Welcome to the CozyNet Blog!
To VPN, or not to VPN?
Remember when people were shilling VPNs and spamming those referral codes everywhere? It wasn’t long after that the anti-VPN shills came out to rail hard against them while promoting TOR.
I don't really trust VPN services that much either and can understand the arguments against them in regards to “privacy” or “security,” but it all comes down to what you’re trying to achieve with these services.
To clarify, I’m talking about internet VPN services such as NordVPN, Mullvad, Private Internet Access, etc. I’m not talking about the site-to-site VPNs you would typically find in corporate environments such as OpenVPN, WireGuard, Cisco AnyConnect, which are strictly for confidentiality purposes; same technology, but two very different applications.
So, what exactly are the benefits of an internet VPN service?
- Obfuscate your origin IP from web sites (e.g. Reddit, Twitter, 4chan, etc.) to evade site bans or creeps on the sites that might try to use that information to dox or DDoS you.
- Circumvent basic site blocks on school, work, hotel networks, and geo-restrictions.
- Obfuscate web traffic from egregious QoS shaping policies by dishonest ISPs tampering with P2P and media traffic.
- Hide your activity from public network access points for whatever reason.
- Complicate profiling attempts by utilizing a shared IP (not always guaranteed today though due to advanced browser fingerprinting and identifiable user patterns easily recognized by AI.)
And that was basically it. There’s a level of trust you have to place in the VPN service provider, which depending on your privacy and OpSec requirements, may or may not be worthwhile.
For example, maybe you don’t want your employer knowing that you visit certain off-color websites on the guest network during your lunch break. You don’t give a rat’s ass what the VPN provider knows because it’s inconsequential, but it could cost you your job if your employer knows, so you may see no issue in routing that traffic thru a VPN.
This was all well known and understood, but then there was the Edward Snooden and NSA scandal followed up by snake oil grifters and opportunists alike. It didn’t take them long to muddy the image with their bullshit as they talked sweet lies and promises to convince the unenlightened to open their wallets. And then thanks to the boom in business, there was an explosion in VPN companies from out of nowhere that focused all of their budget toward advertising, branding, and very little toward internal security of their own services.
Privacy != Security
Security… A frequent misnomer touted in VPN advertising combined with privacy. I’m not sure how or why people confused this other than being ignorant, but they did. The “security” aspect of a VPN was mostly about encapsulating non-encrypted plain text traffic thru an encrypted tunnel; this is after all a VPN’s primary function in a corporate setting.
Now it wasn’t too long ago when a majority of sites didn’t use any form of SSL or TLS encryption. It meant that someone at any point within the various linked networks routed between you and the site could potentially capture the traffic and steal your login credentials, or snoop on what you were doing. While a VPN could assist in improving the security of this transaction from a local network perspective, it didn’t change the fact that the traffic between the VPN provider and whatever site you were connecting to was still unencrypted when the domain didn’t support SSL or TLS. That could be pretty hard to explain to normies though.
The only privacy or security you could achieve with a VPN was between you and anyone else on your local network and ISP. From a higher level, it didn’t make a big difference besides hiding your origin. In fact, it probably made things worse because if you think about it (let’s think like a glowie now), if someone is trying to hide their online activities and is using a VPN to achieve this goal, then perhaps it would be worth your while to collect that information, right? So, do you really think a heckin no logs non-5-eyes VPN service isn’t lying thru their teeth and selling that info? When data = money, there’s profit to be made! The worst offenders are likely the ones in some remote country with zero laws on fraudulent advertising that bypass OFAC sanctions thru crypto payments.
To boil it down, privacy != security, and vice versa. The privacy was slim at best to begin with since the VPN knows what you're up to, and seeing that most sites are now encrypted thru TLS, that one slight edge you could get in security with a VPN is no longer relevant either. Sometimes one can complement the other, but it’s rarely the case and that sure didn’t stop the grifters from advertising a VPN as the magic cure-all in protecting you from identity fraud, hackers, and glowies alike. That type of opsec is waaaay outside the scope of what a VPN could ever provide. We’re talking apples and oranges here, so false advertising much?
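To put the argument above in concrete terms, here is an added example (not part of the original post) that models who along the path can read your traffic, and who can tie your IP to the site you visit, with and without a VPN and TLS. The hop names and address labels are constructed, and the model is deliberately simplified: it ignores DNS, SNI, and browser fingerprinting.

```python
from dataclasses import dataclass

# Constructed labels standing in for real addresses.
CLIENT, VPN_SERVER, SITE = "client-ip", "vpn-server-ip", "site-ip"

@dataclass(frozen=True)
class View:
    source: str       # source address visible to this observer
    destination: str  # destination address visible to this observer
    content: bool     # True if the request body (logins, pages) is readable

def path(vpn):
    """Observers between you and the site, in order."""
    hops = ["local network", "ISP"]
    if vpn:
        hops.append("VPN provider")
    return hops + ["transit", "site"]

def view(observer, vpn, tls):
    """What one observer can see for a single web request."""
    hops = path(vpn)
    if observer not in hops:
        raise ValueError(f"{observer!r} is not on this path")
    exit_ip = VPN_SERVER if vpn else CLIENT
    if observer == "site":
        # The site terminates TLS, so it always reads the content.
        return View(exit_ip, SITE, True)
    if vpn and hops.index(observer) < hops.index("VPN provider"):
        # Inside the tunnel: only an encrypted flow to the VPN server.
        return View(CLIENT, VPN_SERVER, False)
    if observer == "VPN provider":
        # Tunnel ends here: the provider knows who you are and where you go.
        return View(CLIENT, SITE, not tls)
    # Past the tunnel (or no tunnel at all): only TLS protects the content.
    return View(exit_ip, SITE, not tls)

def who_reads_content(vpn, tls):
    """Intermediaries (everyone but the site) that can read the request."""
    return [h for h in path(vpn) if h != "site" and view(h, vpn, tls).content]

def who_links_you_to_site(vpn, tls):
    """Intermediaries that see both your own IP and the real destination."""
    seen = ((h, view(h, vpn, tls)) for h in path(vpn) if h != "site")
    return [h for h, v in seen if (v.source, v.destination) == (CLIENT, SITE)]

if __name__ == "__main__":
    for vpn in (False, True):
        for tls in (False, True):
            print(f"vpn={vpn} tls={tls}: content={who_reads_content(vpn, tls)} "
                  f"linkable={who_links_you_to_site(vpn, tls)}")
```

With a VPN and no TLS, the readers simply move from your local network and ISP to the VPN provider and everything past it; with TLS on, the VPN provider becomes the only intermediary that can tie you to the site.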
Rise of the anti-VPN shills
Upon receiving their Manchurian commands from their Reddit and YouTube sleeper cells, the anti-VPN shills were quick to activate and spread their prescribed FUD against VPN services as a whole. They had it coming after all, and the techtube grifters were quick to cut ties with their advertising deals and changed their tune into a sanctimonious flex in “protecting their viewership” by casting off any shade from their own involvement toward the VPN companies they were previously partnered with. The grifting hucksters were just as much a part of the false advertising scandal as the VPN companies, often embellishing the product’s capabilities to their audience.
A VPN service provider is only practical for getting around IP blocks and a basic degree of anonymity at a local network and ISP level. A VPN was never intended to keep your activities obfuscated from state actors. Now, that doesn’t mean you should throw it out altogether; just take into account what exactly you’re trying to achieve. The items that I’ve listed above are all still possible and make for a good reason to keep a VPN around if those are things you need.
I’ve seen some techtubers recommend hosting your own VPN with tools such as OpenVPN and WireGuard by routing your traffic to a VPS from a provider such as Linode. This is only good for items 2-4 in the above list, but would come at the loss of an anonymously shared IP seeing that VPS IPs are almost always static. It may be worth considering though, depending on your requirements. I’ve also noticed that most publicly accessible networks are now blocking VPN providers, so hosting your own is definitely worth considering.
As for privacy tools and networks such as TOR... I don’t know man. It might be what the real privacy schizos are into; but if you ask me, I would sooner just distance myself from the internet and minimize my interactions with it than go down that rabbit hole. After all, what exactly is it that we’re trying to achieve here?
Don’t get me wrong now, I think TOR is pretty cool. I’m not trying to imply that “if you have nothing to hide, then you should have nothing to fear,” but I'm beginning to question people’s intent and wonder if advocating for these privacy tools could potentially be a misguided means to the end of improved privacy legislation?
Consider this: these tools are a two-edged sword. On one side, they provide a means to privacy on the web while on the other side, they also provide a means to conduct highly illicit activities. Yes yes, I get it, anything can be misused for nefarious purposes, but have you considered the alternatives? Instead of toiling away with circumventive mechanisms that exist in a grey area of legal technicalities, it may be much more effective to directly hold those in sworn governing positions accountable to uphold or amend legislation.
A right to privacy isn't all rainbows and gumdrops. It takes being accountable for your own actions to retain this right; to behave as an adult and not as a child. And yet, more and more people every day are finding it acceptable to allow their minute actions and conduct to be systematically recorded, audited, and verified within a rigid legalistic regulatory framework for liability and insurance purposes. If you want privacy, then you have to also accept the personal accountability that comes with it and stop trying to defer or outsource it.
Something that I found interesting was that the FTC was recently asked to “Curtail Abusive And Deceptive” practices observed in the VPN Industry on advertising and false statements of privacy. This sounds good, right?
This is a good example that takes the matter of privacy in a more direct approach by holding those in governing seats accountable to do their jobs, but it’s unfortunately caught up on circumventive tools that already exist in a legal grey area to conduct an illegal activity! Additionally, the people being represented paradoxically dismiss their own accountability by trivially excusing the product of their irresponsible actions into being a state funded and protected act. If you can’t accept accountability for your actions, then that means someone else will take charge of you and you’ll lose your rights and liberty.
So I question their intent seeing that it appears to be in bad faith. This is just one example, but I'm sure there are many more. I get the feeling that many privacy advocates harbor an ulterior motive whereupon they would soon abandon their positions if their irrelevant selfish motives were ever met.
Thanks for reading my blog!