Intro
When US intelligence tells you anything, there's a 50-50 chance the opposite is correct. The US government is seeking moral redemption. After decades of telling us that we should trust it with backdoors into our communications, it finally backfired spectacularly. Just as privacy advocates have always been saying: you can't have an encryption backdoor just for the good guys. [0]
"For months or longer", Chinese government hackers held access inside US internet service and telecommunication providers, collecting all of our browsing histories, phone records and much more. This is, of course, a major national security risk. [1]
Any high-ranking politician, journalist or random citizen could be held to ransom over the dirt the Chinese government now holds on each AT&T and Verizon customer. We'll probably see a major spike in support for Chinese policies as the naughty secrets of key elites and individuals are held for blackmail, or "accidentally" leak to the press.
That's how serious this is. So now the US government is officially endorsing end-to-end encryption and private communication. But... that's a bit hyperbolic. Only one agency, the Cybersecurity and Infrastructure Security Agency (CISA), endorses it. [2]
The FBI, on the other hand, still shills for an encryption backdoor that only US law enforcement can access: "The FBI does not want encryption to be weakened or compromised so that it can be defeated by malicious actors. Rather, the FBI along with federal, state, and local law enforcement colleagues, want providers who manage encrypted data to be able to decrypt that data and provide it to law enforcement only in response to U.S. legal process." [3]
So thanks to the mindset the FBI has been pushing rather successfully, the Chinese hackers were able to compromise US telecoms by abusing the lawful-intercept (wiretap) systems the telecoms run for US law enforcement.
An encryption backdoor that only the "good" guys can access does not exist. One man's backdoor is another man's vulnerability. That came out wrong. Or did it?
So CISA has issued a privacy and security guide for Americans to adopt. It contains a lot of points about which I have lots to say. I already talked about the Signal recommendation. I can talk about more if you are interested, so let me know in the comments.
But there was one recommendation that I did not expect to see. It goes against something I've been recommending on my channel for a long time: using a personal VPN, or Virtual Private Network. This is what CISA has to say about it:
"Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case." [2]
So... that's surprising. I've been using VPNs for a long time. Granted, with a lot of nuance and caveats that I will get to, and alongside heavy use of Tor, which is an actual anonymity network. But was I wrong to trust a VPN with my data in the first place? Is the US government correct?
And the answer to that question is: the US government is technically correct in all of its statements about VPNs. But strategically, it is still wrong.
So let's dissect each statement one by one. I'll explain what it means and how it affects you. Then I will give my recommendations on what I think you should do, and I will also share a bit about my own setup for network and web privacy.
Residual risk
So let's zoom in on the first statement: "Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface."
What is this residual risk they are talking about?
When you connect to the Internet with your device, whatever online activity you are doing, or your phone is doing automatically, goes through your Internet Service Provider. Your ISP can see where all of your traffic is going based on the destination IP addresses, the DNS queries your device sends (by default to the ISP's own resolver) and the server name that most TLS connections still send in the clear at the start of the handshake, whether you visit a website or your Facebook app checks in with Meta's servers. That's all the apps on your phone, all of your browser history... all visible to your ISP. And being the perverted creeps they are, ISPs collect and retain all of your traffic information and then sell it to data brokers and advertisers, or build a profile on you to target you with their own advertising. [9, 10]
ISPs also share this information with pretty much any government agency in any jurisdiction, almost always without a warrant. This is because, under the third-party doctrine, information you hand to an intermediary such as your ISP is not treated as private. [11]
The only thing your ISP cannot see is the actual content of your traffic, because that is encrypted most of the time with HTTPS: they can't see your messages, what articles you read or what you search for on DuckDuckGo. [12]
But they can see when you visited a divorce lawyer's website or whether you use a period tracking app. And an ISP that carries traffic for both you and your contact, or that exchanges traffic with your contact's ISP, sees both ends of the conversation and can correlate who is talking to whom by timing and volume, even though the content itself is encrypted. Exchanging each other's traffic is also something ISPs do.
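To make the "domain yes, content no" distinction concrete, here is an added example (not from the original post) of what a passive observer on your ISP link can read out of an HTTPS session without breaking any encryption: the name in the DNS query and the Server Name Indication (SNI) in the TLS ClientHello. The packets are built in code rather than captured, and the hostnames are placeholders; the final application_data record stands in for the actual HTTP request, which stays opaque.

```python
"""
Constructed example of what a passive observer on your ISP link learns from
HTTPS traffic without breaking any encryption. Two plaintext leaks are parsed:
the name in a DNS query and the Server Name Indication (SNI) in the TLS
ClientHello. The packets are built in code, not captured, so this runs offline;
hostnames are placeholders.
"""
import struct
from typing import List, Optional, Tuple


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (RFC 1035) for `name` as a raw UDP payload."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)            # QTYPE=A, QCLASS=IN


def parse_dns_query_name(payload: bytes) -> str:
    """Return the first question name from a DNS message (plain labels, no compression)."""
    qdcount = struct.unpack(">H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_tls_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying a server_name extension (RFC 6066)."""
    host = sni.encode("ascii")
    server_name_list = struct.pack(">BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack(">H", len(server_name_list)) + server_name_list
    extensions = struct.pack(">HH", 0x0000, len(sni_ext)) + sni_ext       # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # random (constructed, all zero)
        + b"\x00"                                     # session_id: empty
        + struct.pack(">H", 2) + b"\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body     # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake   # record type 22 = handshake


def parse_tls_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None for anything else."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a handshake record, or not a ClientHello
    pos = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                            # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                            # compression_methods
    if pos >= len(record):
        return None                                   # no extensions at all
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                        # server_name
            entry = record[pos + 2:pos + ext_len]     # skip the server_name_list length field
            name_type, name_len = struct.unpack(">BH", entry[:3])
            if name_type == 0:
                return entry[3:3 + name_len].decode("ascii")
        pos += ext_len
    return None


def what_the_isp_sees(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """packets: (protocol, payload) pairs. Returns hostnames recoverable without any decryption."""
    seen = []
    for proto, payload in packets:
        if proto == "udp/53":
            seen.append(("dns", parse_dns_query_name(payload)))
        elif proto == "tcp/443":
            host = parse_tls_sni(payload)
            if host is not None:
                seen.append(("sni", host))
    return seen


# Constructed capture: DNS lookup, TLS handshake, then an encrypted application_data
# record (type 23) standing in for the actual HTTP request, which stays opaque.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("udp/53", build_dns_query("divorce-lawyer.example")),
    ("tcp/443", build_tls_client_hello("divorce-lawyer.example")),
    ("tcp/443", b"\x17\x03\x03\x00\x08" + bytes.fromhex("9f2c41e07ab36d15")),
]

if __name__ == "__main__":
    for source, host in what_the_isp_sees(SAMPLE_PACKETS):
        print(f"{source}: {host}")
```

Running it lists the hostname twice, once from DNS and once from the SNI, and nothing at all for the application_data record: the observer learns which site you went to but not which page. Using an encrypted resolver removes the first leak; the SNI stays in the clear unless the site and browser support Encrypted Client Hello, which is still uncommon.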
That's a lot of sensitive information that everyone using the Internet is inherently trusting some random companies and their governments with. It's also what enables nationwide censorship of apps and websites, and the content geo-blocking that prevents you from watching Netflix from abroad. Those are the biggest reasons a lot of people decide to use a VPN.
What a VPN does is reroute your internet traffic through one of the VPN provider's servers, which achieves two things. It prevents your ISP from knowing which websites and servers you actually connect to; they only see the VPN server. And the websites and apps you use only see the VPN server's IP address instead of your real one, which lets you spoof your location and access geo-blocked or censored content.
But the VPN provider knows your original IP address and where your traffic goes. So the provider, just like your ISP, could collect, retain, share and sell your traffic to anyone anywhere in the world, and you would never be able to stop it.
And here's the kicker. Even if your VPN provider isn't doing that, its servers still sit behind some Internet Service Provider, or several of them. Anyone who can observe both your link to the VPN server and the VPN server's link to the wider Internet (the VPN's upstream ISP, or a transit provider both sides route through) can match the encrypted bursts on the two links by timing and size and work out which websites you visit, without decrypting anything.
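Here is an added example (not from the original post) of the correlation described above. Two passive observers, one on the client's ISP link and one on the VPN server's upstream link, each see only encrypted bursts, yet matching them by time and size recovers which destination each client burst went to. Every flow record below is made up, and the 50 ms delay window and 200-byte framing allowance are assumptions, not measurements of any real provider.

```python
"""
Constructed example of the correlation problem: two passive observers, one on
the client's ISP link and one on the VPN server's upstream link, see only
encrypted bursts, yet matching bursts by time and size recovers which
destination each client burst went to. All flow records are made up; the delay
window and framing overhead are assumptions, not measured values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Burst:
    t: float       # seconds: time of the first packet in the burst
    nbytes: int    # total bytes carried by the burst
    peer: str      # remote endpoint as that observer sees it


# Observer A (client's ISP): every burst from the client goes to the VPN server.
CLIENT_SIDE: List[Burst] = [
    Burst(10.000, 4120, "vpn.example:51820"),
    Burst(10.900, 1480, "vpn.example:51820"),
    Burst(12.300, 9820, "vpn.example:51820"),
]

# Observer B (VPN's upstream ISP): bursts leave the VPN server a few ms later and
# slightly smaller (tunnel headers stripped), interleaved with other users' traffic.
EXIT_SIDE: List[Burst] = [
    Burst(10.004, 4040, "divorce-lawyer.example:443"),
    Burst(10.450, 700, "news.example:443"),              # another user
    Burst(10.905, 1420, "period-tracker.example:443"),
    Burst(12.100, 9800, "video.example:443"),            # another user: similar size, wrong time
    Burst(12.303, 9740, "divorce-lawyer.example:443"),
]

MAX_DELAY = 0.050        # assumed: the exit burst follows the client burst within 50 ms
SIZE_TOLERANCE = 200     # assumed: tunnel framing shaves at most ~200 bytes off a burst


def correlate(client_side: List[Burst], exit_side: List[Burst],
              max_delay: float = MAX_DELAY,
              size_tolerance: int = SIZE_TOLERANCE) -> List[Tuple[float, Optional[str]]]:
    """For each client burst, pick the exit burst that best matches in time and size.

    Returns (client_burst_time, exit_peer) pairs; exit_peer is None when nothing on
    the exit link fits the window, i.e. the observer learns nothing for that burst.
    """
    matches: List[Tuple[float, Optional[str]]] = []
    used = set()  # each exit burst explains at most one client burst
    for cb in client_side:
        best, best_score = None, float("inf")
        for idx, eb in enumerate(exit_side):
            if idx in used:
                continue
            delay = eb.t - cb.t
            shrink = cb.nbytes - eb.nbytes          # inner payload is never larger than the tunnel
            if not (0.0 <= delay <= max_delay) or not (0 <= shrink <= size_tolerance):
                continue
            score = delay / max_delay + shrink / size_tolerance   # lower is a tighter fit
            if score < best_score:
                best, best_score = idx, score
        if best is None:
            matches.append((cb.t, None))
        else:
            used.add(best)
            matches.append((cb.t, exit_side[best].peer))
    return matches


if __name__ == "__main__":
    for t, peer in correlate(CLIENT_SIDE, EXIT_SIDE):
        print(f"client burst at t={t:.3f}s -> {peer or 'unmatched'}")
```

The tunnel encryption plays no part in the analysis; only the shape of the traffic does. The more users share the exit and the more uniform their traffic (padding, fixed-size bursts, delays), the more candidates fall inside the window and the weaker the match, which is why a busy server helps a little and a near-idle one barely at all.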
This is something that no sponsored VPN segment on YouTube will tell you. This is what I will tell you because I refuse to take sponsors that would conflict with the topics I cover on my channel. So patreon.com/thehatedone.
It is important that you actually understand this, because all that talk about encrypted tunnels, hackers and protection is meaningless. VPNs are all about trust, and that is the fundamental flaw of a technology that was never designed for privacy.
So the US government is correct. By using a VPN, you are merely shifting trust from your ISP to the VPN.
Questionable practice
From all this information, we know the second statement is also true: "Many free and commercial VPN providers have questionable security and privacy policies".
Virtually all VPNs I've seen sponsored on YouTube have no proven record of actually protecting your data. This is what I hate about big tech channels like MKBHD or Linus Tech Tips. They shill these VPNs, obviously under lucrative deals, and they always oversell the promise while understating or not even mentioning the many VPN risks and limitations.
VPNs have been caught logging user information while claiming a "no-log" policy. They've had data breaches exposing user information that shouldn't have been retained in the first place. [4, 5]
VPNs often change ownership: they get sold, merged or acquired. Many different VPN brands actually operate under the same company. Only three companies own some of the biggest VPN brands in the world, probably all of the names you've seen sponsored on YouTube. [6] This is embarrassing. Sometimes the people surrounding a VPN, including employees and founders, have odd ties to the intelligence community or hacking controversies in their past. [7, 8]
I am surprised a government agency is aware of this when 20-million-subscriber YouTube channels aren't, which makes me think they either know and just don't care, or they are clueless and shouldn't be tech channels.
VPNs' true purpose
CISA also says one thing that reveals the true purpose of VPNs, the one thing they are actually good at: "if your organization requires a VPN client to access its data, that is a different use case." VPNs were designed to give companies with remote workers and offices a secure tunnel over which to carry proprietary company data. Trade secrets, business intelligence, intellectual property: companies don't want to route those over the open Internet, so they set up a VPN to protect them. The trust model fits that case because the company owns both ends of the tunnel and the data inside it. The kicker is that the company does not care about the privacy of its workers; it benefits from being able to monitor all of its employees' traffic on the company VPN. That is all for company needs, not personal privacy needs. [13]
But here's the thing. None of this is new to me. I've been talking about the risks of VPNs for many years on my channel. Yet, I still recommend and use VPNs for personal privacy. What is going on? Am I stupid?
I still use a VPN
Knowing what we know about government and corporate surveillance, trusting the default option is really bad. Surrendering your browsing records and all of your online activity to your Internet Service Provider is always going to result in your privacy being violated. On top of that, your IP address is a unique identifier that is used to track you even when you "ask the app not to track you". Nobody should be comfortable with how this works.
If you could somehow get a VPN that is not in the business of logging and selling your data, you could actually gain some privacy by making it harder for creepy advertisers to track you. But keep in mind that your IP address is only one data point. Even if you obfuscate it, you can still be tracked by your usage data, contextual information and of course any information you actually submit to the service you are using. Facebook is not suddenly going to forget who you are when you turn on a VPN. It still has all your data, your friends list and all your usage information, and hiding your real IP address does not matter against that volume of data collection.
In order to be truly private on the internet, you need to minimize your data footprint, anonymize information that cannot be removed and compartmentalize your online activities so they can't be correlated.
So what this looks like in practice is that you start migrating from privacy-invasive services to privacy-respecting ones. Instead of Gmail, you use ProtonMail or Tuta; instead of WhatsApp and iMessage, Signal; instead of Google Search, DuckDuckGo; instead of Google or Apple Maps, Organic Maps; and so on. For anonymization, you stop using your real-life credentials wherever you can get away with fake ones. You start using email aliases, which can be generated for free with something like SimpleLogin, and a password manager like Bitwarden or 1Password to give every account unique login credentials. To fully compartmentalize your identities, you can use GrapheneOS, which requires no account to use and supports separate user profiles, so different identities can live on one device without sharing app data. Then, if you need to be truly anonymous, you can route your whole device's traffic through the Tor network with Orbot. [16, 17]
When you have all this in order and don't want to use Tor, it makes sense to add a reputable VPN to the mix, because all of that data minimization and anonymization will really benefit from your ability to also obfuscate your IP address.
So which VPNs do I use?
I think there are only two, maybe three VPN providers I would trust my data with. And no, I am not sponsored by any of them. Patreon is my main source of income. The gold standard is Mullvad, which is based in Sweden and runs RAM-only VPN infrastructure, which gives more technical backing to the "no-logs" policy. [14, 15] Evidence for the no-logging promise also came when Swedish police arrived at Mullvad's office with a search warrant and left empty-handed, because the customer data they wanted did not exist. I also like ProtonVPN, because it's based in Switzerland, with very strict courts and a generally privacy- and secrecy-minded legal system. And I add IVPN to the mix because, like Mullvad, it offers anonymous signup (no email required), and I like to hop between multiple VPNs regularly so as not to leave a long trace of my activity at any one provider.
In conclusion, while CISA is technically correct in its statements about VPNs, I think there is a lot more nuance to it. All VPNs are bad for you, except for three, is my take.
And if you like analyses like this one, free from sponsor-interest, support my work on Patreon.com/thehatedone and access a metric-ton of content I make there every goddamn week.
[1] https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b
[2] https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
[3] https://www.fbi.gov/about/mission/lawful-access
[4] https://www.foxnews.com/tech/massive-free-vpn-data-breach-exposes-360-million-records
[5] https://www.techradar.com/pro/vpn/over-25-billion-free-android-vpn-users-at-risk-of-data-leaks
[11] https://harvardlawreview.org/blog/2018/06/future-proofing-the-fourth-amendment/
[12] https://www.cloudflare.com/learning/ssl/what-is-https/
[13] https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html
[15] https://gizmodo.com/vpn-mullvad-search-warrant-data-it-doesnt-collect-1850358717
[16] https://www.wired.com/story/the-grand-tor/
[17] https://orbot.app/en/about/
The Hated One