On April 3, 2017, a measure was signed into federal law repealing FCC broadband privacy rules that would have required Internet service providers to get your consent before collecting and selling your personal data. Your physical location, your browsing history, and the Internet apps you use are all now fair game for a price tag. One of the ways you can maintain your privacy is with a virtual private network (VPN). While these were originally designed for business users, VPNs have greatly expanded in recent years to cater to personal use as well. But not all are created equal, so we've created this guide to help you navigate through a sea of choices.
First, what is a VPN?
A virtual private network is an encrypted tunnel between your device and a server run by the VPN provider. All of your traffic travels inside that tunnel, so your Internet service provider can't see which websites you're going to or the data you're transmitting. Your ISP can see only that you're exchanging traffic with a VPN server (along with how much and when). On the other end, the website you're connecting to sees the IP address of the VPN server instead of your device's. Its logs will show a visit from the VPN, not from you, so the only place the link between your address and that visit exists is at the VPN provider. Privacy-oriented providers say they don't keep such logs, but that is a claim you have to take on trust. And the website can still recognize you by other means, such as cookies or an account you log into.
Since your ISP can't see where you're going, and the website can't see where you came from, this helps to preserve your online privacy and anonymity. But before you sign up for that free VPN that's been spamming you with ads, let's talk about what a VPN can't do.
What a VPN is not
Despite what many sketchy VPN companies will tell you, a VPN won't make you invisible or truly guarantee that no one can snoop on you. The VPN provider itself may be secretly monitoring your activities to sell your user data later, its software or servers may have exploitable flaws or leak your real IP address through misconfigured DNS, or it may even be using your Internet bandwidth to run its network. In fact, the stronger a provider's claims are about your safety, the more skeptical you should be.
Also, VPN server addresses are not secret: the exit address is visible to every website you visit, and lists of VPN addresses circulate freely. A third party that can watch traffic entering and leaving those servers may be able to correlate timing and volume to piece together who is connecting to what, or may simply have the servers blocked or shut down.
Also, the connection between the VPN server and the websites that you visit is not necessarily encrypted. The VPN has no control over that leg of the trip. Your bank website (hopefully) encrypts your connection to it with HTTPS, but this doesn't happen as a rule. Google and Mozilla have been using their browsers to push all websites toward encrypting their traffic, but given the sheer number of sites out there, converting everyone will take years. Check for the padlock in the address bar before entering anything sensitive, VPN or not.
Finally, many VPN services block peer-to-peer traffic to protect themselves from piracy lawsuits. So there may be limitations on the kind of web activities you can engage in, even when your P2P use is legal.
Because of these issues, a VPN alone may not be enough to protect you against a determined spy. You may need to combine a VPN with Tor (see below) or another privacy tool to protect yourself.
Countries (and groups of countries like the European Union) have varying laws on what they allow companies operating on the Internet to do. The EU's Data Retention Directive of 2006 required communications providers to retain certain customer data, including the IP addresses assigned to users, for between six months and two years so that law enforcement could identify specific users. That is a problem for a VPN service that's trying to advertise privacy and anonymity.
Such retention has problems of its own: the stored data can be stolen or accidentally disclosed, and it is difficult to prove in court that a specific person is linked to the activity log of a specific IP address, since an unauthorized individual may have been using the address without the legitimate owner's knowledge. Germany's Federal Constitutional Court struck down its national implementation of the directive in 2010, the Romanian and Czech constitutional courts did likewise, and in 2014 the Court of Justice of the European Union declared the directive itself invalid. Several member states have since passed retention laws of their own, so the position in any given EU country still needs checking.
However, people in the EU also benefit from the General Data Protection Regulation, in force since 2018, which gives individuals greater control over the personal data that companies may retain.
In the United States, data retention is a complicated issue. Currently, there is no law compelling mandatory data retention, but U.S. law enforcement and intelligence agencies have ample resources and legal powers to monitor you without your knowledge. A VPN provider based in the United States may therefore receive demands from these agencies, sometimes accompanied by gag orders, without its customers ever being aware. Because of this, a number of VPN providers are deliberately headquartered outside the jurisdiction of the United States and the European Union to avoid these complications, and they usually mention this in their marketing materials.
Paying for VPN access
Let's assume you've found a VPN you trust that operates under laws that won't compromise your privacy. If you haven't, we did some research and came up with interesting choices, such as IVPN.
With a free VPN, your connection speed is usually pretty slow due to the high demand, and the variety of geographical locations you can connect to may also be limited. When you pay for VPN access, your download speed is usually unrestricted, there usually isn't a data cap, and you get a wider range of server locations to connect to.
Most paid VPNs have monthly and annual options. The more time you pay for at once, the less you pay on a monthly basis. Some services allow you to pay in three-month or six-month blocks as well, or they add a two-year option. Often you can try the service for a few days and get a full refund if you change your mind.
If privacy or anonymity is a big concern, you won't want to use your personal credit or debit card to sign up. You can use cash to buy prepaid Visa or MasterCard gift cards, though they usually come with activation fees and potentially monthly service fees. Worse, these cards usually require you to activate them online, using a physical address, name, phone number, and even a Social Security number. As a result, many people turn to VPN services that offer Bitcoin as a payment option, keeping in mind that Bitcoin transactions are recorded on a public ledger, so they are pseudonymous rather than anonymous.
Also, some services that offer a monthly subscription will not accept a gift card or reloadable card as payment, since these can eventually be depleted. These cards are also frequently limited to use within U.S. borders. So if the website's payment processor is based in Europe or Canada, for example, your card may be declined, even if you have sufficient funds. Lastly, if a stored-value card gets lost or stolen, you lose all the funds stored on it.
A number of VPN providers also support OpenVPN, an open-source VPN protocol with its own client software. Since proprietary source code can't be inspected by the public to verify what it does, even the VPN provider itself may recommend OpenVPN over its own apps. It's generally not as convenient to use (you import a configuration file from the provider instead of clicking a single button), but in exchange the code that handles your traffic, and the configuration it runs with, is open to audit.
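Importing a provider's configuration file is also where you can check for yourself that the connection is set up defensively. As an added example (not code from this article or from the OpenVPN project), here is a small shell checker that flags an OpenVPN client .ovpn file missing the hardening directives a privacy-minded user should insist on, run against two constructed sample configs. The hostname vpn.example.net and the certificate and key file names are assumptions; the directive names are OpenVPN 2.4+ syntax, and the checker assumes one directive per line with no trailing comments.

```shell
#!/usr/bin/env bash
# Added example: audit an OpenVPN *client* config for the hardening directives
# a privacy-minded user wants. Not code from the article or from OpenVPN.
set -u

# _has FILE REGEX: true if a line of FILE starts with REGEX (optionally indented)
_has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# check_ovpn_config FILE: print one finding per line; prints nothing when clean
check_ovpn_config() {
    local f="$1"
    # Directives that must be present, with the attack each one closes off
    _has "$f" "remote-cert-tls server" || echo "MISSING remote-cert-tls server: any other client cert from the same CA could impersonate the server"
    _has "$f" "verify-x509-name"       || echo "MISSING verify-x509-name: expected server certificate name is not pinned"
    _has "$f" "tls-version-min 1\\.2"  || echo "MISSING tls-version-min 1.2: control channel may fall back to TLS 1.0/1.1"
    _has "$f" "tls-crypt" || _has "$f" "tls-auth" || echo "MISSING tls-crypt/tls-auth: handshake packets are unauthenticated and the server can be probed"
    _has "$f" "auth-nocache"           || echo "MISSING auth-nocache: password stays in process memory after authentication"
    # Data-channel cipher: only AEAD modes. An absent 'cipher' line is tolerated,
    # since OpenVPN 2.5+ negotiates AES-256-GCM via data-ciphers by default.
    if _has "$f" "cipher" && ! _has "$f" "cipher[[:space:]]+(AES-(128|256)-GCM|CHACHA20-POLY1305)"; then
        echo "WEAK cipher: use AES-256-GCM or CHACHA20-POLY1305, not a CBC mode such as BF-CBC"
    fi
    # Directives that should be absent
    if grep -Eq '^[[:space:]]*(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2))[[:space:]]*$' "$f"; then
        echo "PRESENT compression: compressing the data channel enables VORACLE-style plaintext recovery"
    fi
    if _has "$f" "ns-cert-type"; then
        echo "PRESENT ns-cert-type: removed in OpenVPN 2.5; replace with remote-cert-tls server"
    fi
    return 0
}

# count_findings FILE: number of findings, as a bare integer on stdout
count_findings() { check_ovpn_config "$1" | wc -l | tr -d ' '; }

# --- Constructed sample configs (hostname and file names are assumptions) ---
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)

# A typical "it just works" config that many providers still hand out
cat >"$WEAK_CFG" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
comp-lzo
auth-user-pass
verb 3
EOF

# The same connection with the hardening directives added and the weak ones removed
cat >"$HARD_CFG" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
auth-user-pass
auth-nocache
verb 3
EOF

echo "== weak config =="; check_ovpn_config "$WEAK_CFG"
echo "== hardened config ($(count_findings "$HARD_CFG") findings) =="; check_ovpn_config "$HARD_CFG"
```

Run it against the .ovpn file your provider gives you; every "MISSING" line is a directive you can add yourself before connecting, since the client config is plain text. Note that `remote-cert-tls server` only does its job if the provider issues its server certificates with the server extended-key-usage flag, which is standard practice for OpenVPN deployments.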
Bonus considerations: Linux and Tor
Do you trust your operating system? If you really need a secure computing environment, Linux might be a better option. Like OpenVPN, Linux distributions are open source as a rule. There's a lot more code in an OS than in a VPN client, so there's more room for suspect code or bugs that threaten your security, even when the code is publicly reviewable. Still, Linux may be the better choice when privacy is paramount. Popular choices include Linux Mint, Ubuntu, and Fedora. If you need something really secure, there's also Tails, a live system that routes all of its traffic through Tor and leaves no trace on the computer it runs on.
If you suspect that your VPN is being spied on, you can layer Tor on top of it to mask your pathway to a further degree. Tor reroutes your traffic through a network of encrypted relays operated by volunteers around the world, so that no single relay knows both where the traffic came from and where it is going. The Tor Browser is a version of Mozilla Firefox that's been modified to connect through this network and to resist browser fingerprinting.
However, websites (and oppressive governments) can recognize that your traffic is coming from a Tor exit relay, since the list of exits is public, and decide to block you. Wikipedia, for example, blocks editing from Tor exit addresses. If it is your network or government blocking your connection to Tor, a Tor bridge (an unlisted entry relay, detailed on the Tor Project's website) can get you in, though it won't stop websites from recognizing the exit. Lastly, the Tor network is a relatively slow one. You won't be able to use it to stream HD videos, for example. It's optimized for privacy, rather than speed.
There is a kind of arms race going on between those who want to have privacy on the Internet and those who want to track you. The mere act of choosing one side may put you on the radar of the other. For example, the National Security Agency is known to use a system called XKeyscore to monitor the Tor network. The NSA says that XKeyscore is intended to gather information about "legitimate foreign intelligence targets," a broad classification that can include a variety of individuals, from terrorists to local politicians. That's all the more reason to use tools like Tor and VPNs for personal privacy.