Do you actually need a VPN?

“This video is sponsored by NordVPN.” 

After watching several YouTube videos, it’s hard not to have seen ads for different companies (NordVPN, ExpressVPN, Tunnelbear or a million others) full of ominous warnings that unless you pay for their service, your private internet data is not safe on public wifi and  that your internet provider can track your every move. But is that actually the case?

The short answer is: no, not really. While Virtual Private Networks (VPNs) are legitimately useful for a number of things (I’ll get to that in a second), most VPNs advertise three major benefits, in roughly this order: hiding your private data from hackers, preventing tracking from your internet provider, and getting around various forms of content blocking. While the third reason in that list is legitimate, the second is a misrepresentation and the first is more or less an outright lie. 

Let’s examine the biggest reason VPN providers claim you should use their product: to hide your personal information. On their website, NordVPN lists “passwords and usernames,” “medical history,” “private conversations,” “online banking credentials,” and “work emails” as examples of private data that can be unveiled, and it’s heavily implied that anyone can steal your credit card number and bank password just by connecting to the same public wifi as you. 

The prospect of a hacker sniffing data from public wifi makes sense, intuitively, to someone with a basic knowledge of how wifi works. You’re transmitting data over radio waves, so a malicious actor could just “tune in” and read everything you’re transmitting. This is, technically speaking, true — anyone on the same public wifi network as you can read all the packets that your computer transmits. With such a treasure trove of data, you would be able to find out all kinds of secrets—the content of private messages, passwords, the whole thing. Right?

Wrong. 

What VPN providers conveniently forget to mention is that being able to intercept and read all of the packets from a modern machine doesn’t really pose a security risk. Obviously, you’d rather it didn’t happen, and you can get some information out of it, but modern communication protocols basically assume that people are listening in already. Any sensitive data  such as passwords or credit cards will be encrypted with HTTPS (that’s the little lock icon in your browser address bar) and have been since about the mid-1990s. Modern websites use HTTPS for the entire website, and properly configured ones will redirect unencrypted requests to use HTTPS. Additionally, modern browsers will automatically try to shove you onto an HTTPS connection and only use HTTP if you explicitly ask for it. Basically, it’s the future. 

But regardless of all that, what is HTTPS? Well, it’s a protocol that’s built on top of regular HTTP, which itself is a method for accessing data over the internet. In the case of HTTP, and its big brother HTTPS, the data in question is web pages. HTTP basically specifies a way of telling a given web server what page you want to see and passing along data for the server to use. The important part here is that a given HTTP message will contain the address of the server (everything before the slash in a given URL; for example, in the link swarthmore.edu/academics, the address would be swarthmore.edu) followed by a bunch of other stuff, unencrypted. Meanwhile, HTTPS encrypts that big second block of data. You can imagine HTTP as a postcard. Anyone can see the entire message you write with minimal effort. HTTPS, on the other hand, is a sealed envelope. In fact, it’s a magic envelope, impervious to all known forms of   physical and chemical attack, and impossible to open unless you a) are the addressee or b) spend literally millions of years breaking its encryption. The address is still written on the outside, because you need that to make sure it gets delivered to the right place, but the information inside is fully shielded.

So, let’s say that a hacker has intercepted your connection, and you weren’t using a VPN. They’d be able to see what websites you accessed, and roughly when, but would have absolutely no idea what specific pages you accessed or any information that was shown. We can even assume that your internet provider is spying on all of your traffic, because they’re functionally exactly the same thing. Either way, while they’d be able to view which websites you accessed, they would have no access to any data you entered or even any information about what you did or saw while you were there. Essentially, your personal data is safe; feel free to shop from your favorite coffee shop all you want, and don’t let companies scare you into paying money for a service you don’t need.

But what actually is a VPN, and what legitimate reasons might you have for actually using one? Continuing the envelope metaphor: a VPN is basically a letter-forwarding service. On your computer, VPN software puts each “piece of mail” into a slightly larger magically sealed envelope that it then sends to the VPN company’s servers. Those servers essentially open the envelope and send whatever’s inside back out onto the internet. From an outsider’s perspective, they’ll see that all of your internet traffic is going to one address (the VPN server), and then getting mixed with the traffic from a thousand other people before getting sent back out — making it effectively impossible to trace any connection back to you or to figure out what websites you’re accessing. This can also be used to prevent your internet provider from tracking which websites you visit, although in reality it just shifts this ability from the internet provider to the VPN. It’s not unlikely that a VPN, particularly a well-known and well-audited one, is easier to trust than Comcast; however, it’s no panacea.

One of the chief reasons to actually use a VPN is if you’re concerned that someone spying on your internet connection might seek to harm you based on what websites you visit, and not just based on personal data — for example, if you’re a journalist in China or Russia, or are accessing LGBTQ-related websites from within Saudi Arabia, or are searching for resources from within an abusive household. A VPN will hide that traffic (assuming it’s properly configured) but it will be pretty obvious that you’re using a VPN because all of your internet traffic will be going to a single place. 

Another reason that you would use a VPN is for its original intended purpose: changing where your computer is virtually located on the internet. For instance, Swarthmore has a VPN server on-campus, and by connecting to that server from anywhere in the world, you can access network resources that are normally locked within the campus network. From the Swarthmore network’s point of view, all of your connections are originating from a server somewhere in a basement on-campus, even though said server is actually relaying all of that traffic over an encrypted tunnel to whatever exotic locale you happen to be connecting from at the moment. The same principle applies to using one of many VPN servers that bounce your connection through some foreign country. Various services like Netflix will only serve certain content to computers located in specific countries — or, in your case, relaying a connection through said country. Note that doing this is technically a violation of Netflix’s terms of service, but this prohibition has never been enforced.

In summary, while there are legitimate reasons to use VPNs, protection of specific personal data isn’t one of them. If you want to be serious about that, you should absolutely be using a password manager. A VPN won’t help if some games website you made an account on ten years ago gets hacked, the attackers steal all the login information, and you’re using that same email and password for your bank account. “Reasons to use a password manager” is a whole other article but suffice to say that a password manager coupled with strong, memorable passwords will do infinitely more for your personal data security than a VPN will. I personally use 1Password, but there are a lot of options out there.

Hopefully, you’ve learned a bit about whether or not you actually need a VPN from this article. This article was heavily inspired by Tom Scott’s video on VPNs, and I also used this website to flesh out some of the discussion on HTTPS. Here’s a list made to shame websites that don’t redirect all queries to HTTPS (though most/all of them have an HTTPS option which your browser visits by default.) 

This is the first in hopefully many installments of … whatever I name this thing, a column trying to improve the discussion around and awareness of the occasionally impenetrable world of computer technology. If you want to learn more, or if you have any questions or ideas for future articles, email me at zrobins2@swarthmore.edu, or DM me on Instagram @software.dude.