You probably don't need a VPN. Despite all the marketing from VPN companies that you should pay them for a virtual private network to use from your home internet and, especially, from public wifi, most Americans may be better off not paying for a commercial VPN, according to multiple security experts.
The underlying reason: The internet is a very different landscape in 2021 than it was 10 or even five years ago. Although of course some people will still benefit from a VPN, and particularly those with a higher degree of threat against them, most Americans can probably save that $5 or so a month.
"It’s time we retire the stock advice to get a personal VPN," Bob Lord, former chief security officer at the Democratic National Committee, told Motherboard in an email. "Most people do not need personal VPNs today because the internet is much safer than it was in 2010. Personal VPNs create additional risks. Giving everyone advice that only pertains to some people misdirects them from the steps that will actually help them secure their digital lives."
The main promise of a VPN is that it will encrypt your web traffic, so perhaps your ISP can't see what sites you're visiting or a hacker on the same public wifi network can't snoop and capture your credit card information as you make an online purchase. YouTubers sponsored by ExpressVPN, for example, have said "Don't let hackers steal your financial details," and "Working from home? Protect your sensitive data with an extra layer of security."
But most of the heavily used web is already encrypted in some form. Lord pointed to how nearly 93 percent of all page loads in Firefox in the U.S. are over HTTPS. That’s compared to around 25 percent in January 2014. Huge portions of the internet have been encrypted thanks to Let's Encrypt, the nonprofit Certificate Authority (CA) which offers encryption certificates to websites for free. Let's Encrypt was started in 2012, and today over 250 million websites use the organization's certificates, according to Let's Encrypt's website. Whereas it used to cost money for a website administrator to get an HTTPS certificate, now essentially any site can get one.
Google also prioritizes HTTPS sites in its search results, Lord said, which can have the knock-on effect of incentivizing websites that care about their search engine optimization to make the switch, and ushering users to sites that use encryption.
"Browsers have made it harder and more frightening to bypass security warnings and have updated the UI to call attention to non-HTTPS connections (since loading content over HTTPS is the expected behavior)," Lord added.
Security researcher Kenn White added that "for the vast majority of consumers, commercial VPN services add very little value and frankly most incur more security risk for the user."
One risk is that some VPN providers use self-signed root CAs, which allow the provider to read encrypted traffic coming from a user's computer. White said this is done in the pursuit of malware prevention, but that "is just a different way of saying 'intercepting your (otherwise) encrypted web and mail traffic.'"
"A good question to ask yourself is: do I trust my VPN company more than my ISP to handle the data of which sites I navigate to? If the answer is yes, then using a VPN may be a good match for you. If you're unsure or the answer is no, then the risks of a VPN may not make that trade-off worth it, and for many folks with a lower threat model, that is likely the case," Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat.
On that point, at-risk groups will likely still want to use a VPN. I use one when researching people or companies who may later become adversarial before or after publishing an article about them, for example.
Tobac said that although social media, streaming, and banking sites all commonly use HTTPS which protects your credentials or other information entered on those sites, a hacker or ISP may still be able to see that you made a request to visit that site in the first place.
"If the fact that you navigated to your bank or Netflix is not thought of as a secret for you and your threat model, then you're probably good to go without it," Tobac said.
In emails to Motherboard, both NordVPN and ExpressVPN pointed out that on smartphone apps it is harder for an ordinary user to tell whether the app is sending data encrypted or not, compared to a normal web browsing session.
"Any tool that can make it super simple for a layperson to increase their protection is a win—and we certainly hope we’ve helped make VPNs one such tool," ExpressVPN Vice President Harold Li wrote.
NordVPN said in an email to Motherboard that "Americans need commercial VPNs (I guess that’s unsurprising, coming from a VPN service provider). In fact, everyone needs them." They pointed to how not all sites use HSTS, or HTTP Strict Transport Security, which tells browsers to connect to a site only over HTTPS. The company also said that a VPN with a good DNS filter can prevent people from accessing phishing sites. (A phishing site will still harvest a victim's credentials if they enter their details into such a site, whether using a VPN or not).
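For readers unfamiliar with HSTS: a site sends a Strict-Transport-Security header over HTTPS, and the browser then refuses to use plain HTTP for that host for max-age seconds (and, with includeSubDomains, for its subdomains too). The added example below, which is not from the article or either company, models that browser-side logic in a small in-memory store, including the edge cases of an invalid header, a header received over plain HTTP (which must be ignored), and max-age=0, which clears the policy; the hostnames are constructed sample values.

```python
import time

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None                      # duplicate or non-numeric max-age: ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class HstsStore:
    """Toy in-memory model of how a browser remembers HSTS hosts."""
    def __init__(self):
        self.known = {}                          # host -> (expiry timestamp, include_subdomains)

    def learn(self, host, header_value, via_https, now=None):
        """Record a policy from a response; returns True if a valid policy was applied."""
        now = time.time() if now is None else now
        policy = parse_hsts(header_value)
        if not via_https or policy is None:      # only honoured over a valid HTTPS connection
            return False
        max_age, include_subdomains = policy
        host = host.lower()
        if max_age == 0:
            self.known.pop(host, None)           # max-age=0 tells the browser to forget the host
        else:
            self.known[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host, now=None):
        """True if a plain http:// request to host must be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):             # check the host, then each parent domain
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False
```

Note that the protection only exists after the browser has seen the header once over HTTPS, which is the gap NordVPN is pointing at for sites that never send it.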
"Anyone, without having any technical knowledge, can add a layer of security and privacy with a single click. And because of the channels we use to market our services, we’ve been able to reach people who would never even think about cybersecurity," NordVPN added. "We strongly believe that recommending people to stop using VPNs will make the digital environment less safe."
There is at least one thing that some VPNs could help with: blocking malicious ads. The online advertising ecosystem is so dangerous that the U.S. Intelligence Community has blocked advertisements at the network level, Motherboard reported recently. But online ads are not just a threat to intelligence agencies; Motherboard has repeatedly shown how data brokers harvest 'bidstream' data by participating in the online advertising process. This sort of information can include location data.
Some VPNs can block ads by stopping connections to the ad networks' domains, although not all necessarily do. A browser extension may be a more familiar way of blocking ads, but those carry their own risks. Last year an adblocker developer sold two of his extensions to a new owner who then added malicious code designed to tamper with victims' social media accounts, Ars Technica reported at the time.
Or, of course, many customers will use a VPN simply to access online content such as Netflix that is ordinarily locked to a specific region. In which case, go crazy, maybe.