
Why VPNs won't always keep you safe online

Rob Pegoraro
Contributing Editor
This Thursday, May 24, 2018 file photo shows customers sitting around on cell phones and computers as well as sleeping at a local Starbucks coffee shop in Burbank, Calif. (AP Photo/Richard Vogel)

If only you could solve your online-privacy problems with the right three-letter abbreviation, things would be so much easier.

Sign up for a virtual-private network service, the sales pitch goes, and end online spying: Your browsing will once again be nobody’s business but yours!

But the reality of using a VPN is much more complicated. Sometimes—as seen in this week’s report by TechCrunch that Facebook (FB) has been using a relabeled VPN app to collect data on the online habits of teenagers—using one can actually leave you more exposed online.

Here’s what you should remember the next time somebody suggests that online privacy starts with using a VPN.

VPN FYIs

In the memorable phrase of the late Sen. Ted Stevens (R.-Alaska), you can think of a virtual private network as a series of tubes—but a VPN’s tubes stretch from your device to its own gateway to the wider internet and come protected by encryption that scrambles everything going to and from your device.

Anybody snooping on your connection will see only gibberish, and sites will see you arriving from an Internet Protocol address that can correspond to a spot on the map thousands of miles away from your actual location.

The immediate upside of that: The source of your internet connection—your internet provider, a coffee shop, a hotel, your neighbor’s open WiFi router—can’t see what you’re doing online.

But a VPN does nothing to stop sites from tracking you there and across the rest of the web. Facebook, Google (GOOG, GOOGL) and other online ad networks can still use cookies and other web features to profile your browsing history. And showing up online at a different IP address won’t confuse them. They learned long ago how to track people across different devices.

A VPN also won’t stop hacking attempts against your computer. If you open the wrong attachment or visit a hacked site with an out-of-date copy of the already-insecure Adobe (ADBE) Flash player, the VPN won’t block those malware sources.

It’s also important to remember that the absence of a VPN does not mean you’re left naked in the open. Most sites already encrypt their sessions—Google stats show that 82% of pages loaded in Chrome for Windows are encrypted—so your ISP or coffee shop would only see the domain names of the sites you visit, not distinct page content.

Transferring your privacy fears

Meanwhile, a VPN connection does leave one party in a privileged position to see all your unencrypted online data—the VPN provider itself. It’s essentially taking over your internet provider’s role in routing your data online, so in the bargain you must transfer your tracking fears from your ISP to your VPN.

Picking a trustworthy VPN is much harder than picking an ISP because a) there are so many more of them and b) so many of them leave you guessing about their virtues.

What you want to see—as the Center for Democracy & Technology, a Washington non-profit, laid out in a recent study of VPN privacy—are clarity about their ownership structure and business models, commitments to keep a minimum of data about your online history, and clear documentation of how they respond to legitimate law-enforcement queries.

What you may see instead are improbably generous prices that leave you wondering how the VPN service stays in business (beware of lifetime subscriptions for less than the price of an okay dinner), contact-us pages that leave no hint of where the company operates, and leaky data-management systems.

This industry also overflows with sketchy marketing ties, where VPN services pay for promotion on review sites that tout themselves as independent.

That CDT study includes detailed answers from five well-regarded VPNs; I would also trust the advice of Consumer Reports and the New York Times’ Wirecutter (a site I also write for occasionally). If you were curious about my own choice, I paid for a two-year subscription to Private Internet Access in 2017; I will consult those sites and others before renewing that.

When you should use a VPN

But awareness of all the risks of using a fly-by-night VPN service should not lead you to throw up your hands and assume nothing’s safe online. A good VPN will prove enormously helpful in three scenarios.

First, if you’re on a connection you shouldn’t trust too much—not even just the WiFi at a hacker conference, but at a hotel or a coffee shop—a VPN’s shroud of encryption will vastly lower the odds of an attacker peeking at your information.

Second, if your regular connection blocks access to some sites, a VPN’s encrypted tunnel should route you around those restrictions. The canonical example: going to China, where government censorship blocks access to many U.S. sites.

Third, if you can’t access sites because of your real-world location, a VPN can make it look like you’re getting online from thousands of miles away. Historically, that’s been useful for watching “geofenced” content—think professional sports games that are only streamed online outside of their teams’ home cities.

But the advent of the European Union’s General Data Protection Regulation has created a new use case. U.S. newspapers that decided not to enact GDPR’s strict privacy mandates and instead blocked European readers from accessing their content can be viewed by setting a VPN to make it appear as if your connection is coming from within the U.S.

Yes, that can be the humble reality of using a VPN app: Instead of fending off spying ISPs, you wind up using it to read local news sites when you travel.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.