ISPs need to be considered utilities and thus heavily regulated.

    However this ability to sell our information goes, it’s gonna suck.

  8. Tomas

    Some VPN providers like Privateinternetaccess have been blocked. I could not visit Target when using it!

    Use the free trial period and test, test, test.

    Perhaps we need to use a lesser known one.

    1. Lou

      I have also noticed that VPNs are blocked on Target’s free wifi, as well as other stores. I assume this is because they want to see your browsing history to see when you comparison shop. If this happens I switch to cellular if possible rather than let them (the store) watch me.

  9. nulldev

    This decision is so disappointing and those involved both in governance and business such morons. An ISP is the epitome of a utility and should clearly be regulated as such. Heck it has ‘Service’ in the name and is supposedly providing a paid service that they work very hard to recruit customers to but still these companies display such contempt for their “customers” (make that “assets”).

    Last year I left Verizon as cell service provider because of their poor privacy practices and clear vision of becoming a media company and data broker instead of a phone/network service provider. However, options are limited, especially for the home ISP market, and I assume they all are suspect and destined to completely sell out. At the moment we have a smaller regional ISP for home and they are still behaving more like the traditional phone company from which they arose, but I suspect they are not perfect and will become worse with time.

  10. heidi

    How much will going to VPN cost us out here? And do you know if the telcos and comcast now will also be able to sell our history from the past?

    This is horrendous.

    Many thanks for your work.

  11. Adam

    For home networks, is it as easy as using an alternative DNS provider such as OpenDNS? Or does that not go far enough?

    1. Larry

      Using an alternate DNS server doesn’t solve the problem. Your IP address and the IP address of your target site still go through your ISP. The DNS simply translates the URL to an IP address.

  12. Jewtopia

    Hi! I work for [insert VPN here] and there’s a new limited-time offer to save on your next VPN subscription. Insert the promo code “KREBZ” at [insert VPN here].com and win a trip to the Algerian Royal Palace and meet their prince while browsing safely!

    More seriously, I’m still ticked that my rep gave in to the local ISP monopoly.

  13. Greg D.

    Everyone who is criticizing this does not know what it is actually about. Get the facts before you start looking at VPN providers who slow down and funnel your internet traffic, who take your personal info anyway.

    This action doesn’t change or lessen existing consumer privacy regulations. It is intended to block an attempt by the FCC to expand its regulatory jurisdiction, and impose data restrictions on internet service providers. These restrictions have the potential to negatively impact consumers, and the future of internet innovation.

    It’s not about “internet privacy” at all. That should be the FTC’s job anyway – not the FCCs!

    1. Joe Moore

      It’s amazing that every single Republican senator, all but 15 Republican representatives, and all of the Republican FCC members believe EXACTLY what you posted word for word. I’m sure the folks back home are calling them by the hundreds telling them that they can’t wait for their ISPs to come out with innovative ways to track their every word, thought or activity without even bothering to tell them about it. NOT!

      The folks paying for internet access understand that internet access is a communications service and that providers of that service should pay no more attention to what you say and who you say it to using that service than a phone company should.

      The FCC is exactly the right place for regulation of ISPs.

  14. Jeremy

    Hmm… if the internet truly is full of scam-ish VPN services using fake reviews and other dubious tricks to get users, where should people go to do their research to help them decide which legitimate VPN service to use?

    1. BrianKrebs Post author

      From the story:

      “These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.”

      The story links to a very useful resource: https://thatoneprivacysite.net/simple-vpn-comparison-chart/

  15. Brendan

    So Mullvad has the most greens on that website right? Just has Yellow in the Jurisdiction column. All the rest are green.

    1. Cameochi

      Mullvad now has a lot more servers than they did at first including several in the United States and some in the British Virgin Islands.

      It was interesting checking some of the sites with their popup ads and attempts to intimidate people by showing the city and state where they live. Those tactics immediately tell me they are not ethical so who needs them?

  16. James

    Every day VPN usage at home? Nah. When I’m on a sketchy Motel 6 open wifi? Yeah I use a VPN then.

  17. Steve

    I’ve found that when using some VPNs certain sites, such as message forums, just don’t work. It’s like they know it’s a VPN and say, “Nope, no anonymization here.”

    At the risk of being deleted I’ll say I use TunnelBear, which has that issue sometimes. I didn’t want to vet all the VPN services and went to it via the recommendation of a couple professional Wi-Fi installers I know. They use it on unsecured Wi-Fi links. It’s easy to use but doesn’t rate so highly on the thatoneprivacysite.net site. I’ll check out some others. But, if they’re not easy to use they aren’t going to get used so much.

  18. Kent

    I would like to suggest an alternative approach for protecting your privacy from search engines and your ISP. As a long-time tech support person I know that many of you would be frustrated trying to use a VPN and the approach I will recommend is more air-tight than a VPN.

    First, use Google Chrome browser. It is the most secure. Avoid Microsoft browsers.

    Use Ublock Origin Chrome extension to block ads and tracking companies. This will speed up your browsing and protect you from malicious software served up by the ad networks. Whitelist any site you want to support or use their Patreon account.

    Use HTTPS Everywhere Chrome extension. This extension tries HTTPS first and falls back to HTTP only when that fails.

    Make Startpage.com your browser homepage and search engine. Startpage proxies your web searches and shields you from the search engines, maintaining your privacy and offering you unfiltered search results. (Search engines tailor their responses to your user profile.) You can click “Proxy” on Startpage search results to have Startpage visit the website on your behalf (proxy) for free. Use Proxy when browsing new or sensitive sites. It likely won’t work well for your bank or email provider and you don’t want Startpage seeing that anyway.

    Lastly, you can install DNSCrypt to hide your DNS queries from your ISP. DNSCrypt requires the latest .NET framework on Windows and is available on OSX for Macs. You have to manually set your DNS servers on your Internet connection and there are instructions on the web for how to do this.

    If you do these things, your ISP will not see your DNS queries, your Google web queries, or any Startpage proxied web site visits. All they will see is google.com, gmail.com, amazon.com and the like. Anything you don’t want them to see, proxy through Startpage.

    Ask on reddit for more help if you need it. I’m kwereddit.

    1. null

      Using IE, Security Internet High, Privacy Block All Cookies, PopUp Blocker High when exploring/surfing the web seems to stop most ads on most sites. It is easy enough.

  19. JCitizen

    Consumers Union has a political action arm that helps folks who want to contact their representatives and regulators on such issues. They were instrumental in getting some of the privacy laws and regulations implemented in the first place, and are working hard to block congress from weakening these laws.

    If you really want to do something effective on this subject, I highly recommend signing up for their newsletters. They make it easy to contact your lawmakers, and they don’t spam you for donations very often. I’ve seen a lot of good come out of the CU’s action group.

  20. kopecky

    Excerpt from The Verge: HTTPS won’t prevent ISPs from tracking what websites you’ve visited, but it does prevent them from seeing what specific section of the website you looked at.

  21. kopecky

    EFF has an “HTTPS Everywhere” extension for Chrome; it works well but will break some sites. The Verge quote was regarding Porn Hub & You Porn using HTTPS, re: encryption limiting granular results to ISPs. This would apply of course to all HTTPS sites. An easy alternative to VPN I think.
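Larry’s point above that switching resolvers still leaves the site visible to the ISP, and kopecky’s that HTTPS hides the page but not the site, can both be made concrete by parsing what is actually on the wire. The block below is an added example, not code from this post or from any project mentioned here: it extracts the question name from a constructed plaintext DNS query and the Server Name Indication from a constructed TLS ClientHello (the same ClientHello layout is used by TLS 1.3, so the parser applies there as well). The `build_client_hello` fixture builder and all sample bytes are constructed for this example.

```python
"""Added example: what an on-path observer (your ISP) can read from a page load.

Two plaintext items survive even when the page itself is HTTPS: the DNS query
name (unless DNS is encrypted, e.g. with DNSCrypt) and the TLS Server Name
Indication in the ClientHello. The URL path, headers and body stay encrypted.
The DNS packet and ClientHello below are constructed test fixtures, not captures.
"""
import struct

# Constructed DNS query for www.example.com, type A: 12-byte header, then labels.
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")


def build_client_hello(hostname):
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed fixture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name type 0
    sni_data = struct.pack("!H", len(entry)) + entry                 # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data   # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32      # client_version + fixed dummy random
            + b"\x00"                        # empty session id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def dns_qname(packet):
    """Question name of a plaintext DNS query (the ISP sees this on UDP/53)."""
    labels, pos = [], 12                     # skip id, flags and the four counts
    while pos < len(packet):
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels)


def sni_from_client_hello(record):
    """SNI hostname from a TLS record holding a ClientHello, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                    # not a ClientHello
            return None
        pos = 4 + 2 + 32                     # handshake header, version, random
        pos += 1 + hs[pos]                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                   # compression methods
        if pos + 2 > len(hs):
            return None                      # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):       # truncated or malformed input
        return None


def observer_view(dns_packet, tls_record):
    """Everything the ISP learns about the site; nothing about the page within it."""
    return {"dns_query": dns_qname(dns_packet),
            "tls_sni": sni_from_client_hello(tls_record)}


if __name__ == "__main__":
    print(observer_view(SAMPLE_DNS_QUERY, build_client_hello("www.example.com")))
```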

  22. Gman

    Great article. Yesterday I created an AWS EC2 instance for the sole purpose of running an OpenVPN server for myself. Prior to that I was using TORGUARD from VPNetworks, which is a great VPN/proxy provider with a lot of support and great apps for Android/iOS and Chrome/Firefox plugins. For those that want good anon payment options they also accept gift cards from 100+ stores through paygarden.

  23. Scott S

    Could another option to web data collection be to adulterate the data available to be collected?

  24. ScottytheMenace

    It’s my experience that most of the people I talk to about Internet privacy don’t really care. They’re getting services “for free” and “have nothing to hide.” That’s why companies like Google, Amazon, Facebook, et al. — not to mention advertisers and now ISPs — will get away with this. Unless online tracking becomes opt-in instead of opt-out or people wake up and discover privacy again they will continue to get away with it. So very sad.
