What VPNs can do for you & how they protect you

A VPN service is only as good as the security it provides. Here’s what a VPN is, and what it can and can’t do to protect you online.

Author: Nym

Virtual private networks (VPNs) can protect you and your online privacy. VPNs encrypt your data, hide your IP address, and can even help prevent certain kinds of cyber attacks.

But not all VPN services provide the same level of protection.

Behind the polished image of many “famous” VPNs are some hidden risks for users, mainly because of their centralized structure. This is why decentralized VPNs (dVPNs) are usually better.

In this article, we will explain how VPNs protect you and your privacy.

Why do you need a VPN?

Who needs a VPN in the first place? And for what exactly?

How does a VPN protect you: VPN uses

VPNs serve a number of purposes, but generally they are turned to for greater online anonymity, privacy, and security. Say you want to download something, but don’t want anyone to see or be able to track who is doing it. A VPN can potentially mask who is downloading the content. As we will see, however, this “masking” is definitely not foolproof.

Here you can read more on the topic of online tracking.

Are VPNs absolutely necessary all the time? For most day-to-day tasks like web browsing and emailing with friends from home, maybe not. Default web security is very different than it was even 10 years ago, let alone at the unencrypted dawn of the world wide web. Most websites now provide a certain default degree of encryption for user traffic, and browsers can be configured to flag or prohibit access to unsecured sites. Moreover, password-secured wi-fi networks and encrypted home devices are already significant improvements for online security. But is all this enough?

How does a VPN protect you: safeguard your online privacy

Even if default security measures online have become more advanced for general users, so too have the types of surveillance, data theft and sale, and cyber attacks affecting users all over the world. For many people, using the internet has become an essential tool for almost everything. As a result, who we are, what we do online, and our personal habits and desires have become the constant objects of cyber tracking and exploitation.

We might think that it’s relatively innocuous that websites track our browsing habits in order, for instance, to tailor ads to our preferences. This micro tracking, however, feeds into a much more massive, complex, and clandestine system where user data is accumulated, profiled, sold, and maliciously exploited. Even the most basic things we do online have become resources for potential use outside of what we consent to. We face a double fight as global internet users: to prevent the details of our personal lives from being harvested for profits, and to stop governments from keeping tabs on us or deciding what information we can or cannot access.

Before turning to the best type of VPN to look for on the market, whatever your privacy needs and concerns may be, let’s demystify the technology a bit.

How does a VPN protect you?

A VPN essentially provides a proxy server through which your online data and activity are transmitted and routed. It does this through three privacy features: encryption, secure routing, and IP address obfuscation.

Have a look at this article to see if a VPN can protect you from being hacked.

However, like any product, the efficacy of these promised functions depends a lot on the quality of the VPN service you are using. And VPNs that centralize user data ultimately cannot guarantee your privacy or anonymity online because of the possibility of data breaches from their servers. But before we get there, it’s important to consider how VPN technology works to protect us online.

Encryption

When you connect to a VPN, your online traffic is first encrypted before ever leaving your device. Encryption is a cryptographic way of encoding your data so that only those with a unique and shared key can actually view its contents. In the case of VPN encryption, only your device and the VPN server should possess the key. If an external party manages to intercept an encrypted message along the way, they would be unable to decipher it. It would just look like gibberish.

To be clear, data encryption is not a novel VPN technology, nor is it the only way your data can be encrypted online. Many websites, apps, and devices provide certain kinds of encryption to protect users. What a VPN can provide is a particular encrypted route, from end-to-end, between your device and what you want to access or where you want to transmit something online. This has the primary advantage of further masking your actual activities from less trustworthy parties trying to listen in on what you’re doing. It also displaces the need to trust our Internet Service Providers (ISPs) to protect our privacy, because all our traffic is routed and masked through the VPN server.

Tunnel routing

Once your data is encrypted on your device, it is then directly transmitted to the VPN provider’s own server(s), which will serve as your proxy on the web. The secure route between the two is established by what’s called a “tunneling” protocol. We can liken it to driving through an underwater tunnel between two land masses. The concrete tube is engineered to secure your car’s passage, preventing external water from entering, and oxygen and pressure from escaping. Now imagine this (VPN) tunnel is just for your data, and that when your car (or data) exits on the other side, its license plate has been changed.

With VPN encryption and tunneling, neither the contents of your activity nor its ultimate destination can be viewed by your ISP or other third parties. If you’re accessing a website (the “destination”) via a VPN, the ISP will simply see the VPN server as the destination and not the website itself. However, your ISP will still see the connection between your device and the VPN server. This is important to remember because ISPs can be compelled by authorities to disclose user data, which of course might include who is using a particular VPN service.

IP address masking

Once your traffic is with the VPN service provider, your IP address is replaced with the VPN’s own before going to its final destination. This is how a VPN “masks” or obfuscates your real identity: it acts as your proxy for what you do online. But what is an IP address exactly, and why is it such a valued resource in surveillance and hacking?

An IP (short for Internet Protocol) address is a unique numerical identifier for your device when connecting to a network. For minimal network functionality, an IP address indicates the position and certain details of your device in relation to others in a network. Some IP addresses are “static” and stay the same for your device across different networks and sessions. Others are “dynamic” and change depending on how a network might assign many coming-and-going users with temporary and reusable identifiers. Whether static or dynamic, an IP address reveals something about you and what you’re doing.

However, it is not an automatic identifier of your personal identity (such as your name and registered address). It may only reveal an approximate location of your device, the ISP you’re connected to, and what kind of device you’re using. However, in conjunction with more precise information gained from your ISP, it can lead to these more personal details, like billing and residence addresses. Sophisticated surveillance programs and hackers can use it to paint a fuller picture of what we’re doing online to exploit us.

What traditional VPNs can't do for you

Whatever we do online, we leave a data trail behind. VPNs can provide a first line of defense for online privacy by encrypting our traffic and masking our IP addresses. However, they also centralize and likely keep records of what we do, including the metadata of our real IP addresses, time-stamps, device information, and traffic durations. If this underlying data is leaked or accessed from the VPN’s own database, it can be used to track our activities or to exploit our systems. Users will thus rightly wonder whether we are truly anonymous and secure while using a VPN.

VPNs do make it more difficult for our online activities to be easily tracked, surveilled, and attributed to us. This is for a simple reason: they route and mask what we do through one proxy connection (or hop) before accessing the destination. So let’s run through what a VPN can and cannot do for your online security and privacy.

Mask your metadata

End-to-end encryption is the first step to make your digital data more secure. Encrypted data can't be read and so it's protected even when intercepted.

Let's say, for example, that someone has hacked a public wi-fi network that you are using. If you don't use a VPN, the hacker can clearly read data about your online activity. If your data is encrypted, on the other hand, the hacker can't read it or spy on your activity.

Two of the most used (and reliable) encryption protocols are OpenVPN and WireGuard.

Read our comparison between OpenVPN and WireGuard.

Encrypting your data can't protect you from those who want to track and spy on your online activity. In fact, information about your online activity can be derived from your metadata that is present on traditional VPN servers.

Read this article to discover what encryption is.

Avoid information logging

Traditional VPNs function as proxies for us by rerouting all our online activities through their own servers. But this raises an important question: can our traffic be viewed or tracked once it passes through there? The answer is yes, but only potentially and partially.

To be clear, when using an end-to-end encrypted connection, the content of what you do online can never easily be seen by a VPN service provider or external parties, unless encryption is broken. However, the VPN can fully see and potentially keep records of the metadata of our traffic, such as the time-stamps and destinations of what we access. The VPN service provider thus has the ability to keep “logs” or records of possibly identifying user data that they route.

Given this ability, VPN service providers often pledge to not keep logs of our metadata – records of who we connect to, when, and how much traffic is exchanged through the VPN server. This is often marketed as a “no-logs” or “zero-logs” policy. Ideally, without any central log of our identity and activities, what we do cannot be easily traced back to us. This can make it difficult for surveillance to track our online behavior, for hackers to exploit our personal data, and for governments to demand access to who’s doing what through a VPN.

Users thus often turn to VPNs to avoid the question of whether we can trust our ISP to keep our traffic private. With a VPN, we effectively transfer this trust to the VPN service providers themselves, hoping their privacy mechanisms will better protect our data. At the end of the day, however, the way many VPNs centralize our data poses security risks to our privacy.

Prevent data leakage

Good enough encryption is the first line of defense against data leaks between your device and the VPN server. This is because even if external parties are able to intercept the content of your data along the way, it would be unreadable. However, this is potentially not enough to protect our privacy. As we have seen, once your traffic passes through the VPN server, the metadata of your traffic is centralized there and thus vulnerable to attack. Choosing a dVPN or mixnet VPN is an important option to avoid this risk.

There are also other vulnerabilities with some VPN tunneling protocols not related to centralization that are important to keep in mind. One risk is what’s called a Domain Name System (DNS) leak. This is where your traffic, such as entering a website address (the “domain name” query), goes through your ISP rather than through the VPN tunnel. This is a bug caused by the configuration of your own device with the VPN. The fault typically lies with poorly designed VPNs which do not properly configure your own system’s default DNS settings to pass through the VPN’s own. Other cases might be the fault of your operating system or browser. Whatever the cause, your data may be compromised. It is therefore important to choose a VPN with specifically designed protocols for ensuring that DNS requests are also always tunneled via the VPN.

How does a decentralized VPN protect your privacy?

Traditional VPNs keep all user data on servers that they own. This data centralization is a big risk for your privacy and security. Decentralized VPNs, by contrast, use a network of independent nodes to reroute your traffic.

Read this article and learn more about decentralized VPNs.

Decentralize how your data is routed

dVPNs and mixnet VPNs like NymVPN offer an alternative to centralized VPNs that directly addresses this vulnerability. In short, dVPNs distribute your traffic through a decentralized network of independent nodes rather than a central server. The risks of potential logging or data breaches are greatly reduced because no single server ever has access to both your IP address and your data’s destination. Even if a node operator does log traffic through their individual server, they never have access to the full picture of what’s going on in the network where user data is routed via multiple hops.

Traditional VPNs know well the problem they expose us to, and this is why users on the market for a VPN face commitments to “no-logs” or “zero-logs” from them. Even if a VPN claims they will not keep records, we must still trust that they will abide by it, especially under external (and sometimes legal) pressure. But needing to trust a centralized VPN’s promise can be avoided by choosing a dVPN or mixnet VPN. The centralization of our data on their servers still poses security risks, like the hacking or breaching of their servers where our metadata is located. The VPN’s financial records of who pays for their services, furthermore, can directly link you to them. And of course, not all VPN services even have zero-logs policies, so we need to choose wisely.

Quality encryption

As with traditional VPNs, encryption is a primary security infrastructure of dVPNs, working in conjunction with a decentralized network. NymVPN safeguards both your data and metadata using robust encryption techniques like AES128, ChaChaPoly, and BLAKE2 to ensure that your information stays secure and protected from unauthorized access or tampering. NymVPN also uses WireGuard for end-to-end routing, which is faster than OpenVPN and has a smaller attack surface.

Conclusion

We’ve all seen the number of cameras that line roadways and corners almost everywhere, there to simply collect data on who goes where. Internet surveillance is much worse and more complicated than we can imagine. And the adversaries in this global battle are numerous: malicious hackers; data-brokers who profit on our habits; governments trying to keep tabs on what we’re doing; and censorship laws that block information, content, or online services.

To this end, VPNs remain an essential tool in the fight to protect our data online, but they are not absolute solutions to the privacy and security problems we might face. Additional tools like multi-factor authentication, password managers, anti-malware software, and good browsing habits can also be important complementary tools. Read more from Nym about how VPNs can and cannot protect us against certain cyber threats.

The protections we’ve explained in this article are all possible with VPN technology, but not all VPNs provide them or can guarantee them if they do. The crucial issue is that data centralization by many modern commercial VPNs continues to pose a security risk for users. A mixnet VPN like NymVPN is an innovative solution to this problem: decentralizing the control of our online data simply takes the question of trust out of the equation.
