VPNs and the ongoing battle for privacy

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec Institute. Today's guest is Pete Zaborszky, founder of bestvpn.com. Pete's specialty is virtual private networks. As VPNs become more and more commonplace, I thought it might be a good opportunity to talk about some VPN safety best practices, some of the issues currently swirling around VPN use and privacy, and some of the ethical considerations around VPN use. Pete Zaborszky has been invested in privacy since before Edward Snowden's revelations. Founded in 2013, his website bestvpn.com has helped over 30 million visitors gain information on how to protect their privacy in the digital age. Together with a team of experts, bestvpn.com is dedicated to fighting for people's privacy and freedom to use the internet when, where, and how they wish. Pete, thank you for being with us today.

Pete Zaborszky:

Yeah, thank you for inviting me.

Chris: So, tell me first about your security journey. Where did you first get interested in computers and tech, and what was the path from there to founding bestvpn.com?

Pete: Oh, yeah, that's right to the beginning. So, it started when I was about 15 or 16. That's when I learned programming myself and I made some online games and then ended up doing a degree in computing and I always wanted to start my own business. So, I tried quite a few ventures. Then in 2013, that's when I started bestvpn.com and what was interesting about it is that it's something that very much aligned with my personality. I think some of the other businesses I tried weren't really what I was truly interested in. But being kind of quite a libertarian, quite concerned about let's say the small person versus large governments or large corporations, it was something that aligned really well to my personality and that's maybe why it became so successful. So yeah, we started it right before Edward Snowden came out with his revelations and it took off after that. So, that's a short history of bestvpn.com

Chris: So can we get our listeners up to speed, those who haven't visited your site, what does bestvpn.com cover on the site? What is your organization's purpose and how long have you been writing about VPN use?

Pete: So, obviously, it's called bestvpn.com. So, we're comparing VPN services. But right from the beginning, I thought to really make the site successful, it needs to be about more than just VPNs. We always focused on writing guides about privacy, guides about cyber-security. I think one of the most famous ones is the Ultimate Privacy Guide, which is over 10,000 words all about privacy. And I think that joined into the VPN topic really, really nicely, and a lot of people find us when they're reading these guides, not necessarily when they're looking for VPNs. But then the nice thing about it is then the business came along, the business side of things that we could go along and compare VPNs, build a business on the back of that.

Chris: Yeah. So, it's not just a consumer guide for people who are buying VPNs now. I think it's worth noting because the name of it might suggest that if you're not buying a VPN right now, there's nothing to see on the site. But if you're interested in protecting your privacy and your best practices in that regard, it's also a good resource for that. Correct?

Pete: Yeah, yeah, yeah.

Chris: Yeah. So how has the use of virtual private networks changed since they were first introduced? A few years ago, it seemed like only elite computer users had VPNs, but they're pretty common now. So, what do you think brought about such quick change?

Pete: So, it's definitely just the issue of what big companies and what governments are doing with your data and it's become very, very mainstream and a lot of people are thinking about it in the general public, not just in the IT sects or all the cybersecurity sector. I think also because of that when I started it was a slightly gray area. Whereas now, it's very, very much a mainstream product and there's a lot of uses for the general public because we are, let's say, very, very much at risk of how the people using our data in weird, in ways we don't necessarily want them to use it. And a VPN is an important part of a portfolio software that you need to protect your privacy.

Chris: Yeah. How do you think that sort of perception changed? I mean I guess just the sort of situation we're in now in the sense that people are realizing what their data's being used for. Because like you say, VPNs seem very sort of underground a couple of years ago and now around the water cooler, everyone's talking about what they're using their VPNs for and stuff like that.

Pete: Yeah. I think maybe it's partly to do with the fact that I'd say Edward Snowden definitely had a big impact. But it's also if you look at what Google and Facebook have done since 2013 and how I think back in 2013 they were like really good corporations that everyone was in love with. They offered a great service and if you think about it now, that's changed a lot and people aren't that happy with what they're doing with your personal data. I think that as well and also just as the internet's evolved and moved along, people are a lot more aware. Let's say if I'm using wifi in a cafe then that might actually be dangerous because someone could intercept your communications. So, I think there's just generally people have heard stories and they've gotten a lot more informed about what they need to be careful of.

Chris: So I want to talk about this perception of VPNs and sort of introduce it with a little personal story. So, when your name was suggested for the podcast, I went to look up bestvpn.com at work and I got an error saying that the IP was blocked for reason of "proxy avoidance". So, when I tried again to look at you on my phone using my data plan, the site came right up of course. So this suggests that our web filtering service at work blocked your site because it didn't want us to know about VPNs and other options to get alternative networks. So, do you think this is a common thing in your experience? Is the very concept of VPNs considered taboo by internet service providers?

Pete: I think we've seen this happen more and more. I think for someone in the U.S. or Europe, it's something that's maybe a bit shocking when something like that happens. I think if you're in Asia, it's actually something that happens every day. In China, Indonesia, Thailand, they have sites blocked all the time. But it's interesting how our governments and all ISPs are becoming a lot more, they're starting to sense the things a lot more and it's a very, very worrying trend, I think. It's not really what the internet was founded on. It was supposed to be free-flowing information, but now apparently an ISP can decide what you should be looking at and what you shouldn't be. I think, especially if you're from the U.S., the UK, that sort of thing, it's very, very strange to be faced with censorship. It's not something they see-

[Crosstalk]

Pete: Yeah.

Chris: Are you beginning to believe that the use of unauthorized VPN servers, that we're getting this sort of friendly fire by removing all references to VPNs and also you're not just getting illegal uses taken away, but also educational materials and so forth?

Pete: Yes, and it could even impact users in a really, really bad way. Because let's say you are using public wifi, it is actually a lot safer using that with a VPN. But you're kind of jeopardizing that as an ISP by not letting people use a VPN. So you're almost putting users at risk.

Chris: So, at this point in the game, what are some of the main things you found that VPNs are being used for especially in the U.S. and the UK? You know, the common conversational use you hear is people are streaming TV shows from countries that they're not in or whatever, but there's got to be a lot more uses. What are some of the main uses that people are using for VPNs in your experience?

Pete: So, I think let's give the devil his due. That's something that's still happening quite a lot. What we've progressively seen the whole privacy issue, we run some questionnaires on the website asking people what they want to VPN for and we've seen privacy becoming more and more of an issue. So, I think more and more people are just using a VPN for that. Also, I think as people travel more and more, they also want a VPN, not just for security but also let's say you do go to Thailand or you do go to somewhere in Asia where there's site-censored, you realize that's happening and you start using a VPN. So I think those are probably the two biggest uses.

Chris: So you used the term already, but the main selling point of VPNs is privacy and the promise of being able to browse or do projects online without the big brother like monitoring of every click. But we need to be clear in our terminology here. Is there a distinction between privacy and anonymity? Is there sort of a limit to how anonymous you can be on the internet even with a VPN?

Pete: Yeah. This is something we talk about a lot in these guides about privacy because if you're looking for absolute anonymity, then VPNs aren't for you. Another thing we always say is if you're doing criminal activities, then don't use a VPN because for one thing you shouldn't be using a VPN for that or doing illegal things, but it won't actually help that much. If the FBI, NSA, whatever wants to come after you, a VPN is not going to help. So, people need to be very, very aware of that.

I think the things I was talking about before, that's what kind of VPNs are good for. If you want more and more, let's say anonymity versus privacy, you need to read up about the topic a lot more and there's a nice metaphor of a risk. You have like a risk ladder, maybe let's say that depending on how high you want to be on that ladder, and how anonymous you want to be, you need to look into more and more tools to do that. If you're a whistleblower or a journalist out doing high-risk things then it's throwaway laptop, it's only using wifi in cafes, getting rid of the laptop afterwards, that sort of thing. So, yeah, the VPN won't help you in those cases.

Chris: Yeah. To sort of jump on that, there was an article, a news story back in April on naked security. There was an employee at PennAir who, upon her retirement from the company, used a VPN to set up public accounts at the airline and was wiping out assignment maps and also creating top-level privileges for herself. And she was able to be caught because there was a trail of VPN logs that delineated all of her activities. So, I think this sort of ties into what you said that there's, you know, VPNs don't offer ultimate privacy. But it seems like a lot of VPN providers do sort of suggest or skirt around the issue that we don't keep logs or so forth. So, how does your site check to make sure that what VPNs say they're providing, they're actually providing or do they all keep logs?

Pete: I think that's very unlikely. Although it's very, very difficult to verify. Really good is that more and more big-name VPNs are coming out with public audits of their services. But it's even, you have to know that it's almost impossible to really know if someone's keeping logs or not. But I'd say if a certain VPN that we know has got millions of customers and there hasn't been an issue where someone's gotten arrested or whatever based on logs. If you know it's a big VPN company, it's very unlikely that they are keeping logs because it would get into the public domain that something has happened with logs. So, that's one of the ways. And then public audits, we do our own audits as well. So, yeah, it's hard to know exactly, but there's always indications of whether logs might be an issue or not.

Chris: So philosophically speaking what are your thoughts on a case like that where someone was arrested but it was done under the auspices of keeping logs, which they may or may not claim to be able to do. Do you think that that was worth it in that case or does that sort of open up another can of worms about what all this is actually for?

Pete: Well, I think there's been a couple of cases over the years where this has happened and one of the providers who it's happened to had a bad reputation even before that. So, I'd say do your research before you buy a VPN. And then there's another issue around it, is whether let's say you can keep logs in two ways. You can keep all the logs forever or you can say, "If the FBI comes to us and they do a request, then maybe we start logging some traffic." And that's happened in some cases as well. That's maybe, let's say we can maybe let the VPN off slightly off the hook in that case.

Chris: Of course, yeah.

Pete: But it's still quite bad. What you're doing with a VPN is really you're kind of outsourcing trust into the VPN and you're saying "I'm willing to trust the VPN more than I'm willing to trust, let's say my ISP." By the way, the odds there are about, you know, if I get a VPN, they've got millions of customers, millions of those customers trust them to not give up their data. So, they've got a very big vested interest in not doing that. So, they're probably going to be better than ISPs who, you know, last year we had the legislation go through where ISPs can now sell your browsing data. So you need to weigh up those things to make a choice about who you want to trust more.

Chris: Well, that jumps nicely into my next question. How do you recommend your readers go about shopping for a trustworthy VPN service provider? What are some red flags to consider when making your decision?

Pete: So, I think go and read reviews about the VPNs and read them on multiple sites. I always say, you don't have to just read bestvpn.com, although we try to do our best.

Chris: Sure, [crosstalk].

Pete: But I think if you're seeing consistently good reviews of certain VPN then that means something. And also, at this point, I think smaller VPNs are having more and more of a difficult time. So, the big VPNs, since they got so many customers, they're obviously doing something right. So, I think this happens with most markets anyway, but I think the bigger players are starting to get stronger and stronger as we go on. So, I think big brand names are quite reliable at this point just because it's become such a big market.

Then usually the comparison sites will have already reviewed any, sometimes there's been academic papers out about which VPNs do like ad tracking. This is especially an issue on mobile about which VPNs actually leak some data because of ad tracking. So, we've gone through those academic papers, we've distilled them, we've written articles about them. So, I think if you're looking through these comparison sites, they're going to have some pretty good information. They're going to have historic information built up about what's happened in the industry. So, I think that's a good place to start.

Chris: What can you expect to pay for a VPN? I mean obviously, it varies depending on what you need. But what's like an average cost if someone's looking to buy one for the first time?

Pete: I think if you're paying month by month, then expect between $5 to $15 a month. If you're willing to pay upfront, then you can get as low as about $3 a month to maybe even $2 but that's getting into cheap territory, so you never know how long that's sustainable.

Chris: Yeah, right. So for people who still think, as we said before, of VPNs as just a way to stream content from other countries and stuff, what are some of the more interesting uses of VPNs that you've been seeing that people might not have thought of?

Pete: So this is something we've tried to test but we haven't really got definitive data. But there do seem to be instances where certain websites will, we don't know how they do it, but based on your profile that they see, they show different prices for the same product. So, this has been rumored the airlines have done this. So you'll see different prices depending on where you are for a certain airline ticket. So, people have been using VPNs to get cheaper prices on airlines, possibly hotels as well. As I say, there's no definitive data on that, but it could happen.

Chris: It's like they see your browsing data and see that you're already buying high-end stuff and so they feel like they can charge you more for a plane ticket or something?

Pete: Yeah, I think that could well happen. Yeah. If they've got a profile of you that you're a rich person, then yeah.

Chris: Wow. So, we mentioned it very briefly before, but I read somewhere that only 23% of the countries have a free and open internet. So with so many countries access to information being restricted daily by their governments or companies, what roles can VPNs play in situations of helping to view restricted content, criticize dictators, organized civil actions, is that something you've seen or have been involved at all?

Pete: It's a major part. I think maybe the biggest victory for VPNs was when the Arab Springs were happening. So, there's a big, big VPN company who are probably the biggest brand name right now and almost everyone was using them to ... Because obviously, all the Arab governments were blocking access to social media. But with a VPN you could still access them. So, they really spread very, very quickly in those times. And I think that was a real victory to help people to rebel against their governments. That sort of thing is probably happening more and more often.

Chris: Yeah. And I have to imagine that people reading about those things over here probably, maybe it helped to mainstream the idea of VPNs even in countries where you're not getting restricted content all day.

Pete: Yeah. Yeah. Unfortunately, we're not going in a direction where more and more countries have got free internet. We're going in the other direction.

Chris: No, for sure, for sure. So, say you've got your VPN here. What are some security measures that new VPN users should implement when using them? What are some common mistakes that can be exploited by hackers?

Pete: I think out of the box there, they're going to work fairly well. You'd probably make sure that the VPN you choose has got a kill switch in it and it's turned on. So what a kill switch does is if anything happens with your internet connection and suddenly your VPN connection drops, then it blocks all internet traffic so you don't leak anything, which is a really useful feature. And what I always say is along with a VPN, you should probably be using an ad blocker as well or just one of those tracking blockers because that's one way where a VPN can't really help you to be leaking information to advertisers. So, using an ad-blocking software or tracking blocking software plus a VPM that's covering a lot of your basis. So those two in combination are really good.

Chris: Okay. So, between those two you're more covered than not, it sounds like there's not-

Pete: Definitely.

Chris: Okay. So as we wrap things up, where do you see VPNs going in the future? Do you see more regulation, other applications that aren't currently being utilized, and what does BestVPN planning on doing to sort of address these future applications and expansions?

Pete: So I think we're just coming up to the market becoming mainstream. So, you're probably starting to see VPN adverts in some fairly mainstream places now. I think that's going to continue over the next few years. So the VPNs are going to become like common knowledge that this is a product that exists, this is what it does. So I still think there's a lot of people who still haven't heard of a VPN or I don't know what it does, who you will start to know what it is. So there's a lot of growth left there. In terms of use, as I said multiple times, I think the internet isn't going in a direction where it's becoming more free. So, let's say for me personally, let's say that's unfortunately business-wise it might be good, but I don't think it's a good thing. But it's likely VPNs are going to be needed more and more.

Chris: I was going to wrap there, but it made me think of another thing. When you think of things like say marijuana legislation, you had these sort of small growers and small people and then as it becomes more and more mainstream you start getting sort of like corporate people, you know, tobacco industry might want to come in. Is there a chance that, in the case of VPNs, you have these sort of small companies who are invested in the idea of privacy? Is there a chance that the concept of VPN could be sort of co-opted by larger tech companies that want to get in on the action but maybe don't have the same, I don't know, a mission statement?

Pete: So it's a weird one because the entire market is built on trust and privacy. So, there have been attempts by let's say, big Silicon Valley corporations of launching VPNs. Actually, Facebook has got their own VPN, but they don't really take off because there's a disconnect between those businesses and privacy, so-

Chris: Okay. So people are still seeing through it more or less?

Pete: Yeah. Yeah. So, I think it's going to be very difficult for a business who isn't that trustworthy to be able to build a VPN properly. So you need to build that trust with customers and you know, they always say trust is really, really hard to build and you can break it in a moment. So, that's what you need to keep in mind. If it hasn't been broken for a long time, then these VPN companies are doing something right.

Chris: That's great. Pete Zaborszky, thank you for being here today.

Pete: Yeah, thank you for having me.

Chris: Okay, and thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. Podcast listeners can also go to infosecinstitute.com/podcast to see our current special promotions. Finally, if you'd like to try our free security IQ package, which includes phishing simulators you can use to fake Phish and then educate your colleagues and friends in the ways of security awareness, visit infosecinstitute.com/securityiq. Thanks once again to Pete Zaborszky and thank you all for watching and listening. We'll talk to you next week.