Author: InvisibleUser Team
Categories: Internet Privacy
First of all, VPNs are not bad in general. We just created this section to talk about the shortcomings of bad VPN providers and would like to explain why a VPN is not ideal for all situations. These services are for everyday internet browsing, but not when serious privacy and anonymity are required. VPNs are dangerous because people are led to believe they are 100% protected!
In this section, we explain risks that are directly related to the way your VPN provider handles your personal information. These are by far the most severe issues. They can harm you if you believe that you can trust VPN providers and rely on the VPN’s protection. Since this is a privacy blog, these issues are what makes us tell you that VPNs are dangerous.
With a VPN, your traffic only goes through one relay. That means that the privacy of using a VPN server is quite a bit weaker than for other anonymisation techniques, like a proxy chain or the Tor network. Because there is only one relay, this single server knows both where the data you sent to it came from and where it is going. A VPN server has that information at all times.
The VPN provider can see exactly who you are, who you are communicating with and can decrypt the data you send to the VPN server. That is the purpose of a VPN.
Your traffic is sent encrypted through the network of your ISP, until it reaches the server of the VPN provider. Then it is decrypted to be able to communicate with the website you are visiting. This is very useful, because it helps you stay anonymous for everyday activity on the web. You should, however, know that a VPN is not intended for very serious privacy in situations where your freedom or even your life depends on you staying anonymous, as it is for whistleblowers or journalists.
The way VPNs operate means essentially that the VPN provider is the middleman between you and servers on the internet. That is the issue with VPNs. They know where your traffic came from and also where it goes. Those companies will identify you if forced to do so by government authorities, law enforcement or if their system gets hacked. In that situation, they often have unencrypted records of your activity. Law enforcement could even take control of a VPN server themselves if they have a warrant, and as you now know there is no second server to protect your data. In the next paragraph, we will outline some weaknesses of the VPN model.
That VPNs are dangerous in some cases is not only caused by privacy issues. In this section, we explain risks that are caused by the implementation of the VPN. That includes the protocols used, but also encryption security considerations. These issues would still exist, even if a VPN provider was 100% trustworthy.
Many VPN providers say they have a “zero logs policy”, but you should be sceptical of that. There is no way to verify that with proprietary software. Most VPNs are closed-source and only a few like OpenVPN publish their source code.
When looking for a VPN, you want a company that uses mostly open-source software and has servers located in a country with strict privacy laws. Good ones are Switzerland (ProtonVPN), Iceland, Canada (TunnelBear) and Norway. Generally bad are South America, Africa, Great Britain (ExpressVPN), most of Asia and Russia. The US (IPVanish), Germany, Romania (CyberGhost), France, the Netherlands, Panama (NordVPN) and the UK are somewhere in the middle.
The countries we rate as bad have laws in place that force VPN providers to give authorities detailed records of your activity.
Never go for a cheap VPN. Those will use obsolete protocols like the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). These protocols have many known security issues. A cheap VPN will still use these, since servers with those protocols are less expensive to operate. After all, you get what you pay for!
If your VPN provider uses either of the two mentioned protocols, you are at serious risk. You believe that you are protected, but in reality you are not anonymous at all.
The next problem with VPNs is that the data can be completely decrypted by the VPN server. This server therefore knows who you are and what you send at the same time. That is so, since VPN servers can decrypt your data in a single step, while more advanced anonymisation techniques use so-called “layers” of encryption, so a single server alone cannot perform the entire decryption.
Most (cheap) VPN providers use only one server between you and the web. Therefore, the server you initially send a data packet to and the server that decrypts it are the same machine. This is a problem, because the VPN server associates the decrypted data with your real IP address. It is therefore in the hands of the provider whether they let police eavesdrop on your internet communication. Just know that they definitely could.
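What each relay learns in the single-relay model compared with layered encryption, as an added example that is not part of the original article. The toy XOR cipher, relay names, keys, client IP and destination are constructed for illustration and do not reproduce how any real VPN or Tor implementation encrypts traffic.

```python
import hashlib, json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(relays, destination, payload):
    """Client side: add one encryption layer per relay, innermost layer first."""
    next_hop, blob = destination, payload.encode()
    for name, key in reversed(relays):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        next_hop, blob = name, xor_stream(key, layer)
    return blob

def route(relays, client_ip, blob):
    """Each relay strips exactly one layer; record what that relay can observe."""
    seen, prev = {}, client_ip
    for name, key in relays:
        layer = json.loads(xor_stream(key, blob))
        blob = bytes.fromhex(layer["data"])
        seen[name] = {"from": prev, "to": layer["next"]}
        prev = name
    seen[prev]["plaintext"] = blob.decode()  # only the last relay holds the payload
    return seen

def can_link(view, client_ip):
    """True if one relay sees the user's real IP and the decrypted data together."""
    return view["from"] == client_ip and "plaintext" in view

# Constructed sample values (documentation IP range, made-up keys and relay names).
CLIENT, DEST, MSG = "203.0.113.7", "example.org", "GET /private-page"
VPN = [("vpn", b"k-vpn")]
CHAIN = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    for label, relays in (("single relay", VPN), ("three relays", CHAIN)):
        print(label)
        for name, view in route(relays, CLIENT, wrap(relays, DEST, MSG)).items():
            print(f"  {name}: {view}  links user to traffic: {can_link(view, CLIENT)}")
```

With one relay, the same machine records the client IP, the destination and the plaintext; with three, no single relay holds all of them.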
The main reason VPNs are dangerous is the false safety they give people. Many VPN users do not realise that they are always identifiable. You cannot trust VPN providers 100%: they might collect user data and reveal it to law enforcement on request.
The false sense of safety that people get from these services is partly the fault of some black sheep among VPN providers. Those companies have advertised their products very aggressively in the last few years and caused the misconceptions about the effectiveness of this type of network.
That does not mean that VPNs are bad, not at all. They are just not magical anonymisation tools as advertised. We actually strongly recommend a VPN for everyday internet use. You just always have to remember that if what you are doing requires absolute anonymity, a VPN is not the right choice. We therefore cannot recommend them for journalists and their sources, persecuted minority groups and democracy activists living under authoritarian regimes.