So you’ve decided to make life harder for snoopers and criminals by purchasing a Virtual Private Network subscription. Good for you. By doing so, you’ve put a monkey wrench in the surveillance state. But have you totally protected yourself from being tracked?
Possibly not. This article will look at the vexed question of whether, and how far, VPNs provide a response to official and criminal surveillance. If you feel safe, think again.
How VPNs relate to surveillance
Virtual Private Networks have become extremely common over the past couple of years, and beating surveillance has been one of their biggest selling points. The reason is fairly simple. VPNs are designed to do a couple of things that criminals and state agencies hate: IP anonymization and solid encryption.
By encrypting the data sent by users, they make it effectively unreadable to anyone without the key – which itself changes on a regular basis. If the provider uses 256-bit AES encryption, cracking the data they send should be nearly impossible.
Secondly, VPNs use IP anonymization to mask the online identity of users. This is achieved by routing traffic through one or more servers located at a distance from the user. If this is done properly and reliably, onlookers won’t be able to discern the location of the user’s computer or smartphone.
This is why governments like China are so hostile to Virtual Private Networks. They know that if such tools become mainstream, the state would have far fewer means at its disposal to track and discipline citizens.
But the key question for us is, are those fears justified? Or are Virtual Private Networks a “paper tiger” that doesn’t protect users from surveillance?
Can you be tracked when using a VPN?
Basically, the question boils down to this: is it possible for external agents to track your physical and online movements even though you are using a Virtual Private Network?
The short answer to this is: no, at least not precisely. However, if a VPN malfunctions or deceives users, then tracking people becomes very, very easy.
Here are some ways that users can be tracked even when they think that their traffic is locked down:
- DNS/IP Leaks
Your Virtual Private Network provider is supposed to keep every user’s IP information confidential at all times. If this leaks, then it’s fairly easy to see the IP address of illegal streamers, comment board posters, or torrenters.
You can check whether your IP information is being leaked by using free online tools like IPleak.net – and all VPN users would be wise to do so (at least once a day). But you may also be able to tell if your IP details are being leaked through other means. For instance, you might not be able to access Netflix from abroad, or the iPlayer could be off limits.
If that happens, then this may be a signal that nothing you do online is 100% safe.
The same applies to DNS leaks. In these cases, the VPN may accidentally leak your actual IP address to DNS servers. These servers are routinely accessed when you move between web pages, so when a DNS leak happens, your browsing activity can be exposed.
Either way, a leaking VPN is not worth subscribing to. So find an alternative provider as soon as possible.
- Payment details
It’s also possible to detect when people have signed up for a VPN by harvesting their credit card details. If you use non-anonymous payment methods to buy a subscription, this leaves you open to investigations by law enforcement or other state bodies. If they subpoena the data held by Virtual Private Networks, they can find out when you signed up, and this can be a starting point for deeper inquiries.
This can be avoided by paying with gift cards via third parties, or via cryptocurrencies. And many secure providers also do not require personal information (such as your real name). So choose those companies if you’re worried about surveillance.
- Vulnerabilities in the VPN tunnel
Sometimes, user identities can be betrayed by poor performance at the server level. When you send information across the web via a Virtual Private Network, it’s important to remember that it must be received and decoded by the VPN’s own servers. And this can be a weakness.
Not all providers even own their own servers. Some rent banks of processing power from third parties, which could present a security risk. Others maintain all of their own servers and are generally the better options to choose.
However, even then you’re trusting your provider to keep each and every server properly firewalled and configured. It’s not often discussed, but hackers and spy agencies can almost certainly gain access to servers if security procedures aren’t watertight.
This is a reason why it’s not always wise to use VPNs that are located in the so-called 14-eyes network. This group of countries essentially consists of the USA and its key intelligence-gathering allies. Any security company based in nations like the USA, the UK, Germany, France, or Australia is therefore pretty suspect as far as surveillance goes.
Sometimes, people who want to track VPN users can turn viruses and malware to their advantage. It’s not unheard of for Virtual Private Networks to be caught disseminating malware, and plenty of apps have been contaminated without the owners knowing.
This applies particularly to free software – so think twice before installing that seductive Android VPN. For example, Easy VPN once soared high in the Google rankings for security app downloads. However, it’s now ranked as the second most malware-infested VPN around.
So if you’re relying on a free security app, or you haven’t checked the credentials of your provider, there’s a decent chance your VPN could be betraying your movements.
- VPN Detection
Finally, it’s often possible to detect when users are connecting to Virtual Private Networks. We’ve mentioned payment details as one vector for this kind of tracking, but there are others.
For example, your ISP will be able to tell whether your device is connecting to addresses that are associated with Virtual Private Networks. And they will also be able to see when you are using ports that are characteristically linked to VPNs.
That doesn’t mean an ISP can track your movements around the web. But it can be a valuable piece of evidence for investigators. At the very least it could alert them to the potential for IP/DNS leaks.
Does this matter? Should you be worried about tracking?
As we’ve seen, using encryption and IP address anonymization isn’t a magic bullet regarding surveillance. Even if we always use a Virtual Private Network, there are ways to learn about our online movements, and the risks are multiplied if we use poor quality providers.
Take China, for example. China matters because it’s probably the front line in the battle between state authority and individual privacy. In January 2019, Beijing started levying fines on VPN users who access “foreign content.”
In the Chinese market, completely dysfunctional providers rub shoulders with premium options – and consumers can get caught out easily. Just a single IP leak when using certain ports can result in crippling penalties.
And this kind of state action is far from a uniquely Chinese phenomenon. In 2017, PureVPN handed over logs relating to a cyber-stalking case to the FBI. This (justifiably) resulted in the arrest of a 24-year-old Massachusetts man called Ryan Lin. But it also showed that Virtual Private Networks can be used in tracking suspected criminals.
Tighten up your protection to stay as safe as possible
You almost certainly aren’t like Ryan Lin, and you may not need to worry about being fined for using encryption. But all of us should make sure our security apps minimize the risk of IP/DNS leaks and log as little as possible about what we do.
In the future, the environment for streaming or torrenting could be harsher. There may be all sorts of unfair paywalls to work around if Net Neutrality falls. Even accessing VPNs in North America could be harder if Bell gets its way.
So if surveillance powers expand, we need to be as secure as possible – which means using reliable VPNs, and being aware that tracking can happen, even when we think we are totally secure.