elagost | 4 years ago

It's been clear for a long time that every single commercial VPN service is a waste of money. At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

If you think you want a VPN for "privacy", use Tor Browser. If you want a VPN for any other reason that "normal people" think they want a VPN, you're probably wrong.

Why do we even give these companies the time of day?

(Small clarification - Most people who want VPNs should use a proxy instead. It fits the use case better. Those still exist and don't route ALL of your device's traffic over the tunnel.)

lemoncookiechip|4 years ago

It's far from a waste of money. They help with things such as skipping geoblocking, able to deceive ISPs that send mail warning users about pirated content, can in some cases help with gaming ping, allow users to trick sites that rely on IP logging and many other applications besides cybersecurity and privacy.

The main issue is that they all seem to advertise themselves as these privacy and cybersecurity services first, while ignoring all the other added benefits.

saurik|4 years ago

Meanwhile, a lot of users really can't trust their ISP: your "ISP" might be a coffee shop, or someone renting on AirBNB, or your friend (as you are at their home or office). If you are in any of these circumstances, I would probably first recommend "tether off your phone or something", but if you are finding yourself needing or merely wanting to use someone else's internet connection (maybe for speed or because you don't have a good cell signal), it totally makes sense to use a VPN.

(Also: I don't think anyone has mentioned this yet, as maybe it is somehow "gauche" to do so, but one of the top reasons people use VPNs around the world is because they want to browse porn and they don't want people around them to know. At some point, the people in the apartment next door to me figured out my wi-fi password and seemingly felt the correct solution to this issue was to use me for their porn browsing, but it was then all the more awkward when I figured out why my network was slow and knew all of the porn sites they were browsing. Most people seem more OK with the idea of paying a company like ExpressVPN--even if they are legitimately run by "spies"--to be their dedicated porn access point than hoping that someone else more locally won't find out what sites they are browsing.)

filmgirlcw|4 years ago

Totally agree. The geoblocking is the most common reason a lot of people use VPNs, even if that isn’t always how they are directly marketed. A friend’s mom asked me a few weeks ago for VPN recommendations so she could watch British TV easier. She’s 70. Her concern isn’t about safer browsing stuff but watching GBB more easily.

*Disclosure: ExpressVPN has sponsored my podcast in the past (tho I don’t handle ad sales fwiw) and I’ve always chosen to do the “this is how I watch X service in X country” use case in ad reads, b/c that’s the value in it for me vs rolling my own Wireguard/Tailscale setup (I actually have Tailscale setup for my home network).

elagost|4 years ago

Browser fingerprinting works much better than checking IPs. With multiple devices being behind the same IP, it's necessary to distinguish between users.

I'm not saying VPNs are worthless - I'm on one right now for work. Commercial VPNs, for most people who purchase them, are completely worthless.

And I very much doubt that tunneling your connection through a VPN can improve ping.

warent|4 years ago

And no wonder! All of those things you listed as benefits sound shady and illegitimate to people who aren't very tech savvy or have a poor understanding of their rights to a free web. Notice you're using words like "trick" and "deceive"; good luck selling that!

LorenPechtel|4 years ago

This. I'm an occasional customer of ExpressVPN because they're pretty good about getting past the Great Firewall. When we go visit her family I want access to the same things I have in the US. It's not going to be any real protection if the government is after you.

babayega2|4 years ago

True. I use VPN to get behind the geoblocking on my banking app which is prohibited to work in my African country. Also viewing movies banned in my country.

jon-wood|4 years ago

It is in fairness not a winning business strategy to go out and advertise with “we make breaching copyright easier”.

baron_harkonnen|4 years ago

> you replace trusting your ISP with trusting a different group of unknown people with similar motivations

I've always seen this argument but it's never made sense to me.

For starters I absolutely don't trust my ISP. I know they are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).

Years ago I used to use AirVPN. They claimed:

> AirVPN started as a project of a very small group of activists, hacktivists, hackers in 2010, with the invaluable (and totally free) help of two fantastic lawyers and a financing from a company interested in the project and operated by the very same people.

Maybe they're lying but at least there's some chance they actually care about privacy.

But even if they don't care about privacy at all and are lying, at the very least they are based in Italy and have their servers spread throughout Europe. Additionally you can pay via crypto (which gives you more anonymous payment options than your ISP). Simply being in another country than the one I live in makes it much harder for my government to arbitrarily request my data.

Yes if I want to do highly illegal activity that is going to get my government interested in me I absolutely don't think that would be enough. But if I want privacy from routine surveillance this seems like a fantastically better option than 100% giving up.

elagost|4 years ago

Use an alternative DNS server, Firefox/Brave/Ungoogled Chromium, uBlock Origin, and disable JavaScript everywhere you can possibly help it. As far as reclaiming some privacy from routine surveillance, this is probably better advice than "Pay Unknown Company X $9/mo to maybe be slightly better than your ISP in terms of privacy".

Seirdy|4 years ago

It is far easier for a bad actor to compromise or start a commercial VPN provider than it is to do the same for an ISP.

If you want online anonymity, use Tor. And torrent with a seedbox.

samstave|4 years ago

> are collecting, storing, likely selling my data and that they are 100% going to comply with any government requests from my government (I don't even trust that they would only respond to legal requests).

https://en.wikipedia.org/wiki/Carnivore_(software)

And this was the very very crude version, what is happening today is obviously light years ahead of what Carnivore was...

We really need a "Moore's Law For Surveillance Capabilities Multiplying by X Every N Period"

dannyw|4 years ago

Plus, you can chain through a couple VPNs. Both VPNs have to be compromised for you to lose privacy.

addingnumbers|4 years ago

> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.

When one party with auditors says they will protect your privacy, and the other openly spells out in their stated policies that they will run roughshod over your privacy, cataloging and trading your data as much, as long, and as insecurely as they like...

You don't have to trust the former party a lot to recognize the lesser evil.

young_unixer|4 years ago

> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

My ISP is required by law to be an informant for government agencies, so the VPN can only be equal or better than my ISP.

garyrob|4 years ago

Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

Separately from that, I still do wonder whether, if you subscribe to a VPN that has well-examined security practices and whose reputation depends on such practices, whether it still may have value over relying on the security over a local ISP which may not have as much expertise or reputation investment with respect to security.

I'm not arguing, just trying to understand the issue better.

elagost|4 years ago

Argument is the spice of life! An argument doesn't have to be angry. But nonetheless I appreciate your earnest kindness.

It's less of an issue when every site you connect to uses https, and every app you use employs ssl/tls for its connections. That is common practice these days. Getting man-in-the-middle'd on airport Wi-Fi is less feasible these days than it was 10 years ago. The attacker would have to also install a certificate on the user's device. I welcome corrections if I'm wrong.

VPNs aren't obligated to tell you the truth. They don't have to have good security or even honor what they say on the front page. People trust marketing, not actual policy or actions - just look at Apple. Still waiting on "HMA" VPN to go out of business because they handed over users to the FBI. They're still around and claim No Logs just like everyone else, just like ProtonMail did until this month.

https://arstechnica.com/information-technology/2021/09/priva...
https://hacker10.com/internet-anonymity/hma-vpn-user-arreste...
https://www.theregister.com/2011/09/26/hidemyass_lulzsec_con...

gizdan|4 years ago

> Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

No. I don't think this was ever a consensus. When is the last time you've used a (sensitive) website that is not run over HTTPS? Unless the CAs (or the certs) are compromised, you have no reason to use a VPN when on public Wi-Fi, because it is encrypted with this so-called "military grade encryption" that VPN providers love to mention.

Edit: forgot to add, if the CAs or the certs are compromised, VPNs won't help anyway.

marderfarker2|4 years ago

Most public wifi blocks all the ports necessary for VPN except 80 and 443. Even then DPI will stop most VPN protocols right in their tracks.

I’ve never had reliable VPN working over public wifi/mobile network, unless I roll my own custom protocol that masquerades as HTTP traffic.

fortuna86|4 years ago

> Honest question: it's still a consensus that they do have value in situations such as airport Wi-Fi, correct?

No, with SSL and https now the default for 90%+ of the web, you can be sure no one is casually listening in.

karaterobot|4 years ago

> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations. At worst, it's a government agency honeypot or someone like Facebook.

You're starting with the (completely correct) observation that any VPN is not guaranteed to be secure, confidential, or private, and then making an argument as though it were the case that every reputable VPN is equivalent to every untrustworthy ISP. I think that's why your argument doesn't make sense to me: I don't think there's an equal chance that a VPN provider with a good reputation is going to sell me out as my ISP.

It's axiomatic in risk management that there is no way to completely remove all risk. Running a proxy and Tor is not a guarantee of security any more than running the world's shadiest VPN is, though it's obviously more secure by far. But, it's a question of what the acceptable level of risk is, and what the marginal cost to reduce that risk is. For many people, a $5-10 (non-shady) VPN is a perfectly reasonable step to take.

Raed667|4 years ago

What if you want a VPN to unlock location based content?

hannob|4 years ago

Circumventing geoblocking is legit, but don't tell people that VPNs are about "security".

trutannus|4 years ago

Essentially the only valid use of a VPN. That, or masking your location from other users online.

I find YouTube in my country is just filled with content being pushed because it's local to my country. Some VPN exit points have less local content pushing, which gives me more options. Eastern European content is really good, but also completely missing from American YouTube suggestions.

cm2187|4 years ago

Also create a fuse between DMCA requests and your sole broadband provider if you do any torrenting.

elagost|4 years ago

Then either do without (because, come on, nobody's gonna die if they can't watch reality TV), buy it on disc, or pirate it? Netflix is blocking IP ranges so hard that residential space is getting caught in the blast radius. It's a cat and mouse game that you'll only win by refusing to play. https://torrentfreak.com/netflix-intensifies-vpn-ban-and-tar...

babypuncher|4 years ago

I'm convinced that you can get most of the privacy "benefits" of a VPN with an encrypted DNS, which a pihole can be configured to provide for your whole home network.

Your ISP could still figure out which sites you are visiting by what IP addresses your traffic gets pointed to, but I'd be willing to wager that the bulk of their data collection for the purpose of advertising comes from logging DNS requests, since it is far easier to do and captures 99.99% of their customers habits.

This won't do anything to protect your IP from being sniffed out by media companies when seeding copyrighted torrents, but that has never been a major concern in my house. This is probably also meaningless if you are being targeted for surveillance.

lol123456789|4 years ago

idk mullvad seems pretty alright

z3c0|4 years ago

It is - they know their market and they serve them well. One of the few VPNs that actually don't log traffic.

That said, I've had websites flat-out refuse me because of using Mullvad (not just because it's a VPN, but a supposedly "disreputable" VPN). Meaning blackhats love it. Meaning it works.

fnord77|4 years ago

Tor is practically unusable in 2021. Tor is blocked or is very difficult to use for a growing number of sites. Google is the big one (whether one should use google at all is a different story).

Plus ISPs can detect tor use by its customers just from packet patterns. I don't want to be flagged as a tor user by either my ISP or the sites I visit.

The only other option is to set up your own ISP either in a colo rack or on a cloud VM. That's going to cost $50-$100 month plus your time fiddling with it and any network overages

dijit|4 years ago

I think there’s been good criticism of your arguments so far and I don’t want to pile on; but I see _a value_ in commercial VPN companies.

I, a tech savvy person, have no issue creating an SSH proxy server in any country in seconds.

But I also make online video games, and the US sanction system means I must block people from accessing our services; even if they have a copy of the game.

They did nothing wrong, my company isn’t even US based: we just used a cloud provider and all of those are US based.

So, I encourage those users to use a vpn if one is available to them.

dkersten|4 years ago

> If you think you want a VPN for "privacy", use Tor Browser.

What about Tor over VPN, so that your ISP can't see that you're using Tor? That is, the VPN hides your usage of Tor from your ISP and Tor hides your browsing from the VPN (and since many VPN services even advertise Tor support, it's not like it would be suspicious, plus you can pay for many VPNs with cryptocurrency while I definitely can't hide my identity or location from my ISP).

guerrilla|4 years ago

> It's been clear for a long time that every single commercial VPN service is a waste of money.

This is nonsense. It depends entirely on your goals. It's important to me that my ISP doesn't know what I'm doing while I couldn't care less if my VPN provider does. I also need to circumvent geoblocking from time to time.

cool_scatter|4 years ago

> At best, you replace trusting your ISP with trusting a different group of unknown people with similar motivations.

I'm not sure what country you live in, but in the US, all the big ISPs might as well be run by the government, at least when talking about privacy. Private VPN companies are far more trustworthy, all else being equal.

0xdeadb00f|4 years ago

> Private VPN companies are far more trustworthy, all else being equal.

How? I don't see how being a VPN company as opposed to an ISP makes a difference in regards to government seizure or request of logs.

ftobin|4 years ago

I believe Mozilla's contract with Cloudflare to provide Firefox Private Network provides great value, and I've been happy with its service for quite some time. Mozilla and Cloudflare are both well known organizations, and Mozilla acting as a buyer's agent is a good position to be in.

wintermutestwin|4 years ago

These are the reasons why I use a VPN provider:

1. my threat model is not my government. It seems that the TLAs have thoroughly pwned our privacy for a long time now. (please note that I am in no way advocating for this mass surveillance, but I don't see that I have much choice in the matter)

2. My threat model includes my ISP. I am forced to use a scummy ISP who would openly steal my data if I let them. Same with my mobile provider.

3. My threat model includes the data thieves who have obvious business models built around selling my stolen data to the highest bidder.

4. My threat model includes black hats and script kiddies.

5. Do I trust my VPN provider? Eh. A little. For now. The thing is, I trust them more than #s 2,3,4 above. What other choice do I have?

bsdnoob|4 years ago

I wouldn't say commercial VPNs are a waste; it depends on what purpose you want to use the VPN for. Privacy? Yeah maybe not the best for that but these are extremely useful to bypass geoblocking of content. Moreover, many ISPs do not like you downloading content via torrent. How do you propose we solve it? User experience with Tor is not always the best as well. Tor network does not have lots of bandwidth; it is okay for browsing but the moment you want to download something using Tor you'd notice that it's actually very slow. I'd bet my money that using Tor would attract lot more attention by your ISP than using a regular VPN.

angelzen|4 years ago

To make it slightly more expensive for the adtech industry to spy on all my internet traffic. I have little illusions that any tech measure whatsoever can thwart government entities.

iforgetti|4 years ago

It depends on your risk model.

We use a commercial VPN at our company because it provides a mechanism for traffic encryption for employees who might be connecting from insecure networks. Sure most sites use HTTPS but there is still some unencrypted traffic like CDN or similar.

It’s not a cure all or some privacy guarantee, it’s just that for us, the risk of our employees browser history being stolen by that VPN for some nefarious purpose is just less than the risk of information leaking via insecure network.

can16358p|4 years ago

The main reason that I use (and many around here) VPNs is to access sites blocked by the government. And these blocked sites even included Wikipedia until recently.

ashtonkem|4 years ago

The utility in a VPN is in travelling, not at home. I’m not sure if I trust ProtonVPN more than I trust my ISP, but I sure as hell trust them more than I trust the little hotel I stayed at in Brooklyn.

Long term I’ll probably just solve this by setting up a VPN server at home, so I can tunnel through to my local services and protect myself from wifi endpoints I use on the go.

jrootabega|4 years ago

Having an easily-replaceable IP address is also of some value in case someone tries to DOS you in IRC/game chat/etc.

WastingMyTime89|4 years ago

> Why do we even give these companies the time of day?

My understanding is that most people use a VPN to either watch the foreign catalogs of streaming services or insert a third party in a foreign country to make themselves less tempting targets for random enforcement of copyright laws.

Obviously they don't advertise like this because these activities are illegal.

missinfo|4 years ago

Tor is too slow and often blocked by sites. And how do you know if an exit node is a honeypot or not?

Mullvad VPN seems like the best choice.

mintplant|4 years ago

> At worst, it's a government agency honeypot

Kevin Poulsen's book Kingpin, about the takedown of CardersMarket, describes how the FBI ran a VPN service as a honeypot for quite a while as part of the operation, logging everything that passed through it. As you say, it could be anyone on the other end of that connection.

nitrohorse|4 years ago

https://www.doineedavpn.com enumerates legitimate use cases well I think.

> This site was conceived and built by IVPN to challenge aggressive marketing practices in the VPN industry.

Semaphor|4 years ago

> Hide geographic location

> VPNs do not effectively solve this issue. Most modern browsers can detect the geographic location of a device based on data from GPS, available Wi-Fi networks and GSM/CDMA cell IDs and will submit this information to websites requesting it.

Did I miss something? Even the ad-tech browser will ask the user before sharing that?

qw3rty01|4 years ago

> If you think you want a VPN for "privacy", use Tor Browser

so replace a vpn, which might be logging your traffic, for a service which absolutely is logging your traffic?

Tor is an anonymity service, not a privacy service.

joconde|4 years ago

What traffic does it log exactly, and who logs it? As I understand Tor:

- the exit node knows the second-to-last node, the cleartext data and the destination,

- each intermediate node knows the previous and next nodes,

- the entry node knows the sender and the second node.

And using HTTPS prevents the exit node from knowing the cleartext data.

This doesn't enable any individual node to know who sent what to whom, assuming that the whole path isn't entirely controlled by one person.
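The per-hop knowledge described in the comment above can be checked with a small simulation. This is an added example, not part of the thread and not Tor's real cell format or cryptography: the relay names, keys, sender, destination and request are constructed, and a SHA-256 keystream stands in for the per-hop encryption.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypt == decrypt.
    Stand-in for real per-hop crypto, for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

# Constructed three-hop circuit; each relay shares one key with the client.
PATH = ["entry", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"constructed-key:" + name.encode()).digest()
        for name in PATH}

def build_onion(destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload from the inside out, one layer per relay.
    Each layer holds only the name of the next hop plus the inner cell."""
    next_hops = PATH[1:] + [destination]
    cell = payload
    for relay, nxt in zip(reversed(PATH), reversed(next_hops)):
        cell = xor_stream(KEYS[relay], nxt.encode() + b"\n" + cell)
    return cell

def relay_views(sender: str, cell: bytes) -> dict:
    """Relay side: every hop strips its own layer and records what it saw."""
    views, prev = {}, sender
    for relay in PATH:
        nxt, _, inner = xor_stream(KEYS[relay], cell).partition(b"\n")
        views[relay] = {"prev": prev, "next": nxt.decode(), "inner": inner}
        prev, cell = relay, inner
    return views

def knowledge(sender: str, destination: str, request: bytes, use_tls: bool) -> dict:
    """For each relay: does it learn the sender, the destination, the cleartext?"""
    # With use_tls the request is first encrypted end to end with a key that
    # only the client and the destination hold (constructed here).
    site_key = hashlib.sha256(b"constructed-tls-session").digest()
    payload = xor_stream(site_key, request) if use_tls else request
    views = relay_views(sender, build_onion(destination, payload))
    return {relay: {"sender": v["prev"] == sender,
                    "destination": v["next"] == destination,
                    "cleartext": request in v["inner"]}
            for relay, v in views.items()}

if __name__ == "__main__":
    for tls in (False, True):
        print("end-to-end TLS:", tls)
        result = knowledge("alice", "example.org", b"GET /inbox HTTP/1.1", tls)
        for relay, facts in result.items():
            print(f"  {relay:6} {facts}")
```

The model covers a single circuit with honest relays; the comment's own caveat, a path controlled entirely by one party, is outside it.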

hammock|4 years ago

> If you think you want a VPN for "privacy", use Tor Browser.

Isn't using Tor browser trusting a group of unknown people as well (nodes)? I hear all the time theories that Tor is a giant honeypot

elagost|4 years ago

Diversification. Theoretically most of the nodes are owned by different people, and every connection will randomize your node list route between them, making it difficult to track, unless most of the nodes were owned by one organization. With VPNs, all of your connections are through servers owned by one company, identified by an account ID.

acchow|4 years ago

> If you want a VPN for any other reason that "normal people" think they want a VPN

As far as I can see, normal people are asking for VPNs to access Netflix catalogs of other countries.

caymanjim|4 years ago

Tor is almost certainly a government honeypot, but if you're just trying to hide from Google and other ad companies, it'll help. Except that it's cripplingly slow.

deelowe|4 years ago

What assurances do we have that most tor end points aren't compromised as well?

dangerface|4 years ago

You are right that most people are just signing up with the same credit card and details as their isp and even if they claim they don't keep logs the vpn needs to link the use of their service to your details for billing just like your isp.

That said if you live in the UK the government logs your internet history to be used against you at their convenience. Using a vpn like mullvad.net that you can buy with bitcoin and no details prevents the government logging my history, that's worth the £5 a month.

zelphirkalt|4 years ago

Accounts can be completely decoupled from the payer. As long as the account is paid for, it should work. If there are no speed or time limits imposed, then why worry about who is using the VPN? If you allow a reasonable number of connections to the account at any given time, the rest shouldn't matter.