201 points sdsantos | 9 comments
fujigawa No.45118394
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.

I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".

Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

1. zoeysmithe No.45118672
This is my feeling too. I also don't think these people realize how none of these groups can refuse a subpoena so the scenario of "the government coming after me," doesn't get addressed either.

Worse, some of these are tied to foreign nation state intelligence, who are now analyzing your data when before they couldn't because they didn't have a relationship with your ISP. Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.

Weird technical issues happen because a lot of services don't keep vpns in mind. I saw a lot of people were having issues connecting to multiplayer game servers. The vpn provider broke something, maybe it was on a blacklisted IP, maybe increased latency, maybe the IP is in the wrong region and people are connecting to a NA server but are in LATAM, etc.

I really don't know the use case for a vpn, not to mention advertising snooping happens on the application level anyway. It's javascript running on my browser and html5 and heaven knows what else analyzing me for ads, not "what IP did you connect from."

Lastly, there are privacy tools like onion and running a browser with no js active. These vpn types don't do that. They're actually not getting the privacy and security they want because tor is slow and a no-js firefox is unfun. So this weird cargo cult of VPNs has appeared, similar to stuff like "disable UAC" and other "computer enthusiast" knowledge you see in gamer or low information forums. It's the blind leading the blind here and these capitalist opportunists absolutely are taking advantage of that. "I'm safe I have a vpn," is a normal thing to say even though it's almost entirely wrong.

The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.

2. TGower No.45118877
Many major VPN providers claim to keep no logs, and some have had third party audits supporting that claim. Subpoenas don't do anything if the company doesn't keep logs.
3. 5f3cfa1a No.45119211
I suspect every single VPN, including the ones who claim to not log, maintains or exposes enough information for a dedicated adversary to make a convincing case if they want. I give a little extra credit to Mullvad simply because I can put cash in the mail, but even then if a significant adversary wants to know you are connecting, they will.

> Domestically, I wouldn't be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals it's hard to really see this stuff as conspiracy anymore.

Even the "friendly" international ones aren't in the clear. Sweden isn't in FVEY, but they're in Fourteen Eyes. And we know from the XKeyscore leaks that the NSA hoovers up metadata like there's no tomorrow. I'd bet my house that anyone who connects to a commercial VPN or _especially_ to Tor lights up like a Christmas tree on the NSA's board – so they might not know for sure what you're doing, but they know you are possibly doing something.

Apple's Private Relay is probably the best chance to actually blend in, but estimates are 1-2% usage for "average users" and 3-5% for Wikimedia editors who I'd assume to have a technical slant. That's an order of magnitude too low for a crowd to exist to blend into, and with two friendly US entities on both sides of the privacy equation, I wouldn't rely on it to stand up against significant scrutiny.

> The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so it's this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpoenas.

My analysis tends towards this: there's a gradient of behavior that is "tolerated" at each step. If you want to torrent, a cheap VPN is tolerated and your crimes will be overlooked... because it's far better to catch serious criminals through that VPN. If you want to buy LSD from a dark web site, Tor lets your crimes be overlooked, because the big fish are the sellers. If you want to commit a significant crime, TLAs know everything about you already and the DEA/HSI/FBI/USPIS/IRS-CI or your local equivalents are ready to parallel construct your ass to the wall when you become noticeable enough.

But maybe I'm not as pessimistic as you – the vast majority of people aren't at the far end of the spectrum, so if you want to infringe copyrights, $60 to Mullvad for a year is what you want.

4. No.45119431
5. stackskipton No.45119751
I also wouldn’t trust a VPN provider standing up to the pressure of a really angry Western government. If Mullvad gets a US FISA warrant followed by a threat to destroy their ability to gain access to US payments, they are going to flip logging on for you so fast.
6. heavyset_go No.45120257
Third party auditors aren't going to be allowed into Room 641A.

Courts can order providers to keep logs on certain users. Wiretapping laws also allow for it. And all of that goes out the window if the government decides there's a threat to national security.

7. afiori No.45124097
I use Mullvad and the main reasons I pay the 5$ a month are:

1) I do believe it is quite private

2) the socksv5 proxy is useful to prevent qbittorrent connecting to the internet at work by mistake

3) if the network is spotty or a bit unstable the vpn hides the instability from apps

4) I don't trust my isp DNS

5) geoblocking (Mullvad is not the best at this though)

8. reorder9695 No.45125369
I'm not necessarily sure they would. They've built their company based on no logs and privacy and seem fairly ideological; if this occurred their business would likely be permanently crippled. Most of their users use them because of their strong guarantees.
9. stackskipton No.45130016
Turning on logs for a single user vs. taking what could be a crippling business hit? Maybe their CEO is ethical, but that would be behavior I haven't seen from a CEO ever.