Opinion: Does a (paid) VPN Service really protect your Privacy?

In a time of growing concern over online privacy, many individuals are using virtual private network (VPN) services as a means to safeguard their personal information. However, a question remains: Is using a paid VPN service truly useful for privacy, or is it merely a false sense of security?

In this article, I want to show you my point of view (POV) on this topic, explain it, and hopefully help you or others decide whether it's still a useful service for you or not.

ℹ️
Remember, this is just my opinion; it may differ from your needs and your threat model. This article just reflects my point of view on this topic, as I think that it's important to have a look at the promises popular VPN providers make. It also depends on your personal situation: in which country you live, how privacy is regulated by law, and how invasively your personal data gets grabbed and shared.

What's a VPN? And how could it add Privacy?

To begin, it is essential to grasp the fundamentals of VPN technology and its relationship with privacy.

💡
Virtual Private Network: "A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet." Source: Wikipedia, accessed 2023-05-15

So, a VPN establishes a secure, encrypted connection between your device and another network by routing (tunneling) all your internet traffic through a server that is part of the other network. Because of the built-in encryption, many companies use a VPN, for example, to let their workers access their files remotely without the need to make insecure copies (e.g. on a USB stick) which could get lost.

I'm using my own VPN too, to securely access my home network remotely and to have access to my home servers via SSH, my NAS data, my printer, and other stuff without the need to expose all ports for each service, because they can still just run in my local home network (I become a part of this network when using the VPN).

Privacy relation

The VPN you connect to can not only give you encrypted access to the locally hosted services and files, it can also share its internet connection with you. So it basically hides your own public IP address while you use the VPN's internet access.

This can add privacy in some situations, for example if you are sitting in an internet café with an unencrypted public Wi-Fi and you want to access unencrypted websites (http), because your traffic to the VPN is always encrypted. So you don't have to fear that the nerdy-looking dude at the next table sniffs your traffic. And as already mentioned, it hides your IP from the services you use.

And this is the exact point where the era of paid VPN services arose. Forget all the corporate use cases for a VPN, like remotely accessing files and stuff like that; these services advertise a mission of hiding your personal data and preserving anonymity on the internet.

Some typically advertised promises and my Opinion:

The following statements aren't quoted from one specific provider; rather, I recapped the claims I read everywhere.

Enhanced Security:

Paid VPN services provide robust encryption protocols, making it harder for anyone to intercept or decrypt your online activities.

Well, it's 2023 and most of the web is already encrypted (https as an example). So it's already hard for someone to decrypt your internet activities at all. You can also set your browser, Firefox for example, to only allow https. If a website doesn't provide encryption, the browser will notify you and ask for permission to access this insecure website. Therefore your web usage is, most of the time, already end-to-end encrypted.

You also have to keep in mind, how a VPN works. It just tunnels all your traffic. So if you use an insecure connection, for example http, the VPN will just change the sender IP from yours to their IP address. But their server will still establish the insecure connection. It can't add encryption to a webserver which doesn't support it.

Anonymity and Privacy:

By hiding your IP address and routing your internet traffic through our servers, we enable you to browse the web more anonymously, preventing websites and online services from tracking your online behavior.

Browse the web "more" anonymously, yes. You hide your IP and also your DNS-queries get sent through the VPN service. So you hide all that from your ISP. If your ISP is known to act totally bad in terms of privacy, a VPN can help.

Preventing websites / companies from tracking you? - A big nope. To understand this, you have to think about how tracking works nowadays, because thinking that your IP address is the only thing that identifies you is just wrong.

Cookies, for example, most of the time include some type of identifier to let you stay "logged in" on specific services. So the companies behind the service can successfully identify you as a person without the need for your IP. Tracking companies use these identifiers too (Facebook/Meta Pixel / Google Analytics) to profile your online behavior. This tracking is used, for example, to show you personalized ads. As you see, disabling cookies (or deleting them regularly) is far more important than using a VPN service if you want to avoid tracking.

Device fingerprint tracking is another technique that companies use to identify your device without the need for a cookie or your IP address, with an accuracy of more than 93%. It's not widely used nowadays, but I still want to tell you that identifying you is possible in many easy-to-implement ways.

(Kinda easy to read: "Web Tracking and Fingerprinting" by Vitaly Shmatikov)
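To make the cookie and fingerprint argument concrete, here is an added example (not part of the original article) of how a site or tracker can link requests while the IP changes. All request data, field names and the exact-match fingerprint hash are constructed assumptions; real fingerprinting uses more attributes and fuzzier matching.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: what a site or embedded tracker sees per request.
# IPs come from documentation ranges (RFC 5737); every value is made up.
BROWSER_A = {"ua": "Firefox/113 (Linux)", "screen": "2560x1440",
             "tz": "Europe/Berlin", "fonts": "DejaVu,Fira,Noto"}
BROWSER_B = {"ua": "Chrome/113 (Windows)", "screen": "1920x1080",
             "tz": "America/Chicago", "fonts": "Arial,Calibri,Segoe"}
REQUESTS = [
    {"ip": "198.51.100.7", "cookie": "uid=a1f3", **BROWSER_A},  # 0: home ISP, no VPN
    {"ip": "203.0.113.50", "cookie": "uid=a1f3", **BROWSER_A},  # 1: same browser, VPN on
    {"ip": "203.0.113.50", "cookie": None, **BROWSER_A},        # 2: VPN on, cookies deleted
    {"ip": "203.0.113.50", "cookie": "uid=9c2e", **BROWSER_B},  # 3: other customer, same exit
]

def fingerprint(req):
    """Hash browser attributes that do not change when the IP changes."""
    raw = "|".join(req[f] for f in ("ua", "screen", "tz", "fonts"))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def link_visitors(requests, keys):
    """Group request indexes that share any identifier named in keys
    ("ip", "cookie", "fp"), using a small union-find."""
    parent = list(range(len(requests)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, req in enumerate(requests):
        ids = {"ip": req["ip"], "cookie": req["cookie"], "fp": fingerprint(req)}
        for k in keys:
            if ids[k] is None:      # no cookie sent: nothing to link on
                continue
            j = first_seen.setdefault((k, ids[k]), i)
            parent[find(i)] = find(j)
    groups = defaultdict(set)
    for i in range(len(requests)):
        groups[find(i)].add(i)
    return sorted(groups.values(), key=min)

if __name__ == "__main__":
    for keys in (("ip",), ("cookie",), ("cookie", "fp")):
        print(keys, link_visitors(REQUESTS, keys))
```

Linking on IP alone splits the VPN session from the home session and merges two different customers behind the same exit. Cookie plus fingerprint keeps requests 0 to 2 together, even after the cookies were deleted.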

No Logs

The VPN service offers a no-log policy. And because we don't log anything, we also can't share information with third parties.

Ok, first of all, to know whether they actually log something or nothing, independent audits are necessary. Some services offer that, or their own transparency reports, but again, you should think about whether to trust these self-published reports or not, because of course their interest is to look "clean".

You should also be clear about which country the service is based in and under which laws they are running their service. Some governments, for example, can order backdoored access to live data and log this data as well.

Also many providers actually do save personal information, like your profile / credit card (if used) or other payment methods related to your subscription. The "No-log" policies mainly refer to traffic-logs. And because of that, it's important to read through the privacy policy of the VPN provider as well.

Access to Geo-Restricted Content / Avoid Censorship

Our services offer the ability to bypass geo-blocking restrictions, allowing you to access region-specific content that may otherwise be unavailable in your location and also bypass censorship of your home country.

This is mainly the only statement I can completely agree with. A paid VPN service can be really useful to access geo restricted content and can also help people to access the web, even if their country has applied censorship.

Risks of using a paid VPN?

In my opinion, under some circumstances, it could also be risky to use a paid VPN service with their advertisements. Here are some points to think about:

  • In certain countries, it is prohibited to utilize a VPN tunnel (or the TOR network) as a means to bypass local censorship. If you attempt to use a VPN despite this restriction, you may attract the attention of government authorities.
  • Trustworthiness of the Provider: It is essential to research and select a trustworthy provider with a solid privacy policy, independent audits and transparency about their company's decisions and/or current processes for inquiries from state organs. It's also good to keep an eye on the background of the provider. Maybe this company is owned by a third party which actually makes its money by selling data. I wouldn't trust a VPN provider at all if that's the case. By the way, it has happened before that a VPN service got abused by a big data-collecting company which had acquired a VPN-selling company. Read here.
  • Jurisdiction of the company: Keep in mind that even if the company wants to act as it advertises, under some circumstances it can be forced to actually hand over data or let third parties (government/intelligence agencies) listen.
  • You route ALL your internet traffic to ONE company. It's related to the first point, but I felt like pointing it out again. It's not the same as using a web proxy, for example, in your browser... all your traffic is sent to one company. Yes, encrypted, but of course the company holds the keys it needs to decrypt it again in order to forward your internet requests correctly. Combined with the VPN's own DNS, the provider is theoretically able to profile your complete internet behavior across all your devices.
  • Centralization of information: For example, if your home ISP differs from your mobile ISP, the two don't hold the same amount of information about you. But if you use the VPN service on all of your devices, you can potentially increase the information collected by one entity.
  • Using the internet like "nothing can happen to me": What most VPN services promise you is just false or far from reality. They can't promise total anonymity, as I've shown you. You can still get tracked / identified. The VPN provider maybe shares data with gov/intel (forced or not) or third parties. And of course you are not safe from getting hacked or from getting other malicious stuff onto your device. Responsible internet usage is always needed!

Conclusion:

A paid VPN Service cannot (I'm referring to many advertised statements used by VPN providers here):

  • offer anonymity on the web
  • hide your location by design (it needs settings on the devices as well to not share their GPS location as an example)
  • protect you from tracking
  • protect you from fraud/scam/phishing
  • totally encrypt your data (just the traffic to the VPN server is always encrypted)
  • protect you from identity theft

A paid VPN Service can:

  • bypass censorship
  • hide your IP from the servers you reach
  • minimize your ISP's data about your online habits (but you give all the data to the VPN Provider)
  • give you access to geo-restricted content
  • add a little bit of privacy/security under certain circumstances, like public wifis.

Do I use a paid VPN Service?

As you might have thought, I don't use a paid VPN service myself. The only reason I would use one, would be to bypass geo-restrictions. For all the other advertised reasons to use them, they are in fact useless.

What do I do to add Privacy?

To add Privacy to my network, I'm using a selfhosted DNS solution with Pi-Hole and dnscrypt-proxy. My DNS queries are sent through a relay (DNSCrypt Relay or Oblivious DoH Relay), so no DNS resolver gets my private IP combined with my DNS queries. Pi-Hole blocks tracking URLs on the DNS Level.

My browsers have plugins like uBlock Origin to filter stuff that got through my DNS (though it shouldn't happen).

I don't mind, that my ISP can see the IP connections I establish, because they don't get the DNS query.

On my mobile phone, I'm using an always-on WireGuard (VPN) connection to my home network, so when I'm on the go I can still benefit from my DNS setup at home.

Well, that's it for now. Thanks for reading!

Feel free to contact me on my socials at the bottom if you have feedback or questions.
