Feds Warn iPhone And Android Users—Stop Using Your VPN

From the Best Practices Document:

Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from the internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.

"Do not use" vs. "do research and use a trusted provider" are two very different arguments, and they've used the one that looks acceptable on the surface level, without considering the broader consequences.

1 Like

They are trying to create fearmongering about VPNs, and it might work. And this space is ripe for mis- and disinformation. I just hope folks find the right source and info for the type of VPNs they ought to use.

7 Likes

It’s important we make ourselves available to people who trust and care about us, so that they feel comfortable inquiring to us about how to best interpret this kind of sly misinformation, and how best to protect themselves online.

This kind of stuff won’t stop, so we need to make ourselves available to be a sort-of front-line defense against this kind of lazy marketing against privacy tools.

5 Likes

Bad password manager recommendations (except Proton Pass) and the worst advice for a VPN

The only correct things in the document are the shifting of trust when it comes to VPNs, the often questionable privacy (especially in free VPNs), and the recommendation for Proton Pass.

Everything else is bleh

To play devil’s advocate, out of the dozens and dozens of VPN providers out there, our community only recommends like 3-5 because of the issue of shifting trust and how much data gets funneled to the VPN provider.

That said, the answer is to acknowledge the good of VPNs and maybe point to the trustworthy options rather than recommend that people should not use VPNs. If I’m being charitable I can see the logic, but it should not come by throwing shade at VPNs entirely. Another concerning move.

5 Likes

That Forbes article appears to be FUD at worst and yellow journalism at best. They're trying to get clicks with a clickbait headline that leads into an article with two different issues (VPN bans and U.S. cybersecurity advice recommendations). The document referenced is a cybersecurity briefing for people considered to be under threat. Shady VPNs are popping up all over the place, and in light of this it's not surprising they wouldn't recommend a VPN, especially as connecting to public WiFi, one of the only benefits of a VPN, isn't something you should really be doing if you're serious about security. They also neglect to mention that CISA suggests using iCloud Private Relay. The Privacy Guides team wrote a great article on MPRs vs. VPNs I suggest everyone read, but suffice it to say that CISA recommending that over a VPN makes sense.

Other recommendations in that document that Forbes glosses over are:

suggestions for encrypted DNS resolvers, including 1.1.1.1 and 9.9.9.9, which are both listed as Privacy Guides recommendations.

A recommendation to use Signal

Suggestions on things to look for in a secure Android phone

Disabling SMS based MFA

Using password managers including Proton Pass. If they were trying to clamp down on VPN usage I don’t think they’d be suggesting a product from a company that’s known for their VPN.

Full document linked in the Forbes article for anyone who hasn’t read it: https://www.cisa.gov/sites/default/files/2025-11/guidance-mobile-communications-best-practices-20251124_508c.pdf

6 Likes

Thanks for sharing the link - anyone reading the article should read this too.

More so a gross oversimplification with some truth to it.

Remember that CISA concerns itself with enterprise cybersecurity far more than personal security or privacy. If an employee uses a random VPN provider to change their Netflix location, that would constitute a security risk if they were utilizing a work computer while doing so. Their suggestion is not wrong per se if you are a company or organization drafting up IT policies.

Following CISA for digital security or privacy advice is like asking a computer science student to diagnose a broken printer or PC. There is such a clear mismatch going on here.

2 Likes

I mean I do think “Stop using your VPN” is sound advice for 95+% of iPhone/Android users.

It's one of those things where you either already understand the nuances of the topic and you're therefore not the target audience of the advice, or you probably should heed it until you do understand the nuances and can decide for yourself.

VPNs are either legal or illegal.

Let the feds warn people all they want. Remember that corporations are “people” too.

Let them ban VPNs at their own risk and see how the whole internet goes with a VPN ban.

I’m pretty sure corporate lobbyists will ensure corporate commercial VPNs are exempt.

When India introduced their bizarre VPN logging rules, it did not include corporate VPNs.

I don’t think that VPNs with American (or allied) servers or nodes pose a threat to the feds.

I agree, frankly. People are generally better off not using a VPN than using an untrustworthy one. @Shampoo is also correct that CISA’s document is pretty clearly not in response to an impending VPN ban like the Forbes article would appear to suggest.

Their actual advice is oversimplified, and it leans too heavily on trusting big tech companies as long as they’re American (for example: Google Play Protect, and no mention of Apple Advanced Data Protection for iCloud users), but it isn’t flat-out terrible here.

1 Like

I can already see the "free" VPN providers wringing their hands as masses of people sign up to sketchy VPN services to skirt the social media ID requirements.

So, the report is accurate in that a bad VPN is worse than your ISP, but unfortunately they leave out actual best practices for VPNs, which I guess is on-brand.

I think the most interesting part of the CISA report is that they do recommend Signal.

This leads me to believe that they either are very smart in mixing good privacy tools with bad, or that they are very dumb and don’t understand VPNs enough to recommend the good ones.

1 Like

I’ll throw in that my understanding of CISA up to this point is that they’re actually a pretty good resource for cybersecurity. Based on the additional context from them that seems to be holding up. They won’t focus on personal privacy for example, but there is a lot of overlap between our two groups. They’re like a group that primarily emphasizes security and doesn’t emphasize privacy as much, and I think many of us have met that kind of person on a forum or two.

Now I don’t think the author of the Forbes article was trying to make a false connection. Rather, I think that more and more people are seeing the worsening situation when it comes to digital privacy and their freedom, and are rightly concerned. But when you are still learning or don’t have a good perspective yet you don’t know how to interpret different pieces of news or information. Pure speculation on my part.

1 Like

But they could very clearly recommend the reputable ones

F*** it I would take them recommending NordVPN than going against a VPN, that’s how bad it is

Considering how untrustworthy VPNs can actually get, HTTPS and secure DNS can be better than a random VPN too sometimes.

I guess the real question is, when it comes to using an untrustworthy, sketchy VPN or not using one at all, what's better? That would come down to what one is trying to do with a VPN and what their threat model is. So it's hard to say without knowing the use case.

1 Like

Who will stop us from forming corporations with one or two people inside? It's going to be annoying with paperwork and some fees, but it is certainly doable.

CISA/NSA generally avoids explicit recommendations in their publications like this.

Clickbait article. For reference, CISA said the exact same thing a year ago re: protecting yourself from Salt Typhoon:

"Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies," the Agency added. "However, if your organization requires a VPN client to access its data, that is a different use case."