VPN or Virtual Private Network started as a service to facilitate secure access to private networks over the internet (or public connection). At the time, the primary use-case scenario for the service was to create a secure channel to access information within governments, organizations, and businesses, without inflicting a threat to their data. However, over the years, as products and services leveraging the personal information of users started taking center stage on the internet, the need for secure and private access prompted the demand for something as sophisticated and secure as VPN to come into the mainstream for personal use.
Even today, as its adoption for personal use continues to grow among the masses, and the service appears to be one of the promising and secure solutions to access information while preserving user identity, it is still not the safest bet and has its share of flaws and shortcomings, which implies that even VPNs aren’t perfect, after all.
To fathom this narrative, it is imperative to understand the working of a Virtual Private Network and its underlying intricacies that may lead to potential vulnerabilities and hold the scope of identity leak. So, let’s begin by first answering the most obvious questions and slowly delve into the concerns that follow.
What is a VPN and what purpose does it serve?
A VPN (or Virtual Private Network) is a modern-day solution comprising of various protocols that allow users to access information over the internet in a secure and anonymous (sort of) manner.
Or, in general, you can also refer to it as a glorified proxy. As in most cases, the basic idea behind both a VPN and a proxy is essentially the same — to act as a middleman between your device and the server (you are connecting to) — in a way that allows you to disguise the source of the request and maintain anonymity. However, while the two share a similar working principle, it is worth noting that, unlike proxy servers, VPNs come with additional features and security measures — that is, when granted, the VPN provider abides by the claims and policies it suggests to practice.
Talking about applications, compared to the initial days of its inception, the modern VPN service extends the scope of application even further. From offering an encrypted channel to access public WiFi — to providing secure access to a private network — to something as basic as bypassing geographic restrictions to view geo-blocked content across OTT platforms — among others. However, despite the range of applications it offers to assist in different scenarios, it is the way in which it performs these operations, which raises several questions.
How does a VPN work?
Moving right along, before delving straight into the concerns associated with a VPN, we must look at a brief overview of its working principle to better understand the potential for some of the underlying vulnerabilities. As mentioned a couple of paragraphs earlier, you can think of VPNs as glorified proxies. Since, to a greater extent, they offer the same basic functionality. So when you use a VPN, in essence, you are leveraging a proxy to make requests on your behalf to the destination server. And by doing so, you are, in turn, eliminating the need to establish the connection yourself, which, in a way, helps you stay anonymous on the internet to some degree.
To understand this, consider an example where you try to visit a geo-restricted website in your region. While you do that, the server can identify the source of request using the IP address provided by your ISP. And, in turn, can prevent you from establishing a connection and accessing its services. However, when you introduce VPN into the picture, the situation changes altogether. As now, when you use a VPN client to request access to the restricted website, the server notices the request to be originating from the same region it is being hosted. Thus, permitting you access to its services. Moreover, since the channel between your device and the ISP is encrypted, it prevents your ISP from identifying the request and the response on either end of the connection. As a result, you eventually manage to bypass the restriction despite being located in some other part of the world.
Similarly, when you use a VPN with the idea to browse the internet securely and anonymously, the service creates an encrypted tunnel between your device and the ISP and uses tunneling to prevent your ISP from viewing your online activity. Moreover, it also masks your IP (Internet Protocol) address with some random address, which ensures you stay anonymous while surfing the internet. However, that is not to say an IP address is completely untraceable, as there are certain loopholes with VPNs that can be exploited to recover such information.
What are the problems associated with a VPN? And why they aren’t perfect?
When you use a VPN client on your device, even though the connection is encrypted and your IP is masked, you can still be tracked using other parameters. As it turns out, an IP address is a small piece of trackable information in your internet profile. And there are other unique clues for your internet identity that can help an attacker or advertiser generate your internet profile. Not to mention, in some cases, the VPN service provider could itself be susceptible to attacks. And as a result, it might get compromised and leave you vulnerable with all your information ending up on the internet.
2. Hiding your IP is a must
In the same vein, a large number of VPN providers also seem to create a state of urgency or panic among users, suggesting that an IP address holds the key to a lot of their personal information. And therefore, one must sign up for their VPN service to mitigate this concern, and in turn, improve their privacy. Although, at large, this is not completely wrong, as an IP address does hold the key to some of the crucial profiling elements of a user on the internet. But, that does not, however, suggest that an IP address is the single most entity that holds the key to more personal data about a user, as there are various other factors too, which can help someone track a user on the internet. Thus, suggesting that the claims from these VPN providers are nothing but solely marketing affirmations.
3. Logging and selling user information
4. Marketing DNS leak prevention as a feature
Besides no-logging claims, VPN service providers also claim to prevent DNS-leakage, which is a term used to refer to a situation where the service fails to tunnel your DNS requests, and instead, it ends up with your ISP. To give you a quick primer, a DNS or Domain Name System is a decentralized server that is responsible for holding records of domain names and their associated IP addresses. So, for example, when you enter youtube [dot] com, the DNS comes into play to resolve the domain name with its designated IP address to present you with the result for your query. Coming back to DNS leak, what this essentially means is that, in an ideal scenario, when you request a website over a VPN, it should get resolved instantaneously, and you must have the page open on your device. However, in certain instances, the VPN fails to keep this a secret and ends up leaking the DNS entry for your requested website with your ISP. And even though some services suggest offering it as a feature, the idea seems kind of pointless in the first place, since ensuring DNS leaks don’t happen while you use a VPN, should be a rudimentary functionality, and not something that the service providers need to market as a feature.
5. Traffic encryption promises
Last, but certainly not the least, is the concern over encryption, which seems to create a lot of confusion among users. While most service providers claim that using a VPN encrypts your data with strong encryption standards before it ends up on the public network, the wordplay here is something that causes the user to fall for their promises and subscribe to the service right away. As, even though the data is encrypted by the service, it is the degree to which it is encrypted that plays a crucial role. What this essentially means is that the part of the communication that is encrypted determines the level of privacy and data security one can expect out of the service. In most cases, the VPN providers encrypt the part of the communication that involves the connection between your device and ISP, leaving the transmission of data from the ISP to the destination server unencrypted. So, while the data flows through the secure tunnel between your device and the ISP, you can be assured that it is secure from the prying eyes. However, what happens beyond the ISP through to the destination server, is all unencrypted, leaving it in pretty much the same situation as it would be with no VPN in the first place.
All these concerns leave the end consumer in uncharted territory, where, in a majority of cases, despite paying for a premium, the users are still not convinced whether the service offers complete anonymity and does not put their information at risk. Moreover, the policies on some of the services do not clearly describe how they handle user’s data and what measures they take to deal with targeted advertising.
Should you use a VPN at all?
Although during the course of the article, we did emphasize on how VPNs have their disadvantages and drawbacks, and that, they aren’t perfect in any sense and should not be trusted blindly, we are in no way suggesting you to abandon them altogether. But rather, asking you to limit its usage to crucial situations only. For instance, you can use a VPN to access resources on a company’s private network, bypass geo-restricted content, circumvent ISP-level content blocking, or even to access public networks in hotels or cafes in urgent situations.
Besides, if you are open to considering some other alternatives to VPN, there are other working solutions for different use-case scenarios to help you alleviate the need for a VPN in the first place. Some of these alternatives include Smart DNS — to disguise your location to access geo-restricted websites; Tor (The Onion Router) — to increase your security and anonymity and to bypass restrictions; mobile applications such as Orbot and Orfox — that helps you redirect the traffic on your device through Tor; among other solutions.