There’s a fascinating paper that’ll be published at ACM IMC this year called How to Catch when Proxies Lie that examines the location claims of various VPN providers. The authors devised a way to perform active geolocation through the providers themselves and determine where the server that exits the VPN’s traffic onto the Internet is actually located. They found that around a third of the servers were in the wrong country. This is not very surprising: VPN providers have a history of making questionable claims about what their services can actually provide.

I’ll use the website copy of one popular VPN service, HideMyAss, as an example. It states: “Whenever you’re online (like right now) and not using VPN software, you’re about as exposed as an evangelical nudist. Anyone can see what you just searched for, your banking details, what you’re typing — you get the picture.” Other providers generally use similar language, saying that “anyone” can spy on you if you aren’t using a VPN. Understanding how both VPNs and tracking on the Internet work shows how misleading this is.

A VPN works by providing an encrypted connection between your computer and a server. Any traffic that would go online is instead funneled through this connection to the server, which then sends it out on the Internet. Between your computer and the server the traffic is indeed encrypted and hard to spy on, but once it leaves the server it’s as unprotected as anything else.

[Image: diagram showing a tunnel from "your computer" to "VPN server", claiming that various people can't spy on you and that website operators can't see your IP address.]
Much overhyped "security". Ironically, the site I got this from isn't using HTTPS correctly.
Image credit: http://vpnknight.com/2017/09/14/why-you-should-protect-privacy-by-using-vpn/

Take browsing a website, for example. The messages connecting to it, downloading the pages, and possibly uploading data are still going out on the Internet, just from a different IP address. And a large share of website traffic these days is encrypted with HTTPS, meaning no unencrypted traffic is sent regardless of whether or not you’re using a VPN.

What the VPN does give you is IP address privacy. While that is useful for people who want to do things like get around geolocking for streaming media, it doesn’t add much in the way of privacy. IP addresses aren’t very useful for tracking on their own. They reveal some ISP and location information, but they can’t be mapped to a specific person without ISP cooperation. Plus people’s addresses often change, and multiple people can be using the same one.

What is useful for tracking is things like cookies and other sorts of web trackers. These can gather far more data with far less effort, and VPNs do nothing to protect against them. In fact, when visiting HideMyAss’s site to write this, I got a cookie banner:

We use cookies and similar technologies to recognize your repeat visits and preferences, to measure the effectiveness of campaigns, and improve our websites.

Using a VPN would have been of no use here.

So this brings us back to the newly published paper. The authors found that around a third of the VPN servers were in a country other than the one they claimed to be in. Given the providers’ other questionable marketing claims, it doesn’t surprise me that they would stretch the truth there as well.
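To make the paper’s approach concrete, here is a simplified latency-based location check of the kind active geolocation relies on. This is an added example, not the paper’s code or data: it assumes a few landmark hosts with known coordinates that can measure round-trip time to the VPN exit, and it uses constructed RTT values. Because nothing travels faster than light in fibre, half the RTT bounds the exit’s distance from each landmark, and a claimed location outside any of those circles cannot be true.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Signals travel no faster than ~2/3 c in fibre, about 200 km per millisecond.
FIBRE_KM_PER_MS = 200.0

@dataclass(frozen=True)
class Landmark:
    """A measurement point with a known position and a measured RTT to the VPN exit."""
    name: str
    lat: float
    lon: float
    rtt_ms: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def max_distance_km(rtt_ms, speed_km_per_ms=FIBRE_KM_PER_MS):
    """Upper bound on the exit's distance from a landmark: half the RTT at fibre speed.
    Queueing and processing delay only inflate the RTT, so noisy measurements
    loosen the bound rather than break it."""
    return (rtt_ms / 2) * speed_km_per_ms

def inconsistent_landmarks(landmarks, claimed_lat, claimed_lon):
    """Names of landmarks whose RTT bound rules out the claimed location."""
    return [
        lm.name for lm in landmarks
        if haversine_km(lm.lat, lm.lon, claimed_lat, claimed_lon) > max_distance_km(lm.rtt_ms)
    ]

def plausible_location(landmarks, claimed_lat, claimed_lon):
    """True only if the claimed location lies inside every landmark's circle."""
    return not inconsistent_landmarks(landmarks, claimed_lat, claimed_lon)

# Constructed sample data (not real measurements): single-digit-millisecond RTTs
# from three European landmarks to an exit the provider says is in Amsterdam.
LANDMARKS = [
    Landmark("Frankfurt", 50.11, 8.68, rtt_ms=8.0),
    Landmark("London", 51.51, -0.13, rtt_ms=12.0),
    Landmark("Paris", 48.86, 2.35, rtt_ms=10.0),
]
AMSTERDAM = (52.37, 4.90)   # consistent with all three circles
SYDNEY = (-33.87, 151.21)   # ruled out by every landmark
```

The check can only disprove a claim, never confirm one: a claimed city inside every circle is merely not contradicted, and tighter bounds need more landmarks closer to the exit.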

Additionally, VPNs are not without security risks. While your ISP won’t be able to decode your traffic, the VPN provider will. You have to be able to trust them not to peek 🙈. And any unencrypted traffic that you send out of the VPN, even though it can’t easily be traced back to your own IP, may be at higher risk of surveillance. After all, anyone surveilling the Internet will know that traffic out of the VPN’s IPs comes from people who want privacy, so it makes sense that it would be under higher scrutiny. VPNs make sense in some circumstances, but most people who want to improve their Internet privacy would be better off with browser-based measures like the EFF’s tools.