Commercial VPNs prey on ignorance as well. They frequently talk about “keeping you safe from hackers”. When is the last time sensitive data was intercepted due to lack of TLS? Twenty years ago?
VPNs do nothing to protect from the most common and serious threats - data breaches, spear phishing, any/all of the other myriads of ways users are tracked online, etc.
I’m also of the belief that security services take a closer look at VPN traffic (like some Tor exit nodes) that also happens to make their jobs easier by concentrating the data for them.
Commercial VPN services certainly have some valid use cases but for the vast majority of the population they effectively do nothing or worse.
If there’s any benefit to their proliferation it’s in the security service case. Now that all of your non-technical friends have signed up for ExpressVPN because they heard about it on a podcast there’s just that much more data to sift through. Not that security services can’t handle vast amounts of data… I’m just certain that from a classification standpoint intercepted data coming out of a VPN (and certainly Tor exit) is likely classified higher for analysis, potential manual review, etc. Much bigger haystack in the VPN/Tor case.
Two decent use cases are out-of-region TV and hiding your unencrypted traffic (URLs) from your ISP (as you say you don’t hide it from your VPN provider, but they don’t know your address). Also sites you visit don’t get your location.
Personally, given the kinds of friends I have, a VPN hides my traffic from them when I’m on their WiFi. But I don’t need a commercial VPN for this.
The out of region TV is a use case but I wonder how long before this turns into a cat/mouse game between VPN providers and streaming services/content providers. I am pleased to see (when I have to sit through these ads on podcasts) that providers have seemed to start emphasizing this use case instead of their dubious security related benefits.
This is kind of my point - now if a law enforcement or security service wants to get access to a treasure trove of traffic and analytics that is likely significantly more interesting to them than general ISP traffic they send an NSL or equivalent to a VPN provider and have it all nice a collected for them. That said, DoH appears to finally be gaining some traction (default on Firefox, IIRC).
Hah, I’m a little curious about what kinds of friends you have for this to be of concern :).
> The out of region TV is a use case but I wonder how long before this turns into a cat/mouse game between VPN providers and streaming services/content providers.
This cat and mouse game has been going on for a while. I actually subscribed to Expressvpn for my kid, who likes to watch tv in the languages he grew up with: he says their customer support is really good for this use case. (This reminds me he’s now old enough to pay for this himself).
After Tom Scott made a video about VPNs[1], apparently a lot of VPN company executives got together to rethink how they market their product. He mentions that the reason there are so many VPN ads is probably because they are VC-funded, so perhaps the gravy train will run out for these companies some day.
It's odd to me that they have pivoted to marketing VPNs for out-of-region TV, because that's against the terms of service of pretty much every streaming provider. I guess if the ads don't mention a name, they can say "oh we expected you to find a streaming service where that's not illegal, not use Netflix."
No one is going to admit it upfront but I imagine that there is a huge number of people who use a VPN as their defacto means to torrent.
Additionally unfortunately at least in the United States a lot of ISPs snoop on your traffic, so you can avoid throttling and achieve some semblance of net neutrality by running everything through VPN (assuming of course that VPN doesn't do any throttling).
Obviously your IP records may be available, depending on whether or not the VPN keeps logs, but in general most cease-and-desist requests for torrenting go after the low hanging fruit e.g. people who don't obfuscate their IP address at all.
Commercial VPN services certainly have some valid use cases but for the vast majority of the population they effectively do nothing or worse.
If there’s any benefit to their proliferation it’s in the security service case. Now that all of your non-technical friends have signed up for ExpressVPN because they heard about it on a podcast there’s just that much more data to sift through. Not that security services can’t handle vast amounts of data… I’m just certain that from a classification standpoint intercepted data coming out of a VPN (and certainly Tor exit) is likely classified higher for analysis, potential manual review, etc. Much bigger haystack in the VPN/Tor case.