A very secure computer system - protected by my very own VPN service

You probably don't need a VPN for meaningful privacy

Pull up a YouTube video from any channel with even a moderate-sized audience and there's a not-insignificant chance you'll get an advertisement for a VPN service.

That advertisement will probably be full of claims about your privacy and security and about how their VPN will protect you from your ISP or from hackers, using lots of scary-sounding words coupled with phrases like "military grade encryption" meant to tell you how superior their product is.

The modern internet is built on some pretty good security and privacy fundamentals, with even more capabilities about to become ubiquitous. In this blog post I'll talk about when you don't need a VPN, when one is a good thing, and what you should know about VPN service providers.

You don't need a VPN when:

  1. You're using public Wi-Fi. Nowadays this little marvel called Transport Layer Security (TLS) is ubiquitous for communications. TLS means that in almost every case the content exchanged between you and the websites you're visiting is not viewable by other people on the same network as you, or by anyone who might be listening out on the internet. Cases where that may not be true are devices given to you by your employer, or when you click past the big scary warnings a modern browser shows if you try to browse to an insecure website. TLS is now applied to DNS requests (resolving names to IP addresses) as well, so no one besides the operator of the DNS server you're using can see them. As an aside, I typically recommend most folks use Cloudflare's 1.1.1.1 DNS provider unless they know better.
  2. To stop your ISP from seeing what you're doing on the internet. Today, with TLS in ubiquitous use, ISPs can't see what you're doing on the internet. The biggest remaining gap is that the current TLS standard can reveal which website you're visiting, but not what you're doing on it (so the government can see you're using Facebook, not who you're talking to). This will improve with the release of a new TLS feature called "Encrypted Client Hello", which in many cases will make it impossible for anyone observing a TLS connection to know which server you're communicating with.
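To make the second point concrete, here is an added example (my own illustration, not code from the original post) of exactly what a passive observer on the Wi-Fi or at the ISP can read from a TLS connection today: the destination hostname travels in cleartext in the Server Name Indication (SNI) extension of the very first handshake message, while everything after the handshake is encrypted. The script builds a minimal ClientHello record itself (a constructed sample, so it runs offline with no network) and then parses the SNI back out the way a network tap would. The hostname `www.example.com` and the builder/parser function names are my own choices.

```python
"""Extract the Server Name Indication (SNI) from a raw TLS ClientHello record.

Added example, not part of the original post. A passive observer (someone on
the same Wi-Fi, or the ISP) sees the ClientHello in cleartext, so the SNI tells
them WHICH site you are visiting. Encrypted Client Hello (ECH) is the feature
that will hide this field. The record is constructed inline so this runs offline.
"""
import os
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (constructed sample data)."""
    extensions = b""
    # supported_versions extension (type 0x002b) placed first so the parser has to
    # walk the extension list instead of assuming SNI is the only extension.
    sv_body = b"\x02\x03\x04"  # list length 2, one entry: TLS 1.3
    extensions += struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerNameList with one entry: name_type 0 (host_name), 2-byte length, name
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body

    body = b"\x03\x03"                                # client_version = TLS 1.2
    body += os.urandom(32)                            # 32-byte random
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    pos = 4 + 2 + 32                                  # handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:                             # walk the extension list
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000:                        # 0x0000 = server_name
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        entries = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            name = entries[i + 3:i + 3 + name_len]
            if name_type == 0:                        # host_name entry
                return name.decode("ascii", errors="replace")
            i += 3 + name_len
    return None


if __name__ == "__main__":
    for host in ("www.example.com", None):
        hello = build_client_hello(host)
        print(f"observer sees destination: {extract_sni(hello)!r}")
```

Running it prints the hostname for the first record and `None` for the second, which is the difference ECH is meant to make: with ECH the real SNI moves into an encrypted inner ClientHello, so an observer is left with only the IP address and the cover name of the fronting server. Nothing about the page content, cookies or credentials is ever visible at this layer, which is the point of the first list item above.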

VPNs are very useful when:

  1. You want to watch streaming services from out of region to get access to other libraries
  2. You're trying to avoid government blocks of websites, and your government is not very competent at blocking VPNs. It's always been odd to me that government censorship is great at blocking websites, but doesn't seem to go the extra mile to block VPNs in most cases. If you work for a government, don't get any ideas reading this.
  3. You're trying to view content that is only available in specific regions.

What you should know about VPN service providers:

  1. They're run by companies that are subject to the same laws you would be in most cases. Adversaries interested in surveilling you would have no problem sending a warrant to a VPN service provider to get your information and activity. I wouldn't trust any of the providers who advertise on YouTube to fight a government agency for your privacy.
  2. The VPN providers themselves can see your traffic, and I would gamble that in many cases they actually sell that data to advertisers. Some high-profile VPN companies are actually owned by advertising companies.
  3. They are targets of hackers as well: imagine the massive treasure trove awaiting a hacker who successfully compromises a VPN provider. Lots of victims are opened up to attack instead of just one. TLS is probably still used by most applications going over a VPN, but a compromise may still allow an attacker to de-anonymize you or mount other, more complicated attacks.
  4. Something that isn't secure isn't made secure by a VPN. If you're using some fundamentally insecure, non-encrypted application or website, the VPN isn't a miracle: it may protect your connection from attacks on your local network, but you would still be vulnerable to attacks originating anywhere between your VPN provider and the service you're using.

Special mention: end-to-end encryption in consumer applications is pure security theatre

Lots of applications tout end-to-end encryption as a security benefit, but in large part it's a meaningless gesture. Sign into Facebook/WhatsApp on a new computer or device, and boom, all your old messages are there and you can view them. Yes, they were probably transmitted 'end-to-end encrypted'. The reality is they have to be decrypted to be used. So obviously any bad actor who compromises your Facebook/WhatsApp account can view them, and if a warrant is served to Facebook they will absolutely be able to give someone a plaintext copy of your messages.

That is not to allege that Meta has that capability programmed in today, but with enough pressure it would not be trivial for them to introduce. Encryption is a powerful control for data at rest, and I would never say it's security theatre in general; perhaps just that you need to have a certain level of trust in your service providers. In the words of Rage Against the Machine, Know Your Enemy.


Final Caveat

If someone is actually trying to spy on you, maybe the contents of this post don't apply.


This article was updated on December 21, 2023