VPNs aren’t just for helping defend yourself when using insecure public Wi-Fi, either – they remain an important tool in keeping a home network secure.
As the KRACK attack on WPA2 showed, someone running a VPN on a compromised wireless network would still have kept their traffic encrypted from a local attacker, because the tunnel is encrypted between the device and the VPN server regardless of what the Wi-Fi does. This matters, as it seems we’re still a long way from widespread adoption of the more secure WPA3 standard.
Despite all the numerous advantages and uses for a VPN, there are potential downsides, too.
In this article we’re going to discuss six clear weak spots of VPN services, from the level of anonymity they’re supposed to guarantee, to issues revolving around user data, and the ever-present specter of mass decryption.
1. 100% anonymity – or not…
A VPN creates an encrypted tunnel between your device and the provider’s server, but it cannot guarantee anonymity. Firstly, the provider sits at the far end of that tunnel and sees both your real IP address and where your traffic goes; while the service may promise that it does not log or share that data, there is no way for you to verify the claim from the outside. (See below for more about logging.)
Furthermore, there are several ways your real IP address can be exposed despite the tunnel, including IP leaks when the connection drops (which can mostly be prevented with a VPN kill switch that blocks all traffic until the tunnel is back up), and DNS leaks.
Even if a VPN provider runs its own DNS resolvers, the client software must be set up on your device so that every DNS query goes through the tunnel. Otherwise your device keeps sending its lookups to your ISP’s resolver (or to your home router, which forwards them to the ISP), so a record of every hostname you visit is available to anyone with access to the ISP’s logs, VPN or not. For more information, see our guide What is a DNS leak.
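To make the DNS leak concrete, here is an added example (not code from the original article) that reads Linux routing-table and resolver configuration in the shape of the output of ip route show and the contents of /etc/resolv.conf, works out which network interface each configured resolver is reached over by longest-prefix matching, and flags any resolver that is not behind the VPN interface. The route and resolver text are constructed for the example rather than captured from a real machine, and the interface name tun0 is an assumption about the VPN client.

```python
import ipaddress

# Constructed sample input in the shape of `ip route show` and /etc/resolv.conf on a
# Linux laptop running an OpenVPN-style client (not captured from a real machine).
# The two /1 routes are how OpenVPN's "redirect-gateway def1" overrides the default
# route without deleting it; the /32 route pins the VPN server itself to the Wi-Fi.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 10.8.0.1
"""


def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = fields[0]
        if dest == "default":
            dest = "0.0.0.0/0"
        # Host routes are printed without a prefix length; ip_network treats them as /32.
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(ip, routes):
    """Longest-prefix match: which interface will packets to `ip` leave on?"""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def parse_nameservers(text):
    """Extract resolver addresses from resolv.conf, ignoring comments and options."""
    return [f[1] for f in (line.split() for line in text.splitlines())
            if len(f) >= 2 and f[0] == "nameserver"]


def dns_leaks(routes_text, resolv_text, vpn_dev="tun0"):
    """Resolvers whose queries would bypass the VPN interface, with the interface they use."""
    routes = parse_routes(routes_text)
    leaks = []
    for ns in parse_nameservers(resolv_text):
        dev = egress_device(ns, routes)
        if dev != vpn_dev:
            leaks.append((ns, dev))
    return leaks


if __name__ == "__main__":
    for ns, dev in dns_leaks(SAMPLE_ROUTES, SAMPLE_RESOLV_CONF):
        print(f"DNS leak: resolver {ns} is reached via {dev}, not the VPN")
```

On the sample, the home router (192.168.1.1) is matched by the on-link /24 route, which beats the VPN’s /1 routes, so queries to it leave on wlan0 and are visible to the ISP even though all other traffic goes through tun0. On a real host, feed the function the live output of ip route show and the file contents; note that if resolv.conf only lists the systemd-resolved stub 127.0.0.53, the real upstream resolvers come from resolvectl status instead, and a purely route-based check will not catch them.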
Most modern web browsers also support WebRTC (real-time communication). In theory this is a useful tool that lets you place voice and video calls from your browser without installing anything extra. In practice, to set up a peer-to-peer connection the browser gathers ‘ICE candidates’: your local network address and, by asking a STUN server, the public address it is reachable on. If that STUN request goes outside the encrypted tunnel to your VPN provider, the resulting candidate carries your real public IP address, and any web page can read it with a few lines of JavaScript. The bottom line is that your real IP address can leak onto the internet. Luckily this is quite easy to fix, either by disabling WebRTC in your browser settings (Firefox exposes this as media.peerconnection.enabled in about:config) or by using a browser add-on. Make sure you know all about WebRTC leaks and how to prevent them.
For those users who truly want to take their level of online anonymity to the next level, we’ve looked at combining Tor and VPN, although this introduces its own set of issues (including whether the VPN or Tor browser should be started first for maximum privacy and anonymity).
Using Tor also comes with its own privacy issues, particularly if you’re accessing the clear internet via an ‘exit’ relay instead of a Tor hidden service (.onion address): the exit relay operator can read any of your traffic that isn’t separately encrypted, with HTTPS for example.
2. Geo-blocking working against the user
We were promised decades ago that the internet would enable the exchange of ideas and content without any barriers. However, these days that’s hardly the case, and one prime example of a barrier is geo-blocking. This is where content is restricted on the basis of the user’s location.
There are plenty of examples of the best streaming VPNs being used to access geo-blocked content, such as reaching the BBC’s iPlayer from outside the UK, or using Getflix, a service purpose-built for circumventing Netflix’s geo-restrictions.
While a VPN can be useful as a workaround to bypass geo-blocking, it can also be a double-edged sword, in some cases making the internet frustratingly difficult to use.
This can occur when using a VPN with an offshore server and then trying to use a local map, local traffic data, or even the online flyer for a local shop: those services will either refuse the request or serve results for the wrong region.
Also, with the tunnel exiting in a country other than your own, sites such as Amazon may redirect you to the wrong regional storefront.
Furthermore, you can get geo-blocked when you try to watch online video from your cable carrier, or access your local newspaper. A better VPN will have plenty of servers in your own country to run your tunnel through, but that is still one more thing you have to pay attention to, with the hassles that implies.
You can soften this by using a VPN provider which supports split tunneling. This routes only the apps you choose (the Netflix app, say) through the VPN server and leaves the rest of your traffic on your normal connection.
That has privacy implications: every app outside the tunnel talks to the internet from your real IP address, and its traffic gets only whatever encryption the app itself applies. Still, it saves the trouble of manually switching servers each time you want to appear to be in a different country.
3. Logs kept by VPN services
The concern with a VPN is that it may keep records of your internet activity, and hand them to the authorities on request. If you choose the wrong VPN, the record of your online activity is hidden from your ISP but is now held by your VPN instead. All you’ve done is change who is monitoring you.
The solution is to seek out a no log VPN – effectively, the most private VPNs you can get – which means that the provider promises user data is not logged, and therefore not stored, so there is nothing to hand over to anyone down the road. Some VPN services even market themselves with their ‘no log’ feature, and a good example of this is NordVPN.
Unfortunately, if you look deeper into the issue, you may find that one ‘no log’ policy differs from another. For example, while NordVPN clearly states it has a no log policy, its exact stance on ‘session logging’ is not spelled out, so some of this may occur. Session (or connection) logs don’t record the content of your traffic, but they typically record when you connected and disconnected, the IP address you connected from, the server you used and sometimes how much data you transferred. That is enough to tie a VPN session back to a person, and it has been used against people.
Want a real-world example? Popular VPN HideMyAss responded to a court order back in 2011 and provided connection logs for a member of the LulzSec hacking group, which led to his arrest. Nor is this an isolated case: in 2017 PureVPN supplied logs to the FBI in a cyberstalking investigation. Logging policies and practices, in other words, can have serious consequences.
The gold standard on logging is a provider which regularly submits to audits by a trusted third party and publishes the report, so that its “no logging” claim is checked against the running infrastructure rather than taken on faith.
4. Free VPNs aren’t worth it
Many folks want to save money, obviously enough, and the best free VPNs can sound really tempting.
However, take a step back for a moment and remember that any business that wants to stick around has to make money somehow, and a free VPN is no exception: if you aren’t paying, something else is covering the cost.
In one case, back in 2015, the VPN service Hola was accused of turning the 47 million users of its free offering into exit nodes and reselling their bandwidth, and with it their IP addresses, through a separate service known as Luminati (also owned by Hola).
In fact, selling user data to cover costs is a popular way for “free VPNs” to operate. As worrying as that is, free VPN apps are also sometimes used to distribute malware.
In November 2022 security researchers found that a “free” VPN Android app, distributed through links in Telegram channels, contained the spyware SandStrike, which harvests user information. The scary part is that the app was not obviously malicious: it worked as a VPN app should, while quietly harvesting data about certain users.
In short, tread carefully if you’re picking a free VPN. When it comes to software, prefer an open source client such as OpenVPN if the provider publishes configuration files for it, rather than a closed-source app of unknown provenance. Download VPN programs only from official sources such as Google Play, Apple’s App Store or the provider’s own site, and check that any download link really points to the provider’s domain before you follow it.
5. Data mining
While VPNs promise a high level of privacy, this isn’t consistently delivered. With so much data passing through a VPN, there are plenty of opportunities to use it for nefarious purposes. Remember that the tunnel is only encrypted between you and the provider’s server: that server decrypts your traffic and forwards it on, so the provider can see everything you send that isn’t separately encrypted, for example with HTTPS.
Only a reputable VPN will keep all of your information private, and there are several data points a provider or its software could collect and misuse, including your IP address, device identifiers such as your MAC address, your approximate location, and your DNS requests. Furthermore, it’s nigh-on impossible to know what is really happening to your data behind the scenes, until a scandal hits the headlines.
None of this is more true of a VPN provider than of your ISP, but remember that when you start a VPN subscription you are shifting your trust from one company to another, not removing the need for trust.
Admittedly, a VPN provider’s business model relies on respecting user privacy, so it may not willingly hand over information. Still, some jurisdictions allow VPN services to be served secret court orders requiring them to start recording information such as your IP address and DNS requests without telling you.
If you’re concerned about this, consider a VPN which publishes a “warrant canary”. This is a statement, refreshed at regular intervals (monthly, say, or in a periodic video address), confirming that the provider has not been served with any secret warrants or subpoenas. If the canary stops being refreshed, or its wording changes, take that as the signal, close your account and move to another service. A canary is only as good as your habit of checking it, though, and it cannot tell you what a provider has handed over voluntarily.
6. Mass decryption
The truly colossal number-crunching power of today’s supercomputers raises concern around the issue of who else has the power to peek inside a user’s VPN tunnel.
This process is termed ‘mass decryption’. Raw computing power alone is not the threat: a properly implemented modern cipher such as AES is far beyond brute force, even for a government cybersecurity agency. What makes mass decryption plausible is weakness around the cipher, such as deliberately weakened standards and implementations, or the 1024-bit Diffie-Hellman groups that older IPsec VPNs widely used and that the 2015 Logjam research showed a nation-state could precompute against, and the agencies have both the budget and the motive to exploit those.
In September 2013 documents leaked by Edward Snowden indicated that the NSA had deliberately weakened Dual_EC_DRBG, a random number generator built on elliptic-curve arithmetic that NIST had standardised and that several commercial crypto libraries used to generate keys, including in VPN products. The generator is defined by two public curve points; whoever knows the secret scalar relating them can recover the generator’s internal state from a small amount of its output and then predict every subsequent output, including any keys derived from it.
This was apparently part of the NSA’s “Bullrun” program, under which intelligence agencies reportedly spend hundreds of millions of dollars every year deliberately weakening encryption standards and products.
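To show why a backdoored generator hands over keys, here is an added example that is not part of the original article: a toy model of the Dual_EC_DRBG construction on a small, constructed curve. It is not the NIST P-256 parameters and not an implementation of SP 800-90A; the curve, the points P and Q, and the secret scalar D relating them are all assumptions made for the demonstration. The honest side runs the generator from a secret seed; the attacker, who knows only D and one output value, recovers the next internal state and predicts every output that follows.

```python
# Toy model of the Dual_EC_DRBG backdoor on a small curve. The curve, the points P and Q
# and the backdoor scalar D are constructed for this example, not real standard parameters.

P_MOD = 1_000_003          # small prime with P_MOD % 4 == 3, so a modular sqrt is one pow()
A, B = 0, 7                # curve y^2 = x^3 + 7 over GF(P_MOD)
INF = None                 # point at infinity


def ec_add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Recover a curve point from its x-coordinate; either sign of y works for the attack."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)        # valid square root only when rhs is a residue
    if (y * y) % P_MOD != rhs:
        raise ValueError("x is not the x-coordinate of a curve point")
    return (x, y)


def find_base_point():
    """Smallest x that lies on the curve (constructed generator for the toy)."""
    for x in range(1, P_MOD):
        try:
            return lift_x(x)
        except ValueError:
            continue
    raise RuntimeError("no point found")


# Public parameters as a standard would publish them: two points P and Q.
# The backdoor is that P = D*Q for a scalar D the standard's author kept secret.
Q = find_base_point()
D = 0x1337                                   # hypothetical secret relationship between P and Q
P = ec_mul(D, Q)


def dual_ec_step(state):
    """One generator step: new_state = x(state*P), output = x(new_state*Q).
    The real generator drops the top 16 bits of the output (the attacker then tries
    2^16 candidates); this toy emits the whole x-coordinate to keep the idea visible."""
    new_state = ec_mul(state, P)[0]
    output = ec_mul(new_state, Q)[0]
    return new_state, output


def generate(seed, n):
    """Honest user: produce n outputs (e.g. key material) from a secret seed."""
    state, outs = seed, []
    for _ in range(n):
        state, r = dual_ec_step(state)
        outs.append(r)
    return outs


def predict_from_output(observed, n):
    """Attacker knowing D: from one observed output, recover the following state
    and predict the next n outputs without ever learning the seed."""
    R = lift_x(observed)                 # R = new_state*Q (up to sign, which cancels below)
    state = ec_mul(D, R)[0]              # D*R = new_state*(D*Q) = new_state*P = the next state
    preds = [ec_mul(state, Q)[0]]        # the output the generator emits from that state
    for _ in range(n - 1):
        state, r = dual_ec_step(state)
        preds.append(r)
    return preds


if __name__ == "__main__":
    outs = generate(seed=424242, n=6)
    print("victim outputs:   ", outs)
    print("attacker predicts:", predict_from_output(outs[0], 5))
```

The attack needs no knowledge of the seed: a single output value, which in practice might be a nonce or session identifier sent in the clear, plus the secret D is enough to reconstruct the generator’s state and every key it produces afterwards. Anyone who does not know D gains nothing from the same output, which is exactly what makes a backdoor of this shape attractive to the party that planted it.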
So, the short answer is yes, the likes of the NSA might well be able to break into VPN tunnels.
Therefore we must bear in mind that while using a VPN certainly boosts your level of privacy, it is far from a guarantee of avoiding government surveillance, at least.
The best thing to do is adopt a layered approach to your security. Consider the VPN as the outer layer, then see what you can do to protect your data if someone breaks through it.
Your second layer, for instance, could be to use messaging apps employing E2EE “end to end encryption”. In short this is where the encryption keys used to protect a chat, voice or video call never leave your device or that of the person you’re talking to.
That means that while a company like Apple might see your data moving through their servers, they won’t know exactly what you’re saying, even if your VPN protection is broken.
E2EE has become so popular that many mainstream products, including Microsoft Teams and Zoom’s Cloud Phone Service, advertise it. As these are proprietary products, however, it’s difficult to take the vendors at their word. Prefer open source apps such as Signal Messenger: if the code is publicly available, it can be reviewed by security experts for bugs or backdoors.
Obfuscation addresses a different problem. Some providers, such as NordVPN and VyprVPN, support obfuscation technology that tries to make VPN traffic look like ordinary internet traffic, so that a network which blocks or flags VPN use cannot pick it out. This is done through specialist servers and/or custom protocols; it helps against censorship and simple traffic filtering, though there’s no way of knowing whether it fools an intelligence agency.