Do VPNs Really Guard Your Privacy?
Key Points
- A VPN (virtual private network) encrypts your internet traffic so sensitive data like credit‑card numbers or personal IDs aren’t exposed on public networks.
- Without protection, attackers can eavesdrop on your connection or set up “evil twin” Wi‑Fi hotspots that intercept packets before they even reach the internet.
- When you use a typical personal VPN, client software encrypts your data, sends it to the VPN provider, which decrypts it only to re‑encrypt and forward it to the destination site.
- This setup hides your traffic from local snoops, but it shifts trust to the VPN provider, which could potentially see or log the decrypted information.
- Evaluating whether a VPN truly safeguards privacy depends on the provider’s policies, jurisdiction, and technical implementation, as it may be a “wolf in sheep’s clothing” if mismanaged.
Sections
- Do VPNs Really Protect Privacy? - The speaker explains how VPNs work, the eavesdropping threats they aim to counter, and critically assesses whether they truly safeguard sensitive data or could inadvertently compromise privacy.
- Trust Issues with VPN Providers - The speaker contrasts corporate VPNs, which prioritize security over user privacy, with third‑party VPN services that decrypt traffic and thus require users to place full trust in the provider.
- Pros and Cons of Third‑Party VPNs - The speaker outlines how third‑party VPNs conceal your IP, location, and encrypt data, but cautions that they do not grant complete anonymity, expose all traffic to the VPN provider, and fail to block cookies or fingerprinting.
Full Transcript
**Source:** [https://www.youtube.com/watch?v=zMahtD8TIwc](https://www.youtube.com/watch?v=zMahtD8TIwc)
**Duration:** 00:14:01
**Section timestamps:** [00:00:00](https://www.youtube.com/watch?v=zMahtD8TIwc&t=0s), [00:05:58](https://www.youtube.com/watch?v=zMahtD8TIwc&t=358s), [00:10:28](https://www.youtube.com/watch?v=zMahtD8TIwc&t=628s)
A VPN or virtual private network provides a way to send sensitive information over the public
internet. You've probably seen the ads for them in all sorts of websites, apps, yes, and even YouTube
videos. Well, let me put your mind at ease. I'm not trying to sell you one. That said, what about the
claim that they protect your privacy? Do they really? Or could they actually make the situation
worse? Let's take a look at VPNs and see what they are, what threats they're trying to guard against,
and the different types of VPNs that exist out there, and ultimately, whether they deliver what
they claim in terms of protecting your privacy, or are they the proverbial wolf in sheep's clothing?

Okay, let's take a look at what VPNs are and what kinds of threats we're trying to guard against.
We'll take a scenario where we've got this guy right here who wants to send information to a
website over here, and he's going to send maybe a credit card number, a Social Security
number, or some other kind of form of ID. Something that's sensitive. Something might be valuable, like
intellectual property, but the problem is it's going out over a public network. This is like
speaking it out into a public space. Who is listening? And we don't know exactly. In fact, there
could be a number of people listening. There are tools that allow people to eavesdrop on other
conversations that go over the internet. And that could happen as it's going over the internet.
It could also happen right here. In an attack known as an evil twin, we have, if this person,
let's say, is at a coffee shop or a hotel where they're using the local Wi-Fi, it's not their own
home Wi-Fi. Well, someone might set up an evil twin Wi-Fi that goes by the same name, but it
doesn't go to what you think it's going to. It's going to this particular attacker. So, they could
then see all of your packets that are going before they even get onto the internet. So, the
information that this guy is wanting to send over here could have already been looked at by a
number of different people, which is not the idea if you're trying to protect sensitive stuff like
this. So what are we supposed to do about that? Well, one solution is a VPN. So,
a typical VPN, if you're going to get one for your own personal use, is basically going to set up a
connection between you and the website you're trying to go to. And I'm drawing these as
pipes to visualize that, because that's sort of how we think about this. What's happened is you've
installed some client software, usually on your system, or it could be that you're going through a
website, but we'll assume that the case where you installed some client software on your system and
everything that's going to go to the network doesn't go directly to the internet. It goes, in
fact, first gets encrypted, then it gets sent down to your VPN provider. The VPN
provider then decrypts the information, figures out where it's supposed to go to, and then
encrypts it again and sends it over here. Now, what's the value of that? Well, among a number of
different things, this website may, in fact, in some cases this is desirable. You don't want the
website to actually know who you are. You want to be able to go there anonymously. Now, if you're
sending this information, you've already blown that case away. But sometimes, maybe you live in a
country where free speech is not particularly valued, and you need to be able to get to certain
information. You might also want to hide your location. Because there may be blocks for certain
types of things. So if you're not coming from a particular space, then you might get blocked. Well,
what happens is this website only sees the VPN provider. And the user
only, their system only sees the VPN provider. And the ISP and the eavesdropper and
the evil twin only see that you have encrypted traffic going to this VPN. They don't know where
it goes beyond that. The ISP can't be violating your privacy, it would seem, in this case, because
all they know is you're just sending a lot of traffic to this particular address, and they can't
even see what the traffic is. So by encrypting the information first, then decrypting it, then
encrypting it again and decrypting it again, and then doing the same thing as it traverses back
the other way, now we have a way where each side of the equation is limited in terms of
what it can see. And this is where some of these privacy protections and in some cases security
protections can come from.

Okay. We just took a look at what a VPN is. Now we talked a little bit
about what some of the threats are. But let's drill into that a little bit more because it
might not always be obvious. Bob Dylan has a song that says you've got to serve somebody. Well, I'm
going to say, you've got to trust somebody. No matter what you do, you're going to have to end up
putting trust somewhere. And VPNs are essentially a way of transferring trust. So let's take a look
at what the different VPN options are and what it is that you're trusting in each one of those
cases. So in the first case, let's assume we have no VPN. So none. Then who are
we trusting in that case? Well, we're basically trusting your ISP that they're not going to leak
the information because they're seeing all of your traffic as it's leaving and that they're not
going to keep that themselves or sell it to someone or give that information up. Or you're
having to trust also, I shouldn't say or, but also the internet and all the people that might be out
there that might see the packets that are going around. So in that case, you're having to put a lot
of trust in some players that in some cases you have no relationship with at all. Another type
of VPN that I really didn't describe in this example, but I'll do a little more later, is a
corporate VPN. So maybe your company wants to let you work from home or for some remote location.
And in that case, they want to provide a secure tunnel, a pipe between your system and their
system. So something that's going to go directly. Now, in that case, you're obviously entrusting your
employer because they're the ones being the VPN provider in that case. They may not be interested
in your privacy, they're interested in their security. And those two are not the same thing.
Another type of VPN, which is the one that I illustrated here, which is what most people tend
to think about when they're thinking about VPNs, and the ones that you see all the ads
for, is a third-party VPN, and in this case, a third-party VPN is basically you're having to trust
the provider of that VPN. So, in this case, the VPN service provider would be here. Since
the information is coming in, it's encrypted here. So I'm not having to trust these folks, but I am
having to trust this one. Because they have now decrypted the traffic. They're going to see where
where all of my traffic is going, the IP addresses and things like that, the frequency of
it, all of that. Whereas my ISP would just see I'm sending everything to this place. In this case,
it's going to see all of the information because it's going to decrypt it. It's going to have it in
the clear when it's right here. So it could see any of that stuff and examine it, and then it
encrypts it as it sends it on. So now that means all of my trust is here. In this case, how
trustworthy is that organization? Well, we hope it is. But we know not all of them are. In some cases,
they might be trustworthy. They might intend to do the right things. But there are
things that they can in. Like if you're getting a free VPN, look, the old saying is if you're not
paying for it, you're not the customer, you're the product. So if you're the product,
you're not paying for a free VPN. What? How could you be a product? Well, they might be using your
data and selling it to someone else. So they're monetizing your data, which means your privacy may
not be their first priority. Another case is this site could get hacked. So even
though they don't mean to do anything wrong, if a bad guy hacks into their site, now they have
access to your records and all of your traffic. And another case is that law enforcement, or
through a court order, may compel this VPN provider to hand over your records if they think
there's been a crime. So all of this depends on how much you trust this VPN provider. That's why
some of these are in different legal jurisdictions in order to get around some of the,
you know, hey, we don't want to respond to your legal requirements for our particular service, but
there's not always a lot known about who these organizations are. But the point is, we're putting
all of our trust. We've transferred our trust from the internet to this VPN provider. Now, the other
thing that you could do if you're really sensitive about privacy is you could do bring
your own VPN. In this case, you're going to provide your own infrastructure. You're going to provide
your own server. You're going to provide your own client. So maybe if I'm coming in from another
place, another location, I tunnel into my VPN server and then it goes out to wherever it is I
want it to go. So I could do that as well. But in this case, I'm putting all the trust in myself,
which you might say, well, if you're really sensitive about privacy, that's who you ought to
be trusting. But the other part is you're still trusting something else. You're trusting the
software that you're using to run that VPN. So you're going to download that. It might be open-source
stuff and you might say, well, I think that's trustworthy. But the point is you're still
trusting something else. So you're either trusting the internet and your ISP, your employer, your VPN
provider or the provider of the software. But you got to trust somebody.

Okay, so there is another
look at the threats. And we've also looked at the types here now. But now let's talk about the
privacy protections and what they do and what they don't do. Well, in particular, I'm going to
focus on this one, these third-party VPNs, since that's what most people are thinking about. The
employer VPN, as I already said, is really not designed to protect your privacy. It's designed to
protect the company's security. Now, they may have a thing called a split tunnel, where some of your
information goes directly to the internet and some of it goes to the company network. That's
another way of doing that. But in no cases is it really protecting your privacy, I don't think.
However, these third-party VPNs. Let's take a look at some of the pros and cons of these. So one of
the pros that's here is that it hides your IP. So if you look back over here remember the website
doesn't see what your source IP address is. It doesn't even know your exact location. In fact,
it's a way to make it look like you're somewhere else because the VPN, wherever that server is,
that's the ID, that's the IP address, that's the location that's going to be surfaced. And again,
the ISP doesn't see this either because all it sees is if you're going to that place. Another
thing, as I said, is hiding your location. And another thing is it's hiding your data. So because
of this, information is encrypted as it's going down to the VPN provider. We call this a tunnel. In
this tunnel, the data is encrypted, so anyone that sees this just sees encrypted data. And the same
thing over here. So those are the pros for this. Now how about some of the cons? Because everything's
got pros and cons it seems. First of all, there's this belief that a VPN gives you
anonymity. Well yeah, kind of, but not full anonymity. Because after all, the
VPN provider sees all. They see all of your traffic coming in, all of your traffic going out
there. They're seeing your IP address, your location and your data. So it's anonymous from the standpoint
maybe of some of these other actors, but the VPN provider now sees all of that. Also, it doesn't
stop tracking cookies and browser fingerprinting and things like that, which a
website might do. So, and especially if you've logged into the website, well, then obviously it
knows who you are. That's not going to be anonymous. So some people have a naive notion that
if I'm going through a VPN, I'm anonymous. Well, you may or may not be. It depends on some of these
other aspects that might still be violating some of your privacy. And, as I mentioned, if
you're logged in, then you're not. You're not going to be able to guard against that. And then, finally,
the last one is it adds some latency, latency, meaning it adds some delay because I've got to
encrypt my data. Then I have to send it to a third party, which is going to decrypt it, who is then
going to encrypt it again, and then it's going to get decrypted over here. So it's going through a
third party with multiple encrypts and decrypts. All of these things again are potentially slowing
the system down. Typically, one of these types of VPNs will run slower than you would get if you
just went directly. But if you just went directly, you might not have the protections you want. So
again, the bottom line is you're trusting this. And is that where you want to trust? Not all VPNs are
created equal. In fact, given that most websites these days implement encryption automatically,
some might argue that the need for a VPN is not as critical as it once was, but if a VPN is well
implemented, it can improve security and protect privacy. If not, it could actually make matters
worse by handing over your data directly to a bad actor. In some countries where free speech is not
protected, they may be the only option to counteract censorship, as I experienced firsthand
when I was living overseas. But these countries might also legally compel providers to reveal
your records. A VPN can't stop malware, despite what some ads claim, and they aren't a guarantee
of privacy. But a good VPN can, in the right hands, be an excellent tool or,
in the wrong hands, an expensive fraud.