An Interview with That One Privacy Guy- The Man Behind That One Privacy Site

Do you think there is a way to combat the problem of “native advertising?”

TOPG: The best way of handling the problem of native advertising is two-fold.  First, education.  Many people, if not most, don't understand what it is (in a nutshell, native advertising is a way of disguising advertising to look like legitimate content – a review, top 10 list, blog post, article, etc).  Second, making it clear that it will be called out and not tolerated.  I do my best to do this on the comparison chart and my interactions with users.  Such sites, for example are not allowed to be linked to on most of the subs I help moderate.  I also make a point to ding services that promote the use of unethical advertising in my VPN reviews.

I should note that NOT ALL affiliates and native advertising have to be intentionally misleading, although the vast majority, sadly, is.  Those outlets that wish to make it clear they are on the level, can display full and prominent disclosure in accordance with FTC rules (if you live in a developed country other than the US, you most likely have an equivalent to this).

It seems the keeping of “logs” is a highly misunderstood concept, though a phrase often thrown around in the VPN world. How risky is it to connect through a VPN who keeps even minimal logs?

TOPG: Many people don't understand what “logging” is, so I'll provide a brief description.  Logging is the storing of connection info, including details of traffic, DNS requests, IP addresses, bandwidth used, timestamps, etc.  This information, in the wrong hands may expose your private interactions as well as uses of the internet and other internet based services.

Jacob Applebaum gave a good speech regarding linking of metadata and how (while politicians downplay this) it can be used to paint a picture of your life and indirectly be a violation of your privacy.  If even some of the connection metadata is logged on the VPN server in question, it could be obtained by “the wrong hands” and used to violate your privacy.

This is not to be confused with “monitoring”, which is a reality in most VPN services.  Though some may not keep logs, they will often (by virtue of how networking works fundamentally), have to keep track of some data in real time.  I touch on this later, but if the company is in a jurisdiction where government interference is a reality, this can be a risk to the user.

In your opinion, is simply using the Tor Network (which is free) a good alternative to using a VPN?

TOPG: Like so many questions in privacy, the answer is “it depends”.  In this case, it depends on your needs and threat model.  Tor is a tool that has its place, but still isn't bulletproof.  Many Tor exit nodes have been proven to be honeypots – and techniques have been revealed which can be used to trace your use of Tor specifically back to you.  If you live in a country where your life is at risk when practicing your freedom of speech, please research and make this decision (whether to use Tor or a VPN) carefully.  Many privacy advocates (Edward Snowden for instance) speak highly of Tor, so I'm certainly not the final word on it.  Both Tor and VPNs can be discovered upstream on a network when certain tools and methods are used.

TOPG's color-coded VPN comparison chart

Can you explain what “Five Eyes” is, why is it so important when choosing a VPN provider?

TOPG: You're referring to a group of countries who (at the time of the Snowden leaks) officially could not spy on their own citizens.  To flout this restriction on their surveillance, they spied on each other’s citizens and compared notes to achieve the same outcome.  (These countries are Australia, Canada, New Zealand, United Kingdom, and United States of America).  There are other countries that participate to a degree, which are known as the Nine Eyes, and Fourteen Eyes.

If you were to choose a provider in one of these jurisdictions, your usage of a given VPN could be compromised.  One example would be that your logs (if kept by the service) could be subpoenaed by a government agency or potentially hacked and extracted by a third party, compromising your past usage.  Another risk is the VPN getting served an NSL (National Security Letter) with accompanying gag order in which case your present and future usage would be compromised.

In what countries are VPNs illegal? Is it likely that someone would be caught if using one in such a country? Or does the fact that they are using a VPN make them inherently untraceable?

TOPG: There are many countries in which the respective governments have chosen to crack down on VPNs and other privacy enabling tools.  As far as a list, I will let your readers do that research themselves – unfortunately, it's getting worse every year, and any list I could provide would soon be out of date.  As far as if someone would be caught using them – it all depends on the network scanning and “protections” in place on the government's part.

There are ways to obscure the use of a VPN (broadcasting on ports typically seen as used for normal internet traffic, using a variety of protocols, etc), but there is no silver bullet and even these methods can be thwarted by use of deep packet inspection and other network scanning tools.  There is always a risk!

Do you think that the advent of quantum computers – and the hacking abilities that will come with them - will pose a threat to those using VPNs eventually?

TOPG: Again, it depends.  Some encryption schemes are theoretically more resistant to quantum decryption techniques than others.  There are many VPN protocols and types of encryption used today and they will all certainly be more at risk, though many will probably be viable in a post-quantum world.  An example of a type of encryption that is theoretically viable in a post-quantum world would be the widely used AES protocol.

How do you feel about the assertion that simply using privacy-related apps (such as VPNs) actually causes the NSA to target you more than if you did not?

TOPG: At some point in time, you might have seen a forum poster ask an eyebrow-raising question and someone respond with something akin to, “Now you're on the list”.  This is most likely a real thing (depending on where you live).  The Snowden leaks revealed the true extent of the mass government surveillance that had been taking place worldwide, which includes databases of citizens and connections drawn between them and activities/belongings (by using collected metadata like we talked about above).  It's a sad state of affairs where privacy rights are concerned.

TOPG's comic strip-style description of VPNs (by Dooz)

Many users are very confused about the different protocols available, and which one they should use. Is OpenVPN always a safe bet, as I have been led to believe?

TOPG: Again, no one VPN protocol (or any privacy tool for that matter) is foolproof.  That said, there are definite advantages to using OpenVPN over other protocols.  OpenVPN is free (as in freedom) and open software whose algorithms and code are available for anyone to review.  This allows security experts to perform audits of the software and report flaws and vulnerabilities to the developers in order to keep it as robust and secure as possible.

The OSTIF recently organized such an audit with some coordination and the financial contributions of many VPN companies around the world.  By coming together in this way, the product that these companies rely on can be made better for all – company and customer alike.

I hesitate to use any absolutes when it comes to security.  While other viable alternatives exist, I believe that OpenVPN is one of, if not the best available option for privacy and security today.

What is the difference between TCP and UDP?

TOPG: Both are internet connection protocols.  TCP stands for “Transmission Control Protocol” and UDP stands for “User Datagram Protocol.”  This response could go for pages, but in a nutshell, TCP both transmits and receives confirmation of transmission, while UDP sends without worrying about a receipt.  In terms of how this affects a VPN: UDP is typically faster and TCP is typically more stable.  This isn't always the case, and like anything involving networking, is highly dependent on the devices, network, ISP, software, etc being used.

Other factors also come into play. For instance, utilizing TCP over port 443 for broadcasting can aid in masking the usage of the VPN on numerous networks that are heavily regulated.

Is it as important to use a VPN on your mobile device as it is on your computer? Are mobile devices as vulnerable?

TOPG: I hate to sound like a broken record, but the answer, again, is “it depends.”  A threat model is an important exercise when determining this answer for an individual or group.  If data will be transmitted using the mobile data or WiFi radios of the phone, a VPN can be useful.  Note that using a VPN will not help where voice, SMS, MMS, location broadcasting, etc are concerned.  There are apps that act as a replacement for some of these features (allowing the user more control to maintain privacy).  There are also special accessories (Faraday bags for example) which can supplement the use of a mobile VPN for a more complete privacy and security setup.

Is a dedicated IP address recommended for the average user? What are the benefits of having one? Are there drawbacks?

TOPG: Say it with me now… (classroom full of children shouting) “It depends!”.  If your goal is to achieve as much anonymity as possible, a shared IP address would be beneficial, as your endpoint would be pooled with others.  A dedicated IP is useful when hosting email, databases, files, etc on a server for instance.  Anything that needs to be remotely accessed could be a good candidate.

What are your plans for the future with the site in the future, if any? Or with any other projects/privacy activism-related activities?

TOPG: In a perfect world, I'd like to make the site a little more professional in addition to my current focus on functionality. Due to time constraints, however that's a constant work in progress.

I do plan to branch past just VPNs at some point, but I don't want to reinvent the wheel. I felt like there was a big need in the VPN industry for my research and opinions when I started this project, but where other privacy topics might be concerned, I found some solid, existing resources (such as Reddit's /r/privacy, privacytools.io, and prism-break.org).

There are a few areas I've learned a lot more about, such as privacy based email providers, which has a lot of overlap with VPNs - namely being web services, and therefore, things like logging, jurisdiction, trust (and native advertising) all apply. I feel that this and a handful of other web service industries (hosting, VPS, cloud services) need more transparency too.

More security than privacy maybe, I've thought about writing a little on the smartphone industry and making a series of charts to compare devices - not the usual specs, prices, etc, but more from the manufacturer angle. Things like update schedules (promises versus fulfilment), length of time devices are officially supported, if code has been open sourced according to its license, how long it’s taken to comply, and so forth. Time is limited, so we'll see.

Thanks for the opportunity to discuss this important topic! If your readers wish to learn more, they are always welcome to visit That One Privacy Site or contact me using the info on the site!