That github note doesn't really disagree with the article, which points out that you need to trust your VPN provider.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.
It's a bit like how "stranger danger" isn't a thing kids get taught about anymore, because random strangers aren't risky if you go up to them, only if they come up to you. (Or, in more statistical terms: bad actors are a small proportion of the pool, but they have an incentive to self-select into interacting with you that good actors do not. If you just draw randomly from the pool, you won't get a bad actor. If you let the pool show the initiative, you'll get mostly bad actors.)
Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.
Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.
A VPN provider can tell you they're not logging your traffic because they think they aren't but really they are because there's a box somewhere that your traffic passes through that has logging enabled (for example -- and don't hyperfocus on the example, I know how you programmer types like to pick up the example and play ping pong with it for six hours).
So incompetence is a reason to not trust a provider as well.
Partially, at least, they don't need to earn my trust as much. They don't have my name, address, date of birth and social security number/credit data, like my phone company does.
The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.
* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.
* My VPN provider has not done anything to lose that trust.
So which is worse, your VPN provider telling you that they don't store logs of user activity and then very well doing it (as has been proven in multiple cases), or your cell provider telling you they're going to fuck you, then fucking you?
> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.