Virtual Private Networks (VPNs)

Virtual private networks all perform the same basic service: providing end-to-end encryption for any data sent through them. This encryption does not stop your data from being intercepted … but merely means that the person reading the content of your data is faced with unintelligible text.

All encryption is breakable, in other words the person intercepting could, theoretically, break the encryption, the whole system relying on the fact that the computing power required to break the encryption would cost considerably more than the possible gains and could take an unreasonably long time.

Company VPNs

This end-to-end encryption would appear to be a good thing, but does depend to a great extent on where those ends are. Traditionally, VPNs have been used to facilitate remote working; this is where the two ends are firstly on the company’s network and on the device being used, remotely, by the employee. This type of VPN has been used successfully for many years and creates an encrypted ‘tunnel’ between the employee’s computer and the corporate network, thus making the employee’s computer a part of the network (virtually). This represents secure connection between trusted computers owned by the same organisation.

Consumer VPNs

Whereas in the example above, the secure connection is between trusted computers, the ends of this type of VPN are the customer’s computer at one end and the servers of the VPN provider at the other. Therefore, when these providers advertise ‘secure end-to-end communications’, this goes only as far as their premises. Any insecure communication you send is protected by the VPN from your device as far as the computers of the VPN provider, but then reverts to its insecure state to complete its journey from there. What this means is that in using this form of VPN, you are placing a great deal of trust in the honesty of the VPN provider.

In this case, your VPN can provider potentially see everything that you do, every website you visit and the content of any communication you send. In the case of secure communications – for example a website with the “s” at the end of the HTTP address and a green padlock – they will not be able to see the content of any data you send. If you were to log into online banking, for example, they would not see any detail like usernames, passwords or details of your accounts. They would, however, be able to see who you bank with and obtain a list of every single website you visit, every computer you connect with and who you use for your email services whilst using their service.

Therefore, in using a consumer VPN of this type, you are trusting the provider not to use your data in a way that you would see as unacceptable. Most of these services claim that they keep no records of what you do online, but have no way to prove this. Given that they could have a record of all the websites we visit and could have seen the content of any otherwise insecure communication, you are trusting them to not retain the information and not use it for purposes such as profiling and targeted advertising, either on their own behalf or for third parties.

Much of the advertising for consumer VPNs claims that they allow you to fool online services into thinking that you are in a different geographical location, enabling you to access services which are not available in your area. More services like Netflix and BBC iPlayer are realising this and having recognised that the user is trying to hide their true location, are denying access to the service. Some providers also mention that using their systems will hide certain other dubious activities from your ISP, something not condoned by Get Safe Online.

The real benefit of a consumer VPN is whilst using Wi-Fi hotspots, such as hotspots in cafes and hotel rooms, on which your communications could be easily eavesdropped if the Wi-Fi is not secured. In this case, a VPN would not stop the interception but, as above, it would make the communication unreadable. In this case, you should remember that you are not obliterating the risk, just moving it from the local Wi-Fi to the computers of the VPN provider.

Summary

  • In the case of a VPN provided by your organisation to access their network, the end-to-end communication is between trusted computers and, if properly configured, should be considered safe.
  • Before using consumer VPNs, you should consider
    • How much you trust the provider.
    • What comeback you have on a company which is probably not UK based.
    • Whether you really need to use open Wi-Fi, rather than your 3G, 4G or 5G data which is inherently more secure.
    • Whether a consumer VPN is actually worth the subscription fee as you are, in fact, only moving the risk.