Over the years, many security experts, and more than a few non-experts, have said that a VPN is an essential piece of security software for travellers and the users of remotely-accessed business systems. When I entered the corporate world in the 1990s, remotely accessing office systems without a VPN was considered a massive risk. But is that still the case? What are the cases for and against using a VPN and is there still a place for them?
What is a VPN?
A VPN is a virtual private network. If you look at the internet, it is basically a massive public network where your computer connects to another one to get something.
When you open an email, your computer, through your email software, connects to the server (which is just another computer) and collects the email. If you’re viewing some photos over Instagram, a dance on TikTok or working on a document using Microsoft 365 or Google Docs, your computer is connecting to another computer to send and receive data.
In the early days of the internet, all of those interactions were carried out without any real protection.
Eventually, businesses found ways to use the public internet to allow workers to connect to office systems. But as those connections weren’t encrypted – in those early days of remote access encryption wasn’t common – VPNs were created.
A VPN creates an encrypted connection between a computer and some destination.
For a business running their own accounting system, for example, a VPN would create an encrypted tunnel from a worker’s computer to that system. By using encryption, it creates a direct connection between the user and the system they’re accessing that no one can spy on.
What about consumer VPNs?
These days, consumers are being sold VPN solutions in order to protect their privacy. But do they really help?
The answer to that is not straightforward.
Today, over 80% of the traffic on the Internet is encrypted. So, when you connect to your bank, a cloud service like Salesforce or play an online game using Steam, that connection is encrypted and protected from someone intercepting it and reading it.
So, the argument about consumer VPNs protecting you from spying eyes is somewhat negated.
But what some widely used VPNs let you do is access the internet while hiding your activity from your service provider and, therefore, the government and authorities.
It’s why privacy advocates and criminals like them – albeit for different reasons.
Consumer VPNs create an encrypted connection between you and the VPN exit point.
When you enable VPN software on your computer, you connect to a VPN provider over the Internet. That connection is encrypted. The only thing your internet service provider knows is that you have connected to the VPN provider’s private network.
For example, when you type www.anthonycaruana.com using a VPN, that request is sent to the VPN provider through an encrypted connection.
The provider then sends the request on your behalf, retrieves the webpage and returns it to you over an encrypted connection. The only record of you using that site is on your computer (web browsers store things like your browsing history and some content to speed things up when you return to a site) and, if the VPN provider logs it, with the VPN provider.
If your focus is on maintaining privacy so your browsing history is not revealed to your internet provider or your government, then a VPN can help.
It’s worth noting that one Australian VPN, Wangle, was retaining logs as they saw themselves as being subject to local metadata retention laws. But it seems that they’ve shut down the service.
But if (almost) everything is already encrypted…
The chance of prying eyes intercepting and reading your internet traffic is quite small. When you visit a website that displays a little padlock in the address bar or has an address preceded with “https” it is already encrypted. So, adding a VPN’s encryption doesn’t really add any useful extra protection. Encrypting something that’s already encrypted doesn’t give you double the protection.
When you use a VPN today – other than for directly accessing internal corporate systems – what you are really doing is obscuring your internet tracks.
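The visibility described in this section and the previous one, as a small model added here for illustration (it is not the author's code): each layer of encryption is a wrapper only its key holder can open, and observe() works out what the ISP, the VPN provider and the site can each read. The names Sealed, Packet, build, forward and observe, and the labels "you", "isp" and "vpn-exit", are made up for the example, and addresses are assumed to be readable by anyone on the path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    """Data encrypted so that only `key_holder` can read `inner`."""
    key_holder: str
    inner: object

@dataclass(frozen=True)
class Packet:
    src: str         # addresses are readable by anyone on the path
    dst: str
    payload: object  # cleartext str, Sealed, or a tunnelled Packet

def build(client, site, request, https, vpn=None):
    """Build what leaves the client, optionally inside a VPN tunnel."""
    pkt = Packet(client, site, Sealed(site, request) if https else request)
    if vpn:  # the whole inner packet is encrypted to the VPN provider
        pkt = Packet(client, vpn, Sealed(vpn, pkt))
    return pkt

def forward(pkt, vpn):
    """VPN exit point: unwrap the tunnel and resend the request as itself."""
    inner = pkt.payload.inner
    return Packet(vpn, inner.dst, inner.payload)

def observe(pkt, observer):
    """Return the endpoints and content `observer` can read from `pkt`."""
    seen = {"endpoints": [(pkt.src, pkt.dst)], "content": None}
    payload = pkt.payload
    while True:
        if isinstance(payload, Sealed):
            if payload.key_holder != observer:
                break                      # no key: everything inside is opaque
            payload = payload.inner
        elif isinstance(payload, Packet):  # decrypted tunnel reveals inner hop
            seen["endpoints"].append((payload.src, payload.dst))
            payload = payload.payload
        else:
            seen["content"] = payload      # cleartext request
            break
    return seen

if __name__ == "__main__":
    site = "www.anthonycaruana.com"
    tunnel = build("you", site, "GET /", https=True, vpn="vpn-exit")
    print("ISP         :", observe(tunnel, "isp"))
    print("VPN provider:", observe(tunnel, "vpn-exit"))
    print("site        :", observe(forward(tunnel, "vpn-exit"), site))
```

With HTTPS inside the tunnel, the ISP reads only the hop to the VPN, the VPN provider reads which site was requested but not the content, and the site sees the VPN exit point as the source. Passing https=False shows the one case where the tunnel changes who can read the content: the ISP no longer can, but the VPN provider now can.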
Obscuring your internet presence
What VPNs are quite good at, assuming your VPN provider doesn’t store logs that can be subpoenaed by the courts, is obscuring your activity and location.
Most of the commercial VPN providers have “points of presence” all over the world. So, if you’re in London but want the service you’re connecting with to think you’re in the United States, connecting to a VPN server in the United States will make it look like that’s where you actually are.
It’s why many people use a VPN when they access a streaming media service – they can access content from other countries that may not be available at home.
The VPN performance hit
When you use a VPN, there’s an inevitable slow down in your internet performance.
Normally, when you connect to a server for your email, your computer makes a direct, encrypted connection to that server. With a VPN, the request to access that data is sent to the VPN provider who then sends it on to the email server. Then the response is returned to the VPN provider who passes it on to you.
By adding the VPN provider as an intermediary, you are making everything slower. How much slower depends on the provider.
Given a growing majority of internet traffic is already encrypted, the case for using a VPN all the time to protect your traffic from being intercepted and read is pretty thin.
But the case does stack up if you’re either trying to fake your location or concerned that the service or content you’re accessing needs to be hidden from service provider logs.
Choosing a VPN if you really need one
At this point you should be questioning whether you really need a VPN.
If you do, these are the factors I think you need to consider.
Performance can vary significantly between providers and will depend on the speed of your internet connection, how far away the VPN provider’s servers you connect to are and what level of service they offer. Some VPN providers offer a baseline level of service but charge extra for “premium” performance.
Obviously price is a factor. And the prices can vary day to day with many providers offering “special” deals regularly. Many will try to sign you up for two or three years at a time but the renewal fees may be higher than you expect – so check the fine print.
The privacy question can be very hard to answer. Firstly, look for statements made by the provider that clearly state that they do not retain any usage logs. Others, like ProtonVPN, route all traffic through servers in Switzerland or other places where the provider believes privacy is better protected.
The only way to answer the privacy question is to do research. Giving an answer here as to which VPN is the most private is tricky as new providers appear regularly and some may change their terms and conditions without notice.