For Internet Privacy, VPNs Are an Imperfect Shield

http://www.nytimes.com/2017/04/05/technology/personaltech/vpn-internet-security.html

Version 0 of 1.

When Congress voted to overturn online privacy rules last week, Steve Wilmot, a Los Angeles songwriter, reacted like many worried consumers: He looked into signing up for a technology service known as a virtual private network, or VPN.

The online privacy rules, which were set to go into effect this year and which President Trump fully repealed on Monday, would have required broadband providers like Comcast and Charter to get permission from customers before selling their browsing history to advertisers. Without restrictions, the companies can track and sell people’s information with greater ease.

A VPN was a natural service to consider in response. That’s because the technology creates a virtual tunnel that shields your browsing information from your internet service provider. So Mr. Wilmot researched VPNs in hopes of protecting his own browsing data.

“I don’t really want anybody to have any sort of access to what I’m looking at,” he said. “If anyone is going to profit off my privacy, I’d prefer it to be me.”

But while VPNs are worth considering, they are an incomplete and flawed solution. For one thing, they often slow down internet speeds significantly. Some apps and services may also stop working properly when you are connected to a virtual network.

Still, VPNs are among several tools for better protecting your digital privacy. Here’s an overview of the pros and cons, based on tests of VPN services and interviews with security experts.

When you browse the web, a broadband provider helps route your device’s internet traffic to each destination website. Each device you use has an identifier consisting of a string of numbers, also known as an IP address. When you are on the internet, a service provider can see which devices you use and which sites you visit.

VPNs help cloak your browsing information from your internet provider. When you use VPN software, your device connects to a VPN provider’s servers. That way, all your web traffic passes through the VPN provider’s internet connection. So if your internet provider was trying to listen in on your web traffic, all it would see is the VPN server’s IP address connected to the VPN service.

“We provide you an encrypted tunnel from you to us,” said Sean Sullivan, a security adviser for F-Secure, a Finland-based company that offers a VPN called Freedome.

VPNs are especially handy when you are connecting to a public Wi-Fi network with which you aren’t familiar. For example, when you use public Wi-Fi at a cafe, airport or hotel, it’s often unclear who the service provider is and what its data collection policies entail. In this scenario, a VPN is highly recommended.

VPNs also have the ability to make it appear as though your device is connecting from a different location. So if you are in Europe, traveling to Spain from France, and want to stream content that is only viewable in France, you could connect to a VPN server whose IP address is in France.

VPN services have their downsides, and the biggest one is speed degradation. Because your internet traffic passes through a VPN provider’s connection, you will likely see a dip in broadband performance.

Speeds will vary depending on the VPN provider’s infrastructure. In my tests with a Mac, download speeds dropped about 85 percent after connecting to F-Secure’s Freedome VPN service, and by 50 percent when connected to another VPN service called Private Internet Access. In other words, if you are downloading large files over a VPN, it will take much longer to accomplish those tasks.

Another drawback is that VPN services cost money. F-Secure charges $4.17 a month to use its service for a year on three devices, and Private Internet Access charges $6.95 per month or $40 a year on five devices. That’s not a lot of money, but broadband service is generally expensive, and tacking on a few extra dollars a month to use the internet more privately can be annoying.

In addition, some services may not work properly on a VPN. Netflix often blocks them to keep people from streaming content that is not licensed for their regions. In tests with Freedome and Private Internet Access, I tried connecting to a server in Mexico to stream the catalog of Netflix movies available there. With both VPN services, Netflix detected I was using a VPN and prevented movies from playing.

For VPN providers, this is a known issue. F-Secure’s Mr. Sullivan said that when services like Netflix block VPNs, they are probably “putting up a fight for Hollywood.”

There are hundreds of VPNs on the market, and vetting them can be overwhelming.

Runa Sandvik, a director of information security for The New York Times, said that consumers should be scrupulous about reading privacy policies and selecting a VPN they can trust. That’s because a VPN service is also tied to an internet service provider, meaning a VPN provider could share your information with the service provider if it wanted to do so.

With that in mind, Ms. Sandvik highlighted F-Secure’s Freedome as a trustworthy VPN provider. The Wirecutter, a product recommendations site owned by The Times, picked Private Internet Access because it has the hallmarks of a trustworthy service, available at a low cost.

Based on those recommendations, I tried Private Internet Access and Freedome for my tests. Both products were easy to use: Just install an app on your smartphone, computer or tablet and hit a button to connect to a server. In the end, I preferred Private Internet Access because of its faster speeds.

All things considered, VPN is only a partial solution for keeping your browsing data private.

Even if you hide your activities from your internet provider, web companies like Facebook and Google can use tracking technologies like cookies, which contain unique alphanumeric identification tags, to identify your activities as you move from site to site. Beyond that, web trackers often lurk inside ads.

“The real problem is ads are dangerous,” said Jeremiah Grossman, the head of security strategy for SentinelOne, a computer security company. “They’re fully functioning programs and they carry malware.”

If you are truly concerned about keeping your web browsing history private, Mr. Grossman recommended using a combination of a VPN and an ad blocker. His ad blocker of choice is uBlock Origin, a free piece of software. For those who would prefer not to block ads, there are tracker blockers as well — my favorite is Disconnect.

With VPNs, most people would probably be better off using them when it seems necessary — and turning them off when they are not needed. The slowdown in speed is the biggest negative and makes constant use impractical.

Many people would probably benefit from using a VPN in certain situations, like when they are connected to a public Wi-Fi network or are browsing sensitive websites. But for watching Netflix or sending emails with large attachments? Turn the VPN off.

For Mr. Wilmot, the Los Angeles musician, the slow speeds of internet downloading spurred by VPNs were a dealbreaker. In the end, he opted against getting one at all.

“If I don’t have lightning-fast internet 24 hours a day, it inhibits my workflow and affects deadlines,” he said. “I think I’m accidentally relaxing into that kind of ‘What can you do?’ mentality. There’s no good option.”