VPNs are not snake oil. They transfer the trust of your internet activity from a place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad, IVPN, or Proton. Among other benefits. If you don't like your ISP creating a profile of you and selling it to target ads to you, you should use a VPN.
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
How is private company (VPN) is more trustworthy than an other private company (ISP) and how do you expect them to protect your identity in face of determined state actors that are afer you?
What power is in $2.99/month that it offers so much security?
Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?
In many countries, a VPN provider can be significantly more trustworthy than an ISP. In Germany, for example, you can have your home searched simply for insulting a politician. The ISP will then immediately hand over the data to the authorities, which most VPN providers do not do. The same goes for torrents. If some random law firm sends a letter to Telekom saying, “Hey, your customer downloaded a movie please give us his data,” they’ll do it right away. Mullvad, ProtonVPN, or even dubious VPN providers like NordVPN don’t do that.
That's very simplistic assumption. If the German state machinery is determined to get you, ISP and VPN provider have a threshold beyond which they'll give up.
Many many examples out there. "We don't keep logs" is not good enough neither realistic because how else a VPN provider is supposed to protect itself if it doesn't keep a log of what's happening inside and through its own systems.
Specifically Mullvad operate completely stateless nodes, which was confirmed several times when law enforcement tried to access their logs. There are no logs. Mullvad are selling their location, with very good connectivity and with laws that strongly protect privacy. They are €5/mo, almost $6/mo, and likely acquire bandwidth very cheaply due to scale and likely peering agreements.
> How is private company (VPN) is more trustworthy than an other private company (ISP)
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in face of determined state actors that are afer you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
You fundamentally misunderstand what privacy means if you're replying to someone stating using a VPN will help you avoid getting spied on by your ISP for commercial purposes with state actor based worries.
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open source... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my county publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeting ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
> 4. Allowing you to bypass geo-restrictions on certain content.
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there sites where I'm having to stop using Mullvad to actually access sites.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
>Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise
Rotating your VPN endpoint will resolve the issue. It might take two or three tries.
Making your traffic cross jurisdictional boundaries also adds a level of difficulty for tracking usage.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
Fair point, but I'm not sure if that was ever a boundary they wouldn't cross, but for 'a little while now' I'd say it doesn't matter.
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
> my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
This depends on your treat model. If what you worry about is massive collection of Linux ISOs that you download and distribute over P2P then probably shady VPN ISP is what you need.
I'm a normal person who watches sports streams and maybe 2 years ago I downloaded a torrent of some art movie. My ISP is Comcast. How does your advice apply to me?
Marcus Hitchens (security researcher who blackholed the WannaCry ransomware domain) made a post on LinkedIn today comparing VPNs to snake oil. With regard to the way they're advertised in internet ads, they are. VPNs will not protect ordinary users from ad tracking or commercial data mining. They're marketed as a privacy tool when their privacy value is very limited.
> place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad
This is highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely high trust point while any commercial VPN is a low trust.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
You probably won't find direct proof any more than you will find direct proof of any random VPN selling your data, it's just a given that commercial entities are liable to sell financially valuable data, and a list of all traffic, every website you visit and every service you use, tied to a specific identity is certainly financially valuable. Being in the EU doesn't change this; in fact the EU explicitly required that ISPs retain your identifying data with the Data Retention Directive, and though this was struck down after 8 years in court, many individual national governments immediately moved to impose similar requirements. I don't know if Germany was one of them but unless Germany has a specific privacy directive that goes beyond EU law I would see zero reason to place any trust in an ISP. In fact even if there was a law that's still not a reason to trust an ISP, because privacy laws are violated constantly; the most trustworthy source by far is a party acting opposite to the government, who has been investigated by the government and proven not to log the data that the government wants.
What gives you confidence that they aren't? I have confidence my VPN doesn't sell my traffic not because I implicitly trust what they say, but because if they had logs the courts would have found them when trying to seize data themselves. What makes you trust your ISP so much? Faith in the human goodness of businesses to look out for the best interests of their customers, even if it means passing up an opportunity to make a larger profit? Faith in their words, or faith in toothless privacy laws that have been violated time and time again?
What gives you the confidence that Bigfoot does not exist?
What gives you the confidence we're not ruled by Reptile overlords?
What gives you the confidence we're not just in the Matrix and nothing matters?
What gives you the confidence you're not just a dream by a dog in Sicily?
What gives you the confidence I even exist and you're not talking to yourself?
You're entitled to your conspiracy theories and paranoia of course, but it's not an argument.
It's a conspiracy theory to observe reality now? It is a known factor that ISPs in general sell data, even if there isn't smoking gun proof for every single individual ISP (...just as there isn't smoking gun proof for every individual VPN). If you want to take the piss, at least get it right -- you're denying the existence of one individual Bigfoot after 100 other specimens of the Bigfeetian species have been found and conclusively proven to exist. Jesus, the complete disregard for common sense and privacy of even the tech-inclined members of the general public never ceases to amaze me.
Even if it farms and only stores your data (which it does) without selling isn't good. YMMV between EU countries but I think even torrenting in Germany is way less safe than eg. in Poland where nobody bats an eye.
Sure, if you want to get crazy with it you put prepaid phone in another location, put it on your Tailscale VPN then proxy all traffic through the prepaid phone with something like: https://github.com/kost/revsocks
Phone doesn't even need data if you have access to wifi wherever you stash it.
Whole idea of "put phone in location X" alone is much harder to implement than to buy 5, 10 or 100 VPN account or servers with crypto and setup how you like.
Like you need to physically be there, need ability to connect phone it to electricity and somehow maintain if it e.g reboots. And stay anonymous while doing so? I'd say that Hollywood kind of solution.
I think they don't sell their VPN data, because if that ever came out, that would destroy their business. Selling the data would be far too risky for them.
Mullvad is a tiny world-famous ISP in Sweden that has zero KYC and explicit zero-log policy, specifically designed that way to enable mild abuses, that also accept PayPal, credit cards, and today I learned, cash in an anonymous envelope for payments. That doesn't scream US three-letter organization at all.
I do all my illegal shit over Mullvad and I've only been raided once.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
I was just talking to a friend who believes that the feds poison privacy communities by spewing nonsense like this. I don't think wg0 is a fed, and my friend didn't have any proof for his claim. My feeling is that it is probably people acting like regular humans. They hear things, they have opinions and they don't provide proof or adhere to community norms. Eternal september or something. Regardless of if it's federal agents disrupting the discussion or human nature, the response should be the same—push back with proof, and demand proof and avoiding logical fallacies.
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects
password managers, emails and etc
If people using some tool made my job harder id be vocally against it during off hours. But lets be real any powerful group interested in tracking people would just be working with or running vpn companies. Or perhaps providing free vpn. Either way I think its all moot as for tracking you have to question who you do and do not want to be tracked by and for other purposes vpn works just fine
VPNs as marketed to "normies" is absolutely snake oil. It won't improve anyone's "privacy" in any meaningful way to simply proxy all their regular traffic through a VPN.
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
The most generous way of reading that would be the fact that every YouTube pushing for a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering but there's good reasons for using a VPN for a lot of reasons and it's not snake oil.
VPNs are not snake oil. They transfer the trust of your internet activity from a place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad, IVPN, or Proton. Among other benefits. If you don't like your ISP creating a profile of you and selling it to target ads to you, you should use a VPN.
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
(https://www.privacyguides.org/en/basics/vpn-overview/)
How is private company (VPN) is more trustworthy than an other private company (ISP) and how do you expect them to protect your identity in face of determined state actors that are afer you?
What power is in $2.99/month that it offers so much security?
Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?
What is that they know and we don't know?
In many countries, a VPN provider can be significantly more trustworthy than an ISP. In Germany, for example, you can have your home searched simply for insulting a politician. The ISP will then immediately hand over the data to the authorities, which most VPN providers do not do. The same goes for torrents. If some random law firm sends a letter to Telekom saying, “Hey, your customer downloaded a movie please give us his data,” they’ll do it right away. Mullvad, ProtonVPN, or even dubious VPN providers like NordVPN don’t do that.
That's very simplistic assumption. If the German state machinery is determined to get you, ISP and VPN provider have a threshold beyond which they'll give up.
Many many examples out there. "We don't keep logs" is not good enough neither realistic because how else a VPN provider is supposed to protect itself if it doesn't keep a log of what's happening inside and through its own systems.
Specifically Mullvad operate completely stateless nodes, which was confirmed several times when law enforcement tried to access their logs. There are no logs. Mullvad are selling their location, with very good connectivity and with laws that strongly protect privacy. They are €5/mo, almost $6/mo, and likely acquire bandwidth very cheaply due to scale and likely peering agreements.
> How is private company (VPN) is more trustworthy than an other private company (ISP)
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in face of determined state actors that are afer you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
You fundamentally misunderstand what privacy means if you're replying to someone stating using a VPN will help you avoid getting spied on by your ISP for commercial purposes with state actor based worries.
Mullvad vs my ISP.
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open source... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my county publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeting ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
> 4. Allowing you to bypass geo-restrictions on certain content.
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there sites where I'm having to stop using Mullvad to actually access sites.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
>Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise
Rotating your VPN endpoint will resolve the issue. It might take two or three tries.
Making your traffic cross jurisdictional boundaries also adds a level of difficulty for tracking usage.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
the counterpoint is that making your traffic cross out of the US gives the NSA (by their ass backwards reading) permission to spy on you
Fair point, but I'm not sure if that was ever a boundary they wouldn't cross, but for 'a little while now' I'd say it doesn't matter.
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
> my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
> NSA just does whatever they want, laws be damned, and are almost certainly logging everything
When you share the evidence for this, it will be international news.
Did you miss Snowden or something?
Seems a bit optimistic to think they actually care whether they have that permission or not.
Unfortunately, the largest and most well-marketed VPNs are, in fact, less trustworthy than your average ISP.
This depends on your treat model. If what you worry about is massive collection of Linux ISOs that you download and distribute over P2P then probably shady VPN ISP is what you need.
I'm a normal person who watches sports streams and maybe 2 years ago I downloaded a torrent of some art movie. My ISP is Comcast. How does your advice apply to me?
Exactly. Most ISP are subject to local laws at least; where a lot of these ISP are overseas in shady jurisdictions.
Marcus Hitchens (security researcher who blackholed the WannaCry ransomware domain) made a post on LinkedIn today comparing VPNs to snake oil. With regard to the way they're advertised in internet ads, they are. VPNs will not protect ordinary users from ad tracking or commercial data mining. They're marketed as a privacy tool when their privacy value is very limited.
VPNs are useful for the reasons you mentioned.
> place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad
This is highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely high trust point while any commercial VPN is a low trust.
Your ISP farms and sells your data too.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
Deutsche Telekom in Germany/EU farms and sells my data? Any sources?
You probably won't find direct proof any more than you will find direct proof of any random VPN selling your data, it's just a given that commercial entities are liable to sell financially valuable data, and a list of all traffic, every website you visit and every service you use, tied to a specific identity is certainly financially valuable. Being in the EU doesn't change this; in fact the EU explicitly required that ISPs retain your identifying data with the Data Retention Directive, and though this was struck down after 8 years in court, many individual national governments immediately moved to impose similar requirements. I don't know if Germany was one of them but unless Germany has a specific privacy directive that goes beyond EU law I would see zero reason to place any trust in an ISP. In fact even if there was a law that's still not a reason to trust an ISP, because privacy laws are violated constantly; the most trustworthy source by far is a party acting opposite to the government, who has been investigated by the government and proven not to log the data that the government wants.
"EU explicitly required that ISPs retain your identifying data with the Data Retention Directive"
And then sells it?
What gives you confidence that they aren't? I have confidence my VPN doesn't sell my traffic not because I implicitly trust what they say, but because if they had logs the courts would have found them when trying to seize data themselves. What makes you trust your ISP so much? Faith in the human goodness of businesses to look out for the best interests of their customers, even if it means passing up an opportunity to make a larger profit? Faith in their words, or faith in toothless privacy laws that have been violated time and time again?
"What gives you confidence that they aren't?"
You're entitled to your conspiracy theories and paranoia of course, but it's not an argument.It's a conspiracy theory to observe reality now? It is a known factor that ISPs in general sell data, even if there isn't smoking gun proof for every single individual ISP (...just as there isn't smoking gun proof for every individual VPN). If you want to take the piss, at least get it right -- you're denying the existence of one individual Bigfoot after 100 other specimens of the Bigfeetian species have been found and conclusively proven to exist. Jesus, the complete disregard for common sense and privacy of even the tech-inclined members of the general public never ceases to amaze me.
Once again an adherent of the corrupt EU blindly defends the regime.
Doesnt't surprise me that they're counting on gullible, useful idiots defending "Chat Control" and eIDAS.
Even if it farms and only stores your data (which it does) without selling isn't good. YMMV between EU countries but I think even torrenting in Germany is way less safe than eg. in Poland where nobody bats an eye.
Could you please provide proof for such findings about eg. Proton and Mullvad?
I can easily pay for a VPN service with crypto anonymously. I can also use a VPN run by a company outside my country of residence and jurisdiction.
Neither of those is possible with my ISP.
Paying with crypto does something to deindentify you, but does nothing about your traffic. It's still being watched.
prepaid 5g sim cards and 5g modem.
Yes and 5G provider knows your exact location while VPNs can be easily chained.
Sure, if you want to get crazy with it you put prepaid phone in another location, put it on your Tailscale VPN then proxy all traffic through the prepaid phone with something like: https://github.com/kost/revsocks
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
Whole idea of "put phone in location X" alone is much harder to implement than to buy 5, 10 or 100 VPN account or servers with crypto and setup how you like.
Like you need to physically be there, need ability to connect phone it to electricity and somehow maintain if it e.g reboots. And stay anonymous while doing so? I'd say that Hollywood kind of solution.
Make it a “tourist eSIM” for a good measure. Your phone will be in one country, your exit IP in another (because there usually use roaming).
That said, you might still want to use a VPN on top of that, depending on what you’re doing.
Most ISPs have invested big bucks in Deep Packet Inspection
That just helps them classify the type of traffic. They're not breaking the encryption to see the actual content.
Now try saying that wearing some Russian or Chinese shoes.
> Almost all commercial VPN services farm and sell your data.
Citation needed.
I understand it's not up to your (or anyone's) level of belief, but I am in intimately familiar with their modus operandi.
For everyone in the industry it is le secret de Polichinelle.
I think they don't sell their VPN data, because if that ever came out, that would destroy their business. Selling the data would be far too risky for them.
Thats like saying there is no corruption in government because it would undermine public trust in it.
Of course there is, and to huge extent. They know they canget away with it, so they do.
My ISP is in a communist country, they sell other products like TV boxes, cameras, clouds and have ads/trackers on all of their products too.
Should I trust my ISP than Mullvad? LMFAO.
Mullvad is a tiny world-famous ISP in Sweden that has zero KYC and explicit zero-log policy, specifically designed that way to enable mild abuses, that also accept PayPal, credit cards, and today I learned, cash in an anonymous envelope for payments. That doesn't scream US three-letter organization at all.
I do all my illegal shit over Mullvad and I've only been raided once.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
> That doesn't scream US three-letter organization at all.
They have their own tools + tor, they do not need mullvad.
Interesting handle to make that comment. I'm assuming you mean commercial VPN providers, and not wireguard (or other such VPN implementations).
I was just talking to a friend who believes that the feds poison privacy communities by spewing nonsense like this. I don't think wg0 is a fed, and my friend didn't have any proof for his claim. My feeling is that it is probably people acting like regular humans. They hear things, they have opinions and they don't provide proof or adhere to community norms. Eternal september or something. Regardless of if it's federal agents disrupting the discussion or human nature, the response should be the same—push back with proof, and demand proof and avoiding logical fallacies.
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects password managers, emails and etc
If people using some tool made my job harder id be vocally against it during off hours. But lets be real any powerful group interested in tracking people would just be working with or running vpn companies. Or perhaps providing free vpn. Either way I think its all moot as for tracking you have to question who you do and do not want to be tracked by and for other purposes vpn works just fine
VPNs as marketed to "normies" is absolutely snake oil. It won't improve anyone's "privacy" in any meaningful way to simply proxy all their regular traffic through a VPN.
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
> VPNs are snake oil
The most generous way of reading that would be the fact that every YouTube pushing for a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering but there's good reasons for using a VPN for a lot of reasons and it's not snake oil.
> Exit IPs are a public information.
Yes, obviously.
> VPNs are snake oil
Huh?