The VPN Pandemic
I watch quite a bit of YouTube. Possibly too much. I even pay money to Google (who I dislike immensely), so I don’t have to watch their punishing adverts. But I can’t escape the content creators who flog sponsor products ‘in video’. I’m talking the likes of website builders, like SkillShare, or the various VPN providers, NordVPN and Surfshark for example. I even get ones for Manscaping. Yep.
But this blog is about the VPNs. And everything that is wrong with the advertising of them. Cutting to the chase, the advertising is borderline scare-mongering, and predatory. It takes advantage of those with little knowledge of Internet security and, let’s be honest, that is most people. The technical jargon alone can be impenetrable. To be clear, there is nothing wrong with using a VPN either; there are good reasons for using one. They are a good tool to have in your Internet security ‘toolkit’. It’s just not the only tool you should use. It’s not like a Swiss Army knife per se that does everything. So let’s break down the adverts and their claims then …
Who are you choosing to trust?
There are logs. There are always logs. Your ISP will have these logs. The information about your dodgy internet usage doesn’t evaporate because you decided to sign up to AcmeVPN™. You’ve just moved those logs and responsibility to them. Now they have them. Can you trust a foreign (probably foreign, I mean, do you know where they are based?) unregulated VPN provider more than your ISP? In some places like Europe, you are way better off trusting your ISP because of GDPR regulations and the like.
What is the ISP or hotspot you’re connected to able to see?
When some random content creator on YouTube tells me that AcmeVPN™ will protect my passwords or the data within the web-form I have just completed, well I’m thinking that sounds bloody awesome. Except that it isn’t, you could even say it’s a bald-faced lie. Have you heard of a thing called HTTPS? Well, it’s a thing, and any reputable organisation, like say, a bank for example, will more than likely have an encrypted website. If they don’t, change banks.
If your connection to a website is encrypted with HTTPS, the amount of data any attacker can see drops to almost zero. Sophisticated side-channel attacks aside (which a VPN won’t protect you against either), realistically the only thing your ISP/VPN hotspot can see, without stepping into legal grey areas, is the IP and Server Name Indication (SNI) of the server you are connecting to. The SNI is probably more interesting than the IP too, as most major websites may have multiple servers serving their content, and an IP address alone therefore doesn’t really tell you much.
What about DNS spoofing?
DNS spoofing, also called DNS poisoning or DNS cache poisoning, is a highly deceptive cyber-attack in which hackers redirect web traffic toward fake web servers and phishing websites. It used to be common practice for ISPs to redirect non-existing web pages, or even existing ones, to advertising pages of the ISP itself by manipulating DNS responses. However, DNS over HTTPS is a thing now, and DNSSEC adoption is gradually growing also.
You could just use another DNS server too, rather than the one your ISP suggests to you. Almost any major browser or device has the option to change DNS servers. You could just use 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google) with HTTPS and you’re going to be fine.
Government Surveillance
Edward Snowden told us many things before 'doing a mic drop' and scuttling off to hide in Russia. So whatever it is AcmeVPN™ tells me about hiding my stuff from the government doesn’t pass muster either. The GCHQ in Britain, for example, has been tapping most internet communications that traverse the fibres that enter the country for over a decade. A full-take system that can be searched at a later date (called Tempora). You can assume the other 5 Eyes countries do this also.
In other news, the NSA (No Such Agency) got caught snooping on German Chancellor Angela Merkel’s phone. This is Germany, an ally of the US, and also a member of the 9 Eyes multi-lateral signals intelligence alliance. So I’m pretty sure it won’t be a stretch for them to target a VPN provider. They’ll have no issue at all. No one should expect a VPN to provide total defense against nation-state surveillance, especially anonymity. The tools and money they have at their disposal ... well let’s just say, it’s not a level playing field. However, a VPN’s physical location and the national law it operates under could afford users different privacy protections and does dictate how a VPN might respond to a government request for data.
Advertising and dodgy websites and apps
Advertising networks can track you with cookies, and browser exploits don’t care if you have a VPN. VPNs can’t read the contents of encrypted pages, meaning they can't protect you from malicious content. If you download a questionable game or app for example and run it, there is a chance it just installs the latest ransomware and contacts its creators right through your VPN. There is so much more to online security than Transport Layer Security. You are much better off in terms of privacy, using a reputable browser with its security cranked up to 11. Or use a Tor browser.
In Summary
We all need to earn a living, and flogging VPNs on YouTube, especially if you're getting tens of thousands of views per video, can definitely make bank. I have read perhaps 15-20 dollars per 1000 views to the content creator (I assume USD).
But, aside from people being parted from their money, the misinformation contained in these adverts can do real harm by luring people into a false sense of security. It takes advantage of most people's general lack of understanding of 'how the internet works', or of technology in general.
So next time you're on YouTube and are presented with this:
"This video is brought to you by today's sponsor AcmeVPN™. AcmeVPN™ protects your online data, detects malware and stops government surveillance! Sign up now and get 15% off ..."
You shouldn’t, it doesn’t, it can’t and it won’t.