VPN Service Providers - Are they overpromising?

By Michael Spalter
August 2020

About the author


Michael Spalter has been a networking technician for over 30 years and has been the CEO of DrayTek in the UK since the company’s formation in 1997. He has written and lectured extensively on networking topics. If you’ve an idea for a blog or a topic you’d like explored, please get in touch with us.

This blog article is brought to you by...actually, just us, but if you watch online vloggers or any volume of online content, you're likely to have seen adverts for "VPN Services". These adverts might be video clips or, increasingly, content sponsorships where the presenter will interrupt his or her main content to read a script explaining why you should use a VPN service.

The problem is that, whilst VPNs can and do work well for some specific services, the claims these companies are now making and the paranoia they may be generating are getting excessive. The target audience is often not technically aware and so more vulnerable to misleading claims. In this article, I'm going to explain the benefits of using a commercial VPN service but also what they don't and can't do, and why.

Many of our users will be familiar with VPN technology. In the case of hardware products, a VPN is commonly used to link remote offices or teleworkers through a secure tunnel using the public Internet. Strong encryption is applied so that data within the tunnel cannot be viewed in-transit and is decrypted at the router or remote device's end. This enables remote working and office-links using low cost Internet connections where, in the 'old days' an actual private network would be necessary. If you're sending private or sensitive data over the public Internet, encryption is essential. Instead of (and before) VPNs, some companies operate private networks using technologies such as MPLS. These private circuits are more secure, avoiding the Internet, but costly.

VPNs over the Public Internet

If you didn't want the cost of a leased line and the locations that you wish to connect have Internet connections, you could send data directly between them, but then anyone in between can intercept and look at your data. That simply isn't acceptable for client or server communication, so instead you can create a VPN which connects the sites and encrypts your inter-site traffic within a secure 'tunnel'. The VPN might be created between two routers, each of which is set with the identity and credentials of the other, or from a software client running on a PC or other device, generally used for teleworkers or mobile remote access. In later years, the use of SSL (superseded by TLS) has made web site connections secure but those technologies are just types of VPN; a type where the connection is automatically negotiated and encryption applied in real time for every connection using a PKI (Public Key Infrastructure). The main difference between a regular VPN and a TLS web-site connection is that a VPN will only allow connections from authenticated users, whereas a TLS web connection can be accessed by anyone.

As well as securely connecting sites, VPNs can also serve to centralise traffic. For example, in a corporate environment, the router at each remote office, and all teleworkers, can forward all Internet traffic via the HQ. This means that HQ can monitor all traffic but also centrally filter against bad or inappropriate web sites. If you're connected to your corporate network, your company has an interest in blocking sites which are more likely to contain malware or be incompatible with the company's activities. In this circumstance the effect is also that every user connected 'location shifts' - when you browse the web, your source address appears to be the exit point of the VPN and not where you're actually located. If that exit node is in another city or country, then you'll appear to be coming from there, masking your real IP address.

Is this what Tor does?

Tor is a privacy protocol/service and browser and its primary purpose is to mask your real IP address, which is what a commercial VPN also does. Before reaching the exit node (effectively your 'on ramp' to the Internet) your packets bounce around several other nodes, in encrypted form, in such a way that it becomes (apparently) impossible to trace your original address. So, unlike a regular VPN service, with Tor, there is no central organisation who you connect to and the anonymisation is part of the protocol, not simply an alias at the exit node. Additionally, the Tor browser (a stripped down and specialised version of Firefox) provides only generic telemetry to the host and it sandboxes every site so that fingerprinting and profiling users becomes much harder. 

Tor is often mentioned in the context of people accessing the dark web or the deep web but it is most commonly used to access the 'regular' web, perhaps by criminals and trolls but also those concerned for their privacy and safety and for those who live under governments who ban content or access to the free web.

Commercial VPN Services

A few years ago, companies started offering commercial VPN services. These were not for inter-site or teleworker links, but for users who wish to anonymise or location-shift their source IP address or encrypt their data beyond the reaches of their own ISP - but only that far (an important point which we'll come onto later).

Someone may wish to anonymise their IP address, perhaps, because they are a persecuted dissident, a journalist fighting to expose truths, a spy, hacker or someone wanting to do some unlawful activity such as Torrent download (software or media piracy). To be clear, Torrenting itself isn't illegal, but few people would claim that it's used for anything other than unlawful media sharing. That list isn't exhaustive and it's not all about nefarious activity - there are legitimate and decent reasons why one might want to protect one's identity, especially when your safety is at risk. Taking a very serious example, someone troubled with violent or illegal sexual urges might wish to seek help but in doing so fear that they might get 'noticed' or exposed. Anonymising them could enable them to get help in confidence and prevent them acting on any urges.

IP addresses are registered to specific localities by most ISPs. It's not entirely accurate but when you see a spooky advert/clickbait on a web page saying "People in Edgware are saving 100's" and you think, "Wow, I'm in Edgware..I better check this local news!" then it's likely every other user is getting a different town shown. That information is automatically inserted by matching your IP address. Of course, it's possible that Edgware does occasionally have some genuine news of its own.

More commonly, location shifting is used in order to access services which are not available or banned in your own region. For example, if your country bans gambling or social media sites, tunnelling through a VPN may enable access, assuming that your ISP or government doesn't also ban or block VPNs.

The most common purpose for location shifting is to access regional services, most notably streaming services such as Netflix, Amazon Prime or Disney+. These services may be available in your country but due to regional licencing, local laws or release schedules the movie, programme or series may not be available in your region. Turn on your VPN and your PC, TV or other device appears to be at the location of whatever server you've selected from your VPN provider.

You can connect to these VPN service providers using an app on your smart device, software on a PC or directly from your own local router. Streaming services are trying to counter the use of VPNs for this purpose. Countermeasures include tracking common VPN exit nodes (and blocking them) or measuring suspiciously high latency (ping times) or the traceroute hops. It might take 10ms to get to your nearest streaming company's server, but the USA, 3500 miles away might take 100ms. Ping time isn't very reliable as a metric as many other factors can lengthen it.

I travel regularly (our factory is in Taiwan, for example) so I use a VPN back to the UK directly to our own router endpoint. As well as enabling me to access company resources when travelling a beneficial side effect (for me) is that I am also able to view the BBC web site 'British' front page and news pages. In other countries, they redirect you to bbc.com and you get the commercialised front end of the BBC which contains adverts (subcontracted to clickbait farms) and a different layout.

Overpromising

The reason I started this article was that, having seen so many adverts for VPN services (I really do watch far too many online videos), the claims of what these services can do seem to be getting less accurate and potentially misleading to less technical users. That could lead to people believing that they are more secure than they really are or paying for services which provide them with no benefit. Let's look at the most common claimed benefits:

 "Risk of your passwords being stolen"  

Almost every web site which requires login or transfer of user data now uses TLS/HTTPS encryption (see the padlock symbol next to the web address above) so no passwords are at risk of being stolen, and if they are, they're still at risk if you're using a VPN service because all you've done is move your point of egress (see below).

"Military Grade Encryption"

Almost all web sites use TLS encryption which is what gives you the 'padlock' symbol on web pages. It uses AES cryptography with either a 128 or 256-bit key length. 128-bit key lengths are used by banks and other sensitive online providers and a 256-bit key length is often called 'military grade' but, to be clear, modern computational power makes cracking either of them through brute force unfeasible. Estimates of how long it would take to crack a 128-bit cypher are longer than the age of the universe. If there were a flaw in the cryptography method itself, the key length is likely irrelevant. 'Military grade' is a marketing term and refers to the fact that the American NSA use NIST's recommended 256-bit key lengths for the 'most secret' data though, in real terms, 128-bits are adequate (and will provide better performance).

Whilst the focus is on the number of bits in the key, other factors can make more of a difference. There are different encryption modes, such as ECB, GCM and CBC (in order of security) and it's generally accepted that encryption with 128 bits and GCM would be more secure than 256 bits under ECB mode. As I alluded to above, all of this security assumes that the code and execution itself is robust - no-one's cracking AES by brute force, so an attacker is going to have to attack the key exchange, implement some sort of MitM (Man-in-The-Middle) attack, attack the PFS (Perfect Forward Secrecy) mechanism, find a weak password ('1234', 'password' etc.) or find a flaw in the code - 128, 256 or 512 key bits won't help against any of that. It's like having an 8-cylinder lock on your house - 8 cylinders is a lot, but if it's easy to pick because the designer didn't use security pins (spools or serrated) then it's really not very secure despite its headline claim of "8 cylinders".

Older encryption and hashing protocols (SSL, MD5, 3DES, SHA1) are considered (relatively) insecure and obsolete - though, in low sensitivity applications or where obsolete hardware/software can't support newer protocols - they may still be in use. There are still completely unencrypted application protocols which can be used over the open Internet such as telnet, syslog, POP3, SMTP or NNTP. In all cases, you should use an encrypted equivalent or site-to-site VPN tunnel to use these across the Internet.

 "Without a VPN, third parties can see your internet traffic"

The above title is the headline claim from another well-known VPN service provider. It's simply disingenuous. Yes, it's technically true, but then it's also true with a VPN. I cannot emphasise this strongly enough. If you connect to the Internet via a VPN (i.e. we're not talking about site-to-site or teleworker VPNs) then all of your data still ends up on the regular open Internet. The VPN service's encryption only goes so far as their endpoint/node - the point at which they connect you to the Internet. From there, your data is just as open, visible and unencrypted as it would be if you were not using the VPN at all. Encryption on an Internet VPN does not provide the promises made and could be entirely pointless except for moving your point of egress.

As an analogy, imagine you want to get onto the motorway (highway) in your car but you don't want anyone to know where you're going or what's in your boot (trunk). So, instead of entering at junction 1, you put your car inside a big truck and that truck drives you to junction 3, where you get the car out and continue on your journey. Sure, you had 'encryption' for a couple of hops, but then you were fully visible. Furthermore, if the truck operator gets a warrant from the authority, they're going to provide access to your car anyway.

A benefit of a VPN is moving your point of egress beyond a geographic or political boundary. If, in your case, you are moving that point of egress from one jurisdiction to a safer one then the encryption would be beneficial if you are a foreign dissident, democracy protester, persecuted minority, political prisoner, spy or any other example of where bypassing local restrictions would be useful. A VPN might also be used in industrial espionage or data theft by an employee to bypass company restrictions. For this reason, companies may wish to consider blocking VPN tunnels from being created through their firewalls and only permitting authorised applications. A robust system in this respect is difficult to implement and a continuously moving goalpost; Edward Snowden allegedly just copied files onto a USB memory stick and walked out with it.

Another benefit of VPN encryption can be where you're using public Wi-Fi, a hotel or another untrusted network where other users have access. Whilst it's likely that most of your actual data is encrypted with TLS (HTTPS web sites etc.) anyway, in such a scenario, another user or someone with access to that network could still see telemetry of which IP addresses you're communicating with. Whether that's an issue depends on which sites you're accessing and your level of concern. Nearly all of my web surfing is to video sites, news sites and social media so I'm not worried about people knowing which sites I visit and all of those sites use TLS encryption (HTTPS) so you can't see what I'm consuming.

 "We don't log"

If you are using your VPN service for anonymity, then that would be entirely pointless if you're just shifting your connection logs from your ISP to the VPN provider. A government, law enforcement agency or copyright holder wishing to take action against you could demand your information and metadata from the VPN provider instead of your ISP. To counter these risks, VPN providers will make a variety of promises with regard to logging. The big problem here, however, is that your reasonable interpretation of the term "no logging" might be different from that which the VPN provider means or a definition which they're disingenuously relying on.

IT infrastructure has to be maintained and kept running efficiently. To do so without diagnostics, of which logging is an important part, would be exceptionally difficult, so the provider may have some level of logging in which maybe you cannot be personally identified, and they might call that "no logging" because "obviously" you only care about your personal data. For your confidence, some VPN providers will claim that they keep logs only for a limited period, for example 24 hours, and purely to maintain an efficient service. However, if you were under investigation, the authorities may require your provider to keep logs for longer or to log more data (see 'silent disclosure' later). Even if a provider claims that they have no hard disks/non-volatile storage, logs can be made to RAM and then off-loaded. It seems highly unlikely that any service provider doesn't have the ability to enable logging to troubleshoot or administer their network and switch on logging of any and all data temporarily to diagnose service issues (or fulfil a subpoena!).

Furthermore, a VPN provider knows that if they genuinely kept no logs and had no ability to enable logs, their network would inevitably be used for illegal activities - not crimes which are acceptable in the free world but those crimes which are universally illegal and undesirable. When selecting your VPN provider, if this is a concern, check their logging policy and then dig deeper into their definitions and watch for weaselly words or ambiguity. Of course, even if they are completely honest and transparent, if they are compelled by law enforcement or government, their intentions become irrelevant (see 'gagging orders' later). If you're dealing in grade A drugs, people trafficking or trading child-sex media then, rightly, no-one's going to be very sympathetic but if you're disliked by your government, persecuted for your beliefs or a victim of an arguably unjust law then that's a different matter.

Film and media companies have a long history of locating torrent (or other media sharing methods) users and then demanding the identity of those users from ISPs. The media companies then issue 'invoices' to the users for copyright infringement in order to prevent criminal charges being brought (copyright infringement is a criminal offence not a civil tort in most countries). There isn't an example of these media companies going after VPN service providers yet but there's no reason they can't. Genuine "no-logging" would prevent your provider from cooperating but as a criminal offence, it's possible that they could be compelled to covertly change the policy. Again, I'm not condoning or protecting media pirates - this is a technical discussion. It's also possible that a rogue operative within the service provider surreptitiously logs or steals your (or any number of users') data.

If your provider is in another country, either their corporate or service location, and you believe that provides additional protection, it may not and it may provide even less, especially if that country and your own are 5 Eyes, 9 Eyes or 14 Eyes countries (these are international intelligence agency agreements). Something your own government is prevented from doing locally may be allowed by their 'eyes partner' acting on their behalf. Some VPN providers are deliberately 'based' in locations which they claim are outside particular jurisdictions, but registering a company in one place and offering service or having operations in another may not actually provide the protection that you hope it does.

Fingerprinting by Extrapolation

Even if the provider says that they don't log any personal data, depending on what data IS logged, you can work backwards and by a process of elimination, extrapolation and statistics, identify who the "anonymous" data actually belongs to. There are roughly three types of data which a VPN service might log:

Connection Logs - Time, date, duration and chosen server for every connection you make to their service.

IP Address Logs - The IP address you're allocated as source and that of each server/site you connect to (your 'browsing history').

Traffic Logs - The volume of data which you're sending or receiving from each connection and the traffic type/protocol.

Actual Data - It is highly unlikely that any VPN provider would log your actual uploaded or downloaded data. The sheer volume of data aside, most of it would be HTTPS (TLS) encrypted, however in a serious case of suspected crime, it is possible that the authorities could make the VPN provider (or your regular ISP) log all data for a specific customer.

Data volumes can also play a part in tracking you. If you are being monitored and your ISP identifies 4Gb of data entering your network starting at 12:41:27 and finishing at 12:58:21 and that roughly matches the timestamp of a download from a server, that's evidence against you - the VPN and any logging they might make is irrelevant. If "no logging" really means what it sounds like, none of the above information is available for any amount of time, and an honestly designed system shouldn't be able to enable such logging, even temporarily - which would then make diagnostics and efficient network operation difficult.
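The correlation described above can be shown in a few lines. This is an added example, not code from the original article: the records, the field names and the tolerances (`max_skew`, `max_volume_diff`) are constructed assumptions. It matches VPN-side session records that carry no account or source address against ISP-side flow records by time and volume, and reports how many subscribers each "anonymous" session could belong to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    label: str        # session ID (VPN side) or subscriber ID (ISP side)
    start: datetime
    end: datetime
    nbytes: int


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample: VPN-side "connection + traffic" logs, no identity fields.
VPN_SESSIONS = [
    Record("sess-a", ts("2020-08-01 12:41:29"), ts("2020-08-01 12:58:20"), 3_900_000_000),
    Record("sess-b", ts("2020-08-01 12:40:02"), ts("2020-08-01 13:10:45"), 300_000_000),
    Record("sess-c", ts("2020-08-01 09:15:00"), ts("2020-08-01 09:20:00"), 52_000_000),
]

# Constructed sample: what an ISP sees per subscriber towards the VPN server.
# Volumes are slightly larger because of tunnel overhead.
ISP_FLOWS = [
    Record("subscriber-17", ts("2020-08-01 12:41:27"), ts("2020-08-01 12:58:21"), 4_000_000_000),
    Record("subscriber-42", ts("2020-08-01 12:40:00"), ts("2020-08-01 13:10:47"), 305_000_000),
    Record("subscriber-08", ts("2020-08-01 09:14:58"), ts("2020-08-01 09:20:03"), 53_000_000),
    Record("subscriber-23", ts("2020-08-01 09:14:54"), ts("2020-08-01 09:20:06"), 54_000_000),
]


def candidates(session, isp_flows, max_skew=timedelta(seconds=10), max_volume_diff=0.05):
    """Subscribers whose flow matches the session in start, end and volume."""
    found = []
    for flow in isp_flows:
        start_ok = abs(flow.start - session.start) <= max_skew
        end_ok = abs(flow.end - session.end) <= max_skew
        volume_ok = abs(flow.nbytes - session.nbytes) <= max_volume_diff * session.nbytes
        if start_ok and end_ok and volume_ok:
            found.append(flow.label)
    return found


def anonymity_sets(sessions, isp_flows):
    """Map each session to the set of subscribers it could belong to."""
    return {s.label: candidates(s, isp_flows) for s in sessions}


def reidentified(sessions, isp_flows):
    """Sessions whose anonymity set has collapsed to exactly one subscriber."""
    sets = anonymity_sets(sessions, isp_flows)
    return {sid: subs[0] for sid, subs in sets.items() if len(subs) == 1}


if __name__ == "__main__":
    for sid, subs in anonymity_sets(VPN_SESSIONS, ISP_FLOWS).items():
        print(f"{sid}: {len(subs)} candidate(s) {subs}")
```

The third session stays ambiguous only because two subscribers happened to behave alike at the same moment; long or large transfers rarely have that cover.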

Additionally, the service you're connecting to (the web site, social media, streaming service) still gets plenty of information about you even if your real IP address is obfuscated. Your browser gives lots of unique information - it may not specifically identify you on its own but it can be used to recognise and match you approximately on subsequent visits or visits to other cooperating sites (as a type of unique alias). This information includes browser type, version, extensions, client-side capability, resolution, window size, cookie settings, referrer and your JavaScript status. It could certainly count as evidence against you in trial.

Even a browser, like Firefox, which isn't owned by a corporation with commercial interests and allows highly configurable privacy controls can only limit telemetry so far otherwise web sites don't function correctly.  As an example, if you disable too much, a web site like Amazon will consider you 'suspicious' and force you to verify your account with 2FA every time you log in.  Another site I used wouldn't let me log in at all if I disabled the 'referrer' telemetry (your browser reports to every web site which site you just came from).

If you signed up for a streaming service in the UK but access their USA service, they can, of course see that.  They may not have taken action against you - it's a PR balance whilst the services battle to become dominant, but they know.  Even if you used a foreign credit card or bank account and billing address, it's entirely plausible that your account is flagged as 'suspicious' even if they don't do anything about it.

Beware 'free' and 'too cheap'

Be wary of free VPN services. Running a VPN service is costly in terms of bandwidth and infrastructure. If you're not paying for it, or getting a lifetime deal at what seems to be 'too cheap' a price, they are funding their service some other way. Try to find out how. It might be a loss leader to promote another service or build brand momentum but in the worst case, the 'free' service might be deriving value (and therefore income) from your data or metadata - though a commercial/paid service might do that too. This is no different to any other 'free' service. Gmail, for example, is a great service, but how Google monetises and uses your data and email content is where they derive the value - that's why it's "free". Remember that your VPN provider has access to all of your connection telemetry, all unencrypted data you send/receive as well as anything their client software might pick up from your device - you need to know who they are, what they claim and decide whether you can trust them.

Silent Disclosure, Gag Orders and Warrant Canaries

There are numerous cases of ISPs and VPN Service providers, including those claiming to keep "No Logs" being forced to secretly log user data and pass it to the authorities. If those actions prevent an act of terrorism or other serious crime then few people would dispute the benefit but many people are concerned about over-reach or when law-enforcement policy is informed by political motives. In a later blog, I'll be going into more detail about this.

DNS Leaks

Whilst all of your data might be being tunnelled through the VPN, your DNS lookups may not be. Your devices might continue to use your local ISP's DNS servers or, with the introduction of de facto DoH (DNS over HTTPS) within browsers in 2020, your DNS queries may be sent to the default servers of your browser, and those lookups may be logged against your digital fingerprint. Many VPN service providers will provide their own DNS services so do check what your browser and other services are using for their DNS lookups.

Bandwidth and Performance

Now that you understand the benefits of a VPN service provider, when choosing your VPN provider, one factor often overlooked is performance. I mentioned earlier that bandwidth is costly. A 4K data stream requires at least 25Mb/s so in order to sustain thousands of simultaneous users, a provider needs a lot of bandwidth, likely international, to each of their POPs (Points of Presence - the VPN endpoints). We do not endorse any specific VPN service providers but we would suggest that you select one which provides their full (not cut down/limited) service for a trial period so that you can thoroughly test it yourself. Watch out for claimed "unbiased" VPN comparison sites which are actually paid-for sponsored comparisons or who are paid affiliate commissions from their recommendation.  Raw throughput isn't the only factor - latency (the time it takes for a packet to get to the other end) can be variable and will always increase with a VPN. Whether that matters will depend on your application but in gaming, particularly FPS shooters, the lowest latency possible is crucial. Too long and you won't see a 'threat' or launch your counter attack in time and that's game over.

Example Sponsored VPN Advert

So this is where we started and what prompted this article. Here's an example of a recent 'sponsored' message that I listened to on an otherwise fascinating video.  Note that it loses some of the authoritative tone when written down and not being read by a 'trusted' YouTuber but here it is, line by line:

"If you're on the Internet, you're giving advertisers and your ISP opportunities to collect your data and sell it."

Sounds bad, right?  What 'data' and is there any evidence that any ISP has actually ever sold individualised data?   If your data is encrypted then all they have is your identity and which IP addresses you're communicating with, along with the duration and volume.  It's likely that an ISP would monitor web traffic in aggregate in order to optimise their system - that's important in running the service properly but logging your destination IP addresses (remember it's only IP address not specific URLs) and using/selling that information against your identity?   I've not seen any evidence that it happens, it has limited value and even if it was happening, do you care?  You may care if you're, say, visiting illegal web sites and the ISP is looking for that but with a VPN, all you've done is move that information to the VPN provider.  If you're using mobile Internet connectivity, your network provider knows where you are anyway from the cellular connectivity, regardless of a VPN.

"Our VPN service changes your location which hides your IP address"

Without being overly semantic, I'll allow that.  It does hide your real IP address and disguise your apparent location to the service/server you're connecting to.


"...and then connects you to a secure server so that all of the data being transmitted from your device in the Internet is encrypted..."

Arghhh! No! They had to spoil it! What's a "secure server" - that's inferential nothingspeak™! Marketing 1, Facts 0 but the worst part there is the egregiously misleading claim that "all of your data is encrypted". Firstly, it's probably all encrypted anyway but the VPN service is only encrypting from your device to the Internet - once it's on the Internet, the VPN has no influence on it at all - you're then on the good old plain Internet with everyone else. It's like a knight wearing armour only on his way to the battlefield and removing it once he gets there. The VPN service provides no encryption "in the internet". It's patently false and misleading.

"Our service adds an extra layer of protection against people trying to snoop around."

I've no idea...

"Even if you're using incognito mode, your ISP can still see what you're doing and sell your data."

We've covered the 'ISP selling data' but it's useful that they point out that incognito mode is misleadingly named.

"We'll also keep you safe during DDoS attacks when you game."

I couldn't find much detail on this, but let's assume that they do have protections against DDoS (Distributed Denial of Service) attacks - your real public IP address could be hit still but let's assume that the attacker has only logged/ascertained your VPN endpoint, there could be a benefit but, really, how common are DDoS attacks against individuals?   In online gaming, where latency is vital, a DoS or DDoS attack might be instigated (and they are) in order to handicap users, however until the point that such an attack started, the performance of the VPN is going to be so much slower and with higher latency than a native/direct connection that you'd have to be at pretty high risk to want to pay that price.

"For gamers, our VPN will reduce your ping time."

I'm highly skeptical of this. They claim that by selecting a VPN endpoint closer to the server, you'll have a faster ping (the roundtrip time for data between you and the server). I'm guessing that few VPN services have their own cables under the sea or their own satellites, so their VPNs are connected over the Internet or other shared infrastructure, so how can it be that they can get somewhere quicker through their magical tunnel than you can get there directly across the (very efficient) Internet? A VPN tunnel isn't like a road tunnel for your car that bypasses congestion - it just sits alongside all of the other traffic. There's not enough information given by this VPN provider to explain their claim or how likely a user is going to get that benefit in an actual use case. In addition, the latency increase (bad) that a VPN provides (your data competing with every other customer's) is likely to be far greater than any latency decrease (good) that they are claiming is possible - but, I'll leave room for doubt and will be happy to receive an explanation and real-world results (and can amend this article later).

"With our VPN you can watch movies which are not available in your country on Netflix, BBC iPlayer and other services."

Hooray, a fact!   You can, if you have the right account and so long as the streaming companies don't blacklist the VPN exit nodes that you're using or otherwise identify out-of-area viewing by other means, which they are increasingly doing.

"Our service will protect your confidential information (such as online banking credentials or social media passwords) through VPN encryption"

Nonsense - they are claiming to protect you from a risk that doesn't exist. There is no mainstream social media service, let alone a bank which doesn't use mandatory encryption as standard. It's a shame because the service I'm quoting does otherwise seem to take great efforts to maintain privacy but then marketing people get involved and take the claims too far.

I'm not naming this particular provider because there are so many others also exaggerating and making misleading claims. If that means that a terrorist gets a false sense of security and gets caught, great, but if, as is more likely lots of regular people pay for a service which they don't need and get no benefit from, it's not so good.

Summary

VPN Services can be useful and can work well for shifting your apparent IP location and for bypassing local regulations. They are, however, unlikely to be effective in protecting your identity or from evidence being gathered against you by law enforcement or governments and the claims made by many service providers can be highly misleading.  Be skeptical about any claims which you cannot test yourself.
