This article was written by IVPN’s CEO Nick Pearson.
IVPN is a virtual private network (NPN) and an Electronic Frontier Foundation member and is dedicated to protecting online privacy. While I usually don’t promote businesses on this site, VPNs are an important, yet little-understood activist tool, so when IVPN proposed the article to me, I accepted. Psiphon is an alternative free VPN option. – Mary
What You’ll Learn in This Post
Many digital activists have good reasons for wanting to protect their online activity from prying eyes. Many turn to commercial Virtual Private Network companies in order to do so. But there are also a great deal of misconceptions around what a VPN can and cannot do. In this article we’re going to explain:
- What VPNs do
- How they benefit activists,
- Their limitations
- What you need to look out for when choosing a VPN service.
What Does a Virtual Private Network Do?
1) Obscures user location Firstly, as the name suggests, privacy-focused VPN services allow their users to send data across a public network (such as the Internet) as if it were being sent across a private network. So from the perspective of a website, or online service (such as Skype or Facebook), the user’s connection originates from the VPN server’s location, and not the location where the user actually resides.
2) Encrypts data (with limitations) Secondly, a VPN can encrypt any data being sent between the user’s computer and the VPN service. This can prevent eavesdroppers from, for instance, spying on your activity over a public WiFi connection. However the last leg of traffic, from the VPN server to the web service, can be monitored, unless end-to-end security such as HTTPS is used. Nevertheless, even if the traffic is monitored, it would derive from the VPN server and not your actual location – thus protecting your identity.
3) Obscures online activity Thirdly, when using a VPN your Internet Service Provider can no longer view, log, or control your internet activity. The ISP can only determine that you’ve connected to the VPN’s server. Instead the VPN now becomes the entity able to record your activity. This obviously has its benefits and potential drawbacks, which we’ll cover below.
Why Do Digital Activists Use VPNs?
So what are the benefits of using a VPN for activists? For many activists living in censorious regimes, a VPN (or similar proxy service like TOR) is essential, as it gives them the ability to circumvent local internet filters, so they can access prohibited content and services.
The other major benefit is that activists can avoid being monitored by eavesdroppers and can avoid having their internet activity logged and stored by their ISP. Such anti-surveillance precautions are vital if an activist wants to protect their identity online.
It’s already a legal requirement for all EU ISPs to log and record user data for the entirety of a user’s subscription and up to two years after the subscription has been cancelled (although there are still a few EU countries fighting this law).
In the US, there currently is no legal requirement for data retention for ISPs, although the Obama administration has pushed for it in the past. However, US ISPs still voluntarily retain customer data in order to cooperate with law enforcement. This data will include logs of what web services and websites you are accessing, though it doesn’t (or shouldn’t) contain the contents of emails, or social media activity (that’s what PRISM is for of course).
The ability for authorities to access your entire web history via mass surveillance programmes therefore poses a genuine risk to activists in all countries, not just those living under oppressive regimes. There have been countless times throughout history where activists in democracies have broken illegitimate laws in order to protest effectively, just as there’s also been times when the establishment has attempted to publicly discredit activists in whatever way they can.
What’s the Difference Between a VPN and TOR?
If you’re looking for a simple way to protect your privacy online then you’re usually faced with two options: VPNs or TOR. The Onion Router (TOR) is a very popular anonymizing tool amongst privacy-conscious internet users. Like VPNs, TOR allows a user to make websites and web services believe they are accessing the internet from a different location and it also encrypts traffic, making it difficult for any evesdroppers to access your data. However the last leg of traffic, at the final exit node, can be monitored, unless end-to-end security such as HTTPS is used.
Although not completely secure, Tor is designed to provide strong anonymity. It does this by relaying traffic through a series of random TOR nodes, setup in such a way that the last node the traffic exits from cannot tell from which node the traffic entered from. This removes the necessity to have to trust any single entity with your anonymity (unlike a VPN service) and is the most suitable for dissidents and activists who’s lives depend on their anonymity.
So when using TOR you have to trust the – often anonymous – people setting-up exit nodes not to monitor your traffic, while with a VPN you have to trust the company itself not to do the same.
TOR has the benefit of being completely free-to-use, while most VPNs will charge a subscription. The fact you have to pay for a VPN also introduces another security risk (as most forms of payment can reveal your identity). However, while TOR is free, is can also considerably slow down your web browsing, and is not really suitable for downloading large files or streaming content. A VPN on the other hand will usually be fast enough to allow you to use the internet without changing your browsing habits whatsoever.
What VPNs Can’t Do
This is because PRISM involved creating “backdoors” into the servers of web services such as Google and Yahoo. So it doesn’t matter whether your traffic is encrypted, or if your location is obscured. If the government can read the emails in your Gmail account, then the only way to stop this is to not open a Gmail account in the first place.
The one area where using a VPN might help, is that the emails you send won’t be linked to your actual IP address. But this is only useful if your identity cannot be confirmed by other information that may be stored in your Google account, or elsewhere.
So remember, even if you’re using a privacy tool, you still have the ultimate responsibility for protecting your identity. Information gleaned from tweets, blog posts, Facebook pictures, etc, could easily give away who you really are and perhaps put your work at risk.
What are the Dangers of Using VPNs?
Relying on a VPN to protect your privacy requires a degree of trust between you and the company running the service.
It’s entirely possible for a VPN company to be subpoenaed by the authorities and forced into monitoring a user. Just as it’s entirely possible for a TOR node to be set-up by the very authorities you’re trying to avoid.
It’s also possible that a VPN company is not really serious about its users’ privacy in the first place. As we mentioned, one of the core benefits of using a VPN is that your web activity is not being stored by an ISP. If a VPN company is wiping its data logs regularly, then any demands to hand over logs cannot be met.
What to Consider When Choosing a VPN
So if you’re looking to sign-up to a VPN service, what should you consider? Here’s a brief run down.
Payment options – If you don’t want anyone to know you’re using a VPN then Bitcoin – while not completely secure – is probably the best option when it comes to payment.
What if laws change? – Trying to determine what VPN to choose based on where the company is headquartered isn’t straightforward, as VPNs in nearly all countries are susceptible to being undermined by the authorities. But it is reasonable to ask a VPN what it will do if laws change in its country regarding the legal status of the service offered. Will it notify customers of any changes in relevant laws? Will it relocate to a different jurisdiction? Will it give you a refund? Ideally these issues should be covered in its terms and conditions, but if not, ask them directly.
Image: Flickr/Susan Melkisethian