7 good reasons why a VPN isn’t enough

With Americans spending over 10 hours of screen time daily across the various devices they own, this amounts to a lot of internet usage. Of course, all of this traffic goes through your ISP, and with the spectre of possible data breaches, this can create some real concern about your data and privacy.

Not to mention that over in the US, any fears along these lines have recently been compounded by the legislation which was passed earlier this year to overturn FCC privacy regulations, allowing ISPs to legally sell user data to the highest bidder in order to make additional profits. And of course in the UK we have the equally worrying Investigatory Powers Act.

The solution that many folks have turned to is a VPN or Virtual Private Network. Sending your data through an encrypted tunnel has an obvious and appealing privacy advantage. After all, doing so should keep your internet activities safe from your ISP’s prying eyes, and its ‘big data’ mining operations.

However, while a VPN is an excellent start in terms of protecting privacy and your browsing history, realize that it is not a cure-all, and does not provide full online anonymity or complete protection of all data when used alone.

In this feature we’re going to discuss some of the limitations of using a VPN.

1. Free VPNs

Everybody wants a bargain, but a free VPN is one offer that you might want to pass on. At least given the aforementioned concerns regarding security and anonymity, because with a free VPN, you are essentially signing up for a service which only has one way to turn a profit: by selling your browsing information to the highest bidder.

While everyone has to make a buck, you are definitely better off using a VPN that you pay for, which at least has a responsibility to value your privacy – because it’s literally their business to make sure this is the case.

2. VPNs keep track of data

When it comes to a VPN, one of the differentiating points is how long providers keep your data. Most VPNs keep data for between 14 to 30 days, and also require a varying amount of information for when it comes to signing up for an account. Obviously, the less information you have to supply to create an account, the better (in case of a potential data breach).

Ideally, a provider should log as little user data as possible, so pick your VPN carefully bearing this in mind. For example, check out our review of ExpressVPN which claims to not collect any browsing activity or traffic data, making it a standout in this area among rival VPN services.

3. Geolocation data

When you visit a website, often it already knows where you are via geolocation data. This is sometimes useful, for example when searching for a chain restaurant, because you’ll get directed to the closest location. This data can be supplied via your PC, and even more so with a smartphone which has integrated GPS capabilities, along with many apps asking for permission to access geolocation data.

With a navigation app, most of us won’t quibble about granting permission to access location data – as obviously it’s vital – but many other apps request permission to collect this data as well, with no direct need for it. They can then easily build a database of a user’s travels, and time spent at locations – and the point here is that this will not get cloaked even with your web browsing going through a VPN service.

Your only protection in this case is your common sense and a keen eye when it comes to app permissions.

4. MAC addresses

A MAC (Media Access Control) Address is the unique identifier for each and every device on the network. There are several standards for this, and they all consist of a series of digits – for example MAC-48 addresses consist of six groups of two hexadecimal digits that make up a 48-bit number.

A MAC Address, via the first three octets which make up the Organizationally Unique Identifier (OUI), indicates the manufacturer of the device. As each MAC Address is unique, it also allows your ISP to track a device’s usage. A VPN will not provide anonymity from this, and therefore some folks turn to MAC Address Randomization techniques in an attempt to provide a cloak.

5. Traffic statistics

Even in the best case scenario with all traffic encrypted by a VPN, an ISP can still learn quite a bit about the user. By analyzing both the volume of data, and the features of the data, the ISP can glean quite a bit of information without any need to break the encryption.

This type of analysis is known as ‘side channel’ information. Additionally, the times that the internet is used can also reveal patterns of internet usage that could be potentially useful, as seen in the screenshot above from an Asus RT-1900P router’s Traffic Analyzer feature, which can, for example, easily indicate how much video streaming the user is doing.

6. DNS requests

DNS (Domain Name System) servers deal with the process of converting the web address typed into your browser into the numerical IP address that’s actually used to direct the packets of data to your computer with the requested information. In general, the default DNS is your ISP, which again gives the company a complete web history of each user’s visited sites.

This can certainly be changed, but a popular alternative DNS – 8.8.8.8 – is Google Public DNS, which is hardly an anonymous solution. The issue is that even when using a VPN, the DNS resolution can still be performed by the ISP depending on the configuration of the VPN.

There is a method to have the VPN resolve the DNS requests with an alternate DNS, but this needs to be separately configured, or the VPN can be operated in ‘tunnel mode’ where all the data gets sent only to the VPN server, which then handles the DNS duties.

With a basic encrypted VPN not being the answer, there are free public DNS solutions that do not log requests – such as FreeDNS – which surfers are better off using from an anonymity point of view (whether that’s configured in the VPN client, or Windows itself).

7. History snooping

Long before ISPs were selling information to the highest bidder in the US, companies had come up with ways to spy on users, a practice that has unfortunately persisted. We’ll leave it to the conspiracy theorists to figure out if this is all about making additional revenue, helping the NSA, or worse.

Recent examples have included ‘super cookies’ from the likes of mobile carriers Verizon and AT&T, and the Blu phone issue which raised concerns about data being sent back to Chinese servers. Stories like these are enough to make your skin crawl, particularly as a VPN does not protect from this level of history snooping, because the spying is tied so closely into the device.