Internet Tubes in the Era of Privacy: VPNs Explained
A down and dirty primer on Virtual Private Networks and everyday life
This article was first featured in Ericius Security’s blog. If you like the idea of keeping advocates who fight sex trafficking and human rights violations safe, consider partnering with #teamhedgehog.
If you have been around computers recently, you have likely encountered a few “how not to get hacked” articles. You know that you should use strong passwords in a password manager, utilize two-factor authentication, install an antivirus agent, and install security updates as they pop up. It is also likely that you also have been advised to use a Virtual Private Network (VPN), “because privacy.”
Rhetoric you may have heard are “Hackers are trying to sniff your data and steal your identity, use a VPN!” or “Governments are spying on you, use a VPN!” (or more esoterically, “Use Signal, use Tor!”). While these privacy battle cries are not completely out of place, such advice probably left you feeling like VPNs are more about fear, uncertainty, and doubt than the cornerstone of your IT strategy.
What’s the problem?
By the beginning of 2020, corporate data collection through ad technology and monitored network traffic is an open secret. In 2017, the U.S. Federal Communications Commission’s regulations protecting consumers (that is you and me) from collection and re-sell was crushed by U.S. Congress in both the House and Senate. Regardless of your opinion on privacy (these authors hold privacy is a right to protect your thoughts, ideas, and person), one can probably see this policy position skews power over personal data away from you — the individual — and toward corporations. It probably would not be surprising to learn corporations actively collect, exploit, or resell your data.
The problem is that your data is being collected and attributed back to you — the individual – painting a detailed picture of who you are. You may want to opt out of that. While you cannot stop companies and governments from collecting your data, VPNs add a layer of obfuscation that makes it harder for these entities to exploit your data for behavioral insights.
What is a VPN?
VPN stands for Virtual Private Network and originates from a network engineering solution which allows remote workers and campuses to not only connect across the internet, but also behave as if they were the same network. VPNs do this by creating an encrypted tunnel (also known as “data encapsulation”) from one network to another so users can then communicate seamlessly across that connection. Or as former Alaskan Senator Ted Stevens famously put it:
Take working from Starbucks as an example. By using a VPN connection, internet routers would observe encrypted, unreadable traffic originating from that Starbucks going to your company’s network. From there, your traffic emerges alongside the other traffic coming from your company’s building. Anyone peering into your company’s traffic can only deduce you are browsing the web from your desk at work!
Thus, we see that anonymizing VPNs is a way to use technology to hide your normal internet browsing profile. But how does it work on a technical level? First, a VPN will connect your computer to the internet directly through your default gateway (usually your home router router connected to your internet service provider) to the VPN provider’s network. Next, the VPN provider tells your computer that one of their servers (say, in Croatia) is now your gateway router, instead of your home router. This is important because your gateway router is the default place your computer knows to send traffic to the internet. Once the connection is created, your computer and the internet interact as if the Croatian server is your home router. Hundreds, maybe thousands, of other computers are doing this as well, which has the net effect of making the internet view all these computers as the activity of one user.
Imagine that your computer is a small island, and for most of your life you’ve been paddling directly from your island to the mainland. Everyone can see that you’ve gone back and forth between your private island and the mainland. But one day you created a tube across the ocean from your island to a larger island (the VPN), populated by millions. The larger island reaches the mainland by a bridge, where you can see traffic flowing between the island and mainland. Every time you interact with the mainland/internet, you first cross the tube to the larger island. To observers on the mainland, your point of origin was the large island, and not your private island. The added benefit is your oceanic tube is opaque. If someone is watching specifically for you, they cannot see how often you traverse that tube, just that it exists to link your private island with the large island. No longer can they identify you by your direct trips to and from your private island, they have to sift through the milieu coming out of the large island.
This is the power of a VPN — you create an encrypted connection that cannot be inspected in order to mask your true location by blending the unique internet traffic generated by your computer with thousands of other computers.
But what about HTTPS?
HTTPS, or HTTP Secure, is a well-established encrypted protocol for internet traffic. Over time, the protocol has been continuously improved and its adoption rate soared. Nowadays, a large portion of your web browsing is encrypted by default. So if our internet browsing traffic is encrypted, how can anyone see my browsing patterns and data?
The increased adoption of encryption means that network defenders, censors, and surveillants alike cannot inspect the internals of network traffic. However, they can still use metadata, or data that describes data. There’s probably no better way to describe the value of metadata for data exploitation than the Electronic Frontier Foundation’s response to the U.S. phone call metadata collection program. By interpreting HTTPS traffic, surveillants can infer critical and personal details. For example:
- They can see you went to a porn site at 2:24 AM and streamed for 18 minutes, but don’t know what video you streamed
- They know you visited the suicide prevention hotline from a mobile IP, but the exact topic researched remains a secret
- They know you visited an HIV information site, your doctor’s website, then your health insurance site in the same hour. But they don’t know when your next appointment or complaint is
- They know that you went to the NRA website, then your congressman’s site, but the nature of your concern remains unknown
- They know you went to your local gynecologist site immediately followed by a Planned Parenthood site, but nobody knows what paragraphs you looked at
However, with a VPN a surveillant cannot draw the above inferences about a specific individual. Remember our island analogy? Observers can only see traffic coming across the bridge to the big VPN island, but not the smaller islands. Likewise, a surveillant might see traffic going to an HIV information site, but won’t be able to tell which computer that traffic was requested from.
That’s it, a VPN will solve all privacy concerns
The short answer is…no. While associating data collected with an IP is one technique, there are numerous other techniques that are used to build your digital footprint, such as delivering ads based on search history, and data shared between linked social media accounts. However, VPNs add an important layer of your digital defense that cannot be discounted.
So what’s next?
Okay, so corporate and government data collection is scary. But do you need a VPN?! In our next article, we’ll talk through some problems that VPNs can reasonably help you solve.
