Earlier this week, we talked about how easy it is for advertisers and others to see exactly what you're doing online and how hard it is to stop it, which made us wonder what normal people can do to protect their personal information without having to go to all kinds of crazy lengths. One way that's becoming increasingly popular is using a VPN, or virtual private network. A growing number of providers are offering VPNs as an easy way for individuals to keep our data from prying eyes, and people are using them for all kinds of reasons.
I travel internationally for work sometimes, so whenever I'm out of the country, I'll use a VPN if I'm needing to watch a TV show or something that I can't get access to through that version of the website in the particular country I'm in. And sometimes I use it at home. If there's a show, like before Great British Bake Off was on Netflix, I would use a VPN to be able to watch it when it was happening live instead of having to wait for it to be released over here.
Yeah. I use VPN for work because we want to protect some of our more sensitive information, so we have to access the VPN before we can get into that part of our jobs.
People who live in countries with repressive governments like Russia have also used VPNs to get around censors that block access to social media and news sites.
Basically, anytime there's a big geopolitical crisis, you're seeing massive spikes in VPN usage.
That's Bloomberg reporter Austin Carr. He went to find out if VPNs can actually deliver on the privacy they promise. I'm Wes Kosova. That's today on The Big Take. Austin, maybe start by telling us what is a VPN. What's it used for?
Essentially, what it's used for is to encrypt your web traffic by funneling your Internet browsing through remote servers around the world. It basically sends them out, any website you go to, any browsing and surfing you do. It sends that traffic out to servers in places like France, Brazil, Japan, encrypts them to hide your location and also the content of what you're actually browsing.
So the usual way it'd be is you look up a website and your identity is revealed to that website. But if you use a VPN, it bounces it all over the world, so nobody can tell where you really are and where that traffic came from.
That's exactly right.
I mean, if you're using the Internet right now at home or on your cellular provider, that's known as an ISP, an Internet service provider, and essentially what's happening is every single thing that you do is basically logged with the ISP: your location, the type of surfing that you're doing. They keep a sort of log of all that material that you're surfing the Internet with. Now, of course, in the US that's not such a big deal, but abroad, in places where there's authoritarian governments or just different censorship rules, there's of course a lot of interest in VPNs because it allows you to circumvent those rules, hide your location, hide what you're browsing, and unlock things that might be cut off because of firewalls. Like, the Great Chinese Firewall is a great example of things where certain social media websites, news websites are cut off, but with the help of a VPN, you can sort of work around those restrictions and gain access to a lot of content that you otherwise would not be able to. Now, of course there's a lot of lowbrow reasons for using a VPN as well. If you like to stream content, sometimes there's reasons that will be blocked for, you know, IP reasons, or because your subscription is not relevant in a certain state or certain country.
If you're traveling, you can't use Netflix.
So a lot of people use VPNs actually to stream content, just to circumvent rules with content providers as well.
So let's say you're overseas and you want to watch Netflix and it says, sorry, Netflix isn't available in this country. It can fool Netflix into thinking you're sitting at home.
That's exactly right.
So when you're traveling abroad and you have a Netflix subscription to the US, or if you're a subscriber in England, you have access to different content. They have all their original content, which is globally accessible, but there's a lot of content that's only geographically licensed to particular countries or regions. So if you want to gain access to that content, you'd have to use a VPN. And Netflix has actually done a lot of work to detect those IP addresses that they give you. It's sort of like this game of IP address whack-a-mole. As soon as they sense that you're using a VPN, they might block it and you just have to keep changing servers in the US. Let's say I'm in London and I want to access some content, and I'm not recommending anyone does this. This might be violating some terms and conditions.
So this sounds pretty complicated. Is it hard to use? Like, when you sit down at your computer, you have a VPN, what is it like? How do you actually use it?
It does sound complicated, and I think historically that has been the roadblock for a lot of these apps. To sort of install them, it took a lot of setup, a lot of sophistication. But nowadays they're super easy.
There's a bunch of providers.
If you just google vpn, you'll come up with all sorts of names, from ExpressVPN to NordVPN, which are two of the biggest brands, and it's just an app.
You download it. Some are free, some are subscription-based.
You just give it access to either your laptop or your cell phone and then you're essentially hooked up to a VPN and you can choose the server you want. NordVPN, which is one of the big brands out there, it's a Lithuanian-based company. They have about fifty five hundred servers around the world. You just open up the app and you can select any country you want to browse from. You can even go down to the city, so if you're in the US, you can select LA, you can select Denver, Miami, Boston, New York, things like that. And once you just tap into that, they promise that it's a good safeguard against your traffic. It can predict your location and sort of, yeah, fool your browser into thinking that you're in a different location, and that it can encrypt your traffic at the same time.
Austin, you report that another reason people have been using VPNs is in communicating after Russia's invasion of Ukraine.
That's correct.
I mean, basically, anytime there's a big geopolitical crisis, you're seeing massive spikes in VPN usage. In the weeks and months after Russia's invasion in Ukraine, there was data that showed VPN interest spiking on search engines by over one thousand percent. And that is the case for every time. You know, when we saw sort of the crackdowns happening in Iran, there was big spikes in VPN usage. When there was social unrest in Turkey following an earthquake and they blocked access to Twitter, you saw VPN usage spike in those areas as well. But the Russia one is a really interesting use case because you can sort of understand why it would be used for a healthy purpose, which is if the government is blocking access to certain news websites, you know, obviously there would be a lot of interest not just among social activists but just your average Russian resident who might want to find out what the real story is, and you can use a VPN.
It's become more difficult.
They've blocked a lot of VPNs. You know, NordVPN, one of the big brands there, has had to remove all their local servers from Russia, and they've increasingly made it difficult to use a VPN there. But that's one of the major upsides of VPNs. Sort of the high-minded mission of these apps can be to circumvent that government censorship and help people access news, organize for protests, and just generally access the web a little bit safer than they could if they were going through their regular ISP.
How good are VPNs at actually doing that? They promise you anonymity, but can they deliver any?
I think they're really good at marketing cybersecurity and privacy, perhaps more than they are at delivering it. I spoke to a lot of researchers for the story, and the one thing that pretty much all of them said was that you can't really put all your faith in these VPN providers.
And there's a couple of reasons why.
You know, if you're an Edward Snowden type and you want to use a VPN and you have someone, you know, the NSA on the other side, or some government agency. Basically, VPN providers have told me that, look, we can't stop from that stuff. We can only do so much. Maybe we can unlock Twitter, but we're not going to be able to necessarily protect you against, you know, a government agency with those sort of resources to find you. The other big issue is that a lot of these VPN providers, they're sort of asking you to put all your trust in them, saying, hey, we will not log any of your web activity, but there's not really any assurances. They have audits that happen on some of these servers that are done by auditing firms such as PricewaterhouseCoopers, but there's not really a way you can go in to see their code to make sure there's no logs. There's not really a way you can go see their server room to make sure that there's no logs being taken of your web traffic. There's been instances historically where, you know, a VPN provider will say we're not logging any traffic, and then suddenly they get subpoenaed by a government and they're able to provide those logs.
So there's been controversies like that over the years. Several University of Michigan researchers who I spoke with had also just said that there's ways to detect your activity even when you have a VPN on. So there's something called device fingerprinting where they can sort of triangulate your data based on the specific computer you're using, or the browser size, or the time that you're accessing sort of content. And there's also ways that if there's a bad actor sophisticated enough to access this ont they can sort of throttle your internet and see if any leaks happen from a VPN tunnel. That might sound really complicated, but what it essentially means is there's no one hundred percent guarantee of safety. There's no one hundred percent guarantee of anonymity with these VPNs. In fact, most of the researchers I spoke to would not use any commercial VPN. They developed their own. So unless you're able to do that, you're a sophisticated engineer or hacker, they all warned against you thinking that, hey, these things are going to provide you some sort of military-grade protection.
After the break, what do VPNs know about what you're doing online?
I definitely feel secure about the connection, but I'm also not like worried. I'm not doing anything that I'm worried about people seeing or reporting. So I guess I've never really thought about, like, what would happen if it wasn't secure, But I feel secure through the one that I use.
I feel like ours is pretty secure and private. I've looked up the tool that we use, and I've talked to some of the IT folks, and they've given me a lot of confidence that our VPN is secure.
One of the big companies in this space is called Nord Security, and you wrote a whole piece about that. Went to go visit them. Tell us about Nord Security.
Nord Security is a fascinating company that's based in Vilnius, this sort of old world capital of Lithuania. They started a little over a decade ago and actually bootstrapped their entire business until raising one hundred million dollars last April at a one point six billion dollar valuation. But they've really ridden this wave of sort of marketing cybersecurity to the public at a time when there's a lot of questions about who is tracking your Internet browsing, whether you're safe online, whether social networks and search engines are mining your activity. And they developed these tools called NordVPN, which is one of the sort of, I think, more user-friendly apps out there.
It's super cheap. I think the going rate is like three dollars a month to protect your web traffic. And when I met with the founder, Tom Okman, he had just returned from Davos. He was going to Web Summit, which is this big tech conference in Lisbon, and you really got the sense this company is finally going mainstream, and I think that's because there's so many questions about what's happening to our internet activity online.
They're developing this whole suite not just of VPN products, but of cybersecurity products, dark web monitors, malware threat scanners, things like that, to sort of try to make this sort of encrypted subscription portfolio similar to what you might think about McAfee security or Norton back in the day.
The big question is whether some of the promises that they've made about cybersecurity and privacy are real and legitimate or is it just a lot of marketing to sort of drive up their subscription rates.
And when you talk to them, what do they say the reason you should use a VPN is? Like, what are they selling it for? I don't think it's so you can circumvent the terms and conditions of Netflix. They probably don't advertise that.
They do not. In fact, they were very hesitant.
It was fascinating because when I'd gone there, I thought this was just sort of just the most obvious use case. But they were very, very specific in saying, that's not what we're using it for. You know, Netflix has never bothered us. They don't write us takedown notices, they don't complain.
I talked to former employees, one of whom said that, you know, a few years ago when they would have marketing meetings, and whenever they saw huge spikes in cancellations, the first question they'd ask in meetings was: is Netflix working right now, or have they blocked our VPN and servers? But really what they're focusing on is cybersecurity. They're pitching this thing as this sort of all-encompassing way to keep your web traffic safe, to protect you online, and, you know, so far that seems to be resonating. They argue, you know what, if you're on, let's say, a public Wi-Fi network, if you're at a Starbucks using Wi-Fi, oh, there's hackers out there, there's cyber criminals that might be able to steal your banking information. You are more secure to have a VPN on. Another use case, they would argue, is just hiding your web traffic from your ISP. There's so many governments even in the US right now. You look at laws in Utah and Louisiana about how they are looking for a verification or for you to register with a web content in your surfing. But, you know, one of the major things that they say is also that, look, we, in all honesty, do not know what our users are using a VPN for. They have a no logs policy. They're very serious about it, and in fact, they walked me through their hardware at their servers where they removed every single local storage drive in their fifty five hundred plus servers, which essentially means there's no way to physically store this data on a server. It's all run through what's called random access memory, which is essentially your short term memory of your computer. And they just say it's rebooted every, you know, I don't know how many hours or days. If you went to one of these server rooms, anyway, there's nothing you could pull off of it.
They've never had a data breach.
NordVPN is just one of a lot of companies, but there's a whole ton of them out there. It's kind of hard to tell which ones are good, which ones are really secure, and which ones are not.
Yeah, it's really one of the more questionable parts of the market. If you google best VPN, you're gonna come up with a list of dozens and dozens and dozens of websites out there, and they could range from sort of NordVPN or ExpressVPN, which are some of the more known companies out there. You also have other ones that are respected, such as Mullvad or Proton or TunnelBear.
These are sort of big names in the industry. But you also have a ton that are just free, these sort of free apps out there that you're not quite sure. Wait a minute, how am I gaining access to this? What are they using my data for? Is this safe? And at least when I've talked to researchers, that's the one thing they say. You know, look, if you are accessing these VPN providers that are free with sort of sketchy sounding names, that are promising all types of privacy protections, but you're not paying for it, chances are they're mining your web traffic for other reasons, or perhaps their servers are not as safe as they let on. They might be collecting logs, they might be selling your web traffic to marketers. I mean, historically there's been some fun examples, I mean quite scary to be honest. Facebook a few years ago, they were running a free VPN. It was called Onavo, Onavo Protect, and this was back in twenty seventeen, twenty eighteen, and they were marketing it to the public as sort of this, you know, VPN that's going to protect you online, and it turns out that they were actually using that web traffic internally to see what their users were logging into. Were they using, you know, a different social media website, were they using Snapchat more, were they using WhatsApp more? And they were sort of using these basically to monitor your web traffic for marketing purposes. And this violates the very core of what a VPN is supposed to do, which is protect your web browsing and protect your anonymity. And Facebook ended up shutting that service down eighteen months after it was discovered, in about twenty seventeen.
So what did Facebook say about that when it came to light.
Facebook said that it was very clear about what information it was collecting and what it was using it for. And I'm sure somewhere in the terms and conditions there probably was something about, you know, this data could be used for X, Y or Z when it comes to marketing purposes or internal research. But I think for the average consumer, the sense is any VPN is supposed to protect you from that very use case of a company mining your traffic and sort of snooping on what you're doing online.
And I think that is one of the things that every researcher I talked to just warned against, is you never know. You are putting a ton of faith in these VPN providers, and there's really just no way to know what they're doing with your data other than to trust them. And I think that's a lot of trust to put in these networks, especially when even for paying apps, you're paying like three to four dollars a month for these subscriptions.
When we come back, some countries start to crack down on citizens using VPNs to bypass censors.
Austin, the rise in VPN use, especially in countries where they block certain portions of the Internet, has not gone unnoticed, and some of these countries are now going after the VPNs for allowing people to see sites they don't want them to see.
It really raises the question about whether the use case of circumventing governments is sort of a longer term or shorter term fix to protecting your web traffic from peering eyes. In twenty nineteen, Russia made a big to-do with a lot of the VPN providers about, you know, we want your encryption keys. We want to be able to access some of this server data that you're sort of using it for with these VPNs, and the VPN providers said to Russia essentially, at least the big ones, that we don't collect logs, we can't give you that data, and that sort of forced them to pull out of Russia. They actually, in the case of NordVPN, they ended up shredding, just ripping apart all their VPN servers in Russia. Now, local residents from about twenty nineteen to twenty twenty could still access a VPN through non-Russian servers, meaning they might connect to a server in the US or Brazil or Japan or something. But a few years later, you know, in twenty twenty one, not long before the Ukraine invasion, Russia essentially banned all VPN usage outright, made it illegal.
And we're seeing a similar pattern play out in India. India essentially said the same thing, we want to have access to some of this encrypted data. NordVPN said no. Other providers said no, and then they shut down all their servers in India. And so I don't know, I mean, it makes it difficult to know how long, you know, these VPNs will sort of be relevant. With that said, there are still ways to access VPNs in these countries.
But it gets really a little bit more complicated, and it also puts a lot of the pressure on these VPN providers to make sure they're safe. You know, if you can access, let's say, a VPN that is smuggled into a country on a thumb drive or something like that, they have tools that are called such as a kill switch, meaning that let's say you're raided and you have a computer, you can access this kill switch to eliminate any sort of visibility that you were using a VPN. There's a lot more high pressure stakes when you're sort of protecting journalists or activists, dissidents with VPNs than you are, say, providing someone in the US with access to ESPN Plus in an area that they can't watch the Super Bowl.
So I think longer term that's what we're going to see, is just whether or not a lot of these VPN servers are sort of ripped out of countries that they don't want them. You know, in China, it's been difficult to access VPNs that you can't even go to NordVPN dot com in China. So that's going to be a big question longer term, is are these, you know, VPN servers, when it comes to protecting against governments, can they really do that or is there sort of a short life cycle for that if the government just doesn't want them operating there?
So Austin, given all this, should people use VPNs? Do you use a VPN?
You know, I think going into this I did use a VPN a lot more beforehand, before I sort of was learning more about talking to academic researchers, talking to the VPN providers themselves of what they do protect against. And I think there are very healthy use cases for VPNs. You know, I understand the use case of wanting to encrypt your traffic against an ISP or a content provider, or just that you don't want someone to know your location. But I think also in the last ten years or so, we've seen the Internet go from really much more of a wild, wild West area. A lot of your Internet browsing wasn't encrypted. When you did log onto an airport Wi-Fi or a coffee shop Wi-Fi, it might not have been encrypted. But nowadays browsers are a lot safer. Banking websites, public Wi-Fi networks, they're actually a lot safer and a lot more encrypted. And I think that's one of the things that VPN providers are going to have to figure out. When I've talked to NordVPN or ExpressVPN, they compared it to like an ADT, the home security system. You know, just because you have ADT turned on, it provides peace of mind, but that doesn't mean you shouldn't lock your doors and make sure the windows are locked at night. And so I think for a lot of customers, you know, it might just provide that level of peace of mind, that extra layer of encryption that you wouldn't have beforehand. If you do log into a, you know, a McDonald's or a Starbucks Wi-Fi, or you're abroad in a country that might not encrypt your web traffic, it can be a safer thing to add that layer of protection, but it's not necessarily going to be the end-all be-all. It's not a panacea of security for you.
Austin, thanks for coming on the show.
Thank you for having me.
Thanks for listening to us here at The Big Take. It's a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen, and we'd love to hear from you. Email us questions or comments to Big Take at Bloomberg dot net. The supervising producer of The Big Take is Vicki Vergolina. Our senior producer and the producer of this episode is Katherine Fink. Hilde Garcia is our engineer. Our original music was composed by Leo Sidran. I'm Wes Kosova. We'll be back tomorrow with another Big Take.