It’s very likely that the Australian federal government will soon pass laws that allow a wide range of government agencies to access large datasets collected by telecommunications companies and internet service providers about who you call, who calls you, who you email, who your friends are, where you are and where you have been.
Techy people just respond “yeah sure they can do all this, but I’ll just use a virtual private network (VPN) and then the gubmint knows diddly-squat”. Non-techy people say VPwhat? And this is a problem, as it means that tech-literate people will have more privacy than non-technical people, a perverted “might is right” style outcome.
So let’s look at what you can do to lock down your family’s or business’s privacy using inexpensive, proven tools.
What is a VPN provider?
There are thousands of companies out there that will allow you to securely connect your devices to their network, such that when you then exchange information with other computers on the internet, those computers think you are wherever the network says, and not where you actually are. Sophisticated virtual private networks also provide tools that re-write the “metadata” that goes with each packet, to make it resistant to even the most detailed “deep packet” inspection. To the outside world you might appear to be living in some data centre in the United States, instead of your home, or office, or wherever your mobile says you are.
Prerequisites, jargon, and assumed knowledge
Unfortunately, choosing a VPN provider means learning some jargon, but to keep it super-simple, imagine it like this. Your device (phone, laptop, router, fridge, whatever) opens a secure connection to the VPN using one of the following encryption protocols, in order of worst to best: PPTP, L2TP/IPSec, or OpenVPN (also known as SSL/TLS). From there, the VPN provider creates a tunnel between the outside world and your device. Your exit point is the location where you have told your VPN provider you want it to appear you are coming from. Good VPN providers have many hundreds or even thousands of exit points in many countries. In this way you can appear to be in the US to HBO and Netflix through your AppleTV (via paid subscription), but in the UK when you want to watch the BBC’s iPlayer. It also means, while you are travelling overseas, you can make the ABC’s iView think your iPhone is in Sydney instead of Istanbul.
So how do you choose one? Here’s a simple checklist:
1. Do they keep logs? Only choose a VPN that doesn’t track your use of their system.
2. Do they offer OpenVPN (aka SSL/TLS) and L2TP/IPSec, in addition to plain old L2TP and PPTP (which are not considered secure anymore)? Always choose a provider that supports OpenVPN.
3. Do they allow unlimited devices? A VPN is not secure if only some of your devices use it.
4. Do they offer unlimited bandwidth?
5. Do they offer a system for obfuscating your metadata?
6. Are they based in a “Five Eyes” country (US, UK, Australia, Canada, New Zealand), or in a politically unstable or corrupt country? If so, go with another provider.
7. Have they been around for a while?
8. Do they offer good quality support?
I went through about 200 of the main VPN providers, and the ones on this list arguably satisfy the criteria, apart from the desire for unlimited devices.
Each of these comes with software and configuration instructions for most flavours of desktop and laptop computer, as well as iOS and Android devices. Because all of these services support OpenVPN, it is, in theory, possible for you to configure your home or business router (or get a techy friend to do this) to send all traffic via the VPN, thus protecting all the devices in your house.
Phones
The use of a VPN doesn’t stop some random technocrat from working out where you are from phone-tower records, as the device with your IMEI number (type *#06# on your phone to see it) moves between them. Nor does it hide the time and endpoints of every call and text message, your browser history, or which apps are requesting network access: basically any “metadata” they can scoop up. Even an “off” phone will ping the towers every so often and report its device and SIM identifiers. A VPN won’t protect you from all of that, but it will keep your browser history and app traffic-profile secure, and if you make your calls with SilentPhone, FaceTime, or any of the many end-to-end encrypted phone apps, then having the VPN will mask the type of data being sent, and when calls get made. A VPN won’t protect your SMS messages, but it will stop anyone knowing when/if you use iMessage, Telegram, BlackBerry Messenger, SilentText or any other secure messaging system that sends its data via the internet.
Having a VPN installed on your laptop and phone is typically a matter of downloading and running a simple config app, which comes with your subscription for any of the services I’ve listed, as well as many others. Setting up your router to direct all your local network traffic via your VPN is a more complex proposition but a great way to protect your family’s privacy.
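Before loading a provider's OpenVPN profile onto a router, it is worth checking that the profile really sends all traffic through the tunnel and verifies the server. The following is an added example, not part of the original article or any provider's software: it audits an `.ovpn` client profile using standard OpenVPN directives, while the two sample profiles, the host `vpn.example.net` and the finding names are constructed for illustration.

```python
# Added example: audit an OpenVPN client profile before putting it on a router.
# Both profiles below are constructed samples; vpn.example.net is a placeholder.
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
route-nopull   # split tunnel: routes pushed by the server are discarded
cipher BF-CBC
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
HARDENED_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
redirect-gateway def1
remote-cert-tls server
cipher AES-256-GCM
"""
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"}  # 64-bit block or none

def parse_profile(text):
    """Return {directive: [args, ...]}, skipping comments and inline <ca>/<key> blocks."""
    directives, closing = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                        # inside an inline block: wait for end tag
            closing = None if line == closing else closing
            continue
        if line.startswith("<") and line.endswith(">"):
            closing = "</" + line[1:]
            continue
        words = line.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            directives.setdefault(words[0].lstrip("-"), []).append(words[1:])
    return directives

def audit_profile(text):
    """Return a sorted list of (hypothetical) finding codes for a client profile."""
    d, findings = parse_profile(text), set()
    if "redirect-gateway" not in d:
        # Without a local redirect-gateway the default route depends on the server's
        # push, and route-nopull throws even that away, so devices bypass the tunnel.
        findings.add("ROUTES_IGNORED" if "route-nopull" in d else "FULL_TUNNEL_NOT_PINNED")
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.add("SERVER_CERT_UNCHECKED")  # any cert from the same CA would pass
    if any(a and a[0].upper() in WEAK_CIPHERS for a in d.get("cipher", [])):
        findings.add("WEAK_CIPHER")
    return sorted(findings)

if __name__ == "__main__":
    print("weak:", audit_profile(WEAK_PROFILE), "hardened:", audit_profile(HARDENED_PROFILE))
```

A clean result only says the profile asks for a full tunnel; after connecting, confirm from a device behind the router that its public IP address is the VPN exit point.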
Thank you
If only those obsessed with trying to undermine much needed efforts to protect Australia from Fundamentalist Terrorists and other threats, instead did as much to help improve the systems, including any relevant privacy concerns, the Nation would benefit.
But I guess that mightn’t be as much fun for them, and there’d be fewer colourful stories for media entities vying for customers?
Hoi David Sag, Good article…but I have a question about one of your criteria:
“6. Are they based in a “Five Eyes” country (US, UK, Australia, Canada, New Zealand), or politically unstable, or corrupt country? If so, go with another provider.”
Is this really an issue? Or in fact is the reverse true as some VPN providers claim at least with respect to the US?
Some providers claim that the US at least has strong pro-free speech laws, well defined legal processes for bypassing those laws and accessing your (the VPN’s) information etc.
While we all know that the US (and the 5is) and its agencies routinely ignore or even go out of their way to break those laws, this same illegal activity by them applies to the whole world. At least if the target (ie your VPN provider) is in the US they can take legal action etc against those agencies or set themselves up so that even a successful subpoena provides no useful information. No one else subject to US spying, who is outside the US, can legally defend themselves.
I also have issue with suggesting a host based in HK (China) is in any way different to the US in these respects and in many ways may even be worse in that their agencies do not have to answer to any oversight or legal responses at all.
I am genuinely interested in your answer as I have been leaning towards a US based VPN provider for these reasons.
Cheers, dd
If only those much needed efforts to protect our nation …. were in any way effective. Alas.
Chris Hartwell, try to understand that to be effective doesn’t mean they have to be perfect. Our penalties against murder, for example, don’t result in there being no murders, but there’s general agreement that they probably do reduce homicide. Stopping Terrorists (and I’d hope you realise this) is a more complex challenge; but surely you must understand that Surveillance Services HAVE played an important role in the past?
In a changing world there seems no reason to blithely hope Terrorists won’t be trying constantly to improve their I.T. capacities?
Therefore, assuming the protection of Australian interests is important:
Therefore, Australia should be acting to improve its I.T. defences. [Q.E.D.]