VPNs: What They Are, and Why You Need One

    Adrian Try

    Are you concerned about your online privacy and security? The first thing you should do is use a VPN service. They’re effective, affordable, and easy to use. There are plenty of effective options that cost between $3 and $10 per month.

    If you’ve been thinking about using one, now’s the time. Privacy is an important issue that we become more aware of as it’s taken away. You’re losing more of it day by day, and today you can do something to take it back.

    In this article, I want to let you know how precarious your online privacy has become, outline how a VPN can help, and examine how well popular VPN services are doing with the issue.

    Let’s get started by looking at the fundamental concepts of VPNs.

    What Is a VPN?

    When you use the Internet, you are identified by your IP address. It’s assigned to you by your internet service provider (ISP) and used by them to send back the information you request, such as web pages. They can also use it to make a record of every website you visit.

    As you surf the Web, each packet you send contains your IP address. When you realize how much about you can be learned from that simple piece of information, it’s scary!

    An IP address can reveal your location and ISP. It’s logged by most of the websites you visit, and over time, they can associate it with other personal information you supply, such as your name, phone number, and address.

    When you type in the address of a website, a DNS server is queried so that you can be directed to the IP address of that website. By default, that DNS server belongs to your ISP. They create a log of all of your DNS queries to create a complete history of your web activity.

    As you can see, the Internet is not a very private place.

    A virtual private network, or VPN, protects your privacy by routing your traffic through a third-party server. Everything still goes through your ISP, of course, but it’s encrypted.

    That means they can see that you’re connected to a VPN, but that’s all. Even your DNS queries go through the VPN server so they don’t know which sites you visit.

    On the other side of the connection, all traffic is associated with the VPN server’s IP address, not your own, and that address is likely to change on a regular basis. Your web activity is visible, but your identity isn’t. There’s no way to trace that activity back to you.
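
    Whether DNS queries really travel through the VPN can be checked on a Linux client. The following is an added example, not part of the original article: it takes the configured resolvers and the routing table and reports any resolver that would be reached outside the tunnel. The interface names, addresses and sample inputs are constructed, and only IPv4 and the main routing table are considered.

```python
import ipaddress

# Constructed sample: `ip -4 route` output with an OpenVPN-style tunnel (tun0) up.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: resolv.conf that still lists the home router as a resolver.
SAMPLE_RESOLV = """\
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

def parse_routes(text):
    """Return [(network, device)] from `ip -4 route` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        try:
            dest = fields[0].replace("default", "0.0.0.0/0")
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or other non-unicast route types
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def parse_nameservers(text):
    """Return resolver addresses from resolv.conf text, in order."""
    rows = (line.split() for line in text.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "nameserver"]

def egress_device(addr, routes):
    """Longest-prefix match over the parsed routes; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def dns_leaks(resolv_text, route_text, tunnel_dev):
    """Resolvers that would be reached by a device other than the tunnel."""
    routes = parse_routes(route_text)
    found = [(ns, egress_device(ns, routes)) for ns in parse_nameservers(resolv_text)]
    return [(ns, dev) for ns, dev in found if dev != tunnel_dev]

print(dns_leaks(SAMPLE_RESOLV, SAMPLE_ROUTES, "tun0"))
```

    In the sample, the router's address is on the directly connected LAN, so its /24 route beats the tunnel's /1 routes and queries to it bypass the VPN. A resolver reported with `None` (for example a local stub on 127.0.0.53) has no main-table route, and its upstream servers need checking separately.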

    Privacy Is the Primary Reason to Use a VPN

    Maybe you feel like you have nothing to hide, but that doesn’t mean that others should be able to create a complete log of everything you do. You wouldn’t be comfortable if I followed you around recording everything you say and taking photos of everything you do. You’d find that creepy.

    The same goes for our online activity. We shouldn’t feel that Big Brother from George Orwell’s Nineteen Eighty-Four is looking over our shoulder.

    The way most of the Internet works today would be considered intolerable if translated into comprehensible real-world analogs, but it endures because it is invisible. — Signal.org

    But that sort of tracking has become pervasive. In fact, in some parts of the world it’s a legal requirement. Some governments require ISPs to log your entire web history and provide government agencies and other authorities controlled access to it.

    What’s the situation where you live? Let’s look at the mandatory data retention laws in four parts of the world.

    The UK

    The Investigatory Powers Act was passed by the UK government in 2016 and requires web and phone companies to store the browsing histories of all of their customers for 12 months. They are required by law to share these records with the police, security services, and government agencies.

    Chris Yiu, who leads the Technology & Public Policy program for the Tony Blair Institute, compiled a complete list of who can see where British web surfers have been. I counted 48 different agencies. Since this information is stored online, Chris also wonders how many malicious actors have got their hands on it.

    Can things get any worse? Unfortunately, yes.

    The Register reports that the list is set to expand considerably. They reference a 2020 government memorandum (PDF here) that recommends adding even more agencies.

    They feel that the environmental agency, department of health, pensions regulator and others deserve to see which websites Brits are accessing. It’s comical and ridiculous that the UK National Authority for Counter Eavesdropping is included on the list.

    The European Union

    Browser history tracking is less of a concern in the EU. The Data Retention Directive of 2006, which allowed police and security agencies to access users’ IP addresses, email metadata, phone calls, and text messages, has been annulled.

    After a landmark court case in 2014, it was found to violate human rights. “The blanket retention of data of unsuspicious persons generally violates the EU Charter of Fundamental Rights” (a legal opinion quoted by Wikipedia). The Data protection and online privacy page on Europa.eu outlines new rules that protect your personal data, and you can learn more from the Blueprint for Free Speech’s “EU Court Rules Users’ Data Can’t Be Collected by ISPs for Surveillance”.

    While that’s encouraging, it’s not all good news. There are major concerns on another front: censorship.

    The EU is planning to launch a content filter in 2022 with the goal of protecting press publications. We don’t yet know how it will be implemented, but it has the potential to break the Internet. In recent news, an upload filter passed into German law (details here in German). Fortunately, VPNs are also an effective way to bypass censorship.

    Australia

    The Australian Department of Home Affairs summarizes the data retention obligations Aussie ISPs are under, and Aussie Broadband and Comparitech spell it out a bit more clearly. Here’s what they need to retain for two years:

    • Who you called, texted, and emailed
    • When you made those calls, texts, and emails
    • Your location
    • The volume of data exchanged
    • Information about the device you use
    • Your email address
    • Your IP address

    One thing’s clear: ISPs aren’t required to log our browsing history. That government web page states that “Internet service providers are not required to retain a person’s web-browsing history or any data that would amount to web-browsing history.”

    But before you breathe a sigh of relief, The Guardian reports that they’re doing it anyway, quoting Michael Manthorpe, the Commonwealth Ombudsman. He warns that some telecommunication companies are logging our web browsing histories and handing them over to law enforcement when their customers are under investigation. ITNews confirms this.

    The United States

    There are no mandatory data retention laws in the United States, but ISPs are probably doing it voluntarily. Ars Technica and Proton Mail report that a law passed by Congress in 2017 (S.J.Res.34) allows ISPs to sell and share users’ browsing history with advertisers without their knowledge or consent.

    As scary as that is, ISPs are not the biggest threat to privacy in the USA. There are bigger players tracking you.

    The first is the National Security Agency (NSA), which stores the whole world’s internet metadata in its enormous database. US tech, communications, and finance companies are legally obliged to share customer data with the agency when presented with a National Security Letter (NSL). ExpressVPN’s helpful article, “10 ways the NSA is spying on you right now”, clearly enumerates the concerning details.

    There are also big tech players like Amazon, Google, and Facebook. They know everything there is to know about what you buy, where you browse, and what you like. A VPN won’t stop you voluntarily sharing your personal information with them, but it can make it harder for them to connect the dots by tracking every site you visit.

    Which VPN Services Are Most Committed to Protecting Your Privacy?

    Using a VPN entrusts your privacy into the hands of a single entity: your VPN provider. They alone know which websites you visit. It’s crucial that you choose one that you can trust.

    • What is their business model? If they’re not making money from the subscription fees they charge, they may be monetizing your web history.
    • Where are they located? They will often (but not always) be under the same data retention obligations as ISPs in that country.
    • What personal details do they collect about you? Do they allow you to pay for the service anonymously by using cash, gift cards, or cryptocurrency?
    • Does their privacy policy state that they won’t log your activity? How do you know that they don’t? Are they audited by third parties? If they’ve been taken to court, did they have any logs to share?

    Let’s look at how some leading VPN providers protect your privacy.

    1. ExpressVPN

    When it comes to privacy, ExpressVPN is one of the most highly respected VPNs out there. Their most affordable plan is $99.95/year (equivalent to $8.32/month) and anonymous payments via bitcoin are possible.

    They’re not as fast as some of their competitors, or as successful at streaming geo-protected content. But they use RAM-only servers, so once the power is turned off, no data is retained.

    They’re located in the British Virgin Islands, where your data can legally be kept private, and their no logs policy has been tested in court.

    As reported by Techspot, Turkish authorities failed to force ExpressVPN to provide customer data in one case. The company rightly pointed out that it’s not subject to US and EU laws. When the authorities couldn’t obtain information, they decided to seize hardware — an ExpressVPN server located in Turkey — but recovered no information because there were no logs.

    Screenshot of ExpressVPN

    2. Surfshark

    Surfshark provides many of ExpressVPN’s privacy benefits as well as faster servers, reliable media streaming, and no limit on the number of devices you can connect. Their most affordable plan is $59.76 for two years (equivalent to $2.49/month). Anonymous cryptocurrency payments (CoinPayments, CoinGate) are supported.

    Like ExpressVPN, they’re located in the privacy-friendly British Virgin Islands and use RAM-only servers. Their no logs policy has been independently audited, and the source code of their Chrome and Firefox extensions has been analyzed by Cure53, a German cybersecurity company. VPNInsights summarize the findings.

    Screenshot of Surfshark

    3. NordVPN

    NordVPN is fast, secure, and easy to use. It has a good privacy policy and offers additional security features. Its most affordable plan is $89 for two years (equivalent to $3.71/month) and this can be paid for with cryptocurrency if you want to remain anonymous.

    You can trust their no logs policy. They are located in Panama where there are no mandatory data retention laws, and they’re audited by PricewaterhouseCoopers AG in Switzerland, an independent company who verify they keep no logs.

    Screenshot of NordVPN

    4. Private Internet Access (PIA)

    Private Internet Access is a company whose no logs policy has been verified in court. It’s a service with an easy-to-use app suited to non-technical users, and its most affordable plan costs $69.95 for two years with a bonus two months (equivalent to $2.69/month).

    While the company is based in the United States, Techspot reports that their no logs policy has been tested and verified in two different court cases, one in 2016 and the other in 2018. They had no information to hand over to the court or FBI.

    Screenshot of PIA

    5. ProtonVPN

    ProtonVPN is a company that places a strong focus on privacy. Their service costs $159 for two years for the Plus plan (equivalent to $6.63/month) and a limited free plan is also available. Payments can be made via bitcoin.

    The company is based in Switzerland, which has strong privacy laws and remains outside of US and EU jurisdictions. Their apps are open-sourced and independently audited.

    Screenshot of ProtonVPN

    6. CyberGhost

    CyberGhost is fast and affordable, and offers excellent security and privacy. Their most affordable plan is $99 for three years (equivalent to $2.75/month), and this can be paid using bitcoin.

    They’re based in Romania and have a UK parent company. They have a strict no logs policy and also offer “NoSpy” servers for an additional fee. These are housed away from third parties in a special data center.

    Screenshot of CyberGhost

    7. TorGuard

    TorGuard allows you to choose the balance between speed and security with easily-accessible settings. Their most affordable plan is $139.99 for three years (equivalent to $3.89/month), which can be paid for anonymously with gift cards or cryptocurrency.

    They’re based in Germany and claim to keep no logs at all, though their policy could be clearer. According to PCMag Australia, company representatives report that there are constant security audits and a bug bounty program, though none of the audits are publicly available.

    Screenshot of TorGuard

    8. PureVPN

    PureVPN is a popular VPN service that was unfortunately found to be keeping records of which IP addresses clients access while claiming to have a no logs policy. The most affordable plan is $79.92 for two years (equivalent to $3.33/month), but there’s no way of paying this anonymously.

    Restore Privacy reports that, in a court case, authorities were able to obtain enough information from PureVPN to arrest a suspect on cyberstalking claims. PureVPN was obviously keeping some record of user activity, but they’re not the only VPN where “no logs” means some logs.

    The company, which is based in Hong Kong, has since tried to clean up their act, and their no logs policy has been audited and verified by Altius IT.

    Screenshot of PureVPN

    9. Mullvad VPN

    Mullvad VPN is a lesser-known VPN with a good reputation in privacy circles. They have a flat monthly rate of €5/month and one-time payments can be made anonymously using cash, gift vouchers, or bitcoin. However, they have servers in fewer countries than most of their competitors.

    They do have strong privacy policies and don’t ask for any personal information (not even an email address) when you set up an account. They’re based in Sweden where VPNs are not required to log their users’ activity, and they hire lawyers to keep abreast of changes in legislation that affect privacy. The only personal information they’re required to keep is your payment method.

    Screenshot of Mullvad

    Final Words

    If you’re concerned about privacy, I hope I’ve convinced you to do something about it. Start protecting your online privacy today by signing up with a reputable VPN service. They cost as little as $3 per month when you pay in advance. You can’t afford not to use one!

    Privacy is just one benefit. I cover more in The Best VPNs for Developers and also explore each VPN provider in more detail. Check it out so you can make a more informed decision.