The title isn’t intended to be provocative or clickbait. It’s simply the truth, in spite of the misleading advertising you may have seen. In this article I’ll explain why.
What is a VPN?
Many of the protocols used on the Internet are specified in documents called RFCs. The production of these documents is overseen by the Internet Engineering Task Force (IETF). I won’t go into any more detail about RFCs or the IETF here because they aren’t the subject of this article.
RFC 4026 gives us this definition of a VPN:
“3.10. Virtual Private Network (VPN)
VPN is a generic term that covers the use of public or private networks to create groups of users that are separated from other network users and that may communicate among them as if they were on a private network. It is possible to enhance the level of separation (e.g., by end-to-end encryption).”
(Side note: for a more detailed description of VPNs, read RFC 2764, “A Framework for IP Based Virtual Private Networks.”)
Now, let’s get back to the definition of a VPN in RFC 4026: a VPN exists whenever you create a private network connection over the public Internet. At a minimum, that private network connection includes authentication, so that both ends of the connection can be sure of who they’re communicating with. Additionally, the private network connection may include encryption – and usually does. Since the communication is happening over the public Internet, there’s always the possibility that the traffic may be intercepted anywhere along the path, so encryption is a good idea – but don’t lose sight of the fact that encryption is not included in the definition of a VPN.
Here’s an example. A VPN tunnel can be established with Generic Routing Encapsulation (GRE), without encryption. An unencrypted GRE tunnel is still a Virtual Private Network. It meets all the requirements of the definition in RFC 4026.
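The unencrypted GRE case, as an added example that is not part of the original article: it builds one GRE-over-IPv4 packet with the basic 4-byte header from RFC 2784 and shows what an on-path observer recovers from it. The addresses, ports and HTTP request are constructed sample values.

```python
import socket
import struct

GRE_PROTO = 47            # IPv4 protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "Protocol Type" for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_gre_packet(http_request):
    """Constructed sample: HTTP over TCP over inner IPv4, wrapped in GRE over outer IPv4."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 6, len(tcp) + len(http_request))
    inner += tcp + http_request
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no optional fields, version 0
    outer = ipv4_header("192.0.2.1", "198.51.100.1", GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def observe(packet):
    """Return what an on-path observer recovers from one captured tunnel packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, proto_type = struct.unpack_from("!HH", packet, ihl)
    if flags != 0 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("only the basic 4-byte GRE header carrying IPv4 is handled")
    inner = packet[ihl + 4:]
    tcp = inner[(inner[0] & 0x0F) * 4:]
    return {
        "tunnel": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "dst_port": struct.unpack_from("!H", tcp, 2)[0],
        "payload": tcp[(tcp[12] >> 4) * 4:],
    }

if __name__ == "__main__":
    request = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    for field, value in observe(build_gre_packet(request)).items():
        print(field, value)
```

The tunnel endpoints, the private inner addresses and the full request are all readable without any key, which is why the separation a plain GRE tunnel provides is not confidentiality.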
Ordinary, unencrypted web traffic uses “Hypertext Transfer Protocol” (HTTP). Today, most Internet traffic uses the encrypted version, “Hypertext Transfer Protocol Secure” (HTTPS).
In practical terms, whenever you establish an HTTPS connection with your bank, you’re communicating with the bank over a VPN. It’s a private connection over the public Internet, both you and the bank have used authentication to verify each other’s identity, and the connection is encrypted for an additional level of privacy.
In fact, any HTTPS connection, with any website, is an encrypted VPN connection. It’s free. It doesn’t cost you anything extra.
Note that a VPN has nothing to do with hiding your location.
Also, note that a VPN has nothing to do with hiding your identity.
Hiding your location isn’t done with a VPN. It’s done with a different feature called “IP address redirect.” We’ll get to that in a moment. But right now, let’s continue to gain a clear understanding of VPNs.
Why do businesses use VPNs?
Site-to-Site VPNs – For many years, businesses have used VPNs to connect branch offices to the home office, because that’s where the server room was, and that’s where all the data was kept. More recently, businesses store their data in an off-site data center. Today it’s common for all business locations, including the home office, to connect to the data through VPNs.
Personal VPNs – As remote work became common, a second type of VPN grew in popularity. Instead of connecting two business locations together, a personal VPN is established to connect the remote worker’s laptop to the business location or data center.
Site-to-site VPNs are typically “always on,” 24/7.
Personal VPNs are established “on demand,” and the user, more often than not, disconnects the VPN when it’s not in use. There are exceptions. Some businesses provide laptops to their remote workers that are pre-configured to establish the personal VPN every time the computer is turned on, and it stays connected until the computer is turned off. This still falls in the category of an on-demand VPN, even though to the user it appears to be always on.
Concerns about privacy
We’re going to shift gears now, as we prepare to talk about IP address redirection.
As Internet use increased and as VPN technology became less expensive, some entrepreneurial types saw an opportunity. There were lots of articles written about the loss of privacy on the Internet. People were becoming concerned about these scary unknown things called “tracking cookies.” They were told that they were being spied on – that their Internet Service Provider (ISP) was watching every site they visited, everything they searched for, every video, every song, every purchase they made (see Figure 2).
The entrepreneurs said, “What if we can profit from this concern about privacy?”
And, indeed, they did find a quasi-solution to the privacy concerns.
The solution is IP address redirection. But the marketing is misleading. These companies tell you that they’re a “VPN service.”
It works like this: you install their software on your computer. Refer to Figure 3. When you visit a website, all of your web traffic is routed through your ISP to the proxy server owned by the company that provides IP address redirection. As far as your ISP is concerned, 100% of your web traffic goes to the same address.
IP Address Redirect
Let’s examine a typical “VPN service” provider. I chose this one because they’re fairly well known, not because they’re special. There’s very little differentiation in the advertising of any of these companies.
Here’s a description from the NordVPN website: “NordVPN encrypts your Internet connection and hides your IP address and location.”
For example, one of their proxy servers is 193.29.61.158.
This server is registered to PacketHub S.A., with headquarters in Panama City, Republic of Panama. The server itself is located in Seattle, WA, USA. They have servers all over the world.
“Encrypts your Internet connection.” That’s not a VPN function.
“Hides your IP address and location.” That’s not a VPN function.
The proxy server processes all of your information and sends everything to and from the websites you visit. If you visit, say, a dating website, the dating website sends data to the proxy server – not directly to you. The “VPN service’s” proxy server acts as an intermediary, redirecting traffic in both directions.
Additionally, all of the data between your computer and the proxy server is encrypted in both directions. Here are the results:
- The ISP doesn’t know what websites you visit.
- The ISP doesn’t know what data you send.
- The website you visit doesn’t know where you are.
- The ISP doesn’t know what data you receive.
True enough, but…
“How should we market this?”
What the users are paying for – what they want – is (1) encryption, and (2) IP address redirection. Those are the two specific features our sample “VPN service” highlights. Is a VPN involved? Yes, but only tangentially. It’s true that the software creates a VPN between the user and the proxy server. And the word “private” is right smack in the middle of the term, Virtual Private Network. So it looks interesting.
The entrepreneurs are correct: “People will pay for this!”
But – it’s misleading.
The VPN doesn’t provide the service the user wants!
Recall the IETF’s definition of a VPN.
Encryption? The VPN doesn’t require encryption.
IP address redirection? The VPN doesn’t make use of IP address redirection at all.
The VPN goes right through the ISP with its encrypted traffic – but that happens today with almost all of your traffic, whether you pay for a “VPN service” or not.
For example, when you establish an HTTPS VPN with your bank, it’s the same thing – the encrypted traffic goes right through the ISP, and the ISP can’t read the data. It costs you nothing.
Refer to Figure 4. When you connect to YouTube using any modern web browser, you’re using an HTTPS connection. It’s a VPN between you and YouTube. Not only is it a VPN – it’s encrypted. Your ISP cannot see your activity on the YouTube website. Your ISP knows you visited YouTube, but they don’t know what you’re looking at. And it costs you nothing extra.
Most websites today use HTTPS. And when a user sends traffic to any website using HTTPS, the traffic is encrypted and the ISP can’t see what traffic is passing through it.
A Red Flag
Using a “VPN service” can be a red flag. In some countries, these “VPN services” are against the law. The government wants to know what sites its citizens visit. Since the “VPN service” uses (1) encryption and (2) IP address redirection through a proxy server, the government loses visibility into its citizens’ activity. Note that the two features these governments deplore are not the VPN connection. I’ll say it again: neither encryption nor IP address redirection is a feature of a VPN.
Now, consider: what about your country? The ISP knows if it’s sending all of your traffic to an IP address redirection proxy server. Is there any chance your country asks the ISP to provide information about all of its customers who use such a service?
If you live in a country where HTTPS encryption is allowed, and you use an IP address redirection proxy server even though your traffic is hidden, could that put a target on your back? Maybe it makes you look like you have something to hide.
But wait – there’s more!
The ISP has been given a bad rap. They’ve been set up as the bogey man. “Don’t let the ISP know what websites you’re visiting!” Well, that’s pretty pointless, because your browser knows every website you visit, and your browser is probably passing that information along.
Microsoft gets your browsing information from the Microsoft Edge browser.
Google gets your browsing information from the Google Chrome browser.
And you know what? Even if you use a “VPN service,” these browsers still know every website you visit.
“Not me,” you say. “I use one of those secure web browsers that doesn’t pass along my information.”
Well, great. In that case, your Internet history is being hidden from Microsoft and Google, you’re using free HTTPS encryption, and you don’t have to pay for that “VPN service.”
Who do you trust?
So, you’ve decided to use IP address redirect proxy servers with a “VPN service” anyway. Between that and a secure web browser, no one can see anything you do on the web, right? Is that what you think? Well, wrong. You haven’t hidden your activity – you’ve just transferred your trust to the “VPN service.”
Are they more trustworthy? Why? What makes you think so? What evidence do you have to support the idea of placing your trust in the “VPN service?”
If you’re using one of the free “VPN services,” please think about how they’re coming up with the money to pay for the proxy servers, the data centers, the electricity, the fiber optic bandwidth… That money comes from somewhere, and if you’re not paying for the service, they’re making a profit some other way. You know, like selling your data.
In conclusion
1. The free “VPN service” is lying to you. They must make a profit. They’re monetizing your data.
2. The paid “VPN service” isn’t offering you all that much. You can have all the VPNs you need without them. You can have encryption without them. Your browsing activity is captured several different ways, directly from your computer, whether you use IP address redirection proxy servers from the “VPN service” or not. You’re not hiding nearly as much as they want you to believe you’re hiding.
3. Who do you trust? Do you really trust a “VPN service” that doesn’t clearly and honestly tell you what they’re selling you? Does their misleading advertising make them worthy of your payment? Remember, the product they’re offering you in plain language on their website is encryption (not VPN) and IP address redirection (not VPN) – so why do they tell you they’re a “VPN service?”
The title of this article is, “VPNs don’t hide your location.” And it’s true.
“VPN is a generic term that covers the use of public or private networks to create groups of users that are separated from other network users and that may communicate among them as if they were on a private network.” (RFC 4026)
If you think the features offered by these so-called “VPN services” are valuable, great. Use a paid one, not a free one. Just understand what you’re paying for. It’s misleading to call it a VPN.