With so many people working from home as a direct result of the COVID-19 pandemic, there is a renewed interest in VPNs. Many people are, of course, using corporate VPNs to connect to their employer’s networks. Other people are adopting third-party VPNs as a tool for improving their online security. Even so, there seems to be a lot of misinformation about what a VPN does and the types of protection that it provides. Since so many people will continue to work from home for the foreseeable future, I wanted to take the opportunity to talk about how VPNs work, and what they do (and do not do) to protect you.
Before I begin
Before I get started, I want to point out that some of the consumer-oriented VPN vendors offer supplementary security software to go along with their VPN offerings. This software likely provides protection that goes well beyond what a basic VPN is able to provide. For the purpose of this article, I’m not going to be addressing any add-on software, nor am I going to be focusing on any one specific VPN. I am only going to be talking about VPNs in a somewhat generic sense.
What is a VPN?
Some of the marketing hype would have you believe that a VPN is a tool that allows you to anonymously browse the web with total impunity. However, this is only a half-truth at best. VPN is an acronym for virtual private network. The technology is based around the use of a VPN server. This server does two main things. It encrypts user traffic and it acts as a proxy on the user’s behalf.
To show you what a VPN actually does for you, let’s take a look at what normally happens when you visit a website. I’m going to simplify things a bit and leave out a few steps, but this oversimplified explanation is sufficient for illustrating what a VPN does.
Every Internet-connected device in your home is assigned an IP address. Your Internet router is also assigned an IP address. The Internet-connected devices on your home network use private IP addresses, which means that their IP addresses are never actually exposed to the rest of the world. Whenever you visit a website, your device sends the request to your Internet router. Since your Internet router has a public IP address, it is able to communicate directly with the Internet, whereas your device is not. Your router reissues the request. The website that you are visiting sees your router’s IP address, rather than your device’s IP address. When the site responds by sending you the requested content, it actually sends that content to your router, which in turn forwards the content to your device. In many ways, this isn’t all that different from the way that a VPN works.
As previously mentioned, a VPN acts as a proxy on your behalf. In other words, your computer tells the VPN server what it is that you want to access, and the VPN server reissues the request. The website that you are visiting sees the request as having originated from the VPN server’s IP address rather than the IP address that has been assigned to your Internet router.
The other important thing that a VPN does is to encrypt your Internet traffic. Before you can use a VPN, you have to install a VPN client onto your device. This client establishes communications with the VPN server, and in doing so creates what’s called an encrypted tunnel. Any traffic flowing between your device and the VPN server is encrypted.
On the surface, the idea of encrypting your Internet traffic and hiding your IP address from the sites that you visit sounds enticing. Unfortunately, a VPN does not allow you to anonymously browse the Web with total impunity as so many people seem to believe. So, let’s talk about what a VPN does and does not do to protect you.
Generally speaking, VPN protection should extend to hiding your web-browsing activities from your Internet service provider (ISP). Since the VPN is encrypting all of the traffic that passes through your ISP, your ISP theoretically should not be able to monitor your online activities. There are some exceptions (such as when the VPN is provided by the ISP), but by and large, a VPN will shield your activities from your ISP.
What a VPN won’t do, however, is let you browse the web anonymously. Remember, the VPN protection you are getting is simply masking your IP address, thereby making it appear as though your traffic is originating from elsewhere.
To show you why this technique does not equate to anonymizing your identity, let’s talk about something that you might have done many times in the past. If you are reading this article, then I am guessing that you have a laptop that you use at home, at work, or maybe both. I’m also guessing that you have used the laptop elsewhere on occasion. Maybe you spent an afternoon working at a coffee shop or had to travel for business and used your laptop in a hotel room. Maybe it was something as simple as taking your laptop to a friend’s house. As you think back on such a situation, try to recall what browsing the Internet was like. The Internet connection that you were using might have been faster or slower than the connection that you normally use, but I’m guessing that the sites that you visited behaved the same way that they always do.
The reason why I mention this is because when you use your laptop (or any other Internet-enabled device for that matter) in a coffee shop, a hotel room, an airport, or anywhere out of the ordinary, it receives a different IP address from the one that is used at home or at work. Even so, the sites that you visit on a regular basis don’t care that your IP address has changed. They recognize you just as they always have. The same thing happens when you use a VPN.
So how is it that websites know who you are even if your IP address has been obscured by a VPN? There are any number of ways that these sites can determine your identity. In some cases, you might actually log into the sites. In other cases, a site might tie your online identity to the account that you used to sign into your computer. A site could even use something as simple as a cookie to figure out who you are.
VPN protection? Not as much as you may think
While a VPN can be used as a tool for obscuring your online activities, the use of a VPN alone does very little to ensure your privacy. The only way to make sure that your online identity is truly protected is to use a VPN in conjunction with an entire laundry list of other privacy tools and techniques.
Of course, you must also consider the issue of trust. Even if you take all of the necessary steps to protect your privacy, everything that you do online passes through the VPN provider. As such, you must consider whether you trust them to keep your activities private or if they are likely to sell a log of your online activities to advertisers or to surrender the log to law enforcement.
Featured image: Pixabay