This article was originally posted at Comparitech.
A VPN is now a necessity for anyone who values their privacy online. It prevents hackers, governments, corporations, and internet service providers from monitoring and tracing internet activity back to the user. All internet traffic is encrypted and tunneled through a remote server so that no one can track its destination or its contents.
But using a VPN requires a certain degree of trust in the companies that operate these services. They could monitor and analyze the traffic that passes through their servers, and some have. These companies can in turn be hacked, abused, or coerced into giving up private information about users.
Nowadays, every VPN worth its salt touts a “no logs” privacy policy and strong encryption. The general agreement is that the provider does not record any information about the contents of customers’ internet traffic. That seems simple enough, but “no traffic logs” doesn’t necessarily mean zero logs.
Most VPN providers, even those that boast about their logless policy, do in fact store metadata logs on their servers. These can include a range of information about the nature of a customer’s VPN connections, but not the actual contents. Timestamps, bandwidth consumed, amount of data used, and even the original IP address of the user can all be logged by the VPN provider. In the hands of the FBI or a snooping hacker, this information could be valuable.
VPN providers’ encryption standards are also not always advertised in a straightforward manner. Most will inform you that they use either 256-bit or 128-bit AES for channel encryption, but can leave out information about how that channel was set up, including RSA key exchange and authentication details.
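To make the gap between the advertised channel cipher and the rest of the tunnel setup concrete, here is an added example (not from the Comparitech article) that audits an OpenVPN client profile layer by layer. It assumes the provider ships OpenVPN profiles; the sample profile is constructed and the list of legacy algorithms is illustrative, not exhaustive.

```python
import re

# Constructed sample profile (not from any real provider).
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher AES-256-CBC
auth SHA1
# tls-cipher and tls-version-min are not set
"""

# OpenVPN directives grouped by the part of the tunnel they protect.
LAYERS = {
    "data channel cipher": ("data-ciphers", "cipher"),
    "packet authentication (HMAC)": ("auth",),
    "handshake / key exchange": ("tls-cipher", "tls-ciphersuites", "tls-version-min"),
    "server authentication": ("remote-cert-tls", "verify-x509-name"),
}
# Illustrative markers of legacy settings (assumption of this example).
LEGACY = re.compile(r"\b(MD5|SHA1|BF-CBC|DES|RC4)\b|tls-version-min 1\.[01]\b", re.I)

def parse(profile):
    """Return {directive: argument string}, ignoring comments and blank lines."""
    settings = {}
    for line in profile.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def audit(profile):
    """Map each layer to 'unspecified', 'legacy: ...' or 'ok: ...'."""
    settings = parse(profile)
    report = {}
    for layer, directives in LAYERS.items():
        found = [f"{d} {settings[d]}" for d in directives if d in settings]
        if not found:
            # The profile relies on client/server defaults for this layer.
            report[layer] = "unspecified"
        elif any(LEGACY.search(f) for f in found):
            report[layer] = "legacy: " + ", ".join(found)
        else:
            report[layer] = "ok: " + ", ".join(found)
    return report

if __name__ == "__main__":
    for layer, verdict in audit(SAMPLE_OVPN).items():
        print(f"{layer:32} {verdict}")
```

A profile can pass the "256-bit AES" check and still leave the handshake and server authentication to defaults, which is the information the paragraph above says providers tend to omit.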
Be sure to visit John Jacob’s “Down and Dirty Guide to Electronics Security” – Internet and Computer security, anonymity tools and programs.
1. Isn’t it also very important for Govt’n security which country you connect to the VPN servers as well? For example I use a VPN and switch back and forth between various countries when I connect. Sometimes Iceland, Sweden…etc etc.
2. Which are the most secure countries to connect via?
3. Which of these VPNs are recommended for a smart phone?
4. What about Unseen’s VPN service? It includes a hardware device to use with the VPN, what are your thoughts on that?
GREAT questions. Here are my responses.
1A: It is especially important to avoid the 5 Eyes countries of US, UK,
Canada, Australia, and New Zealand. They share an international
intelligence sharing agreement (and may have added France, which is why
it is sometimes referred to as ‘6 Eyes’). Often a person will avoid
connecting to a VPN node in the US because of the pervasive intelligence
gathering efforts of the United States government. A user may connect
to another country because the access by US intelligence services is
more difficult, or the laws in that country are much more restrictive in
terms of allowing government access. Many countries have very strict
rules against government prying unless evidence can be shown that the
persons in question are involved in serious crimes. But the
Intelligence sharing agreement between the 5 Eyes nations allows full
access to each other for intelligence each country has collected, simply
for the asking. In fact, now with shared databases, they don’t even
have to ask. It’s like five roommates who all keep their food in the
same fridge. Whatever one wants, one just goes and takes. But let’s
say you are visiting, would you want to put your lunch in that
refrigerator? Your stuff may be left alone, or it might not. You may
want to keep your food in the next fridge over with the lock on it, and
the person who owns the next fridge over slaps the hands of the other
five guys when they try to get into the locked fridge to get your
lunch. That is, of course, unless the 5 guys can convince the owner of
the locked fridge that it’s not actually your lunch in there, but it was
a bomb disguised as a lunch. If they can provide sufficient evidence of
that, then the owner of the second fridge may give them access to look
at your lunch. Taking your lunch… well, now there’s a whole separate
set of rules for that. So, it’s a pain, and your lunch is much more
safe than if your lunch was in their refrigerator.
2A: There are no ‘Secure Countries’. There are some whose laws favor
privacy much more, and scrutinize government access more. This is why I
recommend individual companies who have built a reputation of keeping NO
LOGS. This way if even a “safe nation” government decides to make an
exception out of you, all they get during the raid of the VPN server is
… nothing. Because no logs are kept of any connection or user
activity. Eventually, world governments will call this a “loophole” and
in the name of keeping you safe, will pass laws requiring logs to be
kept for ‘special circumstances’, like keeping you safe from
terrorists. But for now, no logs are the standard you want to look for,
in my opinion.
However, are there safer countries than others? Yes. Iceland has some
of the strongest privacy laws, and most stringent restrictions on
government access, they are my number one choice. The VPNs I choose
most often, in order: Iceland; Switzerland; Hungary; Czech Republic;
Ukraine. After that, probably Poland and then I bounce around through
various South American countries, and occasionally Asia.
I always avoid connecting to: 5(6) Eyes, Russia, China, and Israel.
3A: I use the NordVPN App on my smart phone. But that is just for
general principle. Do not believe for a moment that your personal
tracking device (smart phone) is secure in any way, PERIOD. What you
say, what you point the camera toward, and ALL of your activity, even
using encrypted apps, had better be of a benign nature and nothing you’d
ever want an intelligence service to have access to.
4A: I use Unseen mail and chat and love it. They’re also based out of
Iceland — one of my favorite server nations for connecting due to their
strict privacy protection laws. HOWEVER, I don’t like to put all my
trust into one basket. For that reason, I will not entrust a single
company with both my encrypted email service, AND my VPN service. If
they ever sell out on their integrity and decide to turn things over to
a government entity, I want them to only have a piece of me. Not all of
me.
And on that note, I also highly recommend the use of gpg encrypted
email, where YOU create and control your encryption keys and distribute
those keys with parties of your choosing. You can also revoke those
keys and create new ones. If someone like Unseen ever stabbed us in the
back and handed all the unseen email traffic I’ve sent and received over
to a government entity, all they’d be getting is encrypted data that
they can’t read.
I use and recommend NordVPN, and they also have a VPN router (hardware)
you could set up in your home or business. But personally, I like to
have the app installed on each individual device. There are certainly
strong arguments for having the hardware VPN router though.
It’s just a personal choice.
Hope that helps some.
-JJS
Just for information, I have used PGP in the past and at one point operated a small net of about seven people for the purpose of exploring how to use PGP in a network setting. It wasn’t long before I had a new member, then another, then another, and the net started receiving messages from these guys, and replies, with perfectly innocuous content, but with subject headers of an extremely provocative nature. Stuff like “the bomb is ready” and “Attack tonight” and “the grenades have been distributed.” After about three of these, I replied to them in the clear, CC’ing the net, showing the innocuous content of the messages and asking “What the hell do you think you are doing? Trying to get one of your pet magistrates to issue a search warrant based on your own subject headers, aren’t you?” These guys disappeared and we dissolved the net, since the use of encrypted messages can be used as bogus (but effective) grounds to justify rummaging through our computers looking for incriminating material. Just FYI.
Interesting that they didn’t include Perfect-Privacy / Vectura in the comparison.
I’d agree about the 5-6 eyes comment. I signed up for Private Internet Access and used it a couple of weeks. One day my password/username would not work for secure connect. I submitted a password reset with the Forgot Password link. No reply. I opened a support ticket and no reply other than you have an open support ticket. I replied to the newuser email and got a comment added to my open ticket. I finally asked for a refund and they “hemmed and hawed” since I used a gift card to open the account. Some front end-back end BS.
Evidently some USA government entity contacted them and requested that I be booted. I believe PIA is owned by a UK company London Trust Media. Lesson learned.