Pour another one out for online privacy. Then do a half-assed job of mopping it back up with a virtual private network.
In what is only the latest assault on the right not to be creeped on, both the House and the Senate voted to permit internet service providers to sell customers’ browsing history to the highest bidder — all without the customers’ knowledge. In response to this, virtual private network (VPNs) have become the talk of the digital town.
VPNs work by encrypting your traffic and running it through a third party server. To make this happen, users download software provided by the VPN company or an open-source alternative. When it’s up and running, anyone snooping on your web browsing would theoretically just see an encrypted connection to your VPN provider — not mashable.com, not plannedparenthood.org, and definitely not Pornhub.
Ideally, your ISP wouldn’t have any of your data to sell.
However, if you’re not careful, using a VPN can actually make things worse. That’s because there is an entire spectrum of service providers out there ranging from the decent to the awful, and it’s not always immediately clear which is which.
on one particularly shady case back in 2015. Hola, a VPN with millions of users, sold off non-paying users’ idle bandwidth. What this means is that people looking to get a little bit of added online privacy ended up being used as part of a criminal botnet.
What’s more, as Krebs on Security rightly points out, VPNs can see your traffic — so sketchy ones could collect and sell that data just like a crummy ISP, and you’d be right back where you started.
How did it come to this?
We find ourselves at the crossroads of trash policy and questionable tech following the March 28 vote by the House to erase a landmark 2016 FCC ruling protecting users’ privacy. All that now stands in the way of this privacy train wreck is the signature of President Donald Trump, and you can guess how that’s going to go.
Importantly, the FCC protections never actually went into effect — meaning that the garbage lack of privacy you’ll have online after Trump signs the measure into law is the same garbage lack of privacy you had before. In fact, companies have been allegedly monetizing your so-called “clickstream” — all the websites you click on — since at least 2007.
So what’s changed now? For one, people are finally aware of the practice. And as more and more of our lives move online, the stakes become correspondingly higher.
What’s more, once signed by Trump, a terrible practice will be codified into law. “S.J. Res. 34 strips away some of the last remaining privacy and cybersecurity protections Internet users had left to protect them from exploitation,” the non-partisan Institute for Critical Infrastructure Technology explained in response to the vote. “Once again, consumer privacy and cybersecurity protections were unquestioningly sacrificed in favour of profit margins, to the detriment of our National Security.”
What to do?
With the politicians clearly not on your side, a technical solution seems like a good approach. And indeed, one such solution stands out: Tor. Initially developed by the U.S. government, Tor is a free service that “[wraps] your traffic in encrypted layers” and routes it through various relays around the globe. If you use a properly configured Tor browser, not even your ISP should be able to see what you’re looking at. (Although, a warning: The government has an exploit they have so far refused to reveal.)
However, there are some drawbacks. Tor can be a bit slow, and the modified browser can break some sites. Using a VPN with your browser of choice gets around these issues, but as we explained above, this offers a minefield of potential dangers.
So, how to avoid those privacy mines and pick a good virtual private network? It’s complicated. Ars Technicaattempted the task last year and essentially came up empty handed.
“Using public VPNs for anonymity is foolish and potentially dangerous, no matter how securely it’s configured, simply because the technology was not designed at all for anonymity,” security researcher Kenneth White told the publication. “VPN services require that you trust them, which is a property that anonymity systems do not have.”
Trusting a VPN could theoretically be possible (as much as it is possible to trust a company, anyway) if it was an above-board business, and there are sites dedicated to side-by-side comparisons to help customers determine just that.
One mostly well-rated VPN, Private Internet Access, has insisted that it doesn’t log users’ information.
“What this means,” a company press release explains, “is that even when we are served with government requests, warrants, or subpoenas, we respond with the truth: We keep no logs.”
In the end, that might be the best assurance you’re going to get — from a human, anyway. The promise of Tor’s open-source platform carries a lot more weight, and the service just so happens to be free. In the end, if you don’t want to risk getting into bed with a shady VPN, Tor’s slow browsing experience is just the price you’ll have to pay to keep your internet provider’s greedy hands off your data.