back to article 'Get a VPN to defeat metadata retention' is good advice. Sometimes

With the kind-of-launch of the Australian government's telecommunications data retention regime, there's been a plethora of advice everywhere – from “lad mags” to the tech press to political parties – with one theme: “get a virtual private network” (VPN). Which moves Vulture South to idly wonder: do people know that a VPN on …

  1. spy

    why don't you have a vpn on the laptop?

    I realise the point being made, that to blindly trust a vpn on your phone is a bad idea. But surely installing a vpn on your laptop is not that difficult. Tunnelblick is easy enough.

    And you should always use it, not just when you want to hide your internet usage, otherwise you're still giving away useful information through the omission of observable traffic.

    1. Anonymous Coward
      Anonymous Coward

      Re: why don't you have a vpn on the laptop?

      I can speak from experience that sometimes you want to avoid that. Routing through a VPN adds overhead to your bandwidth usage, which can be problematic with a tight data cap. Second, there was the already-mentioned matter of lag, which can be raised to the point of timeouts. If your data allowance is generous and underlying service reliable, then yes it's a good idea, but if you're heading someplace new and are not sure about that, give it a test first. You may find it better to just stick to basic browsing for the news and otherwise go dark (no banking and such).

      1. DainB Bronze badge

        Re: why don't you have a vpn on the laptop?

        What ? Surely if you going "someplace new" you simply must have VPN client installed on your end device ?

        In-built Android lt2p client acts the same by the way.

        1. Anonymous Coward
          Anonymous Coward

          Re: why don't you have a vpn on the laptop?

          "Surely if you going "someplace new" you simply must have VPN client installed on your end device ?"

          Having it isn't the same as actually being capable of using it. Like I said, a laggy connection or a tight data cap can render the system impractical.

  2. clod computing is big
    FAIL

    wrong test

    tl;dr The actual IP address your traffic is coming from is a more reliable indication of whether the VPN is in play than latency measured by ping.

    Wouldn't the ip address reported by visiting an external site such as http://iplocation.net on the device you hope is protected by the VPN be a far more direct and reliable indicator of how your traffic is being routed?

    If it's the router/ISP assigned address, you have zero protection; if the ip address is assigned to the VPN provider then you are in better shape.

    A phone web browser or ssh client *might* with any luck be directed to a vpn tunnelling application running on the phone but it's unlikely that the authors of your devices "hot spot" app would have written code to look for a VPN application and route through that application if one is running. Not that it's a lot of work.

    At home, I have an independent wireless network through PIA using a separate wireless device running openvpn on tomato firmware. Every device connected to that network has all traffic directed through PIA making it harder for our data slurpers. Otherwise I assume I'm under surveillance and act accordingly - wearing my tinfoil hat and underpants.

  3. jamesb2147

    I'd disagree with your conclusions

    People should still be advised to use a VPN, but saying "there, that fixes our shitty policy ideas!" isn't really something that is worthy of broadcasting on TV.

    Average Joe: "Wait, if I can do this, can't the terrorists?!"

  4. Winkypop Silver badge
    Happy

    Learning much about VPNs

    Thanks Richard, and chewy on ya boot to George Brandis et al.

  5. cantankerous swineherd

    just had a squint at http://ics-openvpn.blinkt.de/FAQ.html where they say tethered connections don't go via VPN. no explanation given, but presumably they know why?

  6. Bryan444

    These benchmark is more complicated than you think

    Firstly, we have to define which VPN server is tested.

    Sometimes you have VPN with a foreign IP but this is just a "virtual IP" localised in your country. That mean you could get a Romanian IP physically localised in UK.

    Lot of VPN use these bullshit technology which is not protecting user from metadata retention. If you ping a VPN server very far with a ping less than 75 ms that's bullshit. I know that's my VPN provider ActiVPN is having real servers in real physical location.

    Secondly,

    it's impossible to compare 4G and DSL network based on ping, for the reasons it takes different network route to the VPN servers and it depend on processor power an app loaded on the smartphone. If smartphone get a lot of app running, software will be less focused on VPN app, so ping will be increase.

    Thirdly, on smartphone, there is not WebRTC protection which leak your real IP when you're surfing., so be careful. That's a bad idea to use it for web surfing, but it is prefect for eavesdropping protection including metadata.

    Quaterly, comparing ping based on WiFi with a smartphone and a MBP, could be biaised by WiFi signal level on each devices, because we know that stronger WiFi signal is, stronger speed is, so the signal on each devices must be the same to make these test, is that right ?

  7. ulbdd
    Holmes

    Why tethered traffic doesn't go through a VPN

    3GPP cellular standards (2G/3G/4G) can support several "Packet Data Network" (PDN) connections at the same time. Each PDN appears to the device as a separate IP interface. Some PDN are for administrations or specific purposes and access to them are limited to specific applications.

    How many PDNs are used and for what can vary depending on the operator.

    For example, a LTE network could use:

    - an IMS PDN for IMS functions (SMS, VoLTE). That's standard. Access limited to IMS software, and in some case this PDN can even be terminated on the modem chip (not visible from the AP);

    - an administration PDN, for device management (using OMA-DM typically);

    - a PDN for Internet connectivity. That's the one for the user traffic, most of the time. That's the one PDN the VPN software will intercept.

    When you enable tethering, on many operators it lead to a specific PDN being activated and used for this traffic. It's a new interface, and the VPN doesn't handle it at all. One would need the PDN to trap this new PDN creation and insert itself in the flow, but that doesn't seem to be supported.

    Bottom line: you need to run a VPN on all tethered devices to be fully protected.

  8. batfastad

    Hello Darkness My Old Friend

    Good old HTML 4 default table styling... I have missed you!

  9. Anonymous Coward
    Anonymous Coward

    VPN provider trustworthiness?

    I understand why doing business via VPN makes sense, and running one's own VPN server somewhere can offer some anonymity, but I don't understand why you should trust any of the commercial VPN providers including OpenVPN.

    You buy their services using your credit card and trust that they neither keep logs nor share metadata with the security services and other criminal organisations. But they can do what they want with your information.

    Why do people recommend using commercial VPN services? Why do people trust them?

    1. Charles 9

      Re: VPN provider trustworthiness?

      Because at SOME point you're going to have to trust SOMEONE. If you go into full Don't Trust Anyone mode, the only logical course is to cut off from the Internet and all communications because ALL of them rely on some level of trust to operate.

    2. xybyrgy

      Re: VPN provider trustworthiness?

      At least one VPN allows you to buy service with gift cards from retailers paid with cash... [one of the top 5]

      1. czthomas

        Re: VPN provider trustworthiness?

        ...and then you login to their dodgy service that is obviously designed by and for criminals and they can see all your passwords. Nice. That's not paranoia, that's just stupidity.

    3. czthomas

      Re: VPN provider trustworthiness?

      More importantly, your ISP is covered by your country's commercial contract laws and privacy laws.

      What if your VPN gets an offer they can't refuse and turns over all your unencrypted data to the Russian mafia/CIA?

      How do you sue them? Where are your rights to privacy?

      All this "use a VPN" nonsense is just so ironically wrong it's almost funny.

    4. Anonymous Coward
      Anonymous Coward

      Re: VPN provider trustworthiness?

      Hi,

      As owner/developer of CitizenVPN, I have always recommended that you choose your VPN provider as you would choose your accountant or lawyer. Many VPN providers don't disclose who they are or even what country they're operating from, so how is trust possible?

      When I created CitizenVPN I deliberately wanted to do something about that so I have disclosed who is behind directly on the site, motivations and business address etc. Secondly to increase privacy for customers I decided to operate the business from Bahamas which has strong privacy laws, even though the sales and marketing is done through our Danish partner-company.

      This brings two benefits: Avoids the EU logging directive (which is now largely defunct) and makes it difficult for EU or USA to put pressure on us to disclose information, and second allows the customer to purchase from a Danish company so therefore under Danish consumer-protection (which is very strong in Denmark). It also creates a barrier between the customer-records and the servers (which do not log IPs anyway), the servers are owned by the Bahamas company and the customer-records are owned by the Danish company, so if authorities want to try to correlate anything they need court-orders from both countries (and possibly from 3, if you connect to e.g. UK server). We also only use 3rd-party payment processors so we don't keep any credit-card details etc. (we ONLY need and email address and this can be a throwaway if you like).

      Furthermore we allow payment with Bitcoin if you want to be really anonymous.

      So as someone else has already pointed out: At some point you need to trust *somebody*. We hope that we can help to make that choice easier.

      I hope you will check us out!

      Have a nice day.

      Tobias

      CEO

      CitizenVPN

  10. czthomas

    I think it would be more important not to discuss the performance and efficacity of VPN services, but to discuss what it is people imagine a VPN can do in relation to the Data Retention Act.

    ...because as a person who has both read the Act and understands VPNs, I can't for the life of me see why you think they are relevant...

    VPNs do not encrypt the Communcations made using a Service that comes under the Act.

    VPNs encrypt communications that pass over the top of Service that is subject to the Act.

    And s187A,4, spells out in black and white that such communications aqnd services are not subject to Data Retention.

    So you are subjecting yourself to poor performance and data insecurity issues (you don't trust your local telco, but you trust an anonymous foreign VPN provider...? srsly?) for no purpose whatsoever.

  11. Anonymous Coward
    Anonymous Coward

    The point is...

    ...you diversify your network footprint.

    There is nothing (but practicality, of course) preventing you from spreading your internet activity across VPN endpoints in different jurisdictions.

    Invincibility is something that only fools (and RDBMS vendors trying to get a foothold in the OS market) try to trade in. The best you can, and should, aim for is to redress the imbalance that is created by the aggregation of our day to day activities onto a single medium.

    I've always known people can legally or illegally snoop on my snail mail. I know there is nothing I can do to make a paper envelope invincible. This has always been so, and because of this I manage what I send.

    People can legally and illegally break into my home. I know there is nothing I can do to make my home invincible. Knowing this, I manage what I leave lying about.

    Law enforcement - and criminals - have been increasingly advantaged by our aggregation of our private lives onto online services and all we should expect from VPNs (and the use of diversified online services) is the ability to fragment this aggregation.

    Getting angry at VPN for being imperfect (or online service providers, for that matter) is ridiculous. Similarly ridiculous is "educating" users that one approach (or service) is the panacea. It is incorrect, it encourages the politically-expedient notion that anything that supports privacy makes kiddy-fiddlers and jihadists "invincible" against law enforcement, and it denies our innate ability to manage (and be responsible for) our own risk profile when given usable tools and an understanding of their benefits and limitations.

  12. Anonymous Coward
    Anonymous Coward

    CitizenVPN has real physical servers in each country and also an Android app that connects with SSL (OpenVPN). Don't do ping/latency analysis it is inaccurate, just go to a citizenvpn.com/ip to see your current IP address and install the client directly on your laptop instead of relying on the phones connection.

    1. Anonymous Coward
      Anonymous Coward

      And how can we trust you're not lying? Web pages, IP addresses, even pings and route traces can all lie.

  13. Anonymous Coward
    Anonymous Coward

    "Use a VPN" not great advice

    "Sensibly blocks traceroute" --- It's simple enough to use other tools to trace the packet's hops. So all this does is deny a useful diagnostic facility to actual users. By all means rate limit traceroute, but blocking shows a quaint naivety.

    I'm not sure that "use a VPN" is great advice compared with "nothing on the Internet is private anymore". The basic conceit is that a little bit of software will defeat the efforts of the Three Letter Agencies. In the post-Snowden age it's clear that this conceit isn't realistic. Even if the NSA finds it difficult to break encryption itself (and it spends vast resources doing exactly that) then the infrastructure surrounding encryption is just so much Swiss cheese.

    For example, if ASIO really cared they -- or their Five Eyes partners -- would own that VPN server through a zero-day exploit. Or simply tap the links into and out of the VPN server and coorelate the encrypted and plaintext traffic using pretty basic traffic analysis.

  14. Mage Silver badge
    Pirate

    Most VPNs arn't for security?

    Mostly people seem to be using them so as to seem to be in a particular country so as to to use a geolocked streaming service. Not for security.

    It makes sense to use one ON your end point client if you are using random WiFi point, or ethernet. Put the VPN on port 80 and then you beat all local port blocking and can use POP3 & SMTP and whatever else via your home VPN server.

    I can't see how it does ANYTHING much for security at home or business to use random 3rd party VPN provider. I trust my own ISP better with my credit card and traffic than some random foreign outfit really set up to provide bypass to geoblocked streaming rather than security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Most VPNs arn't for security?

      If your government suddenly decides it is in your interests that they force your ISP to store records of all the web pages you visit (yes although the police and certain other agencies will only be able to request the sites you visit without a warrant. WIth a warrant they will be allowed to see the pages too).

      A well chosen VPN is a good way of ensuring your ISP only stores a list of VPN servers.

      I also use a VPN (and a virtual machine) if I want to browse the web without no script and an adblocker - which is something I do to help support free sites such as this one. This helps to confound ad tracking.

      So they don't provide security but can be a useful tool in enhancing your online privacy.

      Very little will protect you if you are an active subject of interest for any state(like) organisation. VPNs can help defend you from the random slurp though. Also the more people that use them, the less you stand out.

  15. SinkHole

    ISPs can still log browsing history even with VPNs

    I use a VPN because I don't like the idea of people looking over my shoulder, and because I don't trust the future with my browsing history. Far from perfect but better than handing it on a plate to my ISP.

    Recently I found that my VPN service was not performing as it has in the past - for example I could browse bbc.co.uk and iPlayer while logged in from Mexico. Much head-scratching as I am no network expert, however some googling suggested that my DNS requests might be being hijacked.

    I recently upgraded my modem/router and discovered that I had not updated the DNS service in the router from BT's standard DNS ("Get from ISP") to OpenDNS or Google's service. After changing the DNS to Google, suddenly all was well again with my VPN service.

    My take is that BT were hijacking my DNS requests, and serving up what they thought I should see. I ask for "bbc" and I get directed to the ".co.uk" website - even though my IP address is showing as Mexico City.

    So, every web address I was entering was going through BT's DNS and may be logged "for training & quality purposes", or to be "anonymized" and flogged on at some future date. This made me unhappy.

    I tested the theory by visiting one of the more popular torrent sites. Sure enough I got redirected to a message from the UK High Court. This made me very unhappy, as BT is censoring my internet connection.

    From this experience I'd say that a VPN offers some protection, but does not necessarily prevent your ISP from logging the sites that you visit, or redirecting you as they see fit. DNS requests can be sent outside of your VPN tunnel, meaning your DNS provider is in control, and is watching where you go.

    I changed my DNS to google's service and all was well again... for now anyway.

    SH

  16. Andy 66

    Blame the telcos

    I put my distrust in the telcos for this - I get 4G+ on my phone with speedtest mobile app showing 80MB+ on download and 45MB on upload. Tether my laptop to the phone on classic or vpn and I can only get 10MB down and 1MB up.

    They don't want data hungry computers sucking up all their bandwidth

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like