Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
Given the tenor of the times, I’ve been investing in my digital security. There is a lot of information out there about virtual private networks, and a lot of it is “do your own research” before choosing a VPN. Why is that? What, specifically, can the VPN prevent my ISP from seeing, if anything?
Thanks,
Tunnel of what, exactly?
Hi Tunnel,
Thanks for asking this question, and I agree with you: The information out there about virtual private networks can be a lot to take in. There are many, many options for VPN providers. Making an informed choice about which one to use, if any, can mean wading through a lot of information. But, to make this choice, it is worth knowing what sorts of information a VPN can protect — and what it can’t.
To get there, it helps to understand how a web request functions. When doing anything online, the first task is to connect to the internet through the services of an internet service provider (as you know quite well from paying your bills). Typing in a web address or using a search engine initiates a process of data exchange between the browser and a server where the content “lives,” with the ISP in the middle.
Understanding which entities are positioned to collect and utilize that data is part of the process of selecting a VPN provider and knowing when to use it. So let’s break down the data available to ISPs when performing their core service of providing internet access:
- To set up an account, ISPs collect personal information like name, date of birth, contact information, billing information, and any other personally identifiable information they deem necessary to provide services.
- To authenticate, authorize, and connect devices to the internet, ISPs may collect device specifications like the router’s machine address, particularly if the router is leased from the ISP itself.
- To manage metered access, ISPs may collect session detail records, including volume of traffic sent and received, and transmission speeds.
- To deliver the content you request, ISPs need access to your web traffic. ISPs may retain logs of what websites you visit.
Worryingly, the companies that own ISPs, which often provide more services than just your home internet, may be gathering device information from third-party affiliates. For example, some ISPs own ad networks and television stations, and others also serve as telecommunication providers. It is not uncommon for ISPs to provide service packages that come along with streaming services. All of these services capture additional information about your viewing habits.
Now let’s take a look at another part of this exchange: the owner of the website. Like ISPs, website owners can collect certain information about who visits their sites. This information includes the requester’s IP address — a unique numerical label assigned to each device on the web, which may be roughly tied to its location.
Likewise, website owners can see which pages the requester viewed within the site, and for how long. While website owners don’t have all the juicy personal and financial information ISPs collect just for the privilege of having someone as a customer, an IP address may give a rough picture of the requester’s location, and therefore enough information to determine that a member of the media may be doing an investigation. This has blown the cover of at least one investigation.
So, while VPNs can obscure the visibility of your data to your ISP, they are not a panacea, in spite of what some providers would like you to believe. But they can protect your privacy and encrypt web requests between a subscriber and the VPN’s servers.
How? When using a VPN, a subscriber’s computer (or phone) forms an encrypted connection — or tunnel — with the VPN provider. Traffic that uses this encrypted tunnel is also encapsulated, which allows your data to be sent across the internet while hiding your IP address from the websites you visit. The kicker here, though, is that the data points described in the list above can be collected by the VPN provider, if it’s interested in doing so.
So it is essential, yes, to do some research. But you don’t have to do it alone. A great place to start is FPF’s in-depth guide to choosing a VPN. It unpacks the hallmarks of trustworthy VPNs and then provides a list of recommendations from our own David Huerta.
Best wishes, and good luck out there!
Davis Erin Anderson