The Pros And Cons Of Using A VPN
You don't know and can't know if you're being watched. The point is that you could be.
Since long before the Wikileaks and Edward Snowden events, credible information had trickled into the public eye about governments' electronic surveillance of citizens. Do some reading on ECHELON. Look up Carnivore and its less threateningly named successor, DCS1000. The technology to monitor your online communications is real; only the knowledge of whether those communications are being collected and examined remains in dispute. Of course, that's just the government. The question of whether and how much companies, from your ISP to discount retailers, examine your activities is a whole different can of worms.
Your privacy is under threat. That may not be an immediate reason for alarm, but if the thought makes you uneasy, you may want to turn to a virtual private network (VPN) service for help. Like most things, there are good and evil ways to use a VPN, and even the good ways may not always be legal. We're not here to judge or advocate, only inform. In the following article, we'll examine the technology of VPN services, assess their role in today’s world, and examine a few of the market’s top subscription-based contenders.
Nuts, Bolts, And Why You Want A VPN
You know that the public Internet is not secure. It's like a public highway system. Any compliant traffic can hop on or off at will. To see what's inside of a car, all you have to do is look through the windows. A LAN is a private network, like driving inside of a gated community. Consumers, with their basic home routers, typically implement just enough security to deter curious onlookers -- a wooden fence, if you will. Businesses employ more serious measures, with dedicated firewall appliances, IT staff trained in security practices, and so on. LANs are essentially pockets of security dotting a landscape of open, insecure data traffic.
Many years ago (and to a lesser extent, still today), companies might opt to install a leased communications line from a provider, such as a T-1 or ISDN line. This provided a new, private road between two points. In most cases, though, a VPN offers a drastically more cost-effective approach. A VPN is a sort of secure tunnel between a client (PC, laptop, tablet, etc.) and a LAN. The traffic between those two points still travels across the open Internet, but encryption provides a sort of shroud around the connection. Those who want a peek can't see inside the connection, and even if they manage to break in, the traffic packets are still encrypted and thus gibberish when examined.
Additionally, by manipulating the header information in your packet stream, an intermediary VPN service replaces your computer’s IP address with its own. If that VPN service's server happens to be in a country other than your own, then it appears as if you are generating traffic from within that server’s country. Illicit uses of this location spoofing abound, but think of it this way: You want to get hired by a company that is only recruiting from the town next to yours. You're willing to accept the commute to get the job, so you convince a friend in the neighboring town to let you send mail from his address. You correspond with the employer from this second address, get the job, and the employer is none the wiser. (Whether you get busted and fired in an audit later is a different story.) Is this how people get around regional DRM restrictions for streaming content? Sure. Every day. It's illegal, but it happens. To be fair, this is also how people in oppressive, Internet-blocking nations manage to receive exposure to the outside world. For one recent example, check out VPN provider TorGuard's blog post on China's recent blocking of Gmail service.
Legitimate and semi-legitimate scenarios for VPN use abound. What if you're a student whose college requires a secure connection to the school's costly subscription databases? What if you're using BitTorrent to download legal content (of course) but don't want to run the risk of getting accused of downloading something you may not have intended? What if you're an American paying for a music streaming service and you travel abroad for a month to a country that restricts your content? (Note that streaming service providers, such as Netflix, may be getting more aggressive about limiting geoblocking work-arounds.) And naturally, there's always the pursuit of privacy and shielding your traffic from everyone simply because that's your right. As we said, VPN technology can be used for good or evil, and deciding which is which may be a matter of perspective.
VPN Or Proxy?
Often, the terms "VPN server/service" and "proxy server/service" get used interchangeably. That's not quite accurate. While both are similar in function, their differences can decide which is better for your given needs.
A VPN is essentially a secure wide area network (WAN) comprised of two or more end points, at least one of which will be a server. VPNs use any of several protocols to perform their tunneling; PPTP, L2TP, IPSec, and SSL are the most common. (It is beyond the scope of this article to talk about the inherent advantages and disadvantages of each approach, but there are plenty of resources for doing so.)
VPN technology is cheap, but it still suffers from the same congestion and latency issues as the public Internet because, after all, it's on the public Internet.
A proxy server acts as a middleman, fielding requests from clients requesting resources from servers. If you've seen Galaxy Quest, you might recall how Sigourney Weaver's character would field requests for information from the captain and then convey them to the ship's computer system. Then, when the computer supplied an answer, Weaver would repeat it back to the captain (even though everyone could hear the computer first-hand). Weaver was acting as a proxy server. In real world computing, the client (the captain, in our analogy) wouldn't be in the same room. The end server can only see the proxy server and has no idea what client is doing the requesting, thus preserving anonymity.
"A VPN provides the highest level of privacy because it applies encryption to the entire session, protecting all applications that access the Web," notes Jason C., a TorGuard administrator. "A proxy simply tunnels the traffic with no encryption. However, it can be applied to specific applications that support proxies."
According to Ted Kim, interim chief operating officer of London Trust Media, maker of the Private Internet Access VPN service, all software will work with a VPN service. This is not true of a proxy service. The latter will take your request, perform any necessary processing (such as authenticating your user status), then send out your request as if it were its own. If a software application is written to work with this forwarding arrangement, then all is well -- and many do. Most Web browsers, Torrent clients, and so forth work very well with proxy services. But proxy forwarding falls flat when, for instance, needing to mask DNS requests such that they appear to come from another country. Proxying also struggles with games, VoIP, and other traffic types that flow just fine on a VPN.
"A VPN service adds a virtual network adapter that your PC is then told is the primary network adapter for the computer," explains Kim. "All traffic, whether it's designed to be proxied or not, will go out on the VPN to your end-point. This allows for traffic such as DNS, gaming, and VoIP to be routed out via that network with surprising ease. Our servers then take the traffic, anonymize it, and send it out to its destination. The client can relax in security, knowing there’s no identifying information about their personal IP address visible to the end-node at the network level."
Compatibility aside, the critical difference between these two service types generally boils down to security. Proxy services do not tend to be encrypted; VPN services do. With encryption in place, your ISP cannot see what is happening within your VPN connection. This may not be the case with a proxied connection. Caveat emptor.
On the other hand, encryption can slow things down, and therefore proxy services process streaming media and file downloads faster, TorGuard founder and CEO Ben Van Pelt tells us. Also, he adds, "a proxy server can be configured to provide IP masking for a single application or device that may not normally support VPNs."
For the ultimate in privacy control, you can use a technique called layering, or using both a proxy and VPN. This helps "prevent against accidental disconnects or IP leaks," Van Pelt says, adding that TorGuard provides discounts to customers who add connections.
Can You Trust The VPN Service?
VPN services can shield your identity from service providers, but can the VPN providers themselves see your identity? If so, can they be forced to turn it and your activities over to authorities when legally demanded to do so?
"We try our best to ensure that proper legal process is followed for all law enforcement requests," says London Trust Media’s Ted Kim. "Further, we do not know your IP address nor ask for any other private information about you when you sign up at Private Internet Access, except for an email address to confirm your account. While service providers may have your specific IP address, the systems Private Internet Access has in place make it virtually impossible for a service provider to prove a particular IP address definitively accessed a separate destination point through our network."
What about situations where a new deanonymizing tool arises, such as the brouhaha that blew up recently over Cisco's NetFlow being able to identify Tor users with disturbing proficiency?
"IP traffic is very difficult to trace, but, given sufficient resources it can be done," says Kim. "However, there are ways to stay more anonymous and therefore be untraced if, by the same token, sufficient resources are deployed to anonymize oneself."
A note about privacy: TorGuard CEO Ben Van Pelt notes that one of the big misconceptions about privacy is the assumption that those employing it must be hiding something. "This statement couldn’t be more inaccurate," he says. "If this was true, then I assume just because you are a law abiding citizen there should be no problem with installing a camera in your shower. Privacy is an essential human right, one that reinforces our very own humanity through dignity, freedom of speech and freedom of association."
Key Purchasing Considerations
All VPN services are not created equal. If you're in doubt on this point, try paid and free VPN services side by side and look at the differences in advertising, performance, and privacy policies. You do get what you pay for. Apart from obvious factors such as price and a user-friendly interface, you will want to compare subscription VPN providers based on several criteria that matter most to you and your applications. We recommend at least investigating the following variables.
Personal Data Retention
For many users, this may be the most important criterion of all. You're not truly anonymous if the VPN provider logs your identity and activities. A VPN provider that takes privacy seriously should get right in your face with assurances and details about how they do not monitor traffic, record session activity or IP addresses, or even capture time stamps. This way, if the government or other authority should come knocking, the VPN provider will be largely powerless to sacrifice the user's identity or actions because no record of such doings exists. For instance, TorGuard has gone on record saying that the best (or worst, depending) it can do in the face of a DMCA notice is to filter specific content. This is generally sufficient to appease bandwidth providers.
Supported Client Diversity
With so many apps migrating to the cloud, it's easy to forget that some software, including VPN clients, needs to run locally. Thus you'll want to check if your devices and OSes are covered. Windows, Mac, Android, and iOS versions should be a given. Dig deeper to find out about Linux and unconventional platforms, such as smart TVs and game consoles, if these apply to your desired use.
Total Number, Speed, And Location Of Servers
All other things being equal, more servers is better. You want fast servers, and you want them as close to your client as possible to help reduce latency. You also want a provider with a relatively low per-server load count, since a customer base hammering only a handful of servers will naturally lead to congestion and paltry bandwidth allocation. Also be aware that secondary market servers may not offer the same bandwidth speeds as those in primary developed nations. Backbone and trunk speeds will vary widely. Know your bandwidth needs and run speed tests accordingly.
Supported Ciphers And Protocols
Security buffs will likely know the difference between OpenVPN, AES-256-CBC, SHA3, and plenty of other protocols, ciphers, and hash algorithms. VPN providers may offer users a range of ciphers from which to pick for their connections. If this matters to you, check out your prospective provider’s list of supported algorithms.
Hopefully, you're running anti-malware software on all of your clients, but some providers will offer additional security by running anti-malware scanning on their traffic.
Accepted Payment Methods
Obviously, credit cards can be tracked and represent a privacy weakness. One path around this is to use pre-paid cards, which require little more than an anonymous email address, but this can be a hassle. You may want to inquire about alternatives, such as PayPal, Bitcoin, Plimus, and even cash. Keep in mind that PCI (payment card industry) requirements (if your provider is PCI-compliant) prohibit the storing of payment data with customer records, but that doesn’t bypass the fact that providers need some way to record payments to user accounts for simple accounting. However, knowing that you paid for a service in no way indicates what you did with that service.
VPN Location, Location, Location
The discrepancy between VPN server location and IP location can be jarring when you first encounter it, as we did. To the uneducated eye, it seems to be a case of bait-and-switch. But is there more to it? We asked the crew at IPVanish and received back this admirably thorough reply from its Digital Community Team:
Geolocation, the method with which websites determine the location of someone accessing their site, is a service provided by third-party entities wherein the website provider purchases access to a database that supposedly has the latest, most accurate information. When someone visits a company's site, the company just references that IP against the database, and the result determines what you see. In these cases, it is important to note that for all VPN providers:
A geolocation company is allowed to misrepresent the actual location, and there is no current legal course that can be taken to have that corrected.
Owners of websites often pay once for a copy of the database, and, to save money, do not pay for regular updates. Thus in the event a correction is made, there is no guarantee that it will affect that website.
Most geolocation providers use crawlers to see what IPs regularly access a server with their database and correlate that with the content being accessed (among other things). They use this automated method to determine a location.
If they get enough conflicting data, providers will simply put the IP address in the middle of the ocean and call it a day. Other times, they will just correlate it to the greatest similarity and determine location based on that. Take, for example, our Atlanta c-server. Some providers say it’s in Blountville, others in Bloomington, others in Stone Mountain, a few actually in Atlanta, and a few that have us in the middle of the ocean.
Ultimately, we have to ask ourselves: What can you do when you physically purchase a server that is physically hosted in a location but others decide that they don't want to report it accurately? To date, and every month going forward, we go through the process of requesting corrections from the affected providers. All of them have a threshold of "if we get X-number of requests from the same people within Y-number of days, we will permanently ignore them." So we have to be careful of that, as well.
That's where we are at with this issue. I apologize for any inconvenience, but you can rest assured that it’s a thorn in our side, too, and we are continuously trying different ways to get our servers reported correctly by these companies.
Tom's Hardware VPN Ratings: You Be The Judge
Tom's Hardware would like your input on the top VPN services. Specifically, we would like you to rate the services you have experience with as a customer and tell us what you like and dislike about them. Our plan is to use your ratings when we review some of these services ourselves.
We are going to follow up this article with an assessment of four of the leading VPN players. Depending on the volume and quality of written feedback, we may even use your commentary within our upcoming VPN article.
The idea here is to augment our own experience with that of the Tom's community in order to present some of the diverse feedback we often get. We aren't looking for full-fledged reviews here, just a 1-5 star rating and short comments on what you like and dislike about the service. Most important, please only rate the VPN services with which you've had direct experience.
We also realize that our list represents only a handful of VPN services, so feel free to add the VPN service you'd like to review in the "Other" box. Thank you in advance for helping out. You're not just helping us, but inevitably also other Tom's readers.