I believe at least one of the business models for "free" VPNs is to turn their users machines into exit nodes, and the real business is in selling those to people who want to spread their traffic across many residential IPs for usually dubious reasons (e.g. scalpers trying to scoop up concert tickets or limited edition sneakers or whatever without tripping bot detection).
It's worth pointing out that while it operated as a VPN (so it could capture traffic), it was ostensibly marketed as a "security" app (ie. scanning your web traffic for threats). It's not really a good example of shady VPNs.
Among all the people I know who use the kind of VPN services talked about here, these are exactly their reasons for using them. Obviously advertisements are going to shy away from these angles.
You may not even need a VPN to get around censorship, ISPs implementing legally mandated site blocks often only bother to enforce them at the DNS level so you can trivially bypass them by using an encrypted DNS resolver.
In the UK, at least, it isn't the default (because of "the children"/"terrorism"). But it's still just a setting in Firefox/Chrome to change (and I guess in Edge too).
Even just using a different DNS can be enough. A certain popular movie uploader is/was blocked by my ISP at the DNS level but worked fine once I changed to OpenDNS.
If only the Great Firewall were so easy. ExpressVPN seems to be "OK" once/if it connects but it's not very fast when websites load megabytes of crap via a bazillion tiny requests (which is a problem in any bandwidth-limited and/or high-latency environment: use your browser tools to simulate a slow connection, website devs!).
I think the snake oil claim is in regard to VPN companies marketing themselves as a security product. The security benefits that these companies claim in their ads are dubious but of course there’s other benefits to them, they just can’t advertise that they can be used for these things.
The problem is people who aren’t aware of this see these ads and think that they actually do prevent hackers from stealing their information.
> I think the snake oil claim is in regard to VPN companies marketing themselves as a security product
Considering that confidentiality is a vital component of overall security, it's not necessarily unreasonable to describe a VPN as a security product. Of course, it's not the panacea some companies claim; nobody's "surfing the web in full security and privacy" with just a VPN service.
We already have really good client-server confidentiality (and integrity) assurances from the wide adoption of TLS/HTTPS. Wrapping that in a VPN doesn't buy you all that much additional security. Maybe a little bit of DNS privacy and being able to mask your IP address on torrents, but that's all that comes to mind.
Similar to cryptocurrency in this respect. People would often tout nebulous benefits for hypothetical legitimate use cases, when in reality they were only ever really good at ponzi schemes and conducting illicit transactions.
That argument only makes sense if people don't really understand what a VPN is or what it is actually for. They're somewhat of an expensive and complex thing that usually noticeably slows down your internet connection... I doubt many people are buying them because they think it protects them from identity theft or something. I haven't seen an ad on the internet in a decade (thanks uBlock) - so I'm not sure if there's some ubiquitous misleading ads I'm missing.
I have mine always on for privacy. Is there a reason to not use it? The extra latency is close to 0 just use an exit node in the same city. Why should I donate all my browsing data to my ISP ?
There's another use case (and is why I primarily pay for one, mostly due to being too geographically mobile to want to set up a bunch of VPS around the US): bypassing throttling on low-cost pay-as-you-go MVNO networks.
I use Visible (pre-paid Verizon), and they very clearly deprioritize, say, youtube when things get crowded. I turn on my VPN and all of a sudden I can play 1080p no problem.
The problem is that they are sold as a security/privacy product, because they can’t mention the more illicit uses (which the author mentions under “when to use a VPN”), which are the real use cases people buy them for.
It’s kind of like when shops selling bongs would market them as “tobacco accessories”, but there was a wink-and-nudge understanding about how they would really be used.
The thing that bothers me is that we've had these things for so long, but no one does any actual research about them, so we still can't say that we know they don't work, but only that we don't know that they work. And "we don't know that they work" doesn't really convince people who say "thousands of years of tradition say that they work, and my great aunt was healed by it".
Research has been done, and has shown herbal medicines to not work[1], to nobody's surprise. Sure, there's not a huge amount of research into the matter, but this is comparable to the small amount of research time sunk into verifying if prayer can cure cancer.
Nonsense like "rhino horns look like an erect penis, so surely they will give you erections" should be dismissed without further discussion, but unfortunately a multi-billion dollar industry continues to wipe out rare and endangered species for magic cures that can't possibly work.
[1] A large subset of such medications are basically stimulants that make patients feel better but do more harm than good. My father in law was scammed this way by a herbal doctor that gave him such huge doses as to cause heart damage.
We have done this research, and the result is called "medicine" now instead of "herbal medicine".
Aspirin used to be extracted from tree bark.
Opium and morphine is the juice of the opium poppy.
Penicillin is from a mould.
Botox is from a bacteria.
Heck, there's an entire subset of the pharma industry running around testing every damned plant, weed, and flower to see if it has some sort of useful effect! There's even been movies made about this! https://www.imdb.com/title/tt0104839/
We've tested herbal medicines, and use the pure extracts from those that do actually work every day in every country.
That doesn't mean the guy selling dried tiger penis should be allowed to open shop next to a pharmacy and claim mysterious properties "unknown to science".
> Is "geofence bypass for region-locked content" actually “illicit”?
Yes, in practically every jurisdiction. It’s wilful breach of contract, tortious interference with the content distributor’s licensing schemes and copyright infringement.
Unless you have any explicit court case decisions to the contrary, I'm calling bullshit. I did a simple Google search and could not find any examples of someone being sued or prosecuted for region bypass.
When was the last time you heard of anyone murdering someone with a sea cucumber? People obviously use VPNs all the time for region bypass, and have for years, so if anyone had an issue with it it surely would have had some relevant legal proceedings.
Laws only mean what courts say they mean. Besides that, I have simply never heard any argument of region bypass being illegal or otherwise illicit, and you haven't provided any evidence to the contrary.
A notable exception being the use of a VPN to access region-protected content.
INAL, but while this use case might violate ToS, the case law suggests that courts deem this to be fair use provided you don't breech other laws in the process (e.g, copyrights).
> tortious interference with the content distributor’s licensing schemes
No it's not.
Tortious interference with a business relationship is no doubt what you're referring to here, but it's a long bow with multiple layers of indirection. It is "intentionally acting to prevent someone from successfully establishing or maintaining business relationships with others".
Miramax, as a content distributor, might license their content to Netflix.
You are a customer of Netflix.
Now say you are a customer of NordVPN.
For one, NordVPN isn't trying to prevent you maintaining a business relationship with Netflix. Nor is it trying to prevent Netflix having a business relationship with Miramax.
NordVPN may provide you means by which you can choose to be in violation of your TOS with Netflix. It's not acting to ensure you are.
Netflix doesn't have to -allow- this, hence VPN/proxy detection. But they have recourse, drop you as a customer, for you, the customer's, actions, not for NordVPN's actions. Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix.
> Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix
No, but they could argue that the VPN user interfered with their licensing scheme. (If everyone in a region circumvented geoblocks, why would someone in that region pay for regional rights to that content?) They wouldn’t, because it’s not worth it.
This is false, it is not illegal. You might be in violation of a specific contract, but that is far from it being illegal. For example Steam might ban you if you circumvent a region lock. Reason for that is that there are other legal requirements for them as a market place.
I highly doubt you know the laws in every region globally. This may be true in yours, but it's not a good idea to make such blanket, objective statements online.
> Exactly. Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??
Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information. My VPN (usually) exits in the same "region" as my real location; I guess if I hit a geoblock I could look at that, but it hasn't come up.
You can set mullvad (which offers VPN service) as your DNS over https server. Traffic is also mostly encrypted by https. Your ISP still gets the destination IP addresses, though they are harder to track.
Skipping the broader discussion of AI, the ridiculous amount of automatic and human impossible pattern, matching and correlation with seemingly harmless data is something that I don’t think we are equipped to fully comprehend.
The time at which I hit some meta CDN, seems harmless. Until combined with some cookie and some access time to some asset it uniquely identifies me to previously anonymized data.
So no, I do not think HTTP and a good DNS are enough.
No; until Encrypted Client Hello is ubiquitous HTTPS still has domains in cleartext. Also, I don't think we should be casually dismissing tracking by IP addresses.
If the local ISP has a 100% chance of monetizing my data and the VPN provider has anything less than that, then it's still a win.
(Longer answer: This boils down to the weighted probabilities; if the ISP was meaningfully regulated such that it was legally restricted from doing certain things with my data, that might matter, and one should also play in the exact likelihood that either party is selling my data. In my case the weighted probability is wildly in favor of a VPN, but I suppose I can imagine situations where that wouldn't hold.)
It’s their business (value proposition) to not do the same and most explicitly commit to that. They also get third party aidiots and publish results. This isn’t fool proof but it’s better than trusting Comcast or ATT or whoever.
> You're just trading your ISP for a different third-party
Yes.
> who has all the same incentives.
And no. The ISP has little to no competition or incentive to not sell my information, while the VPN provider has loads of competition and often has user privacy as a core part of their value proposition.
Besides - even if both of the did have the same incentives, one openly says they're selling my data and one says they're not. At worst it's a gamble between the VPN lying and the ISP telling the truth.
In many (US, at least) locations, there is only a single provider of fixed broadband. Not sure how it is elsewhere, but without a more customer-friendly framework (infrastructure isn't owned by the same entity selling user access), I can't imagine too many places have multiple, parallel cable or fiber networks in a single town/city.
The availability of internet service providers typically varies by state and even by city. In many cases, your choices might be limited. Often, you may find yourself restricted to a single cable provider, with the possibility of DSL, but not much else, unless you consider wireless options. Installing a wired line can range from very difficult to nearly impossible. Cities might impose a moratorium on new installations, often due to lobbying, and even if installation is permitted, the costs can be exorbitant. For example, the cost of laying new lines can reach into the hundreds of thousands of dollars, with service providers generally unwilling to cover these costs. One recent quote I saw was as high as $160,000.
I reckon the majority of VPN sales are actually people being bombarded by adverts and sponsorships for VPNs and think that is actually of benefit. I am constantly bombarded by questions on which VPN product to use from people who are even unaware you can steal content.
My dad used to complain that he couldn't get on certain websites, got CAPTCHAs a lot more than he used to and often prices came up in US dollars on his computer, turns out he paid for a 3y plan to NordVPN and had it start on start up on his computer.
He can barely work the Sky box never mind stream stuff from the internet, he got duped into thinking it would make him "safer" when in reality it just makes using the internet a lot harder as everyone flags your traffic as malicious based on the datacentre IP.
Because people run crawlers and perform illegal activity, and/or because ‘security companies’ sell the IP lists as low reputation potentially malicious IPs?
Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captcha's.
>Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captcha's.
Because I've hosted websites where blocking datacentre IPs has caused a massive reduction in spam and malicious activity - and tried to use Google search with Mullvad dialled only to be greeted by a CAPTCHA every other search.
As someone who operated a high fraud target during the pandemic, I am comfortable asserting that while not all commercial VPN traffic is fraudulent or malicious, most fraudulent or malicious traffic is over VPN.
Yes, lots of people have other primary use cases? Why is that even a surprise?
VPN companies are more trustworthy than my ISP. Many get third party audits and publish results. And if the VPN company and server are in a privacy friendly country, they are hard to subpoena. Individual privacy being the default is itself valuable.
This is leaving aside numerous other reasons like avoiding censorship or persecution or whatever.
But that said, on this point I do agree with the author: privacy improvements from using a VPN are marginal for the average user due to the now widespread use of HTTPS. Yes, your ISP can see which domains you visit, but that's about it. I'm curious if there have been any successful lawsuits or prosecutions based solely on domain access logs.
I absolutely despise my ISP’s business arm, but I trust their network arm not to do something stupid. I certainly trust them more than a company in a remote tax haven with a broken legal system.
Sweden and Switzerland are hardly 'remote tax havens with broken legal systems.' you don't actually prefer your ISP's DNS service over something like say, Quad9's, do you?
LOL. Several of the large ones are owned by the same entity.
The main reason they exist is to do grey market bypass of controls becoming media access. If you trust them to not do some grey/shady exploitation of your metadata, more power to you. Sounds foolish to me.
My ISP Comcast (sometimes called Xfinity) has regularly done MITM attacks that inject javascript into web pages since 2013. Surfing the web without tunneling my connection is unacceptable with an ISP that commits CFAA crimes like this. It is a valid use case for a VPN or VPS tunnel for the 30 million of us stuck with a comcast monopoly.
I am old fashioned. So I would use a VPN if I want to prevent my landlord from getting a cease and desist letter from a lawyer when I download warez. Mostly audio books, and textbooks, but also movies and music.
Ie, it's the use case where you Pirate all the media, and use a VPN as a security bandaid against anti-post-scarcity busybodies.
There's no ethical difference between faking your location to bypass licensing and copyright and downloading a file via torrent to bypass licensing and copyright. Both are piracy.
My primary use case for a vpn is i dont trust people on my guest network and dont want their traffic looking like it is coming from an ip associated with me. I am not protecting against 3 letter agency levels of surveillance so i dont need the extra benefit and slowness of tor, i just need to move that traffic to a different jurisdiction to complicate things enough that people dont bother to figure out it came from my network on the off chance that someone i let on myguest network does something untoward.
That's a valid privacy concern
But is a VPN service a good solution? Certainly not if you are on a shared IP with the VPN.
I know you can get some with a dedicated IP, but with most VPN providers it is still probably coming out of a cesspool of ips that you don't want any kind of association to.
Shared ip is even better if you are reasonably sure the provider deletes logs (i.ec you are using mullvad). Good luck proving in a court of law which of the firehouse of clients did whatever you are claiming.
Except that use-case doesn't even work because any service worth a salt just blocks the VPN's IP addresses. For example: US citizen living in US goes to the UK and uses VPN service to watch US-based netflix. Netflix blocks this.
There's also bypassing nanny software in coffee shops. I've had checking a word meaning on Urban Dictionary and checking the odds of Trump winning 2024 blocked by that. I guess for naughty words and gambling?
I felt stupid when someone told me what the 'roses in a glass' tubes that were sold in convenience stores were really used for, but I guess it never occurred to me that crack pipes would be something these places would want to be associated with. At least it restored my faith in romantic gestures a bit to know people weren't buying them as a token of love.
The bodega sells whatever people want to buy, as long as it doesn't get the bodega in trouble for doing so.
Beer, wine, booze, tobacco, and vapes are obvious, but things like cough medicine (dextromethorphan), diarrhea pills (loperamide), little roses in neat glass tubes, and air dusters (let's kill some brain cells!) are perhaps less-obvious.
The bodega wants to be associated with being the place where a person can stop in and buy anything, from a can of soup to a pair of pants.
I once asked why levothyrox, a drug to compensate a dying thyroid, is so regulated (at least in France). It's not like it's psychotic or something, it is just a hormone. Turns out people were buying it expecting weight loss...
It's because of such idiots that people whose life is already complicated gets it even more.
It's an opiate, and some opiate addicts like loperamide. It's certainly not the fix they're looking for, but some of them like it enough that -- unlike seemingly every other OTC drug they stock -- it is kept behind the counter at the Dollar General near me, so that a would-be buyer has to ask for it.
And that's not a result of regulation (anyone can buy as much as they want), but is rather a result of stock shrink. It tends to disappear in some less-than-savory neighborhoods.
(I use loperamide occasionally for its main intended purpose of settling my gut down enough that I can do something other than hang out near a bathroom while I quickly dehydrate, and more than once it has been legitimately hard to find in some areas when I've needed to buy more.)
NYC has Mullvad ads plastered everywhere. They bill themselves as protection from corporate surveillance. This is not wink-wink advertising. It’s an attempt to swindle somewhat tech literate people through a lie.
Sure you and everyone else on HN know what a VPN for, but that’s not the case for 97% of the people on a subway car who see their latest campaign.
This is exactly what it is. Almost everyone I know here in my country, which has not (yet) gone China, who uses a VPN does so exclusively to access sites and services that are banned or not reachable here (read porn, p2p, and geo-limited services like Hulu, and Spotify before it was released here etc). No one, absolutely no one, uses it for privacy and security.
I've never seen a whole lot of value in personal VPNs; it's basically trading one network that can observe you for another. Often with unverifiable claims about not observing you.
But, it can be helpful to trade one network's routes for another, in cases where direct routing between you and your desired peers is poor for whatever reason. And it's clearly useful for circumventing geographic restrictions (as long as those imposing the restrictions dont' care to identify and restrict access through VPNs)
In general I agree about it not providing security benefit, but they can reduce the exposure of eavesdropping like DNS leaking browsing patterns, and so on. Sure, you’re now leaking your DNS traffic to the VPN server, but in my opinion it’s better to leak that to somewhere external than somewhere close by (e.g. to companies or individuals directly related to your network that will use it for monitoring and monetisation)
https downgrade attacks and the like (html injection on http pages) can also be thwarted (unless they are done on the vpn->service path ofc),
Wouldn’t switching to something like Cloudflare’s 1.1.1.1 DNS mostly solve the DNS issue without going the VPN route? The user’s DNS provider would no longer be their ISP.
Does that work anymore with DNS over HTTPS? I think the real leak is that until we get Encrypted Client Hello your HTTPS connections expose the domain in plaintext so DNS is kind of a moot point.
It does not. DoH and DoT is a real lifesaver for the privacy-minded people.
And it's hell for the security minded people. Before I could do DNAT on my router to redirect everything to my Pi-Hole, even the Google Mini that staunchly ignored the handed out DNS, but used 8.8.8.8.
But soon they'll start using DoH and I can't do anything anymore at all.
Say I sell snake oil, and I say it will cure cancer. Then Peter comes and buys it because he lubricates his discumbulator machine with it. It has a legitimate use, and maybe I even know that, but I still sell it as a cancer cure (which it isn't). Its still snake oil.
Argument is based on the assumption that "probably only one percent of users correctly use a kill switch", and in general shows a low level of understanding of threat models and the swiss cheese security model. Author assumes to know the intentions of VPN users and asserts users are dumb, also throwing unnecessary barbs at "wannabe hackers". Unprofessional article, bad advice, no differentiation between nonlogging services and services like nordvpn that bundle google analytics and tracking into their application.
My take? Do a threat assessment, build a threat model, know your adversary be it your own ISP selling your data or protection against hostile state entities when traveling overseas. There are many valid uses for the various types of commercial VPN and instead of an objective look at these services the author walks in with an assumption that they are all the same and never provide value to their customers, then bends over backwards to attempt to make weak arguments against a vast category of service.
I think this is one of the biggest misunderstandings about security that there's one linear scale and that every solution can be assigned a generic positive/negative delta on that.
Author is correct that TOR has better privacy than a better VPN because TOR means you are truly anonymous (assuming the network is not majority compromised).
However, bandwidth and latency on TOR suck, and in many cases the endpoint IPs are blacklisted to hell due to abuse. A VPN is a nice middle ground where your can put another entity between yourself and your traffic, which is valuable against most opportunist adversaries. If a TLA wants me and can get a warrant, not even TOR will save me, but a VPN keeps the ISP from selling my traffic and the media trolls from sending me grumpy letters because the neighbors keep using my wifi to watch free content.
Everyone is pointing out that the article shoots itself in the foot by giving three very good reasons for VPNs and dismissing them. But I think there's a fourth reason that isn't mentioned:
The US doesn't have reasonable privacy laws and I don't trust my VPN to not sell my browsing history to anybody with two pennies to rub together.
Yeah, I can (and do) use DNS over HTTP, but the ISP still knows what IPs I am connecting too. It's trivial to find out what domains are hosted there.
Furthermore, they use their VPN clients as proxies and sell access to their network to scrapers and botnetters. Usually the rule of thumb is that if you're not paying, you're the product, but in this case they manage to double dip. That's where the real funding comes from.
It is really question do you trust your ISP or do you trust your VPN provider? And if you are doing something your state might have interest in. Well VPN options might also be questionable. Either in some adjacent state, or other ways scrupulous...
>But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.
ISPs often have captive markets and have enough political sway to grant them said captive markets. VPN companies have none of that, and live or die based on their reputation, so they arguably have more of an incentive to behave well. Meanwhile some ISPs have even admitted to selling your traffic for marketing purposes or are forced by the government to keep records. There's plenty of shady VPN companies out there, and not all ISPs are scummy and sell your info, but there's quite a bit of range between the scummiest ISP and the best VPN, and for a subset of people using VPNs definitely makes sense.
1) You can choose where in the world your traffic exits.
2) You can switch your VPN provider or even use/stack multiple and it’s easier than changing ISPs which encourages innovation.
3) ISPs and VPNs are regulated differently. In many if not most countries ISPs have to log and store certain PII.
Yes. Via the new age verification laws which require any site with a considerable amount of 18+ content to verify their users are 18+. This has passed in a few states. Leading Pornhub, and some other porn sites, to block access from those states.
The age verification laws are written pretty broadly and could be used to target a wide variety of content. Not just porn. Anything the state deems 18+ would require age verification.
These laws are facing some court challenges. If we're lucky, the laws will not survive.
VPN or not, the biggest MiTM threat to privacy on the web is Google. They may not be actively malicious and steal your bank info, or do other nefarious stuff, but they will always oppose end-end encryption. Google's stance is to lock out the competition under the guise of "protecting" users, so only they can spy on user data.
Although i agree with the overall message, there are privacy concerns with OCSP[1] which are mitigated by using a VPN. When trying to use the web privacy conscious, it might actually be beneficial to your privacy. This is a very edge case though.
I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the peering connection between AT&T and FFXIV's US ISP (NTT) was particularly bad. [1]
This manifested as pretty severe connection issues for AT&T customers playing FFXIV. Except, it was a chronic issue that would only flare up when that particular connection point was stressed.
One of the easiest workarounds? Hop on a VPN.
That's one example. Anecdotally, I have a few friends that toggle VPNs on and off when they encounter "network weather" in games. Personally, I'm a bit skeptical they're truly so often mitigating problems by toggling a VPN (instead of, say, just waiting a couple minutes), but hey, they swear by it.
It's baffling that banks/governments that do geoip based risk assessments (ie. the ones that would lock your account if you tried logging in from a random country) wouldn't flag logins from a VPN/datacenter IP. Those basically tell you nothing about where the user is actually logging in from, and they should therefore treat them as if you're logging in from a random country.
1. it's more expensive than commercial VPNs, which you can often get for <$3/month, or even less with promos/cashback sites
2. you're limited to one region, which means you can't use it as effectively for geoblock evasion purposes.
3. you get less anonymity because you get a static ip that's assigned to you only, as opposed to a commercial VPN provider where you can connect to hundreds/thousands of servers each of which are used by probably hundreds of users.
If a VPN provider doesn't keep logs and if their routes to you are not being tapped for packet timing correlation then they are superior in privacy to DIY VPNs due to them laundering your connections/packets with multiple other people.
I need a VPN to do a lot of stuff with crypto now because websites are blocking Americans. $5 a month and having to use it is annoying, but I'd have missed out on thousands of dollars of income if I wasn't using one.
There is a fourth use case for VPNs: evading traffic shaping and censorship on public wifi hotspots. Many hotels block not just porn sites but also legitimate news pages (e.g. Torrentfreak), and most drastically throttle YouTube, Netflix and other streaming-heavy sites.
A fifth use case is related: evading bad peering. Deutsche Telekom was infamous for years to "double dip", i.e. requiring that other (backbone/regional) ISPs pay them for peering, and so DTAG customers that tried to access Hetzner servers were throttled as the Hetzner-Telekom link got saturated in the peak traffic times.
For real, this is the only case where I wouldn't mind AWS to actually use their market size firepower. Throttle all of DTAG on a single 1 GBit/s link and tell them, either you peer with us for free like everyone else, or you'll have to deal with annoyed users.
- In Hotel, Airport. VPN can be used to bypass DNS based captive portal.
- Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage, even though everything is ssl, there are still a lot of plain-text data flying around. So yeah, ProtonVPN, ftw.
I care, and my feeling is that more people do each day as they become aware of how tracked they are. Why does anyone need to know anything about me - it feels like a violation. There are all sorts of possible costs to that, but I think many of us value privacy on its own.
But as for an attacker - maybe they discover something about you from one compromised service and correlate it to something else. Or maybe they extort you in some way. Who knows - there are many possibilities and it’s safer to reduce exposure.
204 comments
[ 4.3 ms ] story [ 221 ms ] threadAnd it's unregistered!
https://www.namecheap.com/domains/registration/results/?doma...
Edit: Per below, missed the last dot. zoltanbalazs is registered. https://www.namecheap.com/domains/registration/results/?doma...
Also, what would be more interesting: a financial breakdown of how an average free VPN provider makes money.
I assume ad injection + selling traffic data, but does that make enough to offset the cost?
I know I read a article about one where they at least routed some other traffic through the vpn app, but I can't find the article anymore.
facebook used their vpn onavo to mitm users of snapchat, amazon, youtube: https://techcrunch.com/2024/03/26/facebook-secret-project-sn... – somehow I had missed this, I was only aware of the much older scoop about facebook using it to track underaged users: https://techcrunch.com/2019/01/29/facebook-project-atlas/
It's worth pointing out that while it operated as a VPN (so it could capture traffic), it was ostensibly marketed as a "security" app (ie. scanning your web traffic for threats). It's not really a good example of shady VPNs.
zoltanbalazs.com was registered in 2021.
Sadly, doesn't look like there's anything hosted on zoltanbalazs.com
Anyway is this comment a reference to the domain? I don't understand what you mean
> - Geofence bypass
> - Piracy
> - Soft network block/censorship
Among all the people I know who use the kind of VPN services talked about here, these are exactly their reasons for using them. Obviously advertisements are going to shy away from these angles.
[0] https://news.ycombinator.com/item?id=8863
The problem is people who aren’t aware of this see these ads and think that they actually do prevent hackers from stealing their information.
Considering that confidentiality is a vital component of overall security, it's not necessarily unreasonable to describe a VPN as a security product. Of course, it's not the panacea some companies claim; nobody's "surfing the web in full security and privacy" with just a VPN service.
Renting a car in Belgium from the Canadian website is cheaper than renting the same car on the Belgian website.
I use Visible (pre-paid Verizon), and they very clearly deprioritize, say, youtube when things get crowded. I turn on my VPN and all of a sudden I can play 1080p no problem.
It’s kind of like when shops selling bongs would market them as “tobacco accessories”, but there was a wink-and-nudge understanding about how they would really be used.
Did you know the original vibrator was a medical device by doctors to automate treatment of Hysteria?
1) https://jhupbooks.press.jhu.edu/content/technology-orgasm
2) https://www.psychologytoday.com/us/blog/all-about-sex/201303...
3) https://www.bbc.com/future/article/20181107-the-history-of-t...
We might have a long way yet to go as a species, but we’ve sure come a long way.
Nonsense like "rhino horns look like an erect penis, so surely they will give you erections" should be dismissed without further discussion, but unfortunately a multi-billion dollar industry continues to wipe out rare and endangered species for magic cures that can't possibly work.
[1] A large subset of such medications are basically stimulants that make patients feel better but do more harm than good. My father in law was scammed this way by a herbal doctor that gave him such huge doses as to cause heart damage.
Plenty of herbal medicines are effective. Which is why we need research to understand which ones are, and which ones are bullshit.
Aspirin used to be extracted from tree bark.
Opium and morphine is the juice of the opium poppy.
Penicillin is from a mould.
Botox is from a bacteria.
Heck, there's an entire subset of the pharma industry running around testing every damned plant, weed, and flower to see if it has some sort of useful effect! There's even been movies made about this! https://www.imdb.com/title/tt0104839/
We've tested herbal medicines, and use the pure extracts from those that do actually work every day in every country.
That doesn't mean the guy selling dried tiger penis should be allowed to open shop next to a pharmacy and claim mysterious properties "unknown to science".
https://www.theatlantic.com/health/archive/2018/09/victorian...
https://archive.is/idRiW
Whenever a state in the US passes a new "we need your ID to watch porn" law, sales of personal VPNs must predictably skyrocket in that state.
Yes, in practically every jurisdiction. It’s wilful breach of contract, tortious interference with the content distributor’s licensing schemes and copyright infringement.
I also don’t think there is prosecutorial precedent for murdering someone with a sea cucumber; that doesn’t make it licit (or legal).
Laws only mean what courts say they mean. Besides that, I have simply never heard any argument of region bypass being illegal or otherwise illicit, and you haven't provided any evidence to the contrary.
INAL, but while this use case might violate ToS, the case law suggests that courts deem this to be fair use provided you don't breech other laws in the process (e.g, copyrights).
No it's not.
Tortious interference with a business relationship is no doubt what you're referring to here, but it's a long bow with multiple layers of indirection. It is "intentionally acting to prevent someone from successfully establishing or maintaining business relationships with others".
Miramax, as a content distributor, might license their content to Netflix.
You are a customer of Netflix.
Now say you are a customer of NordVPN.
For one, NordVPN isn't trying to prevent you maintaining a business relationship with Netflix. Nor is it trying to prevent Netflix having a business relationship with Miramax.
NordVPN may provide you means by which you can choose to be in violation of your TOS with Netflix. It's not acting to ensure you are.
Netflix doesn't have to -allow- this, hence VPN/proxy detection. But they have recourse, drop you as a customer, for you, the customer's, actions, not for NordVPN's actions. Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix.
No, but they could argue that the VPN user interfered with their licensing scheme. (If everyone in a region circumvented geoblocks, why would someone in that region pay for regional rights to that content?) They wouldn’t, because it’s not worth it.
I highly doubt you know the laws in every region globally. This may be true in yours, but it's not a good idea to make such blanket, objective statements online.
Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information. My VPN (usually) exits in the same "region" as my real location; I guess if I hit a geoblock I could look at that, but it hasn't come up.
Wouldn’t that address your concern?
Skipping the broader discussion of AI, the ridiculous amount of automatic and human impossible pattern, matching and correlation with seemingly harmless data is something that I don’t think we are equipped to fully comprehend.
The time at which I hit some meta CDN, seems harmless. Until combined with some cookie and some access time to some asset it uniquely identifies me to previously anonymized data.
So no, I do not think HTTP and a good DNS are enough.
https://en.m.wikipedia.org/wiki/Server_Name_Indication
But then how do you stop your VPN company from doing the same? You essentially have two ISPs now.
(Longer answer: This boils down to the weighted probabilities; if the ISP was meaningfully regulated such that it was legally restricted from doing certain things with my data, that might matter, and one should also play in the exact likelihood that either party is selling my data. In my case the weighted probability is wildly in favor of a VPN, but I suppose I can imagine situations where that wouldn't hold.)
They probably could sell my traffic, but I estimate it (based on vibes) as being less likely than for most other intermediaries
Yes.
> who has all the same incentives.
And no. The ISP has little to no competition or incentive to not sell my information, while the VPN provider has loads of competition and often has user privacy as a core part of their value proposition.
Besides - even if both of the did have the same incentives, one openly says they're selling my data and one says they're not. At worst it's a gamble between the VPN lying and the ISP telling the truth.
"Are you downloading films from anywhere?"
"Huh what from Disney Plus?"
He can barely work the Sky box never mind stream stuff from the internet, he got duped into thinking it would make him "safer" when in reality it just makes using the internet a lot harder as everyone flags your traffic as malicious based on the datacentre IP.
I occasionally fire up Mullvad when I’m on the go. I get blocked way more often when I use it
So has anyone behind random CGNAT.
VPN companies are more trustworthy than my ISP. Many get third party audits and publish results. And if the VPN company and server are in a privacy friendly country, they are hard to subpoena. Individual privacy being the default is itself valuable.
This is leaving aside numerous other reasons like avoiding censorship or persecution or whatever.
But that said, on this point I do agree with the author: privacy improvements from using a VPN are marginal for the average user due to the now widespread use of HTTPS. Yes, your ISP can see which domains you visit, but that's about it. I'm curious if there have been any successful lawsuits or prosecutions based solely on domain access logs.
Side question: Anyone know of a gateway or self-host service which supports DNS over HTTPS relay?
i.e. it will accept vanilla DNS requests, but if it needs to forward requests, it will only do so to DoH / DoT servers?
The main reason they exist is to do grey market bypass of controls becoming media access. If you trust them to not do some grey/shady exploitation of your metadata, more power to you. Sounds foolish to me.
Ie, it's the use case where you Pirate all the media, and use a VPN as a security bandaid against anti-post-scarcity busybodies.
> Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??
There's no ethical difference between faking your location to bypass licensing and copyright and downloading a file via torrent to bypass licensing and copyright. Both are piracy.
does that count?
Beer, wine, booze, tobacco, and vapes are obvious, but things like cough medicine (dextromethorphan), diarrhea pills (loperamide), little roses in neat glass tubes, and air dusters (let's kill some brain cells!) are perhaps less-obvious.
The bodega wants to be associated with being the place where a person can stop in and buy anything, from a can of soup to a pair of pants.
I once asked why levothyrox, a drug to compensate a dying thyroid, is so regulated (at least in France). It's not like it's psychotic or something, it is just a hormone. Turns out people were buying it expecting weight loss...
It's because of such idiots that people whose life is already complicated gets it even more.
News to me as well
And that's not a result of regulation (anyone can buy as much as they want), but is rather a result of stock shrink. It tends to disappear in some less-than-savory neighborhoods.
(I use loperamide occasionally for its main intended purpose of settling my gut down enough that I can do something other than hang out near a bathroom while I quickly dehydrate, and more than once it has been legitimately hard to find in some areas when I've needed to buy more.)
Sure you and everyone else on HN know what a VPN for, but that’s not the case for 97% of the people on a subway car who see their latest campaign.
"Our hotel uses unencrypted wifi, so if you want any kind of privacy on hotel network, please use a VPN, kthxbye."
But, it can be helpful to trade one network's routes for another, in cases where direct routing between you and your desired peers is poor for whatever reason. And it's clearly useful for circumventing geographic restrictions (as long as those imposing the restrictions dont' care to identify and restrict access through VPNs)
https downgrade attacks and the like (html injection on http pages) can also be thwarted (unless they are done on the vpn->service path ofc),
Only if the ISP doesn't do DPI to transparently route any outgoing DNS traffic to their (censoring) servers. There have been enough cases of that.
And it's hell for the security minded people. Before I could do DNAT on my router to redirect everything to my Pi-Hole, even the Google Mini that staunchly ignored the handed out DNS, but used 8.8.8.8.
But soon they'll start using DoH and I can't do anything anymore at all.
I believe IMDb on iOS already uses DoH.
My take? Do a threat assessment, build a threat model, know your adversary be it your own ISP selling your data or protection against hostile state entities when traveling overseas. There are many valid uses for the various types of commercial VPN and instead of an objective look at these services the author walks in with an assumption that they are all the same and never provide value to their customers, then bends over backwards to attempt to make weak arguments against a vast category of service.
However, bandwidth and latency on TOR suck, and in many cases the endpoint IPs are blacklisted to hell due to abuse. A VPN is a nice middle ground where your can put another entity between yourself and your traffic, which is valuable against most opportunist adversaries. If a TLA wants me and can get a warrant, not even TOR will save me, but a VPN keeps the ISP from selling my traffic and the media trolls from sending me grumpy letters because the neighbors keep using my wifi to watch free content.
There is no such guarantee AFAIK, as long as a bad actor controls all the nodes in YOUR route, they can deanonymize you.
The US doesn't have reasonable privacy laws and I don't trust my VPN to not sell my browsing history to anybody with two pennies to rub together.
Yeah, I can (and do) use DNS over HTTP, but the ISP still knows what IPs I am connecting too. It's trivial to find out what domains are hosted there.
But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.
https://oxylabs.io
Guess.
ISPs often have captive markets and have enough political sway to grant them said captive markets. VPN companies have none of that, and live or die based on their reputation, so they arguably have more of an incentive to behave well. Meanwhile some ISPs have even admitted to selling your traffic for marketing purposes or are forced by the government to keep records. There's plenty of shady VPN companies out there, and not all ISPs are scummy and sell your info, but there's quite a bit of range between the scummiest ISP and the best VPN, and for a subset of people using VPNs definitely makes sense.
Guess.
* In the Bible Belt (a.k.a. Chistianstan) and some Muslim countries it is to access porn.
* In Canada and Mexico is about accessing what Netflix doesn't provide to their countries.
* In hybrid offices it is about the second job that they do remote and hidden.
They want something simple for a couple of months and then just discard it. VPNs are good for that.
The age verification laws are written pretty broadly and could be used to target a wide variety of content. Not just porn. Anything the state deems 18+ would require age verification.
These laws are facing some court challenges. If we're lucky, the laws will not survive.
>even better, a browser built with privacy in mind
which is full of VPN ads https://www.privacytools.io/privacy-vpn. Browse https://www.privacyguides.org/en/vpn/ better.
[1] https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...
In an attempt to be edgy, their website was at:
triplew.dot.net.au
"triple w dot dot dot net dot au"
I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the peering connection between AT&T and FFXIV's US ISP (NTT) was particularly bad. [1]
This manifested as pretty severe connection issues for AT&T customers playing FFXIV. Except, it was a chronic issue that would only flare up when that particular connection point was stressed.
One of the easiest workarounds? Hop on a VPN.
That's one example. Anecdotally, I have a few friends that toggle VPNs on and off when they encounter "network weather" in games. Personally, I'm a bit skeptical they're truly so often mitigating problems by toggling a VPN (instead of, say, just waiting a couple minutes), but hey, they swear by it.
[1]: https://forum.square-enix.com/ffxiv/threads/482155-Bad-lag-a...
I run a low-volume scraper which benefits a ton from keeping the IP address fresh.
So I guess, in a sense, I’m grateful that enough people are paying for ~nothing to make the service pretty great.
1. it's more expensive than commercial VPNs, which you can often get for <$3/month, or even less with promos/cashback sites
2. you're limited to one region, which means you can't use it as effectively for geoblock evasion purposes.
3. you get less anonymity because you get a static ip that's assigned to you only, as opposed to a commercial VPN provider where you can connect to hundreds/thousands of servers each of which are used by probably hundreds of users.
A fifth use case is related: evading bad peering. Deutsche Telekom was infamous for years to "double dip", i.e. requiring that other (backbone/regional) ISPs pay them for peering, and so DTAG customers that tried to access Hetzner servers were throttled as the Hetzner-Telekom link got saturated in the peak traffic times.
[1] https://www.golem.de/news/hetzner-und-netzneutralitaet-extra...
- In Hotel, Airport. VPN can be used to bypass DNS based captive portal. - Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage, even though everything is ssl, there are still a lot of plain-text data flying around. So yeah, ProtonVPN, ftw.
So an "attacker" can figure out that you browse hacker news. Who cares?
But as for an attacker - maybe they discover something about you from one compromised service and correlate it to something else. Or maybe they extort you in some way. Who knows - there are many possibilities and it’s safer to reduce exposure.