
Is There Really A Reason to Hide From Your ISP using a VPN?



55 comments on “Is There Really A Reason to Hide From Your ISP using a VPN?”

  1. Leo, start looking into the way “Big Data” (about 5,000 pieces of personal information on every US voter) affected the outcome of Brexit and the last US presidential election–both campaigns run by a new company headed by Alexander Nix called Cambridge Analytica–and I think you may change your mind about ‘we’re just not that interesting’ to companies who have our individual information to sell. Not a happy story.

    Here are a few of these sources:

    Cambridge Analytica Channel 4

    Company psychologically tailors ads to voters

    The Data That Turned the World Upside Down

    Alexander Nix, CEO Cambridge Analytica – OMR Keynote | OMR17

    Trump’s plan for a comeback includes building a ‘psychographic’ profile of every voter

    • But those all indicate how crowds are interesting. I’m not saying that’s not a problem – it can be, and I’m certain we have a long way to go to understand the ramifications and control.

      My point is that as an individual person what I do matters to these organizations not one whit. They care about what large numbers of people do. That’s why the data is collected and sold or shared.

      • Not sure I’m understanding you, Leo…the 5,000 bits of data on each individual adult in the US is not anonymized data. The political campaign accessed individuals’ data to do such things as visit specific homes to use tailored tactics to influence their votes; they use what one article called ‘dark posts’ on Facebook (that can be seen by certain individuals, but not by others) using individualized data to influence votes, or to motivate (scare in some instances) people to get out to vote. A non-political example was given about a person owning a beach who wants to keep others out. One (honest) tactic would be to put up a sign saying ‘private beach, no trespassing’; a different sign would warn people they would be eaten by sharks (totally made up–but works really well!).

        If politicians could be trusted to be truthful and full of integrity, this would not be as much of a problem. But I think we all know how many untrue things were made up about candidates. And I think we all are feeling how very deeply divided we are as a nation–due in large part, it seems, because we are all getting different ‘facts’. Plus, there is the most important general issue of what I see as our inalienable human right to privacy. And there are many other very nefarious ways that individual data could technically be used in the future, if no controls are set in place.

        This is veering off your topic of VPNs and purely technical advice so I won’t comment anymore. However, you are in a position to influence a great many people, and that is why I hope you look more into this topic.

        thanks, Leo!

        • You’ve missed a point…your comment about Facebook only relies on one thing, mandatory participation.

          The internet data in whole is made from highly fragmented and somewhat random data points.

          Not everyone is on Facebook, nobody has required them to be and for them to make a broader and more detailed profile of their users as well as those that merely graze their data (i.e. read things on FB but aren’t members) they still have to gather data from other sources than Facebook. It would be prohibitive to operate as the sole source to gather their own data.

          And another thing you forget about everyday, and welcome more often than not, is how stories as well as ads are placed for you by the data given what you prefer (still a patchwork of clicks and returns used, not Jolene Blow).

          The truth is that the internet is COMMERCIAL, and equally true that even with the amount of data transferred every second you have a business contract with the ISP and they have to state how your data is used. If you do not like the outcome, you can use another provider perhaps, even in a ‘one-horse (franchise) town’. At this point there are too many ways to send information in the US that it probably bugs those that want to control it. To be blunt, they banned all but the Nazi Party and sent dissenters to death camps etc in the scenario you can’t tie to any leader or dictator and not even Der Fuhrer as radio made it nigh impossible to silence opposition. As long as ANY information can come in and go out there is no political vacuum.

          And to complete the Off-Topic reply to the Off-Topic reasoning before (which isn’t that OT) NO, the information flows freely, real and not real, unimpeded, which neither solves anything anybody wanted nor makes anyone any more popular. So nobody ‘wins’.

          Maybe ‘democracy’. But back to the 1s and zeros. The only free platform is one that you own completely and control the content on. Talking to yourself is what it’s called.

        • In your example, were the signs aimed at specific individuals or at a group (whomever would want to use the beach)?

          “If politicians could be trusted to be truthful and full of integrity” – when has this ever been the case?

          “our inalienable human right to privacy.” Where did you get this? The Declaration of Independence shows only “life, liberty, and the pursuit of happiness” as being inalienable. The basic Constitution and original Bill of Rights do not include a right to privacy.
          Even today there are some communities where the concept of privacy is alien – and I don’t mean suppressed countries. Privacy is something one person/group imposes on others. Actually, the only difference between ad firms prying into your personal life and a nosey neighbor/coworker is their motive. I hear all sorts of clamor about people wanting to keep certain groups from obtaining their information, but nothing about any movement to stop nosey people from doing the same thing. Strange. Again it seems to boil down to who’s doing it. Keep it up and the only ones with access to our personal information will be malware writers/distributors, terrorists, foreign governments, and other nefarious groups.

        • This is interesting, and my group will look at the links and analyze. However, there is a new awareness dawning, and as stated above, most of the mainstream media, political parties, and fortune 500 companies have their own agenda and must not be trusted. There is a way around the slants and lies. Americans need to learn how to obtain original source data (and be willing to make the effort) instead of blindly following some talking head on the television or a Facebook personality with 3 million likes.

          Like him or not (and I never did) Glenn Beck preached going to original source information instead of trusting a media that has lost all sense of journalistic integrity. A good example is Donna Rice, former National Security Advisor. While in office, she made several false assertions about the underlying cause for the attack on the U.S. Consulate in Benghazi – saying it was caused by a YouTube video produced by a lone individual in Los Angeles. The media blindly backed her claim, but it was absolutely false. Subsequent FOIA requests, and reviews of U.S. government message traffic revealed not only that it was a coordinated Al Qaeda attack, but that she knew it was the night of the attack. However, I still know people who adamantly believe the YouTube fable.

          We must teach people how to obtain Original Source Information and stop allowing these Corporate Monoliths to shape our thoughts and opinions. They are dividing all of us but our interests are pretty much the same. How could that be? All the information of mankind is at our fingertips today. We must learn to use it…

          • I find the example of Benghazi not such a good example of something you could confirm. It might be a bit difficult to confirm, as you’d have to go to classified documents to either confirm or deny it. That wasn’t possible till much later when the documents were declassified.

          • I said I wasn’t going to add anything more, but just discovered that I left out the most important article (and the most readable one although very long)…am including a couple of quotes: (the ‘micro-targeting’ of individuals is the key, as far as I’m concerned.) I’m done posting now :)

            How the Trump Campaign Built an Identity Database and Used Facebook Ads to Win the Election

            [Trump campaign] built thousands of different web sources that were “micro-targeted at different segments of voters.”
            “Trump’s risky bet on micro-targeted Facebook ads to discourage African Americans and young women from voting was handsomely rewarded with a presidential campaign victory. …

            “Trump’s revolutionary database, named Project Alamo, contains the identities of 220 MILLION PEOPLE in the United States, and approximately 4,000 to 5,000 INDIVIDUAL DATA POINTS ABOUT THE ONLINE AND OFFLINE LIFE OF EACH PERSON. Funded entirely by the Trump campaign, this database is owned by Trump and continues to exist.

            “Trump’s Project Alamo database was also fed vast quantities of external data, including voter registration records, gun ownership records, credit card purchase histories, and internet account identities. The Trump campaign purchased this data from certified Facebook marketing partners Experian PLC, Datalogix, Epsilon, and Acxiom Corporation. (Read here for instructions on how to remove your information from the databases of these consumer data brokers.)

            “Another critical supplier of data for the Trump campaign and Project Alamo was Cambridge Analytica, LLC, a data-science firm known for its psychological profiles of voters. …

    • with the new info that… they are now using browsing history to adjust or cretic credit scores.. maybe this should be a time for a revisit of this topic??

  2. Strangely enough Bank of America blocks access via a VPN. On the other hand SSL is more effective than a VPN anyway.

    • It depends on what it is you’re attempting to be effective at. :-) Using SSL your ISP can still see that you’re visiting your bank.

  3. I live in Europe and have used a VPN for years to get access to content not available in this country. That said, I’ve been harping for a long time on the dangers of a VPN. They have access to everything your ISP would have had access to, and I tend to believe many if not most are more unscrupulous than your ISP. I trust many ISPs more than any VPN. The privacy laws are very strict here, to the point where it’s illegal for a newspaper to mention a suspected criminal’s name (IMO a good thing). When I travel back to the US, my home computer can be my VPN. I can access my computer in Germany via TeamViewer. I haven’t used it for that, because I haven’t needed to, but if the need presents itself, it’s available.

    • “I’ve been harping for a long time on the dangers of a VPN. They have access to everything your ISP would have had access to, and I tend to believe many if not most are more unscrupulous than your ISP.” – I completely agree. While VPNs certainly have their uses – such as circumventing geo-blocks – they really don’t do anything to improve security or privacy. In fact, using a VPN may very well be less secure and private than connecting directly to your ISP.

  4. Leo, thank you for your information. Would my security be improved if I created a separate email address exclusively for accessing bank accounts, IRA and stock trading site accounts, etc. or are unique passwords sufficient? I would never use this separate email address for browsing.

    • Long unique passwords are your best protection along with second factor authentication if your accounts support that. Separate bank accounts could help a little, to the degree that the email account you use to access your financial accounts wouldn’t be circulating.

    • Email addresses aren’t used for browsing to begin with, so this would be unrelated to that.

      Having a single account with a strong password is typically enough (as long as you have an appropriate, separate, “recovery account” also in case you ever get locked out). I tend to use a separate email account for “important” things not for security, but to control spam somewhat, and so that I know that anything coming in on that account is … important.

    • I go to the bank, and since all but one are nice ladies I’ve known for four decades in one case, and it’s nearby, why NOT?

      ‘Social’ is bugging them in person.

      • I do 99% of my banking online, as you might imagine. BUT I do periodically show up in person at my local branch just to maintain the contact. Part social (I’ve known these people for years) and part strategic (ya never know when you might need the bank to help w/ something), it’s nice to stop in and say hi. :-)

  5. I like your objective way of approaching this subject. There are way too many scare-mongers taking advantage of society today.

  6. Privacy…something that the younger generation does not expect. Privacy…something the older generation is so saddened and shocked at losing.

  7. If someone would just hack the ISP records of a few Congressmen trolling p*o*r*n sites, then we’d get our privacy back.

    • If it’s a hack, it’s unlikely anything would change. What we need is someone to legally gain access to sensitive data like that. Then we’d see the laws change. I’m not holding my breath.

  8. Leo,

    How about an article about how to set up your own VPN? If I could do that for a few hundred dollars (mostly for a dedicated computer to run the VPN open source software), that would seem much safer and even cheaper than paying say $10/month to a commercial VPN whose privacy policies may or may not protect me.

    • Honestly, I’ve looked into doing it myself. It’s amazingly complex, can be expensive, and very easy to get wrong. Honestly, that last item is what worries me the most: thinking you’re protected but because of some oversight, you’re not.

  9. Leo,
    Many thanks for the explanation that makes sense. I’m tired of misleading headlines and you have clarified the issues. I have tried paid VPNs but the degradation of service is so bad I removed them. Now glad to hear I don’t really need a VPN.

  10. I agree with Leo that most info gathered or sold by the ISPs is mostly a sort of market survey. I guess if they stood in a market or mall with a clipboard and asked what sites you visit you would probably tell them, as we all usually search for things we are interested in.
    I do feel however that if the government snoops on certain people they have a genuine need to do so in order to keep the public safe, and I for one agree with this, as I have nothing to hide.

    • It’s not a matter of having nothing to hide. It is a matter of whether or not you would be willing to have everything about you made public.

    • “I have nothing to hide.”

      To quote Edward Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

  11. I think the most important part of all of this is the AIM of the marketers. They really do want to know the habits of every single person. Sure, maybe it’s an aggregate that’s collected, but their aim conflicts with my privacy. Their collection of MY data, from what I’m thinking, to should be forbidden. In a perfect world, nobody’s data is interesting. In reality, I can see some big money being paid out to reveal the IPs of users of ABC Widget in my town.

    • The gold (I wanted to type goal, but in a way gold is really what it is. The gold standard of advertising) of advertisers is pure targeted ads; no more shotgun advertising. That’s no longer aggregate data. That means they have personal information on you. It may only be accessed via an algorithm, but they still have that info and a different algorithm can be used for less benign purposes.

      • I somewhat disagree. When we visit a site, all it really sees are our IPs. Targeting then goes to that IP, not actually the individual.
        I let my granddaughter use my computer to look for a few items online. Then I started getting ads for those, and related, items. Although it was my IP, it wasn’t me. However, the tracking company had no way of knowing that. Also, I got a copyright violation once. It said that someone with my IP [note that it did not say “you”.] had downloaded a pirated movie. However, it wasn’t me, it was one of the tenants using the Internet service for the house.

        As Leo has stated in other articles, they can only see my ISP and possibly track my location to wherever the ISP’s hub is located. [Mine is about 6 miles from where I live. Reading Microsoft’s forums, one person was complaining because the location showed 85 miles away, and in a different country.]

        • You hit the nail on the head. But unfortunately, I don’t think the current Congress and President are likely to make any laws to limit data collection and distribution.

        • “all it really sees are our IPs” isn’t exactly true. If you’ve been to that site before it sees the cookies of that prior visit. If you’ve been to other sites that use the same advertising network, then the advertising network sees all the sites you’ve been to including this one. And if you’ve actually LOGGED IN to anything covered in the prior list, then you’ve provided specific, personal, identification to the site.

          Yes, much “tracking” is limited to IP address only, but that’s not to say that’s the only level at which tracking can occur.

        • Tracking IP, cookies, browsing history are trivial matters. The technology exists for someone to search your drives and emails on your machine and send back entire files – if they choose to. And if they do, the “law” (now) doesn’t consider this as hacking, but normal pursuit of business objectives.

  12. Good morning Leo,
    Comment on ‘new vid format’ if I may.
    Suggest family pics and misc memorabilia be removed as only act as a distraction.
    Means a lot to you of course but distracts from your message somewhat.
    Suggest use blue or green screen and project relevant stuff in the background to make it a bit more relevant and varied each time. A bit more work but decent film production has never been easy.
    Personal opinion.

  13. Thanks for that nice summary, Leo. One of my concerns is the information that ISPs are not prevented from ‘selling’. This includes sensitive information, specifically social security numbers. While this is, practically speaking, a part of mass effort for marketing purposes, the proliferation of SS numbers into an increased number of databases is just increasing the risk of those SS numbers getting stolen.

  14. The best way to actually see what information your ISP collects and how that is used is by reading their Privacy Statement. Since this is part of the contract between you and them, it is legally binding on them.

    My ISP’s Privacy statement tells what they “may” collect and what they “might” do with it (permission granted, but not necessarily acted upon). It tells specifically what they will not do with that information (unless by legal means, such as a court order).

    If you are thinking of using a VPN, make sure to read the Privacy Statement as well as user ratings.

    You should also read the Privacy Policy of Google, Yahoo, Facebook, and a host of other services you use. See how they compare with your ISP.

    • You also need to understand where the VPN is located to understand whether or not the privacy policy carries any weight at all with respect to you and your location. (for example, even if legal everywhere, is it even enforceable across borders?)

  15. Something you didn’t mention is the rationale behind rescinding the unenforced requirement. Part of it is the usual party politics: if they’re for it, I’m against it – if they’re against it, I’m for it.

    Another aspect, which I’ve read elsewhere, is more complicated.
    The restriction only applied to the FCC, which includes ISPs. Companies like Google, Yahoo, Facebook and many VPNs come under the FTC, which did not have the same restrictions. So, yes, the ISPs had a legitimate complaint – they can, but we can’t.
    From what I understand, the opponents to the restriction (Democrats as well as Republicans) want Congress to enact a law that will apply to both the FCC and FTC. That would be more effective, and provide better privacy protection, than a one-sided regulation.

    I agree that repealing the restriction does tend to send the wrong signal to ISPs. Congress would have to stop bickering over minor issues and actually do something constructive for a change – and do it quickly. Voice your desire for a law that would stop everyone (not just one group) from selling your information. Contact your Congressional members (House and Senate), maybe Speaker of the House, and even the President and Vice President. If we don’t do our part and take action, we can’t expect someone else to do it for us. Protection of individual privacy is up to each individual – not some group.

  16. This is slightly off topic, but as it relates to privacy, I’m posting it here. A couple of days ago, I got an email from a friend who wanted me to print a boarding pass. I printed it, and 2 days later, I got this popup on my computer. I know, it’s probably benign, but the process which caught that has the capability of sending that information back to Microsoft and possibly sold to a third party. Somehow I find that worrisome.
    flight info

  17. Is there any value to getting more than one VPN? I have a lifetime subscription to one, and have had three offers for different VPNs hit my inbox this week.

    • As long as it works, one should be enough. The only exception I can think of is if you use it to access a site with content unavailable in your country and the site gets wise to your VPN and blocks it. And if you get any offers for any VPNs, be very wary as VPN scams are rampant now.

      • All of the offers (including the original one) have been through StackSocial/Yummy Software/X-Mirage (which took me an annoying amount of time to figure out were all the same, needing the same username and password). I’ve been happy with the one (Hotspot Shield), so I guess I don’t need the rest. Thank you.

      • Aaaaand now a search for “VPN scams” shows I might have been the victim of one, since I bought it through StackSocial. So far so good though. By the prices listed, I’ve already gotten my money’s worth. One year anniversary is coming up in June, so I’ll see.

  18. I think that you are not to the point that “we-users are not of interest to advertising and marketers”. On the contrary, I think that THEY have computing power now to collect ALL and slice ALL of our browsing and other histories etc etc. And in my experience if they CAN they WILL!

