Distrust and Verify: Your ISP and Choosing a VPN

Earlier this year, I noted that the Senate had eliminated consumer protections for broadband customers. This change could result in Internet Service Providers sniffing your broadband data to potentially sell your browsing history to marketers. Yes, it sucks.

I also noted that one way to counter this practice would be to mask your broadband traffic through a Virtual Private Network (VPN). When you tunnel your traffic through a VPN, your ISP can’t tell what websites or Internet hosts you are visiting. All it can see is that you’re transmitting and receiving encrypted data to your VPN provider.

However, tunneling all your traffic through a VPN is not an ideal solution because the performance of your broadband connection will suffer. There are still perfectly good reasons for using a VPN:

  1. You’re connected to an untrusted network, such as a public WiFi hotspot in a cafe, hotel, or airport.
  2. You’re trying to access geofenced content, such as information that is not available in your country but is in another.
  3. You don’t trust your Internet connection because you’re in a foreign country or on the premises of a business competitor.

But a VPN doesn’t provide you with 100% security or privacy. Instead you’re simply replacing the ISP you might distrust with a VPN provider that you might trust a bit more. Your VPN provider will “know” every website that you visit while you are connected to it. And just as your ISP does, some VPN providers keep logs of what sites their users are visiting.

Boni Satani recently coauthored a guide on The Best VPN that surveys 118 VPNs and their policies that indicate that they do not keep logs of their subscribers’ activity. If you’re considering subscribing to a VPN, I would recommend reviewing this guide to help find a VPN that does not log your traffic. Of course, you’re the final arbiter of what is the best VPN for you. Do your homework and choose widely.

Personally, I use TunnelBear for occasions when I’m at an untrusted public WiFi network and don’t want someone to “sniff” my data. Their privacy policy states that they do not “store users originating IP addresses when connected to our service and thus cannot identify users when provided IP addresses of our servers.” They may log what site you visit but they cannot associate that information with you. And they have those cute bears.

Update: I should reiterate that using a VPN doesn’t guarantee complete privacy or anonymity. For example, the FBI was able to use PureVPN’s IP address logs to determine that a PureVPN user was allegedly cyberstalking a former roommate and her friends. PureVPN was listed in the Best VPN survey of VPNs that do not keep logs. They apparently do.

Leave a Comment

1 Comment

  1. Hey Juan, I enjoyed your this post. I just want to clarify one point regarding PureVPN’s logs because the media and rival VPN companies are mischaracterizing it.

    First, PureVPN keeps connection logs. This is common knowledge and something they have disclosed in the past. Most VPNs keep logs of this type, which typically includes the incoming/outgoing IP address of the user, as well as a timestamp of the session start/end time.

    More info on the difference: https://www.vpnuniversity.com/learn/what-do-vpn-really-log

    Most VPNs that claim not to keep logs are actually referring to ‘activity logs’, meaning actual logging of browsing and download history. This is a technical distinction that allows a huge number of VPNs to CLAIM to be non-logging, when in fact they still keep connection logs.

    That’s point #1.

    Point #2 is that PureVPN’s logging policy has almost nothing to do with the FBI investigation. According to the report, the same PureVPN-owned IP address was used to sign into his personal gmail accounts and also used to commit one of the alleged crimes. Without keeping any logs whatsoever, it can still reasonably be shown that that there is a pattern of IP address overlap between Ryan Lin’s accounts and the harassment activity. This would be enough evidence to get a wiretap order in the form of a packet sniffing tool like Wireshark to actively monitor the VPN server and catch the culprit in the act. I’m not saying this is exactly how it went down, just that it’s perfectly plausible that PureVPN didn’t lie about their logging policy.