Virtual private networks (VPNs) have become increasingly popular in recent years, largely due to the Covid-19 pandemic, which accelerated the shift towards remote and hybrid work setups.
Yet, the underlying mechanisms and, more importantly, the benefits they offer may not have been fully understood or appreciated by most.
For many, a VPN remains just an additional step required to gain access to their employer’s internal systems. But for others, VPNs represent a significant enhancement to their online experience.
One popular use is getting around geographical restrictions, known as geo-blocking, especially to access streaming content that may not be available due to regional licensing restrictions.
A longtime VPN user, who wanted to be known only as Chong, says that he’s been using one for over 10 years, mainly to gain access to Japanese-exclusive content.
“The official streams are not available to overseas viewers, so the only option I had was to use a Japanese VPN, and this has not changed over the years.
“If region-locked content were to stop being an issue, then I would probably ditch the VPN, but unfortunately, I don’t see that happening,” he says.
While using a VPN on its own is legal, bypassing geo-blocks is against the terms of use for most streaming services.
Disney+ Hotstar, for instance, states that users should not conceal their actual geolocation, while Netflix has a mechanism in place to detect spoofing.
According to Dr Kuruvikulam Chandrasekaran Arun, a senior lecturer at the School of Technology at the Asia Pacific University of Technology and Innovation (APU), this has created a conflict between VPN service providers and streaming platforms.
“A number of streaming services include service terms that explicitly prohibit using VPNs to access content from a different region. However, a few VPN providers continue to ignore the streaming service terms and allow users to access content from a different region, creating a conflict between VPN providers and streaming platforms,” he says.
In 2022, technology magazine Wired reported that a group of VPN service providers were subject to a lawsuit from 26 film studios over copyright infringement and liability over having enabled piracy for their users.
Additionally, the lawsuit highlighted the VPNs’ advertising claims of bypassing regional streaming restrictions as a violation of authorised distribution and reproduction rights.
However, the consequences for users remain to be seen, as most services, up to this point, have only blocked the IP addresses of the offending VPNs.
Online and on guard
Under the surface of VPNs lies a robust security infrastructure, providing an extra layer of protection against cyberthreats.
According to a Microsoft post, a VPN allows users to access the “public Internet via a secure and private network connection” by hiding a user’s IP address and protecting their personal data.
The data is encrypted – and it’s not uncommon for VPN providers to boast military-grade encryption or AES-256 in their advertising – which makes the information transmitted illegible to eavesdropping third parties.
Using a VPN can also obscure a user’s real IP address, location and browsing habits, limiting advertisers’ ability to use the information to build user profiles and serve targeted ads.
Arun emphasises that VPNs act as a shield, guarding against hackers and malicious actors.
When a connection is established between a user and a VPN, all data transmitted between the sender and receiver is encrypted using a technique called tunnelling.
This ensures secure data transfer, preventing unauthorised access to or tampering with the transmitted information.
“VPNs use protocols like PPTP (Point-to-Point Tunnelling Protocol), L2TP (Layer 2 Tunnelling Protocol), IPsec (Internet Protocol Security), and OpenVPN to establish these secure and encrypted connections.
“When a user connects to a VPN network, it replaces the actual IP address of the user with a virtual address affiliated with the VPN server,” he says.
This allows an employee to remotely connect to an office network and access company data and resources.
VPNs can also be invaluable for frequent travellers who may have to rely on free public WiFi networks, which could pose privacy risks.
In a blog post, NordVPN claimed that a VPN will protect Internet traffic on public WiFi, as anyone snooping on a user’s web traffic on unsecured networks will need to break through a layer of encryption. It also listed some of the common intrusions hackers can orchestrate on public WiFi, including what is known as the man-in-the-middle (MITM) attack.
“The cybercriminal places their device between the connection with your device and the public WiFi hotspot.
“This discreetly allows them to monitor your activity and even control your traffic, potentially redirecting you to a site they created that will fool you into entering your credentials or banking details,” it said.
Also, while overseas, a device’s current IP could be used to set the default language for a website based on the geolocation, which could be a problem for those who are unfamiliar with changing the language.
Users can choose between free and paid VPN services, with the main distinction being that free options typically throttle speeds or impose data caps to limit usage.
Some paid VPNs also offer additional features, including servers in many more countries (for bypassing geo-location restrictions), malware protection, better reliability, a smaller impact on Internet speeds, support for multiple devices, and app- or website-based VPN activation.
Arun advises users to pick a VPN provider with a strong track record and a good reputation for offering trustworthy service.
He also recommends periodically assessing the VPN service’s policies to gain a better understanding of how the specific provider handles user data, as this can change over time.
This includes checks on the provider’s encryption protocols and software update frequency to address security vulnerabilities and ensure an acceptable level of performance.
It’s also important to determine whether the VPN service provider logs activities and stores user data, as a data breach could expose a host of Personally Identifiable Information (PII).
In 2021, Kaspersky reported that a server configuration oversight caused user data from SuperVPN, GeckoVPN and ChatVPN to leak online. The database, which contained information belonging to a total of 21 million users and included details such as payment-related data, full names, usernames and email addresses, was offered for sale on a hacker forum.
Prickly privacy problems
For some, the use of a VPN is all about protecting their online privacy, particularly from unwanted tracking and targeted advertisements.
Such is the case with a longtime VPN user and IT support representative, who wanted to be known only as Navin and highlights his concern about data being sold for targeted advertising as one of the key reasons for adopting a VPN.
Corporations have been exposed for collecting and selling users’ personal Internet browsing data and, in some cases, indicted in court. For example, anime streaming service Crunchyroll had to pay a US$16mil (RM75.4mil) class action settlement to users who subscribed to the service between Sept 8, 2020 and Sept 20, 2023.
The lawsuit asserted that the platform divulged users’ personal information to third parties such as Facebook, Google Analytics, and Adobe Analytics without their consent.
However, subscribing to a VPN service doesn’t always guarantee protection or privacy, as not all provide the same level of service.
This is evident from the lawsuit between the Australian Competition and Consumer Commission (ACCC) and Meta-owned free VPN service provider Onavo Protect. The lawsuit revolved around Meta’s purported use of anonymised personal activity data collected from Onavo Protect users to identify popular rival social media apps and utilise it for business intelligence.
The ACCC also accused Meta of deception, given that the app was promoted as a tool to safeguard personal information. Meta was fined US$13.5mil (RM63.6mil) in the case last July.
According to Arun, while a VPN conceals users’ IP addresses and makes it more challenging for websites to track their activities, this safeguard doesn’t extend to the VPN service provider itself.
“The truth is, a VPN can hide the IP address, but it does not make the user completely anonymous.
“The VPN provider still knows the user’s IP address and sometimes maintains the user’s activity logs. Therefore, anonymity solely depends on the VPN provider’s policies regarding activity logs,” he says.
In other words, picking a VPN provider with a no-logs policy could potentially avoid the issue of user data being sold, as no information is collected in the first place.
Arun advises users to carefully read the privacy policies to gain a better understanding of how a service handles user data and to “find a VPN provider whose security protocols are verified and audited” before deciding on one.
While Arun encourages users to scrutinise the policies, he acknowledges that they can be lengthy and complex.
“I advise them to read at least the FAQ or summary sections offered by some VPN providers, which provide information about the data handling procedures, features, performance, and privacy protection.
“In addition, users can see the reviews and ratings given by some websites that compare VPN providers with others in terms of privacy protection,” he says.
He also recommends reaching out directly to the provider’s customer support team for clarification if needed, adding that they usually respond to concerns promptly.
Another resource Arun highlighted is online forums and communities, where members with more expertise in VPN privacy practices can provide answers.
“Users can get advice from subject experts like cybersecurity or network professionals who can give insights into privacy policies and data handling practices by VPN providers,” he says.
Looking at limitations
While VPNs provide enhanced security, the quality of service may not stay the same. Arun illustrates this with an example of a service provider using outdated security protocols, which could lead to data leaks and compromise user security.
Beyond security, there are also aspects of practicality to consider – with a VPN server rerouting Internet traffic, Arun says that additional overhead can reduce Internet speeds.
“Moreover, security measures in applications like banking and online gaming might prevent them from working well with a VPN.
“Also, technical knowledge is needed when troubleshooting or configuring a VPN, and users with limited knowledge of VPNs might feel challenged,” he says.