March 30, 2017

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set of user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from telling which sites you are visiting or from viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to choose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to choose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.

These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.

A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is monetizing your use of their service in some way — probably in a way that may be at odds with your reason for using the service in the first place.

Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).

Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.

As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.

Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.


198 thoughts on “Post-FCC Privacy Rules, Should You VPN?”

  1. ScottytheMenace

    Funny you mention this Scott S. I’ve always wondered if someone could create a browser plug-in or other software that would, rather than obfuscate data or block trackers, actually generate random data to send to them. That would pollute their database and destroy their business model. I’d pay for that. 🙂

    Sorry if this is a DUP post. I didn’t see the previous version show up.

    1. Brian Krebs

      Apologies in advance for hijacking this comment thread, but I wanted to leave this comment prominently up top here. While “Nancy” appears to have generated a great number of indignant responses below, I now suspect that she is a fabrication created by someone who has been leaving countless troll-ish comments here over the past few weeks.

      I’ve deleted probably a couple of dozen of this individual’s comments so far, mainly because they attempt to incite anger or derision and seem to always support Donald Trump in a way that appears to foment hostile responses.

      I apologize for these inflammatory and apparently engineered comments. Guess I’m going to have to up my game to counter the trolls. Perhaps these comments are part of a larger campaign to sow unrest and to dilute the quality of the otherwise great discussions that spring up around posts on this blog.

      For further reading about what may be going on here, I’d suggest:

      http://www.seattletimes.com/seattle-news/politics/uw-professor-the-information-war-is-real-and-were-losing-it/

      and

      https://www.nytimes.com/2015/06/07/magazine/the-agency.html?_r=1

    2. Scott S

      Well, the data is only worth something if it is “true” and totally useless if “false”. If the data collector cannot have faith in his data then they are out of business… So programs that can adulterate the data set in a way that destroys data end user value would eventually bring a halt to this practice… We have fake news so why not fake data….

      1. ScottyTheMenace

        Exactly. I’d like to get my hands on that kind of add-on — better yet, maybe a VPN provider that does it? — if for no other reason than to make tracking me more difficult.

  2. AJ North

    Brian, let me second your plug for the EFF (which I have also supported for the past several years).

  3. Ben

    Thanks for this very good article.

    Nevertheless, I’m wondering whether setting up an openvpn on a cloud server like amazon, google, ovh, digitalocean, etc. would increase my privacy? Or will I somehow be traceable via the IP address of this server which could be linked to me?

    1. DanM

      I had this question too, specifically with respect to AWS.

      As I understand it, if you set up a VPN service in AWS, you’ll have to associate it with a public IP, most likely an Elastic IP. I don’t think that the IP address can be traced back to you personally without cooperation of Amazon. There doesn’t seem to be a public mechanism to query AWS for who’s renting an IP address. A reverse DNS lookup on an AWS IP returns a name in the amazonaws.com domain.

      Don’t associate the address with a DNS name, though, since ownership of that name would likely be traceable to you. E.g. if you already have a public server on AWS that’s addressable by a domain name, don’t put the VPN service on that – put it on its own EC2 instance with its own Elastic IP.

      Of course, Amazon will be keeping some record of your traffic, and might be induced to share it e.g. via a subpoena. And someone could still analyze traffic originating from that IP and make inferences about you, maybe even identifying you. Periodically recycling an Elastic IP might help to mitigate this risk.

      It’s not perfect security by any means. But if you set it up right, with _all_ your traffic, incl. DNS lookups, going through the VPN, you would quite effectively hide traffic details from your ISP.
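Both the post’s point about DNS and IPv6 leaks and DanM’s remark that all traffic, DNS lookups included, has to go through the tunnel come down to the same question: does the host’s routing table actually send everything, including the configured resolvers, out of the VPN interface? The script below is an added example, not code from the post or from any commenter. It parses constructed samples of Linux `ip route` / `ip -6 route` output and `/etc/resolv.conf` (the interface name `tun0` and the probe addresses are assumptions) and reports the paths that bypass the tunnel. It knows about the two /1 routes OpenVPN installs for `redirect-gateway def1`, which cover the default route without replacing it, and about an `unreachable` IPv6 default route, which blocks IPv6 rather than leaking it.

```python
import ipaddress

BLACKHOLE = "<blackhole>"                 # marker for routes that drop traffic
REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}


def parse_routes(text, family):
    """Turn `ip -4 route` or `ip -6 route` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = None
        if parts[0] in REJECT_TYPES:      # e.g. "unreachable default dev lo ..."
            dev = BLACKHOLE
            parts = parts[1:]
        dest = parts[0]
        if dest == "default":
            dest = "::/0" if family == 6 else "0.0.0.0/0"
        if dev is None:
            if "dev" not in parts:
                continue
            dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the interface the kernel would pick for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def parse_nameservers(resolv_text):
    """Resolver addresses from /etc/resolv.conf."""
    return [l.split()[1] for l in resolv_text.splitlines()
            if l.strip().startswith("nameserver") and len(l.split()) >= 2]


def audit(routes, nameservers, tunnel_dev="tun0",
          probe4="192.0.2.1", probe6="2001:db8::1"):
    """List the ways traffic would bypass the tunnel; an empty list is the goal."""
    findings = []
    if egress_device(routes, probe4) != tunnel_dev:
        findings.append("ipv4-default-bypasses-tunnel")
    for ns in nameservers:
        if ipaddress.ip_address(ns).is_loopback:
            # A local stub (systemd-resolved's 127.0.0.53) hides the real upstream;
            # the upstream servers must be checked separately (e.g. resolvectl).
            findings.append(f"dns-stub-resolver:{ns}")
            continue
        if egress_device(routes, ns) not in (tunnel_dev, BLACKHOLE):
            findings.append(f"dns-leak:{ns}")
    dev6 = egress_device(routes, probe6)
    if dev6 not in (None, BLACKHOLE, tunnel_dev):   # no IPv6 at all is fine
        findings.append("ipv6-bypasses-tunnel")
    return findings


# Constructed sample: VPN is up, but the default route, the router's resolver and
# IPv6 all still leave over wlan0.
LEAKY_V4 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
LEAKY_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
LEAKY_RESOLV = "nameserver 192.168.1.1\n"

# Constructed sample: redirect-gateway def1 style /1 routes, resolver on the
# tunnel, IPv6 default route deliberately blackholed.
GOOD_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
GOOD_V6 = """\
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
unreachable default dev lo metric 1024 pref medium
"""
GOOD_RESOLV = "nameserver 10.8.0.1\n"


def audit_sample(v4, v6, resolv):
    routes = parse_routes(v4, 4) + parse_routes(v6, 6)
    return audit(routes, parse_nameservers(resolv))


if __name__ == "__main__":
    print("leaky:", audit_sample(LEAKY_V4, LEAKY_V6, LEAKY_RESOLV))
    print("good: ", audit_sample(GOOD_V4, GOOD_V6, GOOD_RESOLV))
```

On a live system, feed it the real output of `ip -4 route`, `ip -6 route` and the contents of `/etc/resolv.conf`; the host route to the VPN server’s public address (`203.0.113.10` in the sample) is supposed to stay on the physical interface, which is why the probe address rather than that route decides the verdict.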

  4. Dave

    Using a VPN to hide your goings on from your ISP simply moves the threat upstream to an even less regulated entity. The VPN provider sees all that the ISP would and is bound by no FCC regs.

    As much as I despise my ISP (Comcast) I somehow trust them more than some random shady VPN provider who is in bed with god knows who.

    I was dismayed with the media coverage of this issue. Yesterday NPR had a segment where they said that ISPs can now know what you post, etc. It shows a profound misunderstanding of the technology they are commenting on as HTTPS makes this impossible.

    I suspect that they were fed this information by one or many VPN providers looking to drum up business.

    1. Mahhn

      Dave, this is incorrect: “HTTPS makes this impossible.” I am responsible for monitoring our web filter at work. I can tell what you typed, where you went, what credit card was used.
      The data that can be collected is “everything”.
      At the company this is used to monitor for data exfiltration (by users or hackers on their way out), malicious sites, abuse and so on. It is very easy to see how it can be abused, and there is nothing preventing a VPN from doing this also. At work it’s a “filter”, in the criminal world it’s a Man in the Middle attack.

      1. Martijn

        To be fair, that kind of interception of SSL/TLS traffic is only possible if your company installs (or requires installation of) their own CA in the user’s client. As you probably know, the company’s firewall device will generate self-signed certificates for each HTTPS site that you visit, in effect MITM-ing the users.

        For regular consumers (or at my company) that doesn’t happen. Their traffic is hidden, except for the domain names of the sites they visit. The URL-path, content, search parameters, etc. are encrypted.
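Martijn’s point that a passive observer (an ISP, or a VPN provider, which sits in the same position) sees the domain name but not the URL path, content or search parameters can be checked against the bytes on the wire: the server name travels in cleartext in the Server Name Indication (SNI) extension of the TLS ClientHello, while the HTTP request itself is inside encrypted application-data records. The following is an added example, not code from the post or from any commenter. It builds a minimal ClientHello itself (a constructed sample; real browsers send many more extensions, but the layout is the same) and then parses a small TLS byte stream the way an IDS or a web filter in monitor-only mode would, recording only what is readable without keys.

```python
import os
import struct

SNI_EXT = 0x0000        # extension type for server_name (RFC 6066)


def build_client_hello(server_name, include_sni=True, extra_extensions=b""):
    """Constructed minimal TLS 1.2/1.3-style ClientHello record with one cipher suite."""
    extensions = extra_extensions
    if include_sni:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body = (
        b"\x03\x03" + os.urandom(32)             # legacy_version + client random
        + b"\x00"                                # empty legacy session id
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def application_data_record(ciphertext):
    """Constructed application_data record; the payload is opaque to an observer."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def extract_sni(hello_body):
    """Walk a ClientHello body (after the 4-byte handshake header); return the host name or None."""
    pos = 2 + 32                                            # skip version + random
    pos += 1 + hello_body[pos]                              # session id
    pos += 2 + struct.unpack("!H", hello_body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello_body[pos]                              # compression methods
    if pos + 2 > len(hello_body):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", hello_body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello_body[pos:pos + 4])
        pos += 4
        data = hello_body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            p = 2                                           # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return data[p:p + nlen].decode("idna")
                p += nlen
    return None


def summarize_records(stream):
    """Everything an on-path observer can read from a TLS byte stream without keys."""
    seen = []
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        pos += 5
        payload = stream[pos:pos + rlen]
        pos += rlen
        if ctype == 0x16 and payload[:1] == b"\x01":
            seen.append({"type": "client_hello", "sni": extract_sni(payload[4:])})
        elif ctype == 0x17:
            seen.append({"type": "application_data", "bytes": rlen})   # size only
        else:
            seen.append({"type": f"content_type_{ctype}", "bytes": rlen})
    return seen


if __name__ == "__main__":
    # Constructed capture: handshake start, then a 40-byte encrypted HTTP request.
    stream = build_client_hello("example.com") + application_data_record(os.urandom(40))
    for rec in summarize_records(stream):
        print(rec)
```

The observer gets `example.com` and the fact that 40 bytes of something followed; the path, headers and body are not recoverable from the stream. This is also why the Encrypted Client Hello extension to TLS 1.3 exists: it moves the server name into an encrypted part of the handshake so that even the domain is hidden from the network path.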

      2. Dave

        Mahhn:

        The only way I can see this happening is under one of 2 circumstances:

        1. The client and server negotiate the NULL cipher suite. Not impossible but kind of pointless unless you only want to prove identity of the server and then go out of your way to expose traffic in clear.

        2. Your company is using an HTTPS proxy whose root certificate is trusted by the machines talking through it and the proxy issues site specific leaf certs on the fly. In that case your proxy fakes the origin server, decrypts, does what it wants to and routes the traffic through a different TLS channel between it and the origin. You would also have to circumvent browser certificate pinning.

        I can see that in a corp environment where the corp can install whatever it likes on their machines but not in a non-corp ISP scenario. Well, that discounts people being stupid and allowing the installation of malicious certificates on their machines. I also seem to remember that Lenovo did something like this years ago with one of their bloatware programs.

        If there is another way to do what you say I’d love to hear about it. If you want to talk privately let me know and I’ll give you my personal email.

        1. Dave

          Also: Since I have outlined a way to MiM HTTPS I guess that I was incorrect in stating that it is “impossible”. Just HIGHLY unlikely for an ISP to do this. The bad press it would cause would be nasty.

    2. Aztech

      HTTPS does not make it impossible for your ISP to read your web traffic. Google HTTPS fingerprinting and or look at Gibson Research GRC website and learn something. Your ISP can easily intercept your https traffic and decrypt it using a simple method. My god the ability for any employer to do it is built into Windows servers. It is not “impossible”.

      1. Martijn

        It’s quite a bit harder than you make it seem, and yes, I read GRC’s page.

        For ISPs it’s virtually impossible to MITM your HTTPS traffic. Simply ‘decrypting’ isn’t feasible. They’d need to get their own CA or intermediate cert installed on your device. On a company network it can easily be done if the company rules require employees to install a CA certificate (or are provided with preinstalled hardware).

        Even then, the popular modern browsers have ‘pinned’ the certificate fingerprints of common popular websites. If an ISP or company succeeds in MITM-ing the connection the changed certificate will ring bells, blocking the connection and reporting (optionally) to the browser vendor.

        Particularly Google has been active in their follow-up. Received reports, combined with data from their Certificate Transparency program, have led to the ‘disbarment’ of several malpracticing CAs. In other cases Google has warned users when they’ve detected MITM attempts by dubious governments.

  5. Sam

    There is some degree of false equivalency to compare what an ISP collects to what Facebook and Google collect. Nothing new? Well, an ISP is in a position to collect everything you search and visit. Including what you type directly in the browser’s address bar. Not so with Facebook and Google.

    Let’s consider where this legislation is heading. An ISP could track any communications, email, file transfers, WebEx, Voice/Skype, custom applications…referenced from an individual’s workstation. Another level that Facebook and Google can’t touch. I believe (check this?) the FCC bill restricts the ISP to browser tracking now. Maybe not later.

    Shock was expressed with the revelation that the NSA was gathering call metadata on American citizens for national security purposes, but it’s OK to allow public/private (non-government) companies to profit selling a list of every communication an individual has had over the last days/months/years… (lifetime?) as long as it isn’t used for national security I guess.

    Sam

    1. Jim

      Sorry, disagreed. Shocked, no. And check out the foreign press on what vault seven has to say.

  6. nancy

    If you are not involved in bad activity on the internet then you got nothing to hide !! What is this panic over …you guys are afraid of your shady deals ??

    1. Ryan Coake

      It’s not a matter of “if you’re not doing anything bad you have nothing to hide.”

      It’s a matter of “if you’re not doing anything bad, nobody needs to look, let alone record, package, and sell to the highest bidder.”

      Nobody should have to justify their actions on the strength of “I’m not doing anything bad.” Quite the contrary, those who would creep around spying on others, *SHOULD* have to justify their actions.

    2. Austin Clark

      Nancy. Your comment is disgusting. Please rethink your argument and send me your email address credentials if you have nothing to hide.

      Please and thank you.

    3. DM

      Nancy – Kindly put, EVERYTHING you do on the internet will only EVER be used against you. Ever. And if you didn’t pay attention to the NSA gathering of all TRUMP’S activities for the last 10 years, that Obama used and gave to his opponents, then you really need to up the low information game you’re involved in.

      It’s about the basic constitution that protects all rights equally. And yes the world isn’t black and white, it’s grey with shades of black and white. Like that one time you ran that red light or perhaps sped to make that important (whatever) at the time thing.

      You must stand your ground always and keep these things separated, so blanket monitoring by a monopoly entity of your personal data should be against the law. This is a confusing bit, and sadly a 70 year old man would not know the details enough about the internet to know he should be VETOing this bill.

      BTW the next step is to allow all ISPs to insert into your traffic whatever they want, such as that targeted ad while you’re browsing, or redirecting you whenever they want to make a few bucks. It’s kind of like the 2012 bill that allowed all media to lie to us full time legally. Look at the false flags going off all over the world, not a bit of truth to be found anywhere. Just one lie to the next.

      1. DavidD

        Do you have credible sources for your claim that Obama used the NSA to spy on Trump?
        Note: Breitbart.com, Infowars, etc. are not good examples of a credible source.

    4. John

      The example often used when people ask “What have you got to hide” is the postcard. People put letters in envelopes because they prefer privacy over publicly displaying their words, not because they have something to hide. We expect a certain amount of privacy.

      1. Mr. Wizard

        This reminds me of Edward Snowden’s quote, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

    5. zackis

      Let me alert you to the problem with this thought. Activity X (make up a current legal activity) is currently legal, you are recorded doing Activity X. Then Activity X becomes illegal, and you are prosecuted for breaking that law using the first recording.

      You might think this isn’t possible, however laws change and interpretation to those laws happens all the time.

      Ignorance of recordings offer 0 protection.

      So you need to make sure

    6. Dave

      Should I also not care about free speech if I have nothing to say?

    7. Troy Plumer

      Nancy: I, like most people, don’t feel drawn to live in a glass house.

    8. Nick

      A complete misunderstanding of the principles of The Enlightenment and American civil rights. I weep for these poor, sad products of public education.

    9. Nick

      And two more words “industrial espionage.”

      I’m sure there’s an interesting market for, say, purchasing a competitor’s web traffic history to see if you can mine it for interesting bits of intel.

    10. Jimmy G

      Am I the only one who read Nancy’s comment as tongue in cheek?

    11. George

      Nancy:
      Please post your complete search history for the last three years.
      Thanks

    12. James Clements

      But if I’m not doing anything wrong why are you watching me? Isn’t that a little perverse on your part? Also, if you have a physical or mental illness, or have been assaulted or threatened or hurt in some other manner and are seeking help do you want anyone/everyone to know about it? How about if the person that hurt you was watching what you are doing online, might they enjoy the distress they’ve caused you or act against you if they think what you are doing can cause them harm? What if what you are doing today is both socially acceptable and legal but becomes unacceptable and/or illegal at some future time. Is it ok that a person or organization can retroactively review your online history and possibly act upon what they find? What if someone just doesn’t like you or wants your job is simply a petty jackass how likely is it that what they know about you will be revealed in the most harmful way possible, even if no laws are actually broken? There are many, many ways that information about you can be used against you even if you have never done anything “wrong” or illegal. I believe that while the odds of any one person being impacted in a severely negative manner because of a lack of online privacy are low they are certainly not zero and in certain situations the result can be, for you or your friends or your family, quite horrible.

    13. Martijn

      Nancy, the country of The Netherlands had one of the best civil registries in the world in the 1930’s. Many things were stored, including everyone’s religious affiliation. Unfortunately, when the Nazi-party gained power in neighbouring Germany, declared war and The Netherlands was invaded it was this registry that allowed them to round up and exterminate the Jews more systematically and effectively than in other countries.

      You may have nothing to hide now, but cannot yet know what may become sensitive data in the future. And history shows that once you’ve given up some amount of privacy it takes a lot more effort to get it back, if even possible.

      1. radar

        Well said! I don’t worry about having web activity to hide right now. However, if our government was taken over by a dictator like Erdogan (Turkey) then my love of free speech and religious freedom might well get me jailed or shot someday.

        Big Brother is always a threat…This legislation just keeps one company from having a monopoly on our web activity. For now, living in the USA still makes it unlikely that we will be persecuted for rather ordinary beliefs and activities. But beware the 21st Century attacks on our Constitutional freedoms from the left OR the right!

    14. Ross Archer

      The attitude of “nothing to hide” presupposes a government operating honestly and in good faith with their citizens. The Trump regime has already, with remarkable speed and clarity, displayed such an alarming lack of integrity and disregard for the norms of democratic governance that the term “fool” best describes one who puts any trust in them.

    15. David Thompson

      We should be able to find our way to Nancy’s house quite easily. It is the one with no curtains on the windows because she has nothing to hide.

  7. John S

    If you’re concerned about privacy, the internet has a lot of places where you’re going to find that you’re losing the battle. Google for one was a huge invasive company collecting data on you much like a Comcast, Verizon, Facebook etc. Knowing what you do on the internet is big business. Not saying oh just give up on protecting privacy. But people seem to say one thing and do just the opposite. If anything is going to be done about privacy it’s going to have to come from the end user. My personal belief is that while some fear this loss of privacy, many actually don’t really care enough to do much about it. In fact ISPs offer the customer to opt out of collecting and selling their information. But how many, even the paranoid, even bother to request it? How many even know what apps they use collect data and sell it? Free apps too make money the old-fashioned way: selling data collected from you.

    1. null

      I had no luck finding privacy setting options for Charter a few days ago. As far as I can tell, there are policies, but there are No options. If anyone knows where to opt out, please post.

    1. Sasparilla

      Back before Net Neutrality at the FCC, if you folks remembered, Comcast was causing user links to Netflix to be “unreliable”, legally. Not too worried they’d do that to Netflix now, but you never know. The real question is would they cause those same problems accidentally on purpose for VPN addresses in the future?

  8. DM

    I found this, I thought I’d share:

    “Who was at the door?”
    “Oh, just a nice man doing a survey. He wanted to know if we had a pet dog or a burglar alarm and what nights we aren’t at home.”

    Or
    Who has your w2 info? how about that ssn and pin? MS, your ISP? What you have some assets in another bank account?

    Just something to think about.

  9. Andrew

    As much as I like the idea of anonymizing one’s traffic via TOR, operating a TOR exit node is risky. Mainly because non-technical folks can’t understand that an IP address is not an identity, and so police departments raid sites of TOR exit nodes thinking they’re going to catch kiddie porn purveyors.

    Personally, I find the risk of a flash-bang setting my curtains on fire to be a higher risk than someone finding out I’ve visited some web site….

  10. Bob

    “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

    Who said it?
    Ben Franklin,
    or
    Ed Snowden?

  11. Mahhn

    This might be the motivation I need to stop using the internet and get out of the chair permanently. There is nothing on the internet that I “need”. I’ve always paid my bills in person, so it’s not a big leap. I will miss interacting with friends across the country in FB if I do…

    1. Nick

      No, not even close. They’ll still know everywhere you actually go.

      Only ways to avoid that are Tor or VPN.

      1. Jim

        And what services are they on? The same wires as feeding the data services. So how is that more secure? Mitm attacks can record that traffic also. The only difference will be a delayed commercial in your stream.

  12. yake

    Personally I think this new law is a problem only for those who are going to use their own identity like google mail, facebook, instagram and etc. Coz now vpn providers will sell your information to corporations who will know exactly what type of person you are and can sell whatever they think u might be interested in.
    Needless to say everything is on sale and hackers will get their hands on that information too.
    So if you don’t use a usa ip isp for your own needs like online bank, facebook and etc I’m sure you are safe.

  13. nancy

    Ok..but our government is here to protect and serve us.
    I think let them do their job and we do our own everyday activities.
    And due to terrorism and things like that Government must know who is doing what and when.
    I got nothing to hide so I can’t see any problem.
    I think the rest of you are just too paranoid.. I guess so

    1. Nobby Nobbs

      Why do you wear clothes?

      Why do you shut the door when you go to the bathroom?

      Why do you close the curtains when you have sex?

      If you feel like everything you do should be as private as these things, you are not paranoid, you just have higher standards.

    2. Sasparilla

      America was founded partly because the British could and did search your communications back at that time (mail), could come into your home and look for anything they wanted and take anything they wanted (unreasonable search and seizure) and as an aside torture people (George Washington demanded his troops not torture people and it was something this country didn’t do until George Bush / Dick Cheney after the year 2000). This is why a right to privacy is part of our heritage & partly why we gained independence.

      However it is much more profitable for these companies if customers / citizens do not have these rights – same goes for the govt if they decide or want to check if you are a problem…a lifetime list of all your internet usage and google questions will have something troublesome for nearly anyone or loved ones / kids / grandkids. You don’t want to set the deck so someone can come in and be a dictator – whether it was Senator McCarthy of the 50’s, Hoover of the FBI blackmailing politicians with their secrets or folks like former Pres Nixon wanting to spy directly on opponents…bad people will come into power and abuse these tools for ill or profits. They (people and companies) need to be blocked so they don’t have the chance…cause it will be abused and we should have privacy anyways – it’s a big part of why this country came into being. JMHO…

    3. VER1TAS

      Nancy, the problem is that this is a right to privacy issue. This is your Constitutional Right.

      The First Amendment protects the privacy of beliefs.

      The Third Amendment protects the privacy of the home against the use of it for housing soldiers.

      The Fourth Amendment protects privacy against unreasonable searches

      The Fifth Amendment protects against self-incrimination, which in turn protects the privacy of personal information

      The Ninth Amendment says that the “enumeration in the Constitution of certain rights shall not be construed to deny or disparage other rights retained by the people.” This has been interpreted as justification for broadly reading the Bill of Rights to protect privacy in ways not specifically provided in the first eight amendments.

  14. Algorythm

    Offhand if you’re really bothered by snooping look for VPN vendors that are located in places where the snooping remains illegal. Germany for instance. For the lazy, give some $$ to Opera and take advantage of their Canadian VPN that’s built in.

    For my money, I’d instead pay the $10/mo for a German VPS and set up my own SoftEther or OpenVPN gateway. You’ll own the logs, which I recommend you send to /dev/null 🙂
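    The self-hosted gateway this comment describes, as an added example (not from the commenter, the post, or the OpenVPN project): a minimal OpenVPN server configuration for a rented VPS that keeps no connection records on disk. The port, certificate paths, tunnel subnet and the resolver address are assumptions; the directives themselves are standard OpenVPN 2.4-era options.

```conf
# server.conf for a self-hosted OpenVPN gateway (added example, not from the page).
# Port, paths and subnet are placeholders; adjust for your VPS.
port 1194
proto udp
dev tun

# Keys issued by your own CA (e.g. easy-rsa); placeholder paths.
ca       /etc/openvpn/pki/ca.crt
cert     /etc/openvpn/pki/server.crt
key      /etc/openvpn/pki/server.key
dh       /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0   # HMAC on the control channel; unauthenticated packets are dropped

server 10.8.0.0 255.255.255.0        # assumed client subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"      # assumes a resolver on the gateway's tunnel address, so DNS never goes to the home ISP
keepalive 10 120

cipher AES-256-GCM
auth SHA256

# Drop privileges once the tunnel is up.
user nobody
group nogroup
persist-key
persist-tun

# Logging: the point of self-hosting is that you own the logs, so keep none.
verb 0            # only fatal errors are reported
mute 20
log /dev/null     # daemon output is discarded instead of going to syslog
# Deliberately omitted, because each one writes client activity to disk:
#   status /var/log/openvpn-status.log   (live table of connected clients and their addresses)
#   ifconfig-pool-persist ipp.txt        (client-to-IP mappings kept across restarts)
#   log-append /var/log/openvpn.log      (accumulated session history)
```

    Two caveats worth keeping in mind with this setup: the VPS provider and its upstream network still see every packet on the far side of the tunnel, so this moves trust from the home ISP to the hosting company rather than removing it; and a gateway with a single user is trivially linkable to that user by anyone watching the VPS, unlike a shared commercial endpoint.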

  15. Sasparilla

    Minnesota passes law forbidding ISPs from selling users’ data.

    https://yro.slashdot.org/story/17/03/31/0450248/minnesota-senate-votes-to-bar-selling-isp-data

    Illinois is working on something much more token but better than nothing (the ISP has to show you what they’re sharing on you if you ask) – I’d rather take MN’s choice. Nice to see this and makes me wish to move there despite the winters.

    The ISP / telecom industry (they’re rapidly merging) have a pretty good corruption choke hold on legislatures at the state level, so I’d be surprised to see much more of this – but you never know. California, a ballot initiative on this is calling…

  16. Troy Frericks

    Consumer privacy should be regulated by the FTC, not the FCC. This action makes that shift. That shift is in flight as the FTC has the regulations in place to offer protection, but they cannot take action against (sue) offending ISPs. Look for Congress to take action shortly to close that “loophole”. This is just about streamlining government, not about reducing privacy.
    Troy.

    1. Sasparilla

      That is certainly what the ISP’s (Comcast, AT&T, Verizon etc.) and their paid lobbyists and paid votes in Washington say. I don’t believe them. I want the better privacy rules of the FCC – citizen privacy rights should trump rights to enhanced profits for these mega corporations who pushed this through, IMHO.

      The FTC doesn’t have a history of actively doing anything regarding privacy and these ISP’s and the rules it does have are very lax and out of date. There is a big difference between what a single website (that you don’t pay) can know / catalog about you and someone who tracks your every move on the internet that you pay to use in the first place.

      https://www.techdirt.com/articles/20170330/06015237041/trumps-internet-brigades-shocked-to-realize-government-just-sold-them-out-privacy.shtml

    2. Robert.Walter

      If what you say is true, the responsibility minded GOP team* would have legislated a step change that would have ended FCC responsibility as FTC picked it up w/o introducing a gap.

      Instead we get a song and dance alluding to a 2 part approach before proper protections are back in place.

      Also, IIRC, the killed legislation carried penalties for data breaches.

    3. TM

      That is a blatant lie and you know it. Who’s paying you?

  17. Thomas G.

    Just a quick THANK YOU for taking the time to write such a thoughtful and informative article on the subject. I am one of those people now educating myself on ‘next steps’ for ways to protect myself from this new law-to-be (I’m almost certain Trump will sign it). So, thank you for including your thoughts on the matter. It’s much appreciated.

  18. Ismael

    Nancy, we need the internet privacy.
    It protects our own personal information. Plus it won’t stop terrorism.
    1. Would you allow any stranger into your house to take whatever they want, free to resell it and make a profit?
    2. Would you let a stranger read your mail and then make a profit off what he read?
    3. Would you like all your medical information to be known by every person/stranger and then sold for profit?
    4. Information not only can be sold but used to blackmail and make fun of people’s bad situations.
    5. Plus other different situations that you can imagine.

    I know I will never allow any of that, but at the speed everything is going we will be losing not just internet privacy rights but privacy in everything we do at our house and outside.

    This is why we need privacy: to protect our feelings and who we are, and not get exploited for money, making the rich people richer.

  19. Jeremiah Talamantes

    The data collected by Internet Service Providers, including sensitive information, will be breached at some point and that poses risk to everyone.

  20. leotg

    On the surface it would seem that it would help stop terrorism, but it wouldn’t, guys. Imagine an influential, rich organization in cahoots with an enemy of the state, buying all our data for them. My data, your data. I think that has the potential to do more harm. That’s why this bill shouldn’t have made it past the House. Free market? Cool. One where my data sells? No thanks. I wish it never would have come to me feeling so unsafe in the country that was founded in the name of freedom. But I’m being forced to seek alternatives like VPNs.

  21. Privacy Watcher

    (The info below is credited to & quoted from the Cornell University Law School)

    “The Fourth Amendment originally enforced the notion that “each man’s home is his castle”, secure from unreasonable searches and seizures of property by the government. It protects against arbitrary arrests, and is the basis of the law regarding search warrants, stop-and-frisk, safety inspections, wiretaps, and other forms of surveillance, as well as being central to many other criminal law topics and to privacy law.”

    “Amendment IV

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    Certainly seems the 4th Amendment is being circumvented in any and every way possible. It’s easy to have the ‘mindset’ that the privacy issues being discussed don’t affect you because you’re not engaged in any illicit activity. Remember the adage, “Silence gives assent”.

    So, don’t be surprised when you wake up one day only to discover you no longer have ANY Constitutional rights at all.

  22. Dan. R.

    I would like to comment that I find the use of VPN tunneling rather a flawed logic approach to protecting your privacy. You are essentially explicitly putting a great deal of faith and trust in the end point provider with your data as it leaves their network and on to the destination site. This is no different than the way the internet works today. If you value your privacy and security, then you control it, no one else does. What you type into a Google Search or post on Social Media is in your control. Google or any other company is not holding you at gun point to type in your queries. So one needs to use their smarts and determine if what you are searching for is going to get you negative attention from law enforcement officials. If you feel that a company is overcollecting on you, then maybe you need to evaluate your use of technology and determine if you really need it. I have more faith and trust in Google or Microsoft with my data than some random end point at the end of a VPN Tunnel.

    1. Larry Gellar

      That’s not actually true.

      VPN Provider
      – Can pay anonymously via bitcoin or similar if truly paranoid
      – Willing to publicly commit to log retention policies. Many keep no logs at all. If they lie about it, they go out of business, so they’re likely telling the truth.
      – Can pick a provider in a different jurisdiction. The best jurisdiction may surprise you– for example, the USA does not have legally mandated data retention while Sweden (which you would naively think to be a much better jurisdiction) does.
      – Will state their policy as regards to data requests from authorities. Good VPN providers will only respond to legal court orders.

      Your ISP
      – Is never anonymous.
      – Can legally log everything, and won’t commit to not doing so.
      – Very likely to hand over your info at a simple request from authorities, not requiring a court order.

      1. Dan. R.

        I think you missed the point of my comment entirely. Again you explicitly trust the end point with your data regardless of who it is you are connecting to and from. Do you trust that your VPN Provider actually adheres to their Terms and Conditions, and that they are 100% honest in their dealings with data and your privacy? I know I wouldn’t put blind faith into a VPN Provider’s ability to protect my privacy unless it is my company’s VPN Tunnel. Would you trust a Chinese End Point over one in the United States or Canada where there are better ethics being practiced? Again it’s the big word “TRUST” that comes into play. For me to trust a VPN Provider I would have to know their user base.

        1. Larry Gellar

          I directly addressed your point.

          Here it is again– if a VPN provider sells your info contrary to their promises, they’ll go out of business because that runs contrary to their core service offering.

          Everything is a calculated risk. If you won’t accept anything less than a complete assurance, you’re unlikely to be satisfied by anything, even running Tor on something like Tails.

          1. Dan. R

            You put far too much trust into the activities of online companies and providers of telecommunication services. Would you spend thousands of dollars investigating each and every VPN Provider and their Employees with background checks to assure yourself that you wouldn’t be burnt? I know I wouldn’t, and I trust my ISP more than some random VPN Provider on the Internet.

            1. Larry Gellar

              I trust every party to act in their own best interest.

              That means your ISP will probably sell your online activity. It will be anonymized to dull criticism, but we all know how easy it is to correlate anonymous activity to a real name given a sufficiently large corpus and context.

              It also means your VPN service will probably adhere to its privacy policies, because everybody paying for a VPN does so _specifically_ to protect their privacy.

              Again nothing is certain, that’s just how the universe works. But if you assume everybody is a rational actor you can act accordingly. If they aren’t rational actors, it’s like playing poker with amateurs– there’s no way to predict how they’ll behave.

  23. Bernard

    “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

    –Cardinal Richelieu

  24. Ctrl_Alt_Pasta

    You’re absolutely right with what you said about free VPNs. Everyone should avoid them like the plague. But your affiliate rant, no. There is nothing wrong with a VPN company having some type of reward program in order to entice new customers.

    The more people on trustworthy VPNs the better. AirVPN for example is an excellent VPN company and they have an affiliate program. This doesn’t make them any better or less than the service they offer, which is rated as one of the best. Hopefully people take what you said with a grain of salt and don’t judge a VPN company by their affiliate program.

    And then you mention Tor as a viable alternative to a VPN. Really? TOR? Anyone and their mother can run an exit node and completely capture your data, whether it’s a foreign entity or government. Nor can you choose what country your data flows through. You get that with using a VPN service. You can openly choose a company you deem safe. Tor, not so much.

    It would’ve been great if you mentioned the security that OpenVPN provides which has been considered nearly bulletproof. With excellent encryption and speed.

    Keep up the great work you provide.

    1. BrianKrebs Post author

      As I said in the story, the point about mentioning affiliate programs wasn’t to categorically discount VPN providers that offer them, but to remind readers that those with affiliate programs often show up more prominently in searching for VPN reviews.

  25. Mike

    Brian, I was looking at the VPN chart you mentioned in your article. I use Freedome. According to the chart, they log bandwidth and IP addresses. I was wondering if you had checked out their methodology, since F-Secure says that they don’t do any logging. Not that a company wouldn’t lie, but I was just wondering how One Privacy got their information.

    1. BrianKrebs Post author

      No idea. Maybe ask the author of that site who did the review? He’s fairly responsive.

  26. Jeff

    “The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.”

    For a long time ISPs were regulated under the FTC. Regulation switched to FCC once ISPs were classified as common carriers. Did the FTC also allow for ISPs to collect and sell browser history without the consent of the customers? I’ve read elsewhere that while it’s true the FCC rules were not yet in effect, it was more of an attempt to return to the same type of regulatory environment under the FTC.
