VPNs May Not Be As Safe As You Thought
The internet is a much more secure place than it once was. Everything online — from banking services to online shopping and social media platforms — is encrypted. But the internet is also much less privacy-friendly than it used to be. Advertisers follow users around the web, tracking their moves across different sites and devices. The data collected from this intrusive mining is either used for targeted advertising or sold to brokers. Luckily, you can stop some ad personalization.
Here's where the recent VPN boom comes into play. VPN services have grown into a multi-billion dollar industry, built on bold promises of better safety and security from prying eyes (via Statista). Their marketing typically promises to anonymize users, hide them from prying eyes, and secure them against malicious hackers, but VPN services aren't the magic solution the companies would like you to believe. Commercial VPNs can actively compromise your security and privacy in some ways — in fact, outside of a few scenarios, you might not need a VPN, and that's not even touching on the issue of common myths about the technology.
How does a VPN work?
Virtual private networks (VPNs) work by creating a tunnel for your internet traffic. On one side of this tunnel is the user's device, and the other end opens into the servers that the VPN company operates, ones that may be located in a different part of the country or world. Traffic relayed through this tunnel is shielded from your internet service provider (ISP) and it shields your actual IP address so that the recipient only sees the VPN server's location (via CR Digital Labs).
Before commercial solutions arrived on the scene, VPNs were often only found in corporate and school settings; they let employees and students connect to the company's or school's network via secure tunnels, keeping sensitive data and accounts safe from the public internet. Modern consumer VPN services work on the same principle, but instead of keeping data contained within a secure network, they route your entire body of network traffic through a tunnel to their own servers and then send it out to the public internet. Unfortunately, this detour doesn't necessarily serve your privacy or security needs, and the tunneling doesn't even work perfectly for all devices at all times.
VPNs cannot always keep network traffic secure
Your data can leak out of the VPN tunnel, revealing your IP address and DNS queries. That's called DNS leaking, where instead of rerouting the requests to the VPN provider's servers, the DNS requests go straight to your ISP. DNS is a system that tells your computer the relevant IP addresses for websites — so, in effect, logs of DNS requests can reveal which websites you visit. The same can happen with your IP address if the operating system sends a request outside of the tunnel (via OverEngineer).
Apple devices running iOS are particularly vulnerable to this bypassing. Once a tunnel is established, all existing connections are supposed to be reset, and then they're encrypted through the VPN. But iPhones or iPads don't allow VPNs to tunnel established connections, which can stay open and continue to leak your real IP address for minutes or even hours, according to ProtonVPN, which first reported the issue in 2020 and most recently updated it in August 2022.
Because it's built into the OS itself, any app can bypass the VPN, and only Apple can provide a fix, of which no suitable one has been provided, according to Proton. Even if the VPN is working just as it is supposed to, there's no guarantee of privacy. The tunnel opens into the VPN servers, so the vendor can see and track everything you're doing online.
VPNs can compromise your online privacy
While most commercial VPNs promise not to keep logs, there's no way to verify those claims. You're simply shifting trust from one party to another (from the ISP to the VPN). Some popular VPN companies have been known to hand over logs when requested by authorities, despite supposed no-log policies. VPN apps can also leave logs on your device, which sometimes contain usernames and email addresses, as noted in CR Digital Labs' report. The Indian government even forces commercial VPNs to store usage logs linked to their customers' real identities (via Entrackr). Although not as aggressive, other governments also have data retention policies.
VPNs cannot keep you safe from advertiser tracking, either; they can mask your IP address, but modern data collection is far more sophisticated. At any rate, IP addresses cannot pinpoint your location. Tracking based on IP addresses usually marks your ISP's infrastructure, often located hundreds of miles away from your area.
Instead, companies leave cookies on your device that track your activity all over the web, create unique fingerprints for targeted advertising across devices, and track location via GPS. The cluster of information generates a hyper-detailed ad profile linked to you. VPN companies also have to work with third parties to, say, handle notifications or process payments. And they have to share your information with those parties — some vendors are more transparent in their sharing policy than others, but the majority give third parties access to user data, CR Digital Labs explains.
You probably don't need VPN security
VPN providers also promise to encrypt your network traffic, which is true, but it's not the kind of encryption you would think of right away. The data sent across the tunnel really is encrypted, but once it leaves the tunnel, it enters the public web (the same way your ISP would have thrown it out). So while they are secured, the packets will be decrypted if the next endpoint on the public internet isn't encrypted.
Fortunately, you will rarely run into an unencrypted connection on the web. Remember that the internet is much more secure than it used to be; more than 98% of the websites are encrypted anyway — in fact, Google tends to de-rank sites that aren't. When your browser shows a padlock next to a URL, the website is secured with HTTPS. Whether you're using a VPN or not, the data you send (passwords, billing, or other personal information) can only be read by the intended target server.
The security VPN services offer only extends to hiding your IP address, so it cannot protect you from phishing attacks, malware, malicious links, or social engineering hacks. Plus, big VPN companies host tons of private data, making them targets for criminal elements. Millions of leaked user records are floating around the web, and new VPN breaches happen frequently (via MalwareBytes).
When to use a VPN
Their advertising might oversell what they can do for you, but commercial VPN services serve a purpose. An organization can use it to communicate securely without exposing its data to the public web. Only users with the proper VPN configuration can connect to the network. A VPN will protect you from man-in-the-middle attacks if you don't trust your ISP. The data packets sent over open Wi-Fi at an airport or coffee shop can potentially be hijacked and analyzed. They're not as common anymore, but VPNs can provide an additional layer of security for such public Wi-Fi networks.
Some internet service providers also block access to specific websites and apps. You can sidestep those restrictions using a VPN by choosing a server in the applicable region. Regardless, it still ultimately leaves a trail that governments and companies can track. Streaming and media services have wised up to VPN-based circumvention and blocked VPN users, too, but it's often worth a try.