A VPN, or Virtual Private Network to be formal, is a method of creating an encrypted data tunnel across the Internet from your device to a destination server.
Although savvy home users and enterprises will operate their own VPNs (business-grade routers provide this functionality) for most folk, a VPN comes by way of a dedicated service provider.
In theory, and as far as many of those VPN users are concerned, this provides them with both security and secrecy. People think that a VPN keeps them anonymous while online. People are more often than not wrong.
What a VPN, any VPN, can actually offer is a method of securing your connectivity and making it much harder for an attacker (be that a hacker or the government) from intercepting your data whilst in transit.
Some VPN services do offer user anonymity as a selling point, but how honest are they being? OK, so the word 'private' in the expanded VPN acronym suggests privacy. But privacy and anonymity are different things. Certainly when talking about VPNs, we should be thinking in terms of the interconnection of private networks rather than the privacy of end user identity.
When it comes to services that claim to provide anonymity, I certainly wouldn't recommend taking them on their word. In fact, I would argue, it is beholden of the prospective customer (that's you) to fact check everything before handing over any money.
And handing over money, funnily enough, is right there at number one in my list of checks to make. If the VPN company is taking a subscription payment from you then what method is it using? A credit card leaves a footprint that leads right back to you, as do most of the normal payment methods. I'd look for a VPN service that accepts Bitcoin as a way of ensuring the hardest to follow payment trail.
Next on my list of things to check would be the policy of the VPN provider when it comes to usage logs. Only those that can state they keep no usage logs (which also means checking the country they operate out of as some have laws requiring the keeping of such things) should be on your list.
Then throw in shared IP addresses to make identifying individual users, for particular behaviours, out of a whole bunch of users almost impossible.
Once all of these check boxes have been ticked, then you can start getting really serious and look for features such as double VPN availability. This means that your connection is made to one server, in one country, which then connects to another in another country.
I use this functionality myself, as it routes my traffic through two hops (or more) with the connection encrypted within double layers of cipher AES-256-CBC encryption. That the connections are mixed between TCP and UDP adds yet another layer of security into the mix. All of which slows the connection speed, but not enough to impact upon my usage. If I were streaming movies, then I wouldn't go down the double VPN route to be honest!
Even after all of the above I wouldn't state that anonymity is 100% guaranteed: that's a tough call on the Internet.
There have been problems in the past with VPN services being vulnerable to leaking IPv6 data for example. More recently, research into Android-based VPN apps revealed huge problems with not only privacy but also security. 'An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps' is the result of a comprehensive analysis of 283 Android apps using the Android VPN permission that were chosen from the Google Play store.
The researchers included an analysis of the source code for each app, and the AndroidManifest file that requests either a custom VPN permission or the official Android BIND_VPN_SERVICE.
- 8% of the apps were identified as having malware (43% of this being classified as adware)
- 18% of the apps used tunneling protocols without any encryption.
- 66% of the apps didn't tunnel DNS traffic.
- 67% of the apps embedded a third-party tracking library in the source code
- 82% of the apps requested permission to access sensitive data such as SMS history
84% of the apps didn't tunnel IPv6 traffic.
The researchers concluded that "despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains 'terra incognita' even for tech-savvy users."
So, after all that, here's a question for you: which VPN service do you use or do you run a home-brew VPN through your own router - and a secondary question would then be, what are your primary expectations of this VPN?