If you start paying some attention to keeping safe on line, it doesn’t take long before you start seeing articles — and advertisements — telling you that you need a VPN. So then — do you need a VPN?
To be a bit more accurate: probably not, under most circumstances.
It might help if I talk about what a VPN is. I could start by saying it’s a Virtual Private Network, but that’s not going to help. Let’s go back a bit. At the highest level, when your laptop or phone is communicating with a remote service, we might as well just think of it as a pipe between the two devices carrying data. (Yes, there’s an enormous amount of simplification in that.)
A slightly better picture is to remember that your network traffic (data) is actually passed from device to device. At a bare minimum, from your laptop to your home router, to your ISP, to their ISP and eventually on through several hops to the destination. And then back again.
The concern with this picture is that you never know who is seeing your data as it goes through the intermediate hops on the way to the destination. Very often your ISP is required by law to keep a record of the connections you make. And there could well be Bad Guys reading your data as it passes through your hands as well.
While that does sound like something to be worried about, in reality under most circumstances it’s not a big concern. To begin with, somewhere over 73% of all data carried on the Internet is now encrypted, and the proportion is increasing. Going a step further, your ISP and all the hops between you and your destination carry so much traffic that it becomes fairly difficult to zero in on individuals.
I will add a very big caveat to that last statement — difficult for criminals, but within the capabilities of nations. Depending on where you are, and where the destination service is, governments are well able to read your data if they want to.
So what does a VPN get us? Effectively a pipe within a pipe which carries all of your data encrypted from your laptop or phone to the server of your VPN provider. This gives you quite a lot of extra protection against certain kinds of problems.
For a start, your ISP can now only “see” that you have connected to the VPN server, and not the hops further along to your destination. In addition, the traffic on all the hops up to your VPN server is encrypted, rather than just some of the traffic being encrypted.
You don’t get absolute protection though — the VPN provider themselves can see your traffic, and Bad Guys can still see traffic between the VPN server and the destination. The good news is that for most eavesdroppers between the VPN server and the destination, your traffic cannot be traced all the way back to you.
The big myth around VPNs is that they “keep you safe”. The key to thinking about whether you need a VPN is that understanding that a VPN improves privacy from your laptop/phone all the way to the VPN provider, but not beyond.
There are certain scenarios where a VPN comes in handy.
To begin with, many VPN providers have servers located in different countries. This allows you to appear to some downstream service to also be in a different country. Quite a number of services, like Netflix or Hulu, only allow access if you are in the right country. This is usually called “geoblocking”. So if I want to watch something that is only available in the USA when I’m sitting in London, I can probably route it through a VPN server in the USA. Be aware though that a lot of services now detect that you are doing this, and will block your access anyway.
The other reason for appearing to be in a different country is to evade censorship in your home country. Again, a big caveat if you are doing this: using a VPN service is not a guarantee of safety and privacy, and improving your safety and privacy in this situation is potentially quite complicated.
Another scenario is if you travel, or use public wifi hotspots in transit. Because the first hop is from your laptop to some mystery hotspot, you really don’t know who might be listening. This is the one situation where I do advise using a VPN: doing anything confidential or private while on a public or shared WiFi hotspot.
The final case is if your business requires you to use a VPN to access their services remotely, something we are all familiar with during this Covid-19 lockdown. Enterprises usually have their services locked away behind firewalls and other protections on an internal network
By making use of the way in which a VPN service makes it appear that your device is somewhere else, then the enterprise can run it’s own VPN service and effectively make your laptop part of the internal network.
This is an attractive option for enterprises, because it is much simpler to extend the network to include your laptop than it is to secure all of the internal services and make them publicly accessible from the internet. Generally as well this kind of arrangement allows for more monitoring of your data, to constrain what external services you are connecting to.
Do you need a VPN service? Probably not.
As a rough rule of thumb, consider using a VPN if:
- you use public WiFi hotspots, or hotspots in places like hotels or conference centres;
- you would like to appear to be in a different country;
- your workplace requires to use one that they provide.
And remember: a VPN does not guarantee privacy and security, it’s only one tool to improve privacy and security in certain circumstances.