A few years back, an acquaintance asked me if I could recommend a VPN. And I’m afraid I didn’t give the best advice, so I want to recant and remedy that now. I think there are some misconceptions about what a VPN can and can’t do for you, so you may decide you don’t actually need one. But if you do need one, there is one and only one specific VPN I recommend. In this blog post, I’ll tell you how I came to choose this specific VPN service.
VPNs don’t protect you from hackers
I’m going to make a bold statement here. Most VPN advertisements I’ve seen claim that VPNs protect you from hackers or provide some additional security benefits.
There was a time when I would have agreed with this statement. Not so much anymore. Back in, say, 2009, a VPN did arguably provide some security benefits, because Web pages weren’t necessarily encrypted by default. If you could get on the same network as someone else, it was possible to intercept their social media traffic and see what they were reading and posting. With good timing or maybe just a tremendous amount of luck, it was also possible to grab usernames and passwords.
Back in the bad old days, unless a Web page processed credit card information or something else comparably sensitive, there was a pretty good chance an unencrypted version of the page existed, and it may have even been the default.
Thank Google, just don’t buy a VPN from them
Google probably did as much as any other company to drive widespread adoption of encrypted web pages. They started by directing traffic to the secured version of any given page, and if a secured version didn’t exist, they started deranking it in favor of pages that did have secured versions. (See, I’m not totally anti-Google. Just mostly.)
In 2009, a VPN helped you by encrypting all of your traffic, compensating for large portions of the Web not being encrypted. Today, since virtually all of it is encrypted, adding a VPN doesn’t provide any additional benefit. Either way, the data won’t be valid anymore by the time someone manages to decrypt the data, so double encrypting the data is severe overkill.
What about firewalls tho?
Many VPNs also provide firewalls. But modern operating systems already include a reasonably good firewall. The additional firewall provided by a VPN usually shouldn’t hurt anything. But it’s not really providing additional benefit either. If anything, it’s making you feel more secure than you actually are. And if that lulls you into doing things like not applying security updates to your system, then it’s bad.
What a VPN can do for you
Your Internet service provider can see what web pages you are visiting. They can’t see what you’re doing inside the page, but they know the sites you are visiting, and how frequently you visit them. They log all of this information too. Whether you’re looking for a new doctor or shopping for a car, they know.
Your ISP is monetizing this information to some degree or another. It’s valuable information for marketers, and your ISP is a large corporation looking for revenue streams.
Your ISP is also sharing this information with state and federal governments. I don’t like that. And you shouldn’t either, even if you’re in the I’m-not-doing-anything-wrong camp. That’s because foreign governments can and do hack in to help themselves to that information as well, since your ISP isn’t protecting the information as well as your government would. And then they use that information to try to influence your behavior, as well as the behavior of like-minded people, in ways that benefit them.
No matter who you are, some government you don’t trust is looking at that information. We can agree to disagree on which governments we trust and don’t trust. VPNs aren’t illegal, but they prevent governments from performing unethical activity.
Note that if you use your Internet provider’s DNS servers, a VPN doesn’t stop them from seeing what you are looking up. So you need to use a DNS server you trust, or at least trust more than your ISP, to receive the full benefit.
How VPNs stop your ISP from spying on you
A VPN encrypts all of your traffic so that your ISP can’t see what sites you are visiting anymore. They can tell you’re using a VPN, and that’s it. The VPN also routes all of your traffic to another geographical location. Ideally, you’ll choose a jurisdiction that values neutrality or privacy, or that has a good human rights record. Good choices include one of the Scandinavian countries or Switzerland.
I can get myself in trouble for telling you the countries I don’t recommend, so we’ll leave it at that.
How VPNs help you get around censorship
Some governments also censor content. A VPN helps you get around this censorship by routing the traffic through a jurisdiction that doesn’t censor the traffic. Recent events should have taught us that ignorance is a very bad thing, but unfortunately, some elements of society chose instead to double down on ignorance. Remember what I said about hostile governments influencing behavior?
And look. Some censorship isn’t even about suppressing information that certain political parties don’t like or find inconvenient. Maybe you just want to watch a TV show that isn’t available in your region because reasons, but is available in other regions. A VPN lets you do that.
The problem with ordinary VPN service
The problem with the VPNs provided by Web browsers or that you see advertised in random Youtube videos is that nearly all of them collect data themselves. It may be that they log everything just like your ISP does, so all you’ve really done is add a step when it comes to tracking you down. If the VPN provider is located in a country other than yours, arguably you have some benefit. But far from the maximum, because a VPN who logs your activity still has every incentive to monetize that information.
The VPN service I recommend: Mullvad
That’s why I recommend one and only one VPN specifically. And I am not receiving a penny for saying this. The VPN I recommend is Mullvad.
Mullvad’s technology is based on OpenVPN. Its cryptography and implementation are fine, and that’s good because a weak VPN can be worse than no VPN. And when you install Mullvad, it points your VPN connection at its own DNS, closing that loophole.
Mullvad isn’t the only VPN with good technology. Its advantage isn’t technical. It’s the business model.
Why you should choose Mullvad’s VPN service
Mullvad is the best because they don’t know who you are. When you create an account with them, they issue you an account number. They don’t store any payment information. You buy credits, which you can do with your credit card if you wish, or you can use something untraceable if you prefer, like cryptocurrency or cash. Yes, one payment option is cash. They’ll give you a tracking number that you write down, then mail the tracking number along with a fiver to the address they provide. They credit your account, then shred the envelope and the paper inside. It’s hard to get any more anonymous than that.
Even if you use your regular credit card, they don’t even take your name.
They don’t have your name, they don’t log anything, and they have documentation on their website to prove they aren’t logging anything. Mullvad can’t make you completely anonymous, but they make you about as anonymous as you can get today.
So as a security professional with a strong social justice bent, I strongly recommend you cancel whatever VPN you are using and get Mullvad instead. If you are using a paid plan, there’s a good chance Mullvad is the same price or slightly cheaper. If you are using a free plan, I guarantee that VPN is monetizing your data pay for you using it. I strongly recommend you find a way to afford 5 Euros per month, which works out to around $5.50 US. Because if you’re not paying for the service, you are the product.
David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
Mullvad does still offer OpenVPN as an option, but it defaults to WireGuard.