What The Hell Is A VPN?
Jan. 3, 2019
Virtual Private Network. Honestly, the spelled out name might be even less useful than the initialism. What the hell is a virtual network? I guess privacy is good, right? Again, I have to be clear, I'm not a networking expert. I'm just a person that makes stuff on the Internet. Still, I'll do my best.
Let’s imagine for a moment that we’re some bigwig executive. Every day, we leave our office building and walk down the street to the nearby bodega and buy a sandwich for lunch. This practice is sort of like normal internet usage; when you want to look at, say, Wikipedia, your computer directly asks your ISP for Wikipedia’s address, and then asks the computer at that address for Wikipedia’s homepage. It’s very simple, but it’s also not very private. What if we don’t want our ISP to know every address we’re looking for? What if we don’t want Wikipedia’s server to know who’s asking for its homepage?
More to the point, what if we don’t want everyone in the office to know that we like eating at Papa John’s every single day? Well, our first approach might be to introduce a single layer of obfuscation; instead of going down to said greasy fast food court ourselves, we can ask our assistant to do it. This is called a “proxy”. Our assistant can buy our lunch for us, acting as our proxy. Sure, now it looks like Michael goes to Papa John’s every day for lunch, but he can always say he’s buying for someone else.
This is a little better, and might even work some of the time, but it’s not foolproof. Michael is, after all, our assistant. It wouldn’t take all that much investigation to find out that he was buying lunch for his boss. But the great thing about proxies is that if enough people use them, it becomes very difficult to figure out which sandwich is going where. So all we have to do is get all of our food-embarrassed co-workers in on the plan. Now Michael is taking 5 or 6 orders for lunch every day. It’s not always for the exact same set of people (sometimes people have meetings, or are on vacation, etc.), so it becomes very difficult to figure out whose order is going where.
We’re very close to creating a totally private lunch-purchasing system. There’s only one remaining issue: in order to keep all of the orders straight, Michael has to write them down. That means anyone who looks at his notes can still see who ordered what (the horror!). So, like any sane person deeply concerned with their lunch order privacy would do, each executive develops a secret code with Michael that only he knows. Now even if someone snoops on Michael’s notes, they’ll learn nothing but gibberish. This final step is called encryption.
This bizarre lunch system we’ve cooked up is actually very much like how a VPN works. Requests from your personal computer are encrypted and sent to the VPN, which makes requests on the internet on your behalf, along with all of the other VPN users, and routes them back to you. Once the VPN connection is set up, internet usage appears exactly the same to the user. So what actually changes?
Some things don't change at all. If you're logged in to Facebook, for example, Facebook still knows every website you visit with a "Like" button. If you give a company your phone number, they'll still likely be able to learn a huge amount about you from all of the other companies you've given your phone number to.
But some types of spying become all but impossible. Your Internet Service Provider (or ISP, like Comcast, Verizon, Time Warner, etc.) can no longer see which websites you visit, or how often you visit them. Various government agencies, domestic or otherwise, can't trace Internet traffic back to your personal computer, because everything seems to be coming from your assistant, instead of you. Man-in-the-middle (MITM) attacks of the kind where the owner of an access point (like a Starbucks WiFi network, for example) intercepts your request and steals information like credit card numbers no longer work, because every request leaving your device is encrypted in a way that only the VPN can read.
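Here is the who-sees-what breakdown above as a small Python model (an added example, not part of the original post). The addresses, the cookie and `toy_cipher` are made up for illustration, and the cipher is only a stand-in for the real encryption a VPN uses.

```python
import hashlib
from dataclasses import dataclass, field

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream. Stand-in for real tunnel crypto; not secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Observer:
    name: str
    seen: list = field(default_factory=list)  # everything this party could record

# Constructed sample values: documentation IP ranges, a made-up site and cookie.
CLIENT_IP, VPN_IP = "198.51.100.7", "203.0.113.50"
SITE = "wikipedia.example"
KEY = b"secret code shared only with the VPN"
REQUEST = b"GET / Host: wikipedia.example Cookie: session=alice-123"

def browse_direct(isp: Observer, site: Observer) -> None:
    isp.seen.append((CLIENT_IP, SITE))           # ISP learns which site we asked for
    site.seen.append((CLIENT_IP, REQUEST))       # site learns our own address

def browse_via_vpn(isp: Observer, vpn: Observer, site: Observer) -> None:
    sealed = toy_cipher(KEY, REQUEST)            # encrypted before leaving our machine
    isp.seen.append((CLIENT_IP, VPN_IP, sealed)) # ISP carries gibberish to the VPN
    opened = toy_cipher(KEY, sealed)             # only the VPN holds the key
    vpn.seen.append((CLIENT_IP, SITE, opened))   # the VPN sees who asked for what
    site.seen.append((VPN_IP, opened))           # site sees the VPN's address, and
                                                 # still gets our login cookie

def run():
    """Return (isp, vpn, site) observers after one request through the VPN."""
    isp, vpn, site = Observer("ISP"), Observer("VPN"), Observer("site")
    browse_via_vpn(isp, vpn, site)
    return isp, vpn, site

if __name__ == "__main__":
    for observer in run():
        print(observer.name, "saw", observer.seen)
```

The VPN's own record is the only one holding both our address and the site we asked for, and the site still receives the cookie that says who we are.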
Sounds Great, How Do I Get One?
Great question! There are a few important things to consider when choosing a VPN provider.
From a security standpoint, there are two very important features to look for. The first and foremost is to choose a service that is not based in one of the 14 Eyes Countries. During the Cold War, a number of countries (starting with the US and the UK) entered into contracts agreeing to share intelligence with each other (and often conveniently circumventing laws forbidding them from spying on their own citizens). The countries include Australia, Canada, New Zealand, the United Kingdom, the United States, Denmark, France, the Netherlands, Norway, Germany, Belgium, Italy, Sweden, and Spain. A large number of these countries (notably the US, UK, and Australia) have laws that allow them to force companies to retain data that they obtain from users and hand it over to the government. Simply put, if the idea is to keep your internet usage private, it’s best to avoid anything to do with these countries.
The other important security feature is a “no logs” policy. VPNs allow you to access the internet via a proxy, which keeps your information out of the hands of organizations you might not want to see it. However, it also hands that information directly to the VPN provider. If that provider turns out to be a bad actor, giving them your Internet history directly could be even worse! A no logs policy is a promise by the VPN provider not to store any information about its users’ Internet usage.
There are other, more practical features to consider as well. Bandwidth, uptime, number and location of servers, and number of simultaneous connections could all be important. Some services additionally offer features like proxies, Tor over VPN, dedicated P2P servers (for torrenting), etc. If these mean nothing to you, that’s fine, too. Most likely you’ll care the most that your Internet usage appears normal; that is, that there are no slow-downs and you can use all of your devices. Most paid services will meet these requirements nicely.
Alright, Alright, Gimme A List Already
I use NordVPN. It’s located in Panama, which has no data retention laws, and they’ve recently had a third party audit to verify that they were properly keeping their “no logs” promise. If you really want to, you can pay with Bitcoin and never provide them with any identifying information. They also have well over a thousand servers for various purposes, and very nice, frequently maintained native apps for every operating system and computing platform. They also allow up to 6 simultaneous connections, which means I can have all of my and my SO’s devices connected. Honestly, I love it.
If you want to do some more research (and you should!), bestvpn.com, despite the uninspired name, is a good place to start. Ignore the temptation to use a “free” VPN; if they’re not charging you for usage, they’re almost certainly selling your Internet usage data to make money (how else could they afford the server maintenance?).