by danShumway 2624 days ago
I have kind of a lot of issues.

First, the downplaying of IP location lookups. If you do a lookup on my home IP address, it'll get you within 5 miles of my house. From there, the only other information you need is my name and potentially one or two more details like a birthday (easy, I use my real name online) and you can get access to my voting data -- and that'll give you an actual address, not just a zip code.

OP is correct that your IP address doesn't directly leak your home address, but in many cases it can be a pretty helpful clue. In a small town, a zip code and a name can be good enough on its own for a stalker to find someone even without voting data or public records to pull from.

OP is also correct in that there are plenty of other ways to get this data, but I fail to see how opening yet another trivial hole in my identity helps with that.

Second, the downplaying of encryption concerns. We've come a long way on SSL, but it's frankly irresponsible to say that users should just assume all of their browsing will automatically be covered, regardless of what the top sites are doing. I am primarily visiting tech sites nowadays and I still occasionally run into sites that aren't encrypted. And that's to say nothing of the fact that there are multiple ways of configuring SSL and not all of them are equally secure.

This is just in my browser, which punishes sites with insecure warnings if they're not encrypted. How many native apps are sending unencrypted data given that there's no punishment and that the user gets zero indication of the SSL status? We know from the IoT industry that a lot of these products and apps are regularly getting rushed out the door.

Of course, VPNs only encrypt the data between you and the provider. But we don't live in a world where people are primarily using desktop computers. Most users are going to be on tablets, phones, and laptops, and they travel. And no, public networks are not the only risks -- even if a network forces you to put in a password you still don't know how that network is configured, you still don't know what vulnerabilities exist on it.

If you don't know who set up the network, you should treat it as if any unencrypted data could be intercepted before it reaches the router. And you should be suspicious of the router/provider itself, particularly if it's wifi being offered by a store/hotel/airport, or other commercial entity.

And that leads to the final, big objection -- the idea that VPNs are harmful because all they do is shift the trust model. If you're in the US, unless you are very, very lucky, you cannot trust your ISP. Shifting the trust model is not a fatal flaw, it is literally the entire point.

Yes, needing to trust someone is not ideal. But my VPN provider has more of an incentive to take care of my data than my ISP does. If you're using something like Proton or PIA, then I feel very confident saying that I trust both of them more than Verizon or Comcast.

So I agree that bulletproof claims that come from VPNs are often inaccurate. I agree that there are problems. I don't see this article as any less sensationalist and inaccurate than the provider claims though. VPNs are just a kind of crappy solution we're stuck with, and absent everyone moving to Tor, I have yet to see anyone propose a better solution.

1 comments

Why would everyone have to move to Tor? It already works, and there are good solutions for securely running it, like Whonix. (Much better than just Tor browser alone, which is still necessary.)

Compare that to random commercial VPN app...

You may have misinterpreted what I meant by that, or maybe I didn't phrase it clearly.

I don't mean that Tor will work better if everyone uses it. Quite the opposite, it will slow down considerably.

I mean that anyone who isn't using Tor needs a different solution. We have two solutions being proposed to the problem of leaking IP addresses: VPNs and Tor. Unless our plan is to move literally everyone onto Tor, we need a non-Tor solution for the people we don't move over.