After getting a few questions from concerned folks about VPN services. I realized this might be better served as an article. This way anyone who is curious about how to protect themselves better online can reference it.
The Bad News
Well, there's really no easy way to this: There is very little, if any, privacy on the Internet. Even after following all of the advice I'm about to give, all sorts of clever folks in the Valley and beyond are envisioning clever new ways to improve the "User Experience" (UX) and in the process accidentally creating newer, clever means to circumvent any and all privacy controls you might deploy.
This never used to bother me all that much. I worked at one of the largest e-commerce sites in the world. I routinely used meta-data to piece together stories about interactions with our site that literally scared me, both because of what someone had attempted, and because I was able to replicate it with so very little data. I am beyond amused that Donald Trump signing S.J. Res 34 into law is getting so much attention. The Snowden leaks were MUCH more terrifying than this legislation, and spoiler alert, your ISP was already tracking you and making money off your habits.
I Came Here For The VPNs Smart Ass
Right, so you came here for advice on which VPN service to use. There have been lots of opinion pieces already written on this, so feel free to search DuckDuckGo for the "best VPNs of 2017." The truth is, a lot of these VPN services are probably much worse than your ISP, who for all their short comings is a legitimate, accountable business. This is my first piece of advice:
Step 1: Choose your ISP wisely
Yes, Comcast and Verizon have the fastest speeds. They don't rank so well in privacy. If that's important to you, vote with your business. The EFF Who has your back? reports the ISPs with the best reputations on Privacy concerns. I am lucky to live in a Sonic.net coverage area. Find small, local ISPs near you and talk to them about their privacy policies. They'll love to talk you about those things to get the word around.
VPNs Aren't Private in the Way You Think They Are
You'll hear some privacy advocates recommend against using VPN services in the US. It's likely using VPN services in any US allied nation is probably worse than using your own ISP. Why? Allies share intelligence. OK, I'll say that again: Allies share intelligence. It may still be illegal for the US to spy on US citizens, but it's not illegal for the UK, Australia, New Zealand, and Canada to spy on US citizens and share anything they find with the US Government in exchange for the same favor. Using VPN services in countries not allied with the US could be safer from the point of view of access by the US government to your traffic, but it's likely to raise flags and cause you to be under more scrutiny from the government anyways.
All things considered, you probably want to use a VPN service operating under the laws of the country you reside. If the reason you're using the service is to circumvent laws in the country where you reside, this article probably isn't for you. None of my recommendations will protect you from yourself and none of it will save you from prosecution. I wish it could, but that's not the Internet we built.
What is a VPN?
First you have to know the Internet is just a large mesh of computers, each with connectivity to one or more computers. These computers agree to transmit data for one another to end points they're not directly connected. There's lots of math and physics involved. For our purposes, just think of it as a socialist group of computers sending data down a path towards its destination. There's some meta-data wrapped around the data to help the computers determine where the traffic is from and where it might need to go next. There's a constant exchange between all the computers informing one another to which computers they can transmit data.
There's a lot of trust in this system, and up until recently, most of the data itself was unobstructed. Think of it as sending postcards. Everyone could see the source, destination, and the entire message. If they carried it, they could modify it without much ado. Since the Snowden leaks, the Internet has gotten serious about encryption. This means there are more coded messages flying around, but it's still on the back of postcards and anyone in the middle can read the source and destination.
So, now VPN's. You probably had to use a VPN at work at some point to access internal company resources while traveling or working from home. A Virtual Private Network uses the Internet to allow two computers that are not next to each on their physical network behave as though they were on the same physical network. They usually encrypt the traffic at a very low level to prevent computers in between from knowing the actual source or destination of the traffic.
This is good for making internal resources accessible to employees from anywhere in the world, but it doesn't exactly gain you much in the way of privacy. At the VPN service, all of your data is unwrapped and shipped off over the Internet to it's destination. You can transmit encrypted traffic, such as HTTPS, inside a VPN and the VPN service won't know anything about the content of the message, but they will still know it's source and destination.
So, they won't know what was in the content, but they will know that after loading an advertisement that your browser prefetched DNS records for "erectile-dysfunction.com" you then created an encrypted connection to "erectile-dysfunction.com" and loaded not one, but several pages, including one that called out to "verified-by-visa.com."
What is DNS?
Computers prefer numbers, humans prefers letters and words. To resolve this issue, (haha, you see what I did there? Don't worry if you don't, I'm laughing by myself) we have the Domain Name System or DNS. DNS allows you to type: "www.google.com" and your computer knows it needs to send data to "22.214.171.124" or whatever your DNS server says is www.google.com. It sounds simple, but it's a system with implied trust and some really cool tricks. This makes DNS an incredibly complex topic, so I'll gloss over all the technical details and say it does this pretty well, and it does so in plain-text. Anyone who sits between you and your local DNS resolver can see every name your computer tries to resolve without any obstruction, again like a postcard.
Almost 100% of DNS traffic is unencrypted today. DNSCrypt is looking to change that, but it's just now gaining traction and you probably aren't using it.
OMG, Why Do I Care?
Great question! Web pages started out pretty simple, but included ways to link and even include content from other web sites on your page. Over time, things got much more complex, and data gets loaded from everywhere. The average web page loads over 100 assets and almost 2 megabytes of files. This is a lot of data and a lot of network requests. To keep that in perspective, the original Legend of Zelda came in around ~128 kilobytes, so your average web page is using about 15 Legend of Zeldas worth of mostly garbage.
Since we all love speed and browsers are throttled by your home internet speed, a clever person in the Valley or beyond came up with an idea to improve the User Experience. They realized, once you load the page, you read it, your browser is sitting by idly waiting for the next command. Most of the time, the next command involves clicking a link, so resolving the hostname, fetching the page, reading the page for any assets it needs, resolving more names, fetching those objects. It takes time and you have to issue those first requests to know how many of the supporting requests are required.
So, this engineer thought, "what if we scan the page you're reading for links while you're reading and start that process?" And that's what they did. Most modern browsers use "content pre-fetching" to give you an artificially fast internet connection.
Step 2: Disable Prefetching
The terrible truth about prefetching is anyone who can see only your DNS requests can probably reverse engineer the words you just typed into Google's Search Bar REGARDLESS of whether or not you are using HTTPS. Here's a paper from 2010 detailing the privacy implications of DNS prefetching.
- Open a new tab
- Type: about:config
- Agree you're breaking your warranty
- In the search bar, type: network.dns.disablePrefetch
- If the value is "false", double-click on it to change it to "true"
Google Chrome (Mac)
- Select "Preferences" from the menu bar
- Select "Advanced"
- Disable the following:
- Use a web service to help resolve errors
- Use a prediction service to help complete searches and URLs from the URL bar
- Use a prediction service to load pages more quickly
From Apple Discussions:
- Open Terminal
- defaults write com.apple.safari WebKitDNSPrefetchingEnabled -boolean false
- Restart Safari
Step 3: Tweak Your Browser Privacy Settings
I won't go into details on these, but search DuckDuckGo for how to do each on your browser.
- Disable Usage Reporting - Reports to the browser developers how you use their product.
- Disable Crash Reporting - Reports crashes, including potentially sensitive or confidential information to the browser developers when your browser crashes.
- Disable WebRTC - WebRTC allows advertisers to fingerprint you by getting information about your home network.
- Disable Cookies (Third Party) - Completely disabling cookies will prevent most sites from working, but this limits it to just sites you visit.
- Uninstall Flash and Java - It's 2017, these two need to GTFO of our browsers. I don't have enough curse words to describe why.
Step 4: Extend Your Browser
To enhance your privacy everywhere, regardless of whether you're using a VPN or not, there are some tools freely available.
I work in IT Security. I know, "ad blocking takes revenue away from the little guys." Unfortunately, the reality is most ad networks do a sub-optimal job of curating their content. It's not uncommon for malware or viruses to be served via a legitimate ad network. Even if that weren't the case, the advertiser and the content-provider may have a contract in place with privacy clauses, but their contract doesn't extend to you, the casual web surfer. So, you may trust a particular website, but that doesn't mean you necessarily trust all of their ad partners.
For privacy and security reasons, you need to be using an ad-blocker. The best of the breed is uBlock Origin. It's light weight, efficient, and super configurable. Be sure to dig into the options and go nuts with block lists.
The EFF publishes two incredibly useful extensions: HTTPSEverywhere and PrivacyBadger. HTTPSEverywhere preloads a new browser feature that prevents snooping and traffic interception by forcing all communication from popular sites to be HTTPS. PrivacyBadger is the EFF's curated list of privacy threats. It's a good combo to compliment the community lists from uBlock Origin.
As I mentioned, web pages these days load resources from all over the place. There's a number of common libraries used in websites that are loaded from "Content Delivery Networks" (CDNs). These CDN's wind up seeing almost everything you do on the internet because they receive the context of where these assets are loaded. CDN's are generally seen as good because they speed up the internet by having bigger, faster connections in more places than most content creators can reasonably afford. They come at cost to privacy though, as they see what you're doing across thousands, if not millions, of sites.
Enter Decentraleyes. It contains most of those common libraries locally. When it can serve the library from a version it has loaded on you computer, it injects the library locally instead of fetching it from the CDN. This dramatically reduces the amount of network usage and the number of connections per site loaded.
If you happen to be on Firefox, and you probably should be, there's another extension called BetterPrivacy. This extension helps clear out persistent tracking data via configurable thresholds. You can configure it to wipe them every time you close the browser, or every X minutes.
Link and Click Tracking
Do you ever read the full links people post these days? Or held your mouse
over a link on a Google search results. There's a lot of extra junk in those
links, often with a
utm_ prefix. This contains information about the ad
campaign, the medium, and in the case of mobile devices, the application
information used to view the link. The thing is, these links will work the
same without all of that crap. I use
to strip unnecessary parameters from links to prevent leaking sensitive data
from my devices.
Again, if you're running Firefox, there's an additional extension I recommend, GooglePrivacy which does the same thing PureURL does, but your Google's search results and their specific internal link tracking.
For extra paranoid, I recommend the following extensions, but keep in mind, most of the internet stops working without you explicitly whitelisting resources in one or more these utilities:
- uMatrix - LittleSnitch for everything your browser does, everything.
- CertificatePatrol - Reports when the security certificate for a site changes.
Step 5: Understand "Private Browsing"
"But wait," you interject, "Why go through this madness when my browser has private browsing mode?" Excellent question! Private browsing is more "private from other users on my computer" than "privacy from the government."
When you start a private browsing session, the short and long term caching and storage for your browser are pointed to a new, unique location for as long as the private browser window is open. Think of it as changing your clothes, but grabbing a different wallet, with different IDs and credit cards each session.
That sounds good, but you don't change your internet address, and you're not changing your DNS servers. This means, to your ISP or anyone able to see your network traffic, you're still you. So, from an ISP or government perspective, nothing's changed.
Private browsing disables history tracking and makes you look like a new user to the websites you're visiting, but that's about it. Another nice feature is the local cache is cleared when you close the window. So all those embarrassing pictures of the Icy Hot Stuntaz won't be sitting around for your loved ones to find.
Step 6: VPN Up
OK, at this point, you've locked your browsers down, but you may have a few good reasons to use a VPN:
- You're going to be using a network you don't trust, like mobile networks or other people's WiFi.
- You're on a mobile device. Mobile networks are terrible for privacy and there aren't many choices aside from VPNs.
- You're in a country like China where your communication is severely hindered by your local government.
Those are the only reasons most responsibly savvy users may find they need a VPN. As I stated before, I'd recommend choosing a VPN service that operates legally in your own country. Some VPN service providers operate in many countries and all you to route our traffic to any one of those countries. If given the option, even if you live in the USA, I'd recommend using a VPN end point in your country. The exception to this being use-case #3. In those instances, choose a country that's least likely to cooperate with your government, but understand that you may wind up drawing attention from your local government in doing so.
My preference is to setup your own VPN server by building a pfSense image on Microsoft Azure or Amazon's AWS. The WebUI for pfSense if pretty easy to configure your VPN Server, even export profiles to use in your devices.
If that's too technical for you, I'd look into VPN providers with a history of transparency who are vocal and active with their privacy protections. Some signs a VPN Provider takes privacy seriously:
- Zero logging policy - This is almost always a lie as logs are necessary for support, so ask about what is logged and how long it stays on disk.
- Warrant Canary - The government doesn't allow companies to advertise when a warrant has been served. However, librarians came up with a clever system called a "warrant canary." It's a notice posted stating "No warrants have been served in the past X days." When a warrant is served, that posting is removed. It's a legal grey area and any service that takes privacy seriously will have one.
- Accept BitCoin for payment. I don't have enough time to talk about BitCoin here, but if you want to protect your billing information, you need to use BitCoin.
- Disclosure of the laws they operate under and where there servers are physically located.
- Do they provide DNS service? If not, then you're still leaking data over your ISP.
- Disclosure of all third party services. Who do they use to send you mail when your bill is due? Are they using a third party solutions for monitoring, instrumentation, or operations?
I wish I could tell you, "use this service," but it's not that simple. There's a lot to consider when making this choice and the answer depends on your expectations and your comfort levels. I believe the only way to be certain is to run your own VPN service, but with the rest of the tooling I mentioned in place to protect you.
Abandon all hope..
I probably bummed you out. I'm not sorry. I've been watching privacy erode on the internet for the last 20 years. It's hard to do privacy right on the internet. You're often an accidental mouse-click away from blowing all your protections. Hopefully this helps you navigate a bit smarter and understand a bit better that anyone purporting to sell you privacy on the internet is just blowing smoke up your ass.
Stay safe, my friends.