New Peril

An exploration of the intersection of politics, technology and privacy

Pages

Recent posts

VPN Services and Privacy: A Common Sense Discussion


Because of the way we, as a society, have decided to fund the Internet – through advertising revenue – the goal of all online interactions, from the point of view of the service provider, has become to gather as much data as possible about you – the consumer – in order to influence what you are likely to buy next.

If you find this concerning, you should, in every Internet encounter, strive to make yourself LESS unique1 . The less unique you appear, the harder it is for the tracking algorithms that manage this data collection to match your current activities to your profile.

If you’ve never done so, point your browser at amiunique.org and view the report on how you are seen on the Internet. It displays the various identifiers, the “fingerprint,” you are exposing every time you connect. It’s a very educational experience.


But you may say, “I use a VPN. I’m protected!”.


Let’s be clear, a VPN service (virtual private network service) does two things:

  • it replaces your originating IP address (internet protocol address), with the IP address of the VPN endpoint you are connected to.
  • It encrypts your network traffic between the source and the VPN endpoint.

That’s all it does. Despite what VPN marketing materials may lead you to believe, you are NOT surfing the web in stealth mode, invisible and anonymous. In fact, by using a VPN, you are likely attracting scrutiny that is both inconvenient and unwanted.


A VPN endpoint is not some sort of amorphous, anonymizing entity. It is just a physical server that resides on a common-place network. The endpoint you connect to has an identifiable IP address of its own just like the one you are trying to mask.

When you connect to the Internet through a VPN service, the actual benefit in terms of privacy is not the change of IP address (see below), it is one of ‘blending‘. With thousands of clients all using the same endpoint (and so the same IP address), your network traffic, in terms of IP address, appears LESS unique.


Look at it from the point-of-view of an algorithm. If your phone connects to the Internet via your mobile carrier’s cellular network without first connecting to a VPN, there is 1/1 chance that the requests associated with that IP address originated from you. You are 100% unique. If you live in a household of five individuals all connecting to the same WiFi, there is only a 1/5 chance that any interesting traffic originated from you (if the algorithm is considering IP address alone). When you connect through a VPN service, these odds change dramatically. The algorithm must now make its calculations based on a probability of 1/10,000, or 1/100,000.

But if your goal is to evade fingerprinting in general, this blending may not be particularly useful as a tactic. IP address is just one of many markers. And it is not a particularly efficient data point for identification.


Consider your activities on any given day:

  • when you get up in the morning and check your email, the weather and the news headlines over breakfast, you are connected to your local WiFi. That’s one IP address.
  • when you leave the house for work and your phone connects to your carrier’s mobile network, you switch IP addresses.
  • maybe you stop at Starbucks on your commute and connect to their public WiFI, yet another IP address is in play.
  • you arrive at work and connect to the office WiFi, again, another IP address.
  • On the way home from work you stop at the gym, and you pull another IP address.

When you connect to the Internet through a VPN service, all you’ve really accomplished is changing your IP address one more time. This constant ‘switching’ is behavior the tracking industry expects, and its algorithms deal with it efficiently.

Also consider that networks are well aware of VPNs. As an educational side trip, do the following: activate your VPN and surf to whatismyipaddress.com. You will see that the network has no problem at all detecting that you are using a VPN. The tracking algorithms can now add the following identifying data points to your profile :

  • the fact that you are a VPN user
  • the name of the VPN service you use
  • which specific VPN endpoint you have accessed

So, while you have gained some blending benefits by using a VPN, you’ve actually added three more identifying data points to your fingerprint. In the end, you have made yourself MORE unique not LESS. And because the network knows you have connected via a VPN service, it will ignore your IP address as a useful identifier, and focus on other aspects of your fingerprint.

You could try using a privacy engineered browser like Tor or Mulvad. These products use innovative routing and packet ‘onioning’ routines that significantly reduce the number of identifiers available to tracking algorithms. These type of applications are not, however, designed for general web browsing. Because of their various security enhancements, many of the internet services you rely on (your banking website, for example) will simply not function. And because these browsers are far less commonly used than say Chrome or Firefox, in terms of some important fingerprinting metrics you are, ironically, dramatically INCREASING your uniqueness.

I’m not saying that VPNs have no value. That’s just not true. But their utility depends on your goals.2

  • If you are a journalist or a dissident, or if you live under a repressive regime, and it is imperative that you obscure your internet traffic until it leaves the jurisdiction, then a VPN could save your life.
  • If your concern is mostly Internet hygiene and general online privacy, then sure, use a VPN for its blending benefits, but be aware of the limited value of masking your IP address. “Fingerprinting” is a science and it involves so much more than simple IP addresses.
  • The encryption features of a VPN prevent your internet service provider (ISP) from reading the content of your network traffic. Perhaps this is of particular importance to you. But this only eliminates your ISP from the surveillance chain. There are countless other actors involved. If your ISP doesn’t nail you, then Google, Meta or CloudFlare certainly will. Keep in mind that your traffic is only encrypted until it reaches the VPN endpoint. By the time you actually reach your destination, your request has been fully decrypted. 
  • If you just want to stream US Netflix content from your living room in suburban Toronto, (here we are talking about the geo-location benefits of VPNs) a commercial-grade service like SurfShark or NordVPN will probably meet your needs just fine.
  • If you are connecting to sketchy public WiFi, DEFINITELY USE A VPN! But here we are, again, leveraging the encryption features of a VPN service, not its IP masking abilities.
  • If you are doing something illegal online and do not want law enforcement knocking on your door, you may gain some benefit from masking your originating IP address. But in reality, even in the absence of a specific IP address, the authorities could take the information they do have to a data broker, spend a few bucks and purchase your entire profile. It would likely contain your current address, along with every address you’ve ever lived at thrown in as a bonus. No extra charge. 

You may decide that a VPN service is an appropriate tool for your privacy kit. Be aware that the benefits come at a cost. There are trade-offs.

  • Network speed. If you pay a premium to your ISP for a high speed connection (500 mbps or 1000 mbps), be aware that by using a VPN, your transfer speed is limited by the capabilities of the endpoint you are connected to. Your speeds will likely drop. You can easily gauge the impact by visiting speedtest.net and running tests both with and without your VPN connected. If you are an online gamer, or if download/upload  speeds are crucial to your workload, then do your research and pick a service that offers the connection speeds you require. You may end up paying a premium to both your ISP and your VPN service.
  • Geo-location. Websites and apps make use of your IP address in a variety of helpful ways. If your physical location is Calgary, Alberta, Canada, but you are connected to a VPN endpoint in Tuscon, Arizona, BestBuy.com is going to offer you “deals” and calculate things like shipping rates and delivery estimates based on your assumed Arizona location.
  • Basic app/website functionality.  Certain mobile apps and websites will either force you through extra verification steps or simply drop your connection if you attempt access with your VPN engaged. Make sure you pick a VPN service that offers “Split Tunneling.” Using this feature, you can specify apps/URLs to exclude from the VPN tunnel. This will solve the immediate access problem, but you will lose the benefits of the VPN while using these apps or visiting these websites.
  • Firewalls. You may need to access resources that reside behind a firewall. Firewalls are typically configured based on IP address ranges (CIDR blocks). If you use a VPN, your IP address is unstable and unpredictable. This will cause headaches. One work around is to use a VPN “browser extension” instead of a full-stack desktop product or a router based VPN application. The extension will shunt your browser traffic (https: port 443) through the VPN, but leave other connections, such as ssh (port 22) unaffected.

As a final note, temper your privacy expectations. Internet tracking is a sophisticated, multi-billion dollar industry. The algorithms they employ operate at levels that the work-a-day Google searcher or casual online shopper cannot hope to fully comprehend let alone evade. Don’t expect your $9.99 NordVPN subscription to offer much protection.

  1. Yes, I realize that ‘unique’ is an absolute term, so the concepts of more or less unique are nonsensical, but this is the term the literature uses ↩︎
  2.  The literature speaks of ‘threat models’. ↩︎

Posted in

Leave a comment