Hacker News new | ask | show | jobs
by jwr 2624 days ago
I use VPNs for one main reason: so that my ISP does not build a complete profile of me based on the sites I'm visiting. This can be mitigated to a certain extent by using a VPN. I do not expect to become anonymous or invisible on the internet all of a sudden, I just do not want the guy listening next to my front door to know everything about me.

In the US, where personal data is a free-for-all and everybody and their dog sells data about me to everyone else, this is important.

I agree with the author that VPNs should not be advertised as a complete security and privacy solution, but I disagree with his statement that they can actually do more harm than good.
3 comments
jedberg 2624 days ago
But all you've done is kick the can down the road, so now your VPN service can build a profile on you instead.
link
nuclx 2624 days ago
Then use different VPNs for different types activities, combine it with TOR if necessary. It's not like it's a free lunch.
link
AstralStorm 2624 days ago
The ISP can easily build a reasonably reliable profile based just on packet size and timing. TLS and most VPNs do nothing to these.

If they actually wanted to. You could sure them under wiretapping laws if they did.

If you cannot trust your ISP, you cannot really have any privacy without truly extensive measures. Not even Tor is enough, it does not pad and change timing enough.

The real problem is cookies, requirement for email backed login and phone home downloads. (E.g. images such as social buttons, JavaScript. They can also leak cookies or make them live longer.)

The last one is combatted to an extent by mix networks like Tor, or better yet, by aggressively caching and/or predownloading.

link
crooked-v 2624 days ago
> You could sure them under wiretapping laws of they did.

I assume you meant "sue", but, no, that's not actually a guarantee, because companies can require that you "voluntarily" agree to mandatory arbitration in order to get any service at all.

link
AstralStorm 2624 days ago
Those clauses are illegal, much like indemnification by you of a big ISP. Even clauses of choice of law are very suspect.

Relying on such a clause to attempt to prevent a civil suit is stupidity, if only because people are not properly informed of what the clause meant, making it void. (I could quote a few cases. But I am not a lawyer. Microsoft and EULA comes to mind.)

And by EU law, they are completely null and void by just being illegal.

That said, most of those suits do not reach court by means of settlement, not arbitration.

link
crooked-v 2623 days ago
> Those clauses are illegal

Not in the US!

https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...

link
TeMPOraL 2624 days ago
> If they actually wanted to. You could sure them under wiretapping laws if they did.

Could you? I was under the impression that (in the US) the main difference between a phone line and an Internet connection is that former is legally protected against wiretapping and the latter not so much.

link
danShumway 2624 days ago
> You could sure them under wiretapping laws of they did.

Has this ever worked though? Cursory searching, I don't see or know of any examples of lawsuits that have actually succeeded on this front. And it's not like ISPs have never given consumers an opportunity before.[0]

[0]: https://www.cnet.com/news/verizon-draws-fire-for-monitoring-...

link
AstralStorm 2624 days ago
The cases are almost always settled for reasons I outlined in response to another thread. (mostly related to peering and PR damage, that can kill an ISP)

The app is a tiny blip on the radar waiting for careless. (Read the darn contact, especially if you get a discount.)

link
danShumway 2624 days ago
You're not exactly boosting my confidence here.

The easy sniff-test for whether or not existing laws are enough to dissuade an ISP from building user profiles is to check to see if it was enough in the past to stop them from doing so.

Do we have any cases of where an ISP broke wiretapping laws and was punished severely enough in a settlement or trial that it either killed the ISP or forced them to restructure or rebrand?

If ISPs can pull off highly profitable abuses and get away with it by just settling when they're called out, that's no guarantee that they aren't going to do the same thing in the future. Verizon bragged that they broke wiretapping laws in 2012. How are they doing now? Still struggling to recover from that, I would expect?

Certainly not selling real-time location data to bounty hunters.

link
fulafel 2624 days ago
Identifying based on traffic analysis is easily feasible if they collude with advertisers, since they can then correlate traffic by timing. ("Which ISP can sell us subscriber data with TLS traffic to our our ad at the same times that the ad was served with this visitor-id?")
link
netwanderer3 2624 days ago
If you use Chrome browser or Android phone then Google is already able to build a profile on you. They have multiple ways to ID every session and individual browsing tab to link them back to your profile. VPN is completely irrelevant in their game.
link
danShumway 2624 days ago
If Google has my data, does that mean I should also give it to Comcast?

This kind of argument comes up a lot, and I really don't understand it, at all. Privacy is a process, it's something you improve over time. The alternative is completely circular.

I shouldn't care about switching to Firefox, because my ISP is already getting all this data anyway, and I shouldn't care about using a VPN because Google is getting all of this data anyway...

If you want to go from no privacy to decent privacy, it is inevitable that there is going to be a period where you are only plugging some of the holes.

link
netwanderer3 2624 days ago
My point is if you are trying to prevent someone to build a profile on you entirely then VPN is useless.

For majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers). This is a bit similar to all the ICO scams associated with an unregulated cryptocurrency industry. ISP at least will not sell your data to questionable buyers, but there's no law in preventing a VPN provider not to do so.

If you truly believe VPN providers can survive giving you unlimited bandwidth worldwide for only a few bucks a month, without relying on other sources of revenue, then I have a bridge to sell you.

Most of them don't operate with transparency, not being audited nor being accountable or required by regulation to keep your data safe but yeah let's trust them instead!

link
danShumway 2624 days ago
> ISP at least will not sell your data to questionable buyers

https://techcrunch.com/2019/01/09/us-cell-carriers-still-sel...

ISP regulation in the US has completely failed to prevent abuses. I'm not here to argue that you should blindly grab a 4-5$ a month VPN, but absent a technological solution like Tor, this is better than nothing.

But if you really think your ISP is more trustworthy than PIA, set up your own VPN on a Linode server and use that instead. At least then you won't have to trust your university/hotel/business Internet to be configured correctly, and at least then you won't be handing your zip code to every single site you visit.

Even a self-controlled VPN is a strict privacy/security upgrade over connecting your laptop unprotected to a hotel's wifi.

> if you are trying to prevent someone to build a profile on you entirely

If you are trying to prevent someone from building a profile on you entirely, then you are going to need to do a lot more than use a VPN. But that's in addition, not instead. You have to start somewhere.

link
netwanderer3 2623 days ago
The only effective way, that I know of, to prevent someone to build a profile on you is by throwing a lot of useless data to confuse them. Blocking their access is not effective because they have multiple ways to get to you, especially when you're just part of a bigger target market. These conventional methods like VPN are simply too easy for them with million of other people also using it.

If you're constantly throwing useless data at them, adding irrelevant URLs or browsing patterns to the data stream then their system will be confused and unable to paint an accurate picture of your profile.

This is borrowed from a similar strategy used by professionals who have gone off-grid and wanted to avoid being tracked. They would pay multiple other people to use their credit/debit cards at various different locations around the world so the system tracking them would be confused and could not pin point their exact current location.

link
stordoff 2623 days ago
> For majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers).

But I don't like the logs that my ISP is _required_ to keep, an and the organisations that have access to them as a result. A VPN removes that.

> but there's no law in preventing a VPN provider not to do so

GDPR.

(for a UK perspective)

link