ExpressVPN employees complain about ex-spy's top role at company (reuters.com)
291 points by hassanahmad on Sept 24, 2021 | 166 comments



It's been clear for a long time that every single commercial VPN service is a waste of money. At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

If you think you want a VPN for "privacy", use Tor Browser. If you want a VPN for any other reason than "normal people" think they want a VPN, you're probably wrong.

Why do we even give these companies the time of day?

(Small clarification - Most people who want VPNs should use a proxy instead. It fits the use case better. Those still exist and don't route ALL of your device's traffic over the tunnel.)


It's far from a waste of money. They help with things such as skipping geoblocking, being able to deceive ISPs that send mail warning users about pirated content, in some cases helping with gaming ping, allowing users to trick sites that rely on IP logging, and many other applications besides cybersecurity and privacy.

The main issue is that they all seem to advertise themselves as these privacy and cybersecurity services first, while ignoring all the other added benefits.


Meanwhile, a lot of users really can't trust their ISP: your "ISP" might be coffee shop, or someone renting on AirBNB, or your friend (as you are at their home or office). If you are in any of these circumstances, I would probably first recommend "tether off your phone or something", but if you are finding yourself needing or merely wanting to use someone else's internet connection (maybe for speed or because you don't have a good cell signal), it totally makes sense to use a VPN.

(Also: I don't think anyone has mentioned this yet, as maybe it is somehow "gauche" to do so, but one of the top reasons people use VPNs around the world is because they want to browse porn and they don't want people around them to know. At some point, the people in the apartment next door to me figured out my wi-fi password and seemingly felt the correct solution to this issue was to use me for their porn browsing, but it was then all the more awkward when I figured out why my network was slow and knew all of the porn sites they were browsing. Most people seem more OK with the idea of paying a company like ExpressVPN--even if they are legitimately run by "spies"--to be their dedicated porn access point than hoping that someone else more locally won't find out what sites they are browsing.)


> Meanwhile, a lot of users really can't trust their ISP: your "ISP" might be coffee shop, or someone renting on AirBNB, or your friend (as you are at their home or office).

Or your ISP may be one of the big ones - Comcast, Time Warner, etc or whatever they are in other countries, and you may legitimately not trust them either.


>At some point, the people in the apartment next door to me figured out my wi-fi password

That seems implausible.



My wi-fi password was loudly spoken often and our windows were open constantly. Honestly, if they had asked one of us for the password, I am sure we would have given it to them also (and for all I knew at the time that was how they got it: I am just saying they figured it out, not that they stole it). (It wasn't designed to be secure or anything... is yours? I do not even think I changed the password once they started using it... I just upped my cable modem plan so I wouldn't get affected by it ;P. I might have, though... this was like 15 years ago (I have been using the same wi-fi password at least since right after that, certainly?)


I leeched off my old neighbors’ WiFi for a few years until everyone in the complex upgraded to routers which weren’t vulnerable to the pin key attack (or whatever it was called).


Correct in part, but I think the other main reason people use a VPN is because their ISP blocks access to porn. A VPN allows them to watch it.


Totally agree. The geoblocking is the most common reason a lot of people use VPNs, even if that isn’t always how they are directly marketed. A friend’s mom asked me a few weeks ago for VPN recommendations so she could watch British TV easier. She’s 70. Her concern isn’t about safer browsing stuff but watching GBB more easily.

*Disclosure: ExpressVPN has sponsored my podcast in the past (tho I don’t handle ad sales fwiw) and I’ve always chosen to do the “this is how I watch X service in X country” use case in ad reads, b/c that’s the value in it for me vs rolling my own Wireguard/Tailscale setup (I actually have Tailscale setup for my home network).


It’s funny express has you advertise as being able to watch X service considering when I used express I couldn’t watch Netflix because they throw an error saying they know I’m using a VPN. Same with Amazon prime. I’ve switched to nordvpn but they are no different I can’t even use fast.com to check the speed when the vpn is on.

False advertising I’d say


My kid contacts ExpressVPN when this happens and he says they are pretty good at following up.

We have no illusion that a third party VPN adds any security; we use it for this reason. I vpn to my personal colo machines when away from home.


Netflix has been particularly vigilant as of late to combat VPN usage so it is a cat and mouse game. I haven’t had an ad from them in months but last time I did, it worked with the services I’ve used without a problem. For all VPN services, the geoblock stuff is a moving target so what works one day or week, won’t necessarily work the next. It’s unfortunate but it is what it is.


Yeah Netflix is the reason I switched from ExpressVPN to NordVPN.


NordVPN unblocks services by routing through residential IPs without explicit consent: https://news.ycombinator.com/item?id=21664692


XV works with Netflix, just not the default servers.


Browser fingerprinting works much better than checking IPs. With multiple devices being behind the same IP, it's necessary to distinguish between users.

I'm not saying VPNs are worthless - I'm on one right now for work. Commercial VPNs, for most people who purchase them, are completely worthless.

And I very much doubt that tunneling your connection through a VPN can improve ping.


Just for a moment close your eyes and imagine a world where you have to fill-in a mildly complicated form before you visit a website (or blindly sign away whatever rights you might have had).

A world where every second funny video you might have found on Reddit leaves you with a cryptic message that some "rights holder" doesn't permit you to see it (and denies you from joining the fun everyone else seems to be having in the thread).

A world where you cannot buy half of the cool stuff you want (and everyone else seems to be having) because you cannot even see the online store where it is sold.

A world where you're even denied access to old and seemingly public domain e-books.

Open your eyes. This is the world most of us live in.

We're not on commercial VPNs because we love to, but because often there is no other way. They are in a sense invaluable when it comes to geo-restrictions, even though I agree with you that they are worthless for many of the reasons they claim to exist.


Ok. Use a proxy, or set up your own Proxy/VPN on a VPS? Then you also have a VPS - you can host your own website there, use it to download stuff and rsync it back to your local machine, deploy nextcloud, etc., all for less than the cost of ExpressVPN. And bonus points, you can use unlimited devices.


Less than the cost, sure, but you are saving a couple of bucks a month tops and replacing that with work on setup and maintenance instead. Moreover, that way you get a single IP rather than the 40 different countries with multiple IPs my provider gives me.


By analogy with CDN VPN in that role is "Content Receival Network".


90% of the average population doesn't know the first thing about command lines.


Geoblocking, and a practical way around it, could be a great motivation for them to change that!


Setting up your own proxy/VPN on a VPS is bad from a fingerprinting perspective. You get a static IP in an IP range that is rare for consumers. Pirating is also meaningless unless you use a special hosting provider.


Browser fingerprinting does not work for geofencing. Browser fingerprinting and IP geotags work, but fingerprinting just tells you if a user is the same person, on a different IP address. I run a website to monitor bot traffic, and really all something like a Picasso fingerprint can get you is visibility into who's spoofing their IP.

You get a hash value that's roughly unique to the browser-device configuration. You don't know from that hash where the user is located. You have to pair the hash up with geolocation services to get that info. Once you do that though, you get a decent idea of if the person is changing their IP, but there's still no way to tell what the 'real' IP is. You just end up with a unique ID that's associated with a handful of different IP addresses.
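The correlation the comment above describes, as an added example that is not part of the original post: a fingerprint hash is derived from the browser attributes, each hash is tied to the IPs it was seen from, and the per-IP country (assumed to be pre-resolved from a GeoIP lookup) is used to spot browsers that hop between countries. The attribute sets, IP addresses (documentation ranges) and countries are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed browser attribute sets, as a fingerprinting script would collect them.
FIREFOX_LINUX = {
    "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
    "screen": "1920x1080x24", "tz": "Europe/Berlin",
    "fonts": "DejaVu Sans,Liberation Mono", "canvas": "7f3a9c",
}
SAFARI_IPHONE = {
    "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) Safari/604.1",
    "screen": "390x844x32", "tz": "America/New_York",
    "fonts": "Helvetica", "canvas": "c0ffee",
}
CHROME_WINDOWS = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/93.0.4577.82",
    "screen": "2560x1440x24", "tz": "Europe/Paris",
    "fonts": "Arial,Segoe UI", "canvas": "deadbf",
}

# Constructed request log: (attributes, client IP, country the IP geolocates to).
# Country is assumed to come from a GeoIP lookup done before this step.
SAMPLE_REQUESTS = [
    (FIREFOX_LINUX, "203.0.113.7", "DE"),     # home connection
    (FIREFOX_LINUX, "198.51.100.23", "US"),   # same browser, VPN exit in the US
    (FIREFOX_LINUX, "198.51.100.23", "US"),
    (SAFARI_IPHONE, "198.51.100.23", "US"),   # a different device behind the same exit IP
    (CHROME_WINDOWS, "192.0.2.44", "FR"),
]


def fingerprint_id(attrs: dict) -> str:
    """Stable hash of the canonicalised attribute set. Identifies a browser
    configuration; it says nothing about where the user is."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def correlate(requests):
    """fingerprint id -> {'ips': {ip: country}}. Pairing the hash with the
    geolocated IPs is what turns 'same browser' into 'same browser, moved'."""
    seen = defaultdict(lambda: {"ips": {}})
    for attrs, ip, country in requests:
        seen[fingerprint_id(attrs)]["ips"][ip] = country
    return dict(seen)


def ip_hoppers(requests):
    """Fingerprint ids observed from more than one country: the browser is
    changing its IP. Which of the IPs is the 'real' one cannot be told here."""
    return sorted(
        fid for fid, rec in correlate(requests).items()
        if len(set(rec["ips"].values())) > 1
    )


def devices_behind_ip(requests, ip: str) -> int:
    """Distinct browser configurations seen from one address, which is why an
    IP alone is not enough to tell users apart."""
    return len({fingerprint_id(attrs) for attrs, seen_ip, _ in requests if seen_ip == ip})


if __name__ == "__main__":
    for fid, rec in correlate(SAMPLE_REQUESTS).items():
        print(fid, rec["ips"])
    print("hoppers:", ip_hoppers(SAMPLE_REQUESTS))
    print("devices behind 198.51.100.23:", devices_behind_ip(SAMPLE_REQUESTS, "198.51.100.23"))
```

The Firefox configuration ends up as one id attached to two IPs in two countries, which flags it as a VPN user, while the shared US exit IP resolves to two separate ids; neither fact reveals the user's home address beyond the IPs already logged.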


As a frequent international traveler, using VPNs as a method to change routing absolutely can improve the results. Routing is not always done to get your specific packets someplace as fast as possible, particularly when submarine cables are involved.


Yup, I was going to say the same thing. I’m also a frequent international traveler (tho not in the last 20 months, alas, but before pandemic I averaged 2 international trips a month) and one of the benefits, security or not, of a commercial VPN service is the access to different nodes that can drastically improve speeds vs whatever routes the network you’re on is using. It’s not a guarantee but I’ve had it come in handy quite a few times.


> And I very much doubt that tunneling your connection through a VPN can improve ping.

Yea... as someone who used to play a lot of online games, this was always a surefire way to increase ping time lol. "Crap, my VPN is still on... brb"


This is actually a thing outside of the US mostly. For example in many Asian countries routing is utterly fucked if it's not incumbent to incumbent.


> And I very much doubt that tunneling your connection through a VPN can improve ping.

Surprisingly this can be the case as long as the combined link to VPN + target is better than the direct link to target. Keep in mind that the target might be geo distributed.

Like driving, going over 2 highways might be faster than going over a direct dirt road, or a longer road might be faster because the direct road is congested.


One case where I saw this was a friend who for some reason was being routed to game servers around the world when trying to connect to an Overwatch game, and a much closer server with the VPN.

Was this a bug in Overwatch? Almost certainly, but the VPN was an effective workaround.


> Surprisingly this can be the case as long as the combined link to VPN + target is better than the direct link to target

Is that surprising? I think that's what you would expect, and it's what the above commenter is suggesting (quite reasonably IMO) is very unlikely.

I think the issue is that you're implying the road to the target is a dirt road, but the road to the VPN is a highway, which seems a bit questionable.


I've seen it happen. Blizzard is quite notorious for having some weird network links, where a VPN is known to be a workaround. Example [1], and I've heard the same from WoW players.

[1] https://eu.forums.blizzard.com/en/overwatch/t/lower-ping-whe...


Most of the time the end user equipment is the bottleneck rather than the internet backbone


It can improve bandwidth too! Network operators LOVE to mess with traffic based on service type: prioritize it, throttle it, cap it, the games don't end.

"Turn on VPN, network performance improves" is a regular occurrence these days.


What about using a VPN inside a VM? (or even a separate computer) Presumably all of your browser fingerprints would be different, yes?


Yeah, but unless you are blowing the VM away all the time (and maybe you are, but that takes a certain amount of effort, even if you try to automate it), you’re still going to have a fingerprint tied to that VM and browser(s). Will it be linked with your other devices? Maybe not, but depending on what accounts you are signed into (Google, Facebook, etc), there could still be a more robust profile associated with your various locations and devices, even if the fingerprints are different.


And no wonder! All of those things you listed as benefits sound shady and illegitimate to people who aren't very tech savvy or have a poor understanding of their rights to a free web. Notice you're using words like "Trick" and "deceive" good luck selling that!


I think VPNs are having no problems selling that, for exactly those reasons.


This. I'm an occasional customer of ExpressVPN because they're pretty good about getting past the Great Firewall. When we go visit her family I want access to the same things I have in the US. It's not going to be any real protection if the government is after you.


True. I use VPN to get behind the geoblocking on my banking app which is prohibited to work in my African country. Also viewing movies banned in my country.


It is in fairness not a winning business strategy to go out and advertise with “we make breaching copyright easier”.


The tech crowd is probably not the crowd that would shed a tear over this industry.


> you replace trusting your ISP with trusting a different group of unknown people with similar motivations

I've always seen this argument but it's never made sense to me.

For starters I absolutely don't trust my ISP. I know they are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).

Years ago I used to use AirVPN. They claimed:

> AirVPN started as a project of a very small group of activists, hacktivists, hackers in 2010, with the invaluable (and totally free) help of two fantastic lawyers and a financing from a company interested in the project and operated by the very same people.

Maybe they're lying but at least there's some chance they actually care about privacy.

But even if they don't care about privacy at all and are lying, at the very least they are based in Italy and have their servers spread throughout Europe. Additionally you can pay via crypto (which gives you more anonymous payment options than your ISP). Simply being in another country than the one I live in makes it much harder for my government to arbitrarily request my data.

Yes, if I want to do highly illegal activity that is going to get my government interested in me I absolutely don't think that would be enough. But if I want privacy from routine surveillance this seems like a fantastically better option than 100% giving up.


Use an alternative DNS server, Firefox/Brave/Ungoogled Chromium, uBlock Origin, and disable JavaScript everywhere you can possibly help it. As far as reclaiming some privacy from routine surveillance, this is probably better advice than "Pay Unknown Company X $9/mo to maybe be slightly better than your ISP in terms of privacy".


But wouldn't the measures you mentioned make routine surveillance easier due to the much more unique fingerprint?


The fingerprint fails to run with JS disabled.


Well, except that disabling js doesn't prevent you from having a browser fingerprint. In fact, it will make it even more unique and therefore easier to trace. So not sure what you are referring to


It is far easier for a bad actor to compromise or start a commercial VPN provider than it is to do the same for an ISP.

If you want online anonymity, use Tor. And torrent with a seedbox.


What if my ISP is a "bad actor?"

Using Tor is:

1. a huge PITA

2. a red flag

3. potentially exposing me to unsavory actors


>*are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).*

https://en.wikipedia.org/wiki/Carnivore_(software)

And this was the very very crude version, what is happening today is obviously light years ahead of what Carnivore was...

We really need a "*Moore's Law For Surveillance Capabilities Multiplying by X Every N Period*"


Plus, you can chain through a couple VPNs. Both VPNs have to be compromised for you to lose privacy.


The first one would still know everything though.


The first one would know that you are talking to the second VPN. The second VPN would know that VPN1 User is talking to facebook.com. In principle, neither of them has the full picture. In practice, you may leak enough information that both of them could get the full picture.


That seems like a great technique if it is correct.

Seems obvious to me that many of the top VPN providers are operated by intelligence agencies or have ties to data brokers: they can afford to operate the services at an initial loss for the benefit of information learned later.

For example, touting that a VPN is operated outside of a country with ties to the “five eyes” doesn’t seem like a benefit, it likely means they can operate with impunity on your data.


My IP: 1234

VPN A IP: 4321

VPN B IP: 6543

---

Unless I'm missing something, the request would go like this:

VPN A sees that 1234 is going to facebook.com

VPN B sees that 4321 is going to facebook.com

facebook sees that request is coming from 6543

Am I misunderstanding the technology, or didn't VPN A see everything?


VPN A only sees that the request is going to VPN B.


But VPN A has to relay the request for facebook.com to VPN B, meaning that VPN A has to be aware of the user's final destination. If my interpretation of this is incorrect, then how does VPN B become aware of the request for facebook.com?


VPN A knows there was a request to VPN B, that's it. The request is encrypted twice on the client. VPN A removes its encryption but is only left with an encrypted request to VPN B. VPN B then removes its encryption and forwards the request to fb.com.


VPN A only sees a request to VPN B. Because of that they don't need to know anything about the final destination or even that there is a final destination beyond VPN B.


VPN A receives a packet that says "carry this (encrypted) payload to VPN B Gateway IP". VPN B Gateway receives that packet and decrypts the payload. The payload says "send this (encrypted) payload from VPN A customer IP to facebook.com".
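The two-hop exchange described in this sub-thread, as an added example that is not code from the original post: the client wraps the request in a layer keyed to VPN B, then wraps that in a layer keyed to VPN A, and each gateway can only peel its own layer. The cipher is a toy encrypt-then-MAC construction on HMAC-SHA256 so the example runs on the standard library alone (a real tunnel would use an AEAD such as ChaCha20-Poly1305 or AES-GCM); the gateway names, keys, IPs and the HTTP request are constructed.

```python
import hashlib
import hmac
import json
import os


# --- toy cipher (illustration only, not a production primitive) -----------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; the key/nonce pair yields a pseudorandom pad."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. The tag covers nonce and ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Wrong key -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered packet")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- the two hops --------------------------------------------------------------
class Gateway:
    """One VPN hop. Holds a key shared with the client and records only the
    (source, next hop) pairs it is actually able to decrypt."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.observed = []

    def forward(self, source: str, packet: bytes):
        envelope = json.loads(open_sealed(self.key, packet))
        self.observed.append((source, envelope["next"]))
        return envelope["next"], bytes.fromhex(envelope["payload"])


def build_onion(key_a: bytes, key_b: bytes, hop_b: str, destination: str, request: bytes) -> bytes:
    """Inner layer (for B) names the real destination; outer layer (for A) names only B."""
    inner = seal(key_b, json.dumps({"next": destination, "payload": request.hex()}).encode())
    return seal(key_a, json.dumps({"next": hop_b, "payload": inner.hex()}).encode())


def can_open(key: bytes, blob: bytes) -> bool:
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


def run_chain(client_ip="203.0.113.1", destination="facebook.com",
              request=b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"):
    key_a, key_b = os.urandom(32), os.urandom(32)  # separately negotiated per hop
    vpn_a, vpn_b = Gateway("vpn-a", key_a), Gateway("vpn-b", key_b)

    packet = build_onion(key_a, key_b, vpn_b.name, destination, request)
    next_hop, inner = vpn_a.forward(client_ip, packet)      # A peels its layer
    a_can_read_inner = can_open(key_a, inner)               # A tries to peek further
    final_hop, plaintext = vpn_b.forward(vpn_a.name, inner)  # B peels the rest
    return {
        "a_saw": vpn_a.observed, "a_could_open_inner": a_can_read_inner,
        "b_saw": vpn_b.observed, "delivered_to": final_hop, "plaintext": plaintext,
    }


if __name__ == "__main__":
    for k, v in run_chain().items():
        print(k, v)
```

VPN A logs the client address and "vpn-b" and nothing else; VPN B logs "vpn-a" as its source and facebook.com as the destination. The caveat from the thread still applies: if the inner request itself carries identifying data (cookies, an account login), VPN B can tie it to a person without A's help.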


> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.

When one party with auditors says they will protect your privacy, and the other openly spells out in their stated policies that they will run roughshod over your privacy, cataloging and trading your data as much, as long, and as insecurely as they like...

You don't have to trust the former party a lot to recognize the lesser evil.


> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

My ISP is required by law to be an informant for government agencies, so the VPN can only be equal or better than my ISP.


Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

Separately from that, I still do wonder whether, if you subscribe to a VPN that has well-examined security practices and whose reputation depends on such practices, whether it still may have value over relying on the security over a local ISP which may not have as much expertise or reputation investment with respect to security.

I'm not arguing, just trying to understand the issue better.


Argument is the spice of life! An argument doesn't have to be angry. But nonetheless I appreciate your earnest kindness.

It's less of an issue when every site you connect to uses https, and every app you use employs ssl/tls for its connections. That is common practice these days. Getting man-in-the-middle'd on airport Wi-Fi is less feasible these days than it was 10 years ago. The attacker would have to also install a certificate on the user's device. I welcome corrections if I'm wrong.

VPNs aren't obligated to tell you the truth. They don't have to have good security or even honor what they say on the front page. People trust marketing, not actual policy or actions - just look at Apple. Still waiting on "HMA" VPN to go out of business because they handed over users to the FBI. They're still around and claim No Logs just like everyone else, just like ProtonMail did until this month.

https://arstechnica.com/information-technology/2021/09/priva... https://hacker10.com/internet-anonymity/hma-vpn-user-arreste... https://www.theregister.com/2011/09/26/hidemyass_lulzsec_con...


"Getting man-in-the-middle'd on airport Wi-Fi is less feasible these days than it was 10 years ago. "

I think the "consensus" I'm referring to may actually have been from at least 10 years ago. I'm an old-timer!

Thanks for the feedback


> Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

No. I don't think this was ever a consensus. When is the last time you've used a (sensitive) website that is not run over HTTPS? Unless the CAs (or the certs) are compromised, you have no reason to use a VPN when on public Wi-Fi, because it is encrypted with this so-called "military grade encryption" that VPN providers love to mention.

Edit: forgot to add, if the CAs or the certs are compromised, VPNs won't help anyway.


Most public wifi blocks all the ports necessary for VPNs except 80 and 443. Even then DPI will stop most VPN protocols right in their tracks.

I’ve never had reliable VPN working over public wifi/mobile network, unless I roll my own custom protocol that masquerades as HTTP traffic.


Interesting. I'm an ExpressVPN subscriber (maybe I won't be much longer) and haven't had any problem using it on public Wi-Fi networks.


Same here with multiple different VPN providers. Once I get through the TOS screens I can activate the VPN and have no issues. At one hotel chain (rhymes with a moldy British cheese), I have to activate my VPN first since my DNS provider won't resolve their login page.


I've used VPN over literally hundreds of public WiFi...


> Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

No, with SSL and https now the default for 90%+ of the web, you can be sure no one is casually listening in.


> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

You're starting with the (completely correct) observation that any VPN is not guaranteed to be secure, confidential, or private, and then making an argument as though it were the case that every reputable VPN is equivalent to every untrustworthy ISP. I think that's why your argument doesn't make sense to me: I don't think there's an equal chance that a VPN provider with a good reputation is going to sell me out as my ISP.

It's axiomatic in risk management that there is no way to completely remove all risk. Running a proxy and Tor is not a guarantee of security any more than running the world's shadiest VPN is, though it's obviously more secure by far. But, it's a question of what the acceptable level of risk is, and what the marginal cost to reduce that risk is. For many people, a $5-10 (non-shady) VPN is a perfectly reasonable step to take.


What if you want a VPN to unlock location based content?


Circumventing geoblocking is legit, but don't tell people that VPNs are about "security".


They are, it's just in very rare circumstances (monitored public wifi + possibly unsecured connection, for example). Most people should do fine and thanks to https, public wifi is far less of a threat than it used to be (plus, some started blocking VPNs).


Essentially the only valid use of a VPN. That, or masking your location from other users online.

I find YouTube in my country is just filled with content being pushed because it's local to my country. Some VPN exit points have less local content pushing, which gives me more options. Eastern European content is really good, but also completely missing from American YouTube suggestions.


Also create a fuse between DMCA requests and your sole broadband provider if you do any torrenting.


Then either do without (because, come on, nobody's gonna die if they can't watch reality TV), buy it on disc, or pirate it? Netflix is blocking IP ranges so hard that residential space is getting caught in the blast radius. It's a cat and mouse game that you'll only win by refusing to play. https://torrentfreak.com/netflix-intensifies-vpn-ban-and-tar...


Some of us would like to get home country news besides the quite poor international channels, it is not always about Netflix.


I use a VPN to watch my local sports team - whose owner is currently in a contract dispute resulting in the team not being played on local tv.


To pirate it you need a VPN, in countries that have a surveilled internet and laws that enable suing file sharers. Germany for example.


What do you think the pirates who rip the content use to get it? There's not always going to be a local user to rip every single title.


I'm convinced that you can get most of the privacy "benefits" of a VPN with an encrypted DNS, which a pihole can be configured to provide for your whole home network.

Your ISP could still figure out which sites you are visiting by what IP addresses your traffic gets pointed to, but I'd be willing to wager that the bulk of their data collection for the purpose of advertising comes from logging DNS requests, since it is far easier to do and captures 99.99% of their customers habits.

This won't do anything to protect your IP from being sniffed out by media companies when seeding copyrighted torrents, but that has never been a major concern in my house. This is probably also meaningless if you are being targeted for surveillance.


idk mullvad seems pretty alright


It is - they know their market and they serve them well. One of the few VPNs that actually don't log traffic.

That said, I've had websites flat-out refuse me because of using Mullvad (not just because it's a VPN, but a supposedly "disreputable" VPN). Meaning blackhats love it. Meaning it works.


> One of the few VPNs that actually don't log traffic.

How can one be so certain that this is the case? The only thing that's for sure is the claim they do not keep any evidence. I don't have anything against this VPN, it's really just an inherent trust problem with any provider. You take their word for it and be smart/ethical enough not to have any sketchy activity when you use it because there's a pretty good chance logs are being kept.

I don't mean to make this personal to you but it's weird seeing a tech-literate crowd like HN act naive when it comes to VPN usage, based on arguments like "oh X is shady you should use Y instead, it's 100% private!".

My point being, don't expect that doing extremely dumb shit online means any service, no matter how reputable, that may aid you do so will have your back.


The only ones you can trust are the ones that have actively fought court orders. That is a reasonable show of certainty that they do what they say otherwise there are real legal consequences.


You still don’t know if they’re feeding your data to an intelligence agency or data broker.

For example, why wouldn’t China run a few top VPN companies — or at least compromise them? The benefit would outweigh the costs. So they shield you from piracy lawsuits and the like, they gain data to blackmail and compromise key figures later on.


Tor is practically unusable in 2021. Tor is blocked or is very difficult to use for a growing number of sites. Google is the big one (whether one should use google at all is a different story).

Plus ISPs can detect tor use by its customers just from packet patterns. I don't want to be flagged as a tor user by either my ISP or the sites I visit.

The only other option is to set up your own ISP either in a colo rack or on a cloud VM. That's going to cost $50-$100 a month plus your time fiddling with it and any network overages.


I think there’s been good criticism of your arguments so far and I don’t want to pile on; but I see _a value_ in commercial VPN companies.

I, a tech savvy person, have no issue creating an SSH proxy server in any country in seconds.

But I also make online video games, and the US sanction system means I must block people from accessing our services; even if they have a copy of the game.

They did nothing wrong, my company isn’t even US based: we just used a cloud provider and all of those are US based.

So, I encourage those users to use a vpn if one is available to them.


> If you think you want a VPN for "privacy", use Tor Browser.

What about Tor over VPN, so that your ISP can't see that you're using Tor? That is, the VPN hides your usage of Tor from your ISP and Tor hides your browsing from the VPN (and since many VPN services even advertise Tor support, its not like it would be suspicious, plus you can pay for many VPN's with cryptocurrency while I definitely can't hide my identity or location from my ISP).


> It's been clear for a long time that every single commercial VPN service is a waste of money.

This is nonsense. It depends entirely on your goals. It's important to me that my ISP doesn't know what I'm doing while I couldn't care less if my VPN provider does. I also need to circumvent geoblocking from time to time.


> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.

I'm not sure what country you live in, but in the US, all the big ISPs might as well be run by the government, at least when talking about privacy. Private VPN companies are far more trustworthy, all else being equal.


> Private VPN companies are far more trustworthy, all else being equal.

How? I don't see how being a VPN company as opposed to an ISP makes a difference in regards government seizure or request of logs.


I believe Mozilla's contract with Cloudflare to provide Firefox Private Network provides great value, and I've been happy with its service for quite some time. Mozilla and Cloudflare are both well known organizations, and Mozilla acting as a buyer's agent is a good position to be in.


These are the reasons why I use a VPN provider:

1. my threat model is not my government. It seems that the TLAs have thoroughly pwned our privacy for a long time now. (please note that I am in no way advocating for this mass surveillance, but I don't see that I have much choice in the matter)

2. My threat model includes my ISP. I am forced to use a scummy ISP who would openly steal my data if I let them. Same with my mobile provider.

3. My threat model includes the data thieves who have obvious business models built around selling my stolen data to the highest bidder.

4. My threat model includes black hats and script kiddies.

5. Do I trust my VPN provider? Eh. A little. For now. The thing is, I trust them more than #s 2,3,4 above. What other choice do I have?


I wouldn't say commercial VPNs are a waste. It depends what purpose you want to use the VPN for. Privacy? Yeah, maybe not the best for that, but these are extremely useful to bypass geoblocking of content. Moreover, many ISPs do not like you downloading content via torrent. How do you propose we solve it? User experience with Tor is not always the best either. The Tor network does not have lots of bandwidth. It is okay for browsing, but the moment you want to download something using Tor you'd notice that it's actually very slow. I'd bet my money that using Tor would attract a lot more attention from your ISP than using a regular VPN.


To make it slightly more expensive for the adtech industry to spy on all my internet traffic. I have little illusions that any tech measure whatsoever can thwart government entities.


It depends on your risk model.

We use a commercial VPN at our company because it provides a mechanism for traffic encryption for employees who might be connecting from insecure networks. Sure most sites use HTTPS but there is still some unencrypted traffic like CDN or similar.

It’s not a cure-all or some privacy guarantee, it’s just that for us, the risk of our employees' browser history being stolen by that VPN for some nefarious purpose is just less than the risk of information leaking via an insecure network.


The main reason that I (and many around here) use VPNs is to access sites blocked by the government. And these blocked sites even included Wikipedia until recently.


Mind you, Tor had basically the same issue a while ago: https://archive.is/4FMxm


The utility in a VPN is in travelling, not at home. I’m not sure if I trust ProtonVPN more than I trust my ISP, but I sure as hell trust them more than I trust the little hotel I stayed at in Brooklyn.

Long term I’ll probably just solve this by setting up a VPN server at home, so I can tunnel through to my local services and protect myself from wifi endpoints I use on the go.


Having an easily-replaceable IP address is also of some value in case someone tries to DOS you in IRC/game chat/etc.


> Why do we even give these companies the time of day?

My understanding is that most people use a VPN to either watch the foreign catalogs of streaming services or insert a third party in a foreign country to make themselves less tempting targets for random enforcement of copyright laws.

Obviously they don't advertise like this because these activities are illegal.


Tor is too slow and often blocked by sites. And how do you know if an exit node is a honeypot or not?

Mullvad VPN seems like the best choice.


> At worst, it's a government agency honeypot

Kevin Poulsen's book Kingpin, about the takedown of CardersMarket, describes how the FBI ran a VPN service as a honeypot for quite a while as part of the operation, logging everything that passed through it. As you say, it could be anyone on the other end of that connection.


https://www.doineedavpn.com enumerates legitimate use cases well I think.

> This site was conceived and built by IVPN to challenge aggressive marketing practices in the VPN industry.


> Hide geographic location

> VPNs do not effectively solve this issue. Most modern browsers can detect the geographic location of a device based on data from GPS, available Wi-Fi networks and GSM/CDMA cell IDs and will submit this information to websites requesting it.

Did I miss something? Even the ad-tech browser will ask the user before sharing that?


I block the Mozilla positioning trackers. They were getting over a million requests per month from my household. It’s just a regular API call from any website and doesn’t need any browser permissions.


> If you think you want a VPN for "privacy", use Tor Browser

So replace a VPN, which might be logging your traffic, with a service which absolutely is logging your traffic?

Tor is an anonymity service, not a privacy service.


What traffic does it log exactly, and who logs it? As I understand Tor:

- the exit node knows the second-to-last node, the cleartext data and the destination,

- each intermediate node knows the previous and next nodes,

- the entry node knows the sender and the second node.

And using HTTPS prevents the exit node from knowing the cleartext data.

This doesn't enable any individual node to know who sent what to whom, assuming that the whole path isn't entirely controlled by one person.
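As an added illustration of the per-hop view this comment describes (constructed toy code, not Tor's protocol or the Tor project's code: the hop names, the hard-coded keys, the SHA-256 keystream "cipher" and the HTTPS toggle are all made up for the demo):

```python
"""Toy onion routing: what each hop can observe.

Constructed example. The per-hop layers stand in for a real circuit's
encryption; the keys and node names below are made-up sample values.
"""
import hashlib
import json

CLIENT = "client"
DEST = "example.org:443"
# Constructed circuit: (node name, key shared between client and that node).
PATH = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
SERVER_KEY = b"key-tls-session"  # stands in for TLS: known only to client and DEST


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(path, dest: str, payload: str) -> bytes:
    """Wrap payload in one layer per hop; the innermost layer is for the exit."""
    layer = keystream_xor(path[-1][1], json.dumps({"next": dest, "data": payload}).encode())
    for i in range(len(path) - 2, -1, -1):
        inner = {"next": path[i + 1][0], "data": layer.hex()}  # still opaque to hop i
        layer = keystream_xor(path[i][1], json.dumps(inner).encode())
    return layer


def relay(path, onion: bytes, sender: str):
    """Each hop peels its own layer; record what it could learn in the process."""
    views, prev, blob = [], sender, onion
    for idx, (name, key) in enumerate(path):
        plain = json.loads(keystream_xor(key, blob).decode())
        view = {"node": name, "prev": prev, "next": plain["next"]}
        if idx == len(path) - 1:
            view["payload"] = plain["data"]  # exit sees exactly what the client sent
        else:
            blob = bytes.fromhex(plain["data"])  # ciphertext for the later hops
        views.append(view)
        prev = name
    return views


def run_demo(use_https: bool):
    """Send one request through PATH, with or without end-to-end (TLS-like) encryption."""
    request = "GET /secret-page HTTP/1.1"
    payload = keystream_xor(SERVER_KEY, request.encode()).hex() if use_https else request
    return relay(PATH, build_onion(PATH, DEST, payload), CLIENT)


def knows_sender_and_destination(views) -> bool:
    """True if any single hop sees both the client and the destination."""
    return any(v["prev"] == CLIENT and v["next"] == DEST for v in views)


if __name__ == "__main__":
    for https in (False, True):
        print("HTTPS" if https else "plain HTTP")
        for v in run_demo(https):
            print("  ", v)
```

Without the end-to-end layer the exit hop reads the request verbatim; with it the exit sees only ciphertext, and in both cases no single hop links the client to the destination.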


Everything you mentioned goes back to my point that it's an anonymity service, not a privacy service. Tor exit nodes don't know who sent traffic, but they do see all the traffic that passes through them.

HTTPS can mitigate some of that, just like it can for VPNs, but the site you're going to is still very much visible.

Don't get me wrong, Tor is a very useful service if anonymity is your goal, but it requires a solid understanding of what can go wrong, which torproject provides a decent list for: https://support.torproject.org/faq/staying-anonymous/


> HTTPS can mitigate some of that, just like it can for VPNs, but the site you're going to is still very much visible.

Not in a sense that defeats privacy, since the exit node doesn't know the sender.

With Tor and HTTPS, no Tor node sees the cleartext data, and no node can associate me with the server I'm contacting. That sounds very much private to me.

> https://support.torproject.org/faq/staying-anonymous/

I've read these warnings, but I don't see anything that would defeat privacy if Tor is used correctly.


With Tor the site you are going to is visible, but not who you are (there actually are some quibbles with this, but those don't seem to be your better argument); that someone--somewhere out there--is accessing a specific site doesn't seem to be particularly secret information. I think Tor might tend to use a single circuit for all of your traffic, which allows for correlations, but that is trivially fixable (you can hash the websites you are accessing to multiple circuits that egress with separate exit nodes, so you don't provide the attacker that information).


>If you think you want a VPN for "privacy", use Tor Browser.

Isn't using Tor Browser trusting a group of unknown people as well (nodes)? I hear theories all the time that Tor is a giant honeypot.


Diversification. Theoretically most of the nodes are owned by different people, and every connection will randomize your node list route between them, making it difficult to track, unless most of the nodes were owned by one organization. With VPNs, all of your connections are through servers owned by one company, identified by an account ID.


> If you want a VPN for any other reason that "normal people" think they want a VPN

As far as I can see, normal people are asking for VPNs to access Netflix catalogs of other countries.


Tor is almost certainly a government honeypot, but if you're just trying to hide from Google and other ad companies, it'll help. Except that it's cripplingly slow.


What assurances do we have that most Tor endpoints aren't compromised as well?


You are right that most people are just signing up with the same credit card and details as their ISP, and even if they claim they don't keep logs, the VPN needs to link the use of their service to your details for billing, just like your ISP.

That said, if you live in the UK the government logs your internet history to be used against you at their convenience. Using a VPN like mullvad.net that you can buy with bitcoin and no details prevents the government logging my history; that's worth the £5 a month.


Accounts can be completely decoupled from the payer. As long as the account is paid for, it should work. If there are no speed or time limits imposed, then why worry about who is using the VPN? If you allow a reasonable number of connections to the account at any given time, the rest shouldn't matter.


I'm not sure I totally agree. Sure, I don't know every single employee, but I use Nord because I like and respect Tom Okman [1].

[1] https://en.wikipedia.org/wiki/Tom_Okman


Making someone with a history of doing exactly the thing that a company purportedly stands against the CTO seems like an absolutely baffling choice... unless the company is doing that thing (enabling surveillance).

If I were to use a VPN service, this news would certainly disqualify ExpressVPN from my list of possible options.

I imagine that if I were working for a company like that out of belief in the mission that this news would be difficult.


In the field of legal representation oftentimes the best defense lawyers that specialize in defending against federal probes and investigations have years of prosecutorial experience leading those government teams.

That idea of insider knowledge turned to the client's benefit might be utilized here - but yes it is a bit less comforting in contexts where the legal duty to client does not apply.


If that was the case I would expect it to be disclosed. The reason there is a reaction from customers and employees is that they were not forthright with this info.

Besides that, I think Kape is highly suspect, and the whole VPN space is filled with marketing of false promises and FUD.


Get a VPS, they are actually cheaper than VPNs (if you only need one country location).

You will have one single IP and you won't share an IP with hundreds of other people, thus avoiding being flagged.

I have never been blocked from a site when using my VPS, including sites that otherwise block VPNs. I think they don't care, for whatever reason.

Doesn't mean they can't know, they will, but they seem to not care?

Some websites might do.

The only way you can get a completely "native" experience is for someone to set up a VPN on a computer connected to a residential connection in the country you want to appear in.


The problem is a VPS isn't anonymizing because your traffic isn't pooled with others. So if your goal is to bypass geoblocking, etc. then sure a VPS is a good choice. If improved anonymity is what you're after then a VPS isn't going to do that.


Popular VPS hosts like Digital Ocean, Linode, etc are all going to smack you down if you do anything remotely fishy on their networks. They have to have a pretty good idea of what's happening with their VPS systems, and I've seen them (DO/Linode) smack down everything from specific VPN connections to web scraping.

If you're going to use a VPS for anything remotely sketch you probably don't want to go with a reputable provider - they're reputable for a reason.


> specific VPN connections to web scraping

What strange ToS clause would those fall under? I skimmed the DO ToS and found nothing, while they also have a separate page promoting the deployment of your own VPN:

https://www.digitalocean.com/solutions/vpn/


A lot of people in the cybersecurity industry are solely motivated by money. This is an egregious case. In milder cases, I've seen US SaaS cybersecurity providers being casual about customer protection, only caring if it starts hitting their reputation. Protecting people's privacy is much lower on their list of priorities. Human rights activists, and other vulnerable people of human-rights-abusing regimes - they're not even on the horizon.

He must've made a nice packet of money. Must have taken care of his retirement - the company's even promoting him. Some citizen's family is now at risk, or already imprisoned without a legal process. This must've come as a shock to the Human Rights community. VPN usage is universal there. And this is the tip of the iceberg - surely we know how fine of a dragnet the FBI has. Iran, China, Saudi Arabia, UAE, there's a long list of nations that'd like to snoop on their own people wherever they may be living. Like someone said, Tor is the way to go (tails).


I can't believe that employees and customers are falling for the Big Lie technique. "Yes, our CTO is an ex-spy that we never revealed, but he's totally not doing it anymore! We promise!"

Honestly, how stupid do you have to be to believe this?


> It [ExpressVPN] said it had not known of the federal investigation or the details of Gericke's work in UAE

Seriously?

So either he lied or they are lying. I'm not an expert in American employment laws but would have assumed that one of the conditions of employment would be disclosing/reporting being under a federal investigation.


You don't have a legal duty to tell a prospective employer anything. The burden is on them to perform any background checks, if they want.


I think there's a potentially valid argument in saying "who better knows how to protect us from these people than one of their own?". It's perfectly valid to doubt their motivation (and I do), but there's a reason defectors are valuable.


For any company, ask why they'd actually care about doing the right thing.

Is it reputation? Integrity? Is the reasoning purely financial?

Then ask whether the company operates in a way that suggests they'd do the profitable thing over the right thing if they think they might get away with it. Does that picture look realistic?

As an example, look at Apple. Leaving the tangential discussion about scanning iCloud photos for CSAM aside, they are a company that claims to care about users and about privacy. Whereas every other company is literally trying to send all data to the cloud, Apple is telling us they're working to process everything they can on the device itself.

What would happen if they were caught selling location data? Caught allowing companies direct access to data aggregated from users that they explicitly say they're not collecting? They'd stand to lose literally many billions of dollars of sales because the thing differentiating them from everyone else would be erased.

Which is greater - those billions of dollars of sales as a premium device maker, or those scraps of money they'd make from underhandedly selling data?

Now look at the same scenario but with Facebook, or Google - is it the same? No, because we have no realistic expectation of privacy with either company. They're in the news quite often because they're doing nefarious things, allowing access to data most people didn't even know they're collecting, yet people aren't really doing things differently because of the news.

Imagine the same with companies like ExpressVPN. How much would a disclosure hurt them? How much money could they possibly make by selling private data? Do they employ the kind of people who'd take the gamble between the two?


Just look at Proton Mail removing the "We don't log IPs" claim from their website last week after it emerged they are forced to log IPs.


This is a bad faith argument.

Proton logged IPs in response to a Swiss court order and handed over that data after the order was received. They do not log IPs otherwise. And bear in mind, the specific request in question here had the involvement of the French state as well.


How is this a bad faith argument? Proton's claim was they didn't log IPs and then it turns out that in certain cases they do – regardless of the reason, they reneged on their claim.


Because the way it was phrased might imply that Proton had always been logging all IPs, despite their claim, when in reality the breach was of a much smaller scope than that. They only logged IPs for a particular user after a particular legal demand was made, and not otherwise (as far as I know).


Their original claim was that they don’t log IPs by default, not that they don’t log them even when required by law.


I have never in my life met anyone that has an iPhone or a Mac because Apple is processing everything on the device itself. People have iPhones and Macs for two reasons: iMessage, and because Apple is a premium brand that even the richest of the rich use. The money Apple would lose if they started mining your data like Facebook would be indistinguishable from random noise.


I am in the Apple ecosystem primarily for privacy reasons. We exist.


Privacy online or anywhere is an absolute psyop. Everything is logged, recorded and stored. Every website visited, every email opened or sent, every text message sent or received. No matter who the company is.


They're not at the level of Facebook and Google, but they still mine your data. You've gained nothing.


I'm more comfortable with Apple's decisions than some on Hacker News, so take this with a grain of salt... but the difference between what Google/Facebook does and what Apple does is a difference. It may not be as vast a difference as Apple claims, but it's also not nothing.


Decentralised VPNs are the future.

Edit: https://dvpnalliance.org/


Any reason Orchid isn't a part?

https://www.orchid.com


Ok, so there doesn't seem to be any benefit to this "alliance", so I am personally not sure why anyone is a part of it, much less us ;P... but like, frankly, "to be real about this" for a moment, the Sentinel community is so actively hostile--in a kind of nasty "personal" way that involves stuff like them "bullying" (their term) people who work at Orchid or posting memes constantly of stuff like Sentinel users as soldiers marching through the bloody carcasses of dead Orchid defenders (somewhat hilariously to me one of their favorite images for this is a specific re-drawn painting that I can't imagine they know the origin of, as I would not want to be affiliated with those particular attackers)... and like, this is in addition to adamantly insisting false things about our project (such as that we somehow aren't open source?! we literally do all our development in public and have GitHub CI doing reproducible builds of all of our assets!)--that there is very little interest in having any involvement with them (particularly so given the lack of any real benefit to this alliance).


I have no idea and wasn't even aware of its existence. I have no affiliation with either dVPN Alliance, Mysterium or Sentinel but I have used both of the latter two as well as Privatix. Mysterium is my go to choice but there's an issue with split tunneling which prevents me from using it right now.


FWIW, I do not believe that either Sentinel or Mysterium (though I don't bother looking at their product often; I am very confident about this for Sentinel, though) currently have any support for "multiple hops" through VPNs, and so for the complaints people are talking about here I would consider them "somewhat actively dangerous".

(To be fair, Orchid has for some reason decided to hide multiple hops behind an advanced settings panel currently; I feel like this must have been some kind of miscommunication internally, and I annoyingly-to-me don't directly do the development on the front-end app; but it is supported, if slow.)

Like, if you want to, right now, you can run a Sentinel node... and then you just get to "be the spy" and collect all of the information about the users who select your node. They claim this isn't possible, but that makes no sense and I can tell you from first-hand experience that it is... they seriously seem to think that because their code is distributed using a docker container that no one can either edit its behavior or add logging around it? It is really awkward, actually :(.

And, worse, part of the goal of these "decentralized VPN" projects is to let you not care so much about which node you are using... which means that, over time, you are likely to eventually use an attacker as your exit node (which is actually somewhat intrinsically "dangerous" anyway, even with multiple hops, as, if you allow any non-authenticated--in the cryptographic sense of that term--traffic to go through your tunnel, as even with multiple hops the final node can edit the traffic).

(I am very curious, BTW, what your specific use case is with split tunneling that isn't being supported currently by Mysterium.)


The machine I tend to use for connecting runs headless and a recent change in Mysterium has made it so that once I connect to their network I'm disconnected from that machine on the local network. Not sure if it's a feature of split tunneling that normally allows this behaviour. I might have my terminology wrong.


Ah ha! Ok, I wouldn't have called that split tunneling myself (but maybe I should have: I am totally willing to believe that I should). (That same issue happens with Orchid's tooling by default--on a desktop it is somewhat easy to fix with another manual route, which you can probably also use with Mysterium, but on mobile as a user you don't have many options. I was actually going to be fixing that for our next update because one of our key people told me they don't run it on their phone because of this; in his case, it disconnects his phone from his baby monitor.)


I gave the manual route a go with Mysterium but it didn't help. Thanks for the tip anyway. I'll wait until they've fixed the issue. I'd try out Orchid but I can't see a Windows client.


Does Cloudflare WARP not work?

Or AWS self hosted VPN?


I think WARP is a great value proposition for the use case of avoiding ISP sniffing. I use Firefox Private Network which leverages WARP, and as an added bonus, does not disclose my IP (unlike plain WARP).


All these companies seem to have a different understanding of what business ethics are.


If you don't like your job you can always quit. Something I don't get is present employees denouncing their employer while expecting to keep their job.


You can use https://satoshivpn.com if you want to be anonymous. You get access to your own private server, and user registration is not even possible.


No team disclosed, no ownership information, no real privacy policy, no real terms of service, no info on infrastructure and provider partners, promises "complete privacy" and "anonymity" (as if attainable, especially with no traffic mixing and BTC payments)...

Don't trust services that promise things they can't deliver and you cannot vet properly.


The list of countries they offer endpoints in is not encouraging.


I can choose between 800 and 1200ms of latency, lucky me.


Private server? So all of your traffic comes from the same IP? That defeats the purpose of the VPN.


The use cases for a single IP not associated with your person are numerous: avoidance of ISP retribution for your use of certain network connections (i.e. torrenting), avoidance of direct targeted attack, avoidance of geofencing, avoidance of censorship by IP location, as a few examples. All the better if the private static IP can be changed on demand and adjusted for location.


Does the IP on the instance change on a regular interval? Or do you have to request it? I use VPNs to protect against tracking. If the IP is mostly static then using it as a defense against tracking is useless.


> IP Refresh

> Does the service limit your usage of a single IP address?

From the linked page, listed as a yes in the features list.



