The first question you should ask is why you want a VPN.
Because I believe many people never ask this question and have some vague idea about "it somehow improves security and/or privacy". In most situations this likely isn't true. You add an additional attack vector and you centralize your communication to a single point.
100% this. VPN marketing appears to have really gotten to people, everyone's always asking about it.
Real reasons I can see to use a VPN service
1) You want your traffic to reliably egress in that country. i.e. I live in New Zealand but to access some Australian TV on demand, I need to "appear" in Australia.
2) Errr, I can't think of any others.
If you are really trying to hide your traffic from your ISP:
1) Change ISP
2) If that's not possible, buy a cheap VPS and run OpenVPN/Wireguard on it and egress your traffic via it. Disable all logging etc.
i.e. Unless you need traffic to egress via a particular place and you don't care about someone you don't know seeing your traffic, buy a VPN service. If you DO care about your privacy really, buy a VPS service in the country you want it to egress.
For some of us, we live in jurisdictions where all ISPs are legally required to keep all metadata for all connections. (In tinpot pseudo democracies with governments who fail to understand technology but pass intrusive laws governing it anyway, then declare "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.")
In that case, a few bucks per month is a pretty good deal - it won't protect me if the NSA or any of their FVEYs friends get curious about me specifically, but it _will_ protect me against all my internet metadata getting bulk collected by my ISP and handed over to "national security" relevant agencies, such as local councils, dog catchers, and the taxi commission (yes, those agencies really do request and gain access to ISP metadata!)
I can and have run my own VPN (and VPN-like) endpoints on cheapo vpses, but it's worth my while/time to pay FSecure/Freedome, to do that for me.
Did you just describe Australia as a ‘tinpot pseudo democracy’?
Not that this is a high point in Australian politics with the game of musical chairs that is going on.
I’ve just never heard someone living there be so down on it.
So to me this filters down to:
You care about your privacy and not having your (meta) data gathered up, but you don't care enough about it to ensure that you're really protected, you just hope you are by piping your data off somewhere else, even though the place you're piping it to might also be doing the dirty on you.
I do understand your point, which is (correct me if I'm wrong) that you trust FSecure/Freedome to be taking care of your privacy correctly and not just reselling your metadata back to your country of origin etc.
Perhaps I am being a pedantic, grumpy old man though. Because now I think about it, even if we all run our own VPSes there's no way to vet that the VPS provider doesn't just tap your egress traffic too.
I'd say you are "appropriately grumpy and pedantic".
From my perspective, my ISP is untrustworthy because it's legally required to be where I live. At least FSecure are not subject to that law, and are business-wise and give me a choice of endpoints that are outside of the jurisdiction of that law. They _might_ be collecting and on-selling that metadata, but I believe they are not. I 100% _know_ my ISP (and all my alternative choices for an ISP) are. So using them is a win.
Even if FSecure turn out to be evil - they'll be doing it for different reasons to my ISP (profit motive vs being compelled by local Australian laws), so the nature of my exposure there is different - and so far as I can see, smaller.
I strongly suspect the NSA _are_ tapping the egress of every commercial VPN provider and every commercial VPS provider. But if my adversary ever becomes the NSA I'm fucked, and I accept that.
If the local taxi commission or dog catcher go asking my ISP for my metadata records - even though I don't own a dog or a taxi license, I feel happier knowing my ISP can only tell them "Don't know, sorry. Here's a bunch of encrypted connections to various VPN endpoints around the globe."
Also - it's not so much about " … don't care enough about it to ensure that you're really protected … ", but more like "One of my concerns is getting drive-by exploited because my data appeared in a huge dump of randomly breached metadata, rather than anybody targeting me specifically", and it's worth a few bucks a month to stop worrying so much about that. Being "really protected" is not possible (when the ultimate end-of-level boss fight is with the NSA), and getting even _close_ to that becomes exponentially expensive. 60EUR a year for Freedome on my phones/tablet/laptops and not having to do any ongoing maintenance or upgrading or weekend sysadmin work - is a good value deal for me. I don't think there's a significant improvement I can make to my protection in this area for less than an order of magnitude more money and two orders of magnitude more fucking around. I don't think I'm prepared to expend either of those for some incremental improvement in my privacy... If I were an illegal international arms dealer or a trafficker of cocaine by the tonne, I'd without doubt spend more money and effort there ;-)
Be careful with that assumption. Many, many VPN vendors actually sell their user data even if they advertise otherwise. They can also be far harder to penalize than ISPs, especially if they're outside the US/EU.
Part of me thinks "I don't care. If Facebook or Google or Experian or Equifax or whoever it's worth a buck to wants to pay my VPN provider for my metadata - that's kinda bad, but possibly not as bad as being part of a great big juicy pile of government compelled metadata retention records at my ISP which can be easily accessed by random government agencies or evil actors working in government agencies with very little oversight."
I suspect my data leaking through profit motive from a VPN company specifically selected to be in a far away country is much less likely to fall into the hands of an internet troll or griefer, a disgruntled ex employee or partner, or a vindictive neighbour - than the trove of ISP metadata that can quite likely be readily accessed by bribing or blackmailing some random low-level government employee locally...
Why do you think it would be discovered at all? Unless the downstream customer buying the data makes it public, nobody will know. And by operating outside of the EU, you can't really be checked. So nobody who knows what's going on has any incentive to make the arrangement known.
1) Protect against logging and data retention laws
2) Avoid ISP legal universal blocking regimes
3) Shop for and compare cheaper prices: many places implement what we call the 'australia' tax, artificially inflate the prices when they see we're shopping from an Australian location. This is independent of actual tax collection issues.
4) Torrent: Australians frequently access shows via torrenting still because our licensing/supply regime gives us a vastly sub-standard catalogue, and you can't access individual shows without signing up to full carrier packages, and we can't sign up to the international carrier's catalogue
5) Avoid data-shaping/non-net-neutral policies
6) Easy International and Geo-IP Testing
7) Logging onto services in public places via public wifi or access points
8) Accessing services during international travel
9) Accessing media explicitly geo-blocked in our country
Your solution (I believe) additionally doesn't meet the criteria of being able to egress from multiple countries/sources, nor does it cover the users who don't want the extra step of setting up the VPS.
I haven't checked, but I'm guessing a VPS comes at a far higher price for less (out of the box VPN specific features) than a specialised VPN provider.
True, if you want to egress multiple countries a VPN provider that lets you do that is a good solution. It's too late to update my original post, sadly.
What about traffic aggregation? Correct me if I'm wrong on this but as far as I understood it, VPN services forward multiple users' requests from a single IP address, preventing website owners from tracking you using your address.
If you are not too worried about privacy and just want to appear in another country or get around your cafe's system blocking some pages, I use hotspotshield.com or occasionally hideme.com in their free forms. Hotspotshield is actually quite handy. I just had to use it to access https://www.privateinternetaccess.com/ as Pret a Manger had decided that deserved blocking for some reason. Hideme seems kinda unreliable but works sometimes.
I don't know if I get the whole privacy thing - if you're just browsing HN etc like me why bother and if you want to do criminal stuff I gather it's better to use a completely separate machine with no personal info on. Or someone said Tails OS.
Regarding the whole privacy thing - this is the "If you've got nothing to hide, you've got nothing to fear" argument. There's plenty of information around on the arguments for and against [0].
> 1) Change ISP 2) If that's not possible, buy a cheap VPS and run OpenVPN/Wireguard on it and egress your traffic via it. Disable all logging etc.
Streisand (https://github.com/StreisandEffect/streisand) is another option. It has the benefit of running on your own VPS (or bare metal if you want) and it is extremely user-friendly to set up and use.
Communication is already centralized for many people, even when you factor in cell and home internet, often without much alternative. When they've got you locked in like that, they can get away with just about anything: tracking; selling data; hi-jacking your connection for their own interests; blocking anything that goes against their interests; cooperating directly with MPAA, RIAA; etc. There's not much you can do about it.
If a VPN gets caught doing any of that, even if they're remotely suspected, switching is less painful than switching any other online service I can think of. Their motives are as clear as can be with an internet service.
> switching is less painful than switching any other online service I can think of.
I'd even say in many cases switching is possible. It isn't always possible to switch your ISP. Or in my case I can, but all other providers cap at 20Mbps in my town (which is fairly common).
If you're in the States, you probably are better off trusting a reputable VPN provider than your local ISP. Especially because your communications are already centralized on that point and there's a long history of them being less than trustworthy.
IMHO, the only valid use-case for one of these VPN services is to hide your traffic from your ISP. Perhaps there's a small improvement in terms of your privacy (the VPN service has less incentive to sell your traffic data than your ISP). But if security is your primary concern, I think you will have to look elsewhere.
My laptop moves between ISPs (mine, my parents', my friends', my workplace's). Using a VPN restricts the number of companies able to intercept my traffic.
Circumventing Geoblocking or other censorship is a good reason to use VPNs.
"Somethingsomething I believe it's more secure but I can't exactly explain why" is not.