Good luck finding a safe VPN

Everyone’s telling you to use a VPN but not how to choose a good one.

Illustration by D. Thomas Magee

If you're most people, you just found out about the FCC's internet privacy rules by way of their untimely demise. Thanks to the FCC's new chief, Congress, and Donald Trump, ISPs are now free to track you like crazy and sell your data to the four directions. As a result, interest in VPNs exploded overnight.

Before the Obama-era FCC's privacy and security safeguards could go into effect, new FCC chairman Ajit Pai readied the hearse by suspending them indefinitely as his first big act. This ensured they'd never see the light of day, even if Congress didn't come in for the kill with their anti-privacy-rules bill. Which they did. This was immediately followed by Trump signing that bill lickety-split, ensuring no one gets any of the protections they were promised.

When the attacker is your ISP

So, as you probably know from reading headlines over the past week, ISPs are free to track you and sell your data to third parties. Less reported, yet equally disastrous to have taken away, is the part in the protections that gave consumers power to hold internet and cable providers accountable for data breaches.

Consumer security, the new FCC chief told Congress, isn't the FCC's area of interest anymore.


The headlines quickly went from "Trump signs bill rolling back FCC privacy rules for ISPs" to "hey everyone, protect your privacy from ISPs with a VPN (Virtual Private Network)."

Using a VPN for cloaking your activity from your ISP is a practical solution -- especially if you combine it with tracker-blocking browser plug-ins like uBlock Origin, because ads are trackers too.

With a VPN, your internet connection travels encrypted from your computer to the VPN server; from there it continues, no longer protected by the VPN's encryption, to its final destination (a website). This way, websites only see the VPN's IP address and not yours, and your ISP only sees you visiting the VPN. The ability of any attacker on your local network or at your ISP to spy, intercept, attack or steal information stops at the VPN. That's why they're essential for personal security when you use public WiFi.

Once the idea took hold that VPNs were the magic solution to ISP spying, tracking, and data sales, suddenly everyone and their dog was publishing an article about it. Lots of these articles tell you to use a VPN service with "the hallmarks of a trustworthy service" but few explain what that means, exactly.

Many of these explainery-think pieces, not surprisingly, are profit-seeking endorsements for affiliate VPN services. Not all of which are VPNs you can trust, even if they come from a trusted blog or source.

And fake VPN services rolled out in waves to cash in.

Trust issues

Selecting a VPN you can trust already took research and consideration: weighing connection speeds and pricing, learning about who keeps records and for how long, and more. VPN services are also like any other in that they change their record-keeping policies and privacy practices over time, so that's another thing to keep up with.

In addition, these services are easy to misconfigure. Just over a year ago, VPN provider Perfect Privacy found a massive security hole in many services called "Port Fail." It was a bug that de-anonymized users, and most VPN services ignored the problem until the press made noise about it. Many took weeks to put in a fix. One of those was a service endorsed by Lifehacker, which just shows that anyone can have problems finding a reputable VPN.

It can be overwhelming. It's not as simple as using whatever VPN the security cool kids say is "the one," because even popular services have been behaving badly. For example, popular service Hola VPN recently got caught selling user traffic to a botnet.

Fortunately, like most infosec topics, VPNs are a bit of a fetish unto themselves for people who are into them. Just take a look at this exhaustive comparison chart at That One Privacy Site.

If you want to know what the hallmarks of a trustworthy VPN service are, I have a controversial suggestion for you: Torrent Freak. Every year the site asks, "Which VPN Services Take Your Anonymity Seriously?"

In these extensive posts, TF talks to dozens of top VPN services and asks them what their record keeping policies are, as well as "various other privacy related issues." If a VPN gets a great review one year, has a less great review the next, and then drops off the list completely (like TigerVPN did), then definitely take that as a "buyer beware."

So if a VPN is recommended somewhere, do a little homework before you fork over your data (and your cash). Names that come up as trusted include Perfect Privacy, Freedome, TorGuard, Tunnelbear, Black VPN and others.

Should you have one for your phone? Absolutely, and most VPNs have mobile apps -- though look out for the bad ones. Google's Project Fi (the company's phone service provider) automatically secures users on a Google VPN in every public WiFi situation.

The drawbacks? They can slow your connection down, and they may not work with services like Netflix that want to know where you're physically located. Some public places block the use of VPNs, which should be your sign that the network isn't safe to use anyway.

Once you're set up, use the steps in this post to test your VPN to make sure the outside world can only see your VPN's IP address, and make sure you're not leaking your actual IP.

When the trend is people turning to VPNs for protection from their own internet service providers -- in their own homes -- it's safe to say the privacy and security situation for most Americans has gotten pretty bad.

It's not all terrible, at least insofar as general security literacy goes. But the trade-off is probably not worth it.

The murder of the FCC's privacy rules is a sign that any war for the soul of consumer protection in the era of the internet is lost. I just hope that someday we can find our way home from here, before it's really too late.

Images: Pau Barrena/Bloomberg via Getty Images (Ajit Pai); Prykhodov via Getty Images (VPN)