Virtual private network tools maintain your online privacy and security. There are many reasons why you should use a reliable VPN service. You can hide your browsing activity from your ISP, download torrents safely, or unlock streaming services like Netflix or BBC iPlayer. But you might wonder if your VPN is being monitored to compromise your privacy and security.
In this article, we examine virtual private network services to see how third parties can watch them. Then, we show you real-world examples of breached privacy among VPN users. Finally, you will learn seven uncomplicated ways to protect yourself from surveillance utilities.
To understand how VPN is traceable, we must break it down to see how it works. Then, we can examine the vulnerabilities of each part of the VPN engine. By identifying the flaws, we can figure out how someone can exploit them to monitor your VPN traffic.
How VPN works
Data that passes through a VPN server is encapsulated into encrypted layers so that it can safely travel across the public Internet until it reaches its destination. Every action you do on the web registers as a connection request. Visiting a site or downloading a file are just a couple of examples. And every connection request comprises numerous packets of data. What a VPN does is individually encrypt the data packets.
1. Once connected, your VPN client creates a secure tunnel to the VPN server. Everything that goes through this tunnel is invisible to anyone that might be watching.
2. Your VPN client encrypts the message before relaying it to the router.
3. The router forwards the message toward the VPN server.
4. Before the message reaches the VPN server, it must pass through your ISP.
5. The VPN server acts like the middleman between you and the remote computer you are trying to contact. It conceals your IP address and makes all Internet-enabled devices think that you are using a different IP address (the one supplied by the VPN server). Plus, it must decrypt the message once it safely arrives at the intended computer.
Can VPNs be monitored
If you worry that your VPN activity is traceable, five main groups come to mind: your VPN provider, ISP, employer, government, and hackers. But you should understand there are only two parties in a VPN relationship: you and the VPN provider.
Let us explain. When you connect to the Internet without a VPN (an ordinary connection), you must trust that your ISP is not snooping around. Using a VPN merely transfers that trust to the VPN provider: it has the same power as the ISP but supports online privacy. You must believe that the VPN company is not breaking its terms of confidentiality to betray your confidence.
By your VPN provider?
Virtual private network providers have all the necessary networking tools to monitor VPN traffic. Part of the logged info is harmless, such as the number of users, anonymous crash reports, and speed tests used to improve the product. And some VPN services give you the possibility to opt-out of these anonymous reports if you do not feel comfortable sharing them.
However, it becomes problematic when the VPN provider starts collecting data about:
- Yourself: email address, full name, home address, credit card details, purchase history.
- Your VPN connections: your home IP address, the IP addresses of the VPN servers you connect to, start and end time of your VPN sessions, amount of transferred data.
- Your online activities while connected to VPN: applications used for VPN (like torrent clients), visited sites, downloaded files (file name, size, checksum).
Therefore, it is crucial to find a VPN service that adopts a strict no-logs policy. The company should also have safe jurisdiction, be out of the reach of the 5, 9, 14 Eyes alliances, and reside outside any country with data retention laws.
By your ISP?
When taking another look at the VPN path that we previously described, we can notice that the ISP is involved in step 4. Your ISP can see the size of traffic that flows through its servers. It might also be able to tell that you are using a VPN service. However, it cannot know what you are doing, who you are talking to, or which remote servers you are communicating with. It is all thanks to VPN encryption.
If you ever receive a DMCA notice from your ISP related to a suspicious activity like torrenting (although you used a VPN), there are two possible causes:
- There is something wrong with your VPN service. It is not configured correctly or leaks your IP address by design.
- Your VPN provider tipped off your ISP somehow. Perhaps a law firm working on behalf of the movie production company compelled the VPN provider to hand over your personal details. In turn, the VPN provider contacted your ISP. Whatever the case may be, it means that the VPN company lied about the no-logs policy, and you should look for a more reliable product.
By your employer?
If you use a VPN client configured by your employer to connect to the office while you are at home or traveling, then yes: your VPN activities will be visible. It is why some employers explicitly warn employees about not downloading torrents with copyright content while connected to the office via VPN.
Now let us look at the issue the other way around. If you are at the office and wish to hide your browsing activities from your employer by connecting to a VPN service, it depends. If the company registers all desktops on an intranet server, then all data traffic passes through the intranet before reaching the public Internet.
Your VPN client cannot establish a secure tunnel to the VPN server without its traffic passing through the intranet. What happens next depends on the hardware and software installed on the intranet server, including network surveillance tools. Besides the fact that your employer can tell you are using a VPN, they might also see sites visited and applications used for VPN (including torrent clients).
On the other hand, your office intranet might not constrain your computer. And, if you have full admin rights, you can use a VPN service to protect your privacy just as if you were at home.
By your government?
To see what you are doing, government agencies must consult the ISP. Since the ISP can tell that you are using a VPN, the government will know, too. What happens next depends on the laws of your country. Thus, it is essential to find out if anonymizers like Tor and VPN are legal where you are living and where you are traveling.
Aside from the fact that you might be using a VPN to access blocked sites or download content forbidden by law, you must understand that governments have unlimited resources. If the technology exists and if they want to acquire it, they will definitely use it.
If interested, political groups can find out a lot of things about your VPN activities, even without the help of the VPN provider. Firstly, if the VPN protocol is weak enough, it can be cracked to decrypt your traffic. Secondly, the agency can build a profile about your online identity based on various patterns: where you connect from (home, work, public place), when you join (at night, during weekends), and so on.
It makes more sense to ask yourself about whether or not VPNs can be hacked. There are many ways for hackers to get hold of your data, even if a VPN is guarding it. It depends on the security level of the VPN service, like encryption, leak protection, and kill switch.
Some VPN protocols are incredibly weak and susceptible to man-in-the-middle attacks. For example, PPTP can be hacked by the NSA with minimum effort. And reports suggest that IPSec connections are just as vulnerable.
Other factors are equally important. For instance, a hacker can put together a fake Wi-Fi hotspot or rogue access point to trick you into signing into their network so that they can acquire your login credentials. Therefore, it is critical to take precautionary measures and learn about hacking methods to spot the signs.
Examples of monitored VPN traffic
In 2013, Facebook purchased Onavo, a mobile web analytics group, which featured a VPN service called Onavo Protect. As it turned out, the social media giant used the so-called privacy tool to monitor mobile users and find out their app preferences. Considered spyware, Onavo Protect was removed from the app stores of iOS and Android in 2018 and 2019, respectively.
In 2017, the FBI pursued a cyber stalker with the help of PureVPN. At that time, PureVPN’s terms of service specified that the company does not keep track of user activity or collect logs. In its current form, the policy states that PureVPN does not have any data to share, even when asked by law agencies.
We pointed out in our Kaspersky Secure Connection review that the company site claims it does not log VPN usage details. However, upon closer inspection, we found out something interesting and equally disappointing. The company will help law agencies reveal your identity if you breach its contract. This cannot be done without exposing your IP address, which means that the company lied on its site.
Deep Packet Inspection
Deep Packet Inspection (DPI) is an advanced technique used to monitor and filter network packets. If applied correctly, it can help break down both the header and data of a packet. A header contains application info like usage and source or destination IP addresses.
Many ISPs use DPI as a network surveillance tool. They can inspect the Internet connections established by customers to discover not only the source and IP address or application used but also the exact contents. With DPI, your ISP can see exactly what you do on the web. It is particularly dangerous for users living in countries with harsh Internet censorship laws, like China or North Korea.
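To make the split between header and data concrete, here is an added example (not part of the original article) that parses a raw IPv4/UDP packet the way an on-path observer would. It shows that addresses, port and size stay readable even when the payload is encrypted; the sample packets, addresses and the port-to-protocol table are constructed for illustration.

```python
import math
import socket
import struct
from collections import Counter

# Conventional default ports of two VPN protocols; a hint only, ports can change.
VPN_PORTS = {1194: "OpenVPN", 51820: "WireGuard"}

def entropy(data):
    """Shannon entropy in bits per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def observe(packet):
    """Return what an on-path observer can read from a raw IPv4/UDP packet."""
    (ver_ihl, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("this example handles IPv4/UDP only")
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:total_len]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "dport": dport, "size": total_len,
            "vpn_hint": VPN_PORTS.get(dport),
            "payload_entropy": round(entropy(payload), 2)}

def build_packet(src, dst, dport, payload):
    """Build a constructed sample packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

# Constructed samples: readable text vs. a uniform stand-in for ciphertext.
PLAIN = build_packet("192.168.1.20", "198.51.100.80", 8000,
                     b"user=alice&query=vpn+reviews")
TUNNEL = build_packet("192.168.1.20", "203.0.113.10", 1194, bytes(range(256)))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("tunnel", TUNNEL)):
        print(name, observe(pkt))
```

For the tunnel packet the observer still learns the VPN server address, the port and the packet size, which is why the ISP can tell that a VPN is in use without reading the contents.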
How to protect yourself from VPN monitoring
Below are seven simple measures to help you keep your VPN traffic safe from surveillance tools and hackers. Let us take a look:
Let us take Kaspersky’s example: the homepage says that Kaspersky Secure Connection will not log your activities, but the “Application usage restriction” page reveals that the company will not hesitate in helping law enforcement agencies find your identity. Discovering your identity cannot be possible without using your home IP address, which the VPN company promised not to log.
Similarly, make sure that the VPN company resides in a country with favorable data retention laws and outside the 5, 9, 14 Eyes surveillance groups.
2. Select a secure VPN protocol with high encryption
Some VPN providers no longer list the levels of encryption available for each featured VPN protocol. Therefore, you should look up this info on their website or get in touch with the help desk. Many experts believe that OpenVPN is the best protocol for virtual private network services, as it combines speed and security.
Go with OpenVPN whenever possible. It has no known security flaws when it is configured correctly. It features up to 256-bit encryption, 2048-bit RSA authentication, 160-bit SHA1 hashing, Perfect Forward Secrecy, along with full IPv6 support.
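As an added illustration of what "configured correctly" can mean in practice (this is not code from the article or from the OpenVPN project), the following script audits an OpenVPN client configuration for a few settings. The choice of checks and both sample configurations, including the placeholder hostname, are assumptions made for the example.

```python
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC"}
WEAK_AUTH = {"NONE", "MD5"}

def parse(config_text):
    """Map each directive to its arguments; skip blanks and #/; comment lines."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(config_text):
    """Return a list of findings for an OpenVPN client configuration."""
    opts, findings = parse(config_text), []
    listed = opts.get("data-ciphers") or opts.get("cipher") or []
    ciphers = {c.upper() for arg in listed for c in arg.split(":")}
    weak = sorted(ciphers & WEAK_CIPHERS)
    if weak:
        findings.append("weak cipher allowed: " + ", ".join(weak))
    if not any(c.startswith("AES-256") for c in ciphers):
        findings.append("no 256-bit AES cipher configured")
    digest = (opts.get("auth") or [""])[0].upper()
    if digest in WEAK_AUTH:
        findings.append("weak 'auth' digest: " + digest)
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("'remote-cert-tls server' missing")
    tls_min = (opts.get("tls-version-min") or ["1.0"])[0]
    if tuple(int(p) for p in tls_min.split(".")) < (1, 2):
        findings.append("tls-version-min is below 1.2 or not set")
    return findings

# Constructed sample configurations (hostname is a placeholder).
WEAK = """client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
auth MD5
"""
HARDENED = """client
dev tun
remote vpn.example.net 1194
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
remote-cert-tls server
tls-version-min 1.2
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("FINDING:", finding)
```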
3. Enable leak protection and perform leak tests regularly
IP and DNS leaks happen when your VPN service exposes your home IP address and DNS server to the Internet. It means that your VPN defenses are defeated and anyone can intercept and monitor your exposed information.
But some VPN services come with protection features against IP and DNS leaks. WebRTC leaks can only be controlled using the web browser, so you have to check browser settings, too. Make sure to run leak tests from time to time, especially if your VPN client received an update recently (there might be unexpected bugs).
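The check behind a leak test can be sketched as follows; this is an added example, not code from the article. It assumes you have already collected the DNS resolver addresses reported by a leak-test page and the ICE candidate lines your browser produced for WebRTC, and that you know your VPN's exit range; all addresses below are constructed from documentation ranges.

```python
import ipaddress
import re

# Local-only ranges: seeing these does not reveal your public address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# ICE candidate: foundation, component, transport, priority, address, port, type
CANDIDATE = re.compile(r"candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\w+)")

def outside_vpn(addr, vpn_nets):
    """True if addr is a public IP that does not belong to the VPN exit range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP, e.g. a browser-masked "<uuid>.local" name
        return False
    return not any(ip in net for net in LOCAL_NETS + vpn_nets)

def find_leaks(vpn_ranges, dns_resolvers, ice_candidates):
    """Return (source, address) pairs that expose a non-VPN public address."""
    vpn_nets = [ipaddress.ip_network(r) for r in vpn_ranges]
    leaks = [("dns", r) for r in dns_resolvers if outside_vpn(r, vpn_nets)]
    for line in ice_candidates:
        m = CANDIDATE.search(line)
        if m and outside_vpn(m.group(1), vpn_nets):
            leaks.append(("webrtc-" + m.group(2), m.group(1)))
    return leaks

# Constructed sample data using documentation address ranges.
VPN_RANGES = ["203.0.113.0/24"]
RESOLVERS = ["203.0.113.53", "198.51.100.1"]  # the second is the ISP's resolver
CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host",
    "candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-000000000000.local 50001 typ host",
    "candidate:3 1 udp 1686052607 198.51.100.23 50002 typ srflx raddr 192.168.1.20 rport 50002",
    "candidate:4 1 udp 1686052607 203.0.113.77 50003 typ srflx raddr 10.8.0.2 rport 50003",
]

if __name__ == "__main__":
    for source, addr in find_leaks(VPN_RANGES, RESOLVERS, CANDIDATES):
        print(f"LEAK via {source}: {addr}")
```

Running the same comparison after every VPN client update catches regressions of the kind mentioned above.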
4. Activate the kill switch and split tunneling
A kill switch is a mechanism that some VPN apps possess to stop all Internet traffic (including non-VPN transport) in case the VPN connection drops unexpectedly. It protects you from any dangers lurking around, waiting for you to step outside the private network. No Internet means no data breaches to worry about.
Split tunneling comes in handy, mainly if you are using a computer with older hardware. The newest VPN services can demand a high amount of network resources when using a robust protocol. If all Internet-access applications use the VPN, it can slow down your system to a halt and maybe result in sudden VPN disconnections and IP leaks. But you can enable split tunneling to control which apps should connect to the VPN.
5. Obfuscate VPN traffic to hide that you are using a VPN
We mentioned the dangers of using virtual private network services in countries with strict Internet laws that forbid the use of VPN. A man in China was sentenced to five years in prison and forced to pay a hefty fine for selling a VPN to circumvent censorship, which is illegal under Chinese law.
But there are ways to hide the fact that you are using a VPN. Some VPN services support obfuscation, an option that you can enable to make VPN traffic indistinguishable from HTTPS traffic. If someone watches your activity with specialized software, they would only see that you are trying to protect your privacy by accessing HTTPS websites. It is a terrific method for bypassing firewalls and other Internet filters.
6. Use VPN over Tor to conceal your data from your VPN provider
If you do not want to trust your VPN provider with details about your online activity, then you can connect to the Tor anonymous network while connected to a VPN server. Also known as VPN over Tor, it ensures that data flowing through Tor cannot be decrypted by the VPN company. It is an excellent solution to protect yourself from monitored VPN traffic.
7. Switch to a multi-hop VPN service
It is possible to add another layer of security and protect your VPN from hacking. To do this, you can resort to a VPN application that supports multiple hops. Also known as a cascaded VPN connection, here is how it works: you connect to one VPN server, relay your data to another server, and so on (depending on the number of hops). Examples of VPN services that support the multi-hop model are NordVPN, Surfshark, VPNArea, VPN.ac, and Perfect Privacy.
There are many risks involved with virtual private networks when it comes to online privacy. It is possible that your VPN traffic might be monitored by your VPN provider, ISP, employer, government, or hackers. But if you take all the necessary precautions, you can maximize your chances of preserving your online anonymity and surfing the Internet without worrying about who might be watching you.