How Do VPNs Work?

After Congress clarified last month that ISPs have the right to monitor and use customer data I have read dozens of articles that recommend that people start using VPNs (Virtual Private Networks) to limit ISP access to their data. I’ve received several emails asking how VPNs work and will discuss the technology today.

Definition. A VPN is a virtualized extension of a private network across a public network, like the open Internet. What that means in plain English is that VPN technology tries to mimic the same kind of secure connection that you would have in an office environment where your computer is directly connected to a corporate server. In a hard-wired environment everything between the server and the users is secure, and all data is safe from anybody who does not have access to the private network. If the private network is not connected to the outside world, then somebody would need a physical connection to the network in order to read data on it.

Aspects of a VPN Connection. Several different aspects combine to create the virtualized connection. A VPN connection today likely includes all of the following:

  • Authentication. A VPN connection always starts with authentication to verify the identity of the remote party that wants to make the VPN connection. This could use typical techniques such as passwords, biometrics or two-factor authentication.
  • Encryption. Most VPN connections then use encryption for the transmission of all data once the user has been authenticated. This is generally done by placing software on the user’s computer that scrambles the data so that it can only be unscrambled at the VPN server by matching software holding the same keys. Encryption is not a foolproof technique and the Edward Snowden documents proved that the NSA knows how to read most kinds of encryption – but it’s still a highly effective technique to use for the general transmission of data.
  • IP Address Substitution. This is the technique that stops ISPs from seeing a customer’s Internet searches. When you use your ISP without a VPN, your ISP assigns you an IP address that identifies your connection. This ISP-assigned IP address can then be used by anybody on the Internet to identify you and to track your location. Further, once connected your ISP makes all connections for you on the Internet using DNS (Domain Name Servers). For instance, if you want to visit this blog, your ISP is the one that finds PotsandPansbyCCG and makes the connection using the DNS system, which is basically a huge roadmap of the public Internet. Since they are doing the routing, your ISP has complete knowledge of every website you visit (your browsing history). But when you use a VPN, the VPN provider gives you a new IP address, one that is not specifically identified as you. When you visit a website for the first time using the new VPN-provided IP address, that website does not know your real location, but rather the location of the VPN provider. And since the VPN provider also does the DNS function for you (routes you to web pages), your ISP no longer knows your browsing history. Of course, this means that the VPN provider now knows your browsing history, so it’s vital to pick a VPN that guarantees not to use that information.

Different VPN Protocols and Techniques. This post is too short to explore the various software techniques used to make VPN connections. For example, early VPNs were created with PPTP (Point-to-Point Tunneling Protocol). This early technique would encapsulate your data into larger packets but didn’t encrypt it. It’s still used today and is still more secure than a direct connection on the open Internet. There are other VPN techniques such as IPSec (IP Security), L2TP (Layer 2 Tunneling Protocol), SSL and TLS (Secure Sockets Layer and Transport Layer Security), and SSH (Secure Shell). Each of these techniques handles authentication and encryption in different ways.
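To make the encryption, IP-substitution and encapsulation points above concrete, here is an added toy model (written for this post, not code from any VPN product): the user's real packet, including the site it is bound for and a DNS name, is wrapped in an outer packet addressed to the VPN server, encrypted and tagged, so that the ISP sees only the outer header while the VPN server can authenticate and unwrap it. The cipher (HMAC-based counter keystream), the shared key and all addresses and hostnames are constructed placeholders, not a real VPN protocol.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and authentication keys from the shared tunnel key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (illustration only, not a real VPN cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(inner: dict, key: bytes, vpn_server_ip: str, nonce=None) -> dict:
    # Wrap the user's packet (which names the real destination) in an outer packet to the VPN server.
    plaintext = json.dumps(inner, sort_keys=True).encode()
    nonce = nonce if nonce is not None else os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"outer_src": inner["src"], "outer_dst": vpn_server_ip, "nonce": nonce, "ct": ct, "tag": tag}


def isp_view(tunnel_pkt: dict) -> dict:
    # All the ISP can read: the outer header (its own customer talking to the VPN server) and a byte count.
    return {"src": tunnel_pkt["outer_src"], "dst": tunnel_pkt["outer_dst"], "payload_bytes": len(tunnel_pkt["ct"])}


def decapsulate(tunnel_pkt: dict, key: bytes) -> dict:
    # The VPN server verifies the tag first (tampered packets are dropped), then decrypts the inner packet.
    expected = hmac.new(_subkey(key, b"mac"), tunnel_pkt["nonce"] + tunnel_pkt["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tunnel_pkt["tag"]):
        raise ValueError("tunnel packet failed authentication; dropping")
    stream = _keystream(_subkey(key, b"enc"), tunnel_pkt["nonce"], len(tunnel_pkt["ct"]))
    return json.loads(bytes(c ^ k for c, k in zip(tunnel_pkt["ct"], stream)))


# Constructed sample: RFC 5737 documentation addresses and a placeholder hostname.
TUNNEL_KEY = b"\x01" * 32  # shared secret that authentication would have established (constructed)
USER_IP, SITE_IP, VPN_IP = "192.0.2.10", "203.0.113.7", "198.51.100.1"
INNER_PACKET = {"src": USER_IP, "dst": SITE_IP, "dns_query": "blog.example"}

if __name__ == "__main__":
    pkt = encapsulate(INNER_PACKET, TUNNEL_KEY, VPN_IP)
    print("ISP sees:", isp_view(pkt))
    print("VPN server recovers:", decapsulate(pkt, TUNNEL_KEY))
```

Note that the ISP still sees the customer's own address and the VPN server's address; what disappears from its view is the destination site and the DNS name.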

How Safe is a VPN? A VPN is a way to do things on the web in such a manner that your ISP no longer knows what you are doing. A VPN also establishes an encrypted and secure connection that makes it far harder for somebody to intercept your web traffic (such as when you make a connection through a hotel or coffee shop WiFi network). In general practice a VPN is extremely safe because somebody would need to expend a huge amount of effort to intercept and decrypt everything you are doing. Unless somebody like the NSA was watching you, it’s incredibly unlikely that anybody else would ever expend the effort to try to figure out what you are doing on the Internet.

But a VPN does not mean that everything you do on the Internet is now safe from monitoring by others. Any time you connect to a web service, that site will know everything you do while connected there. The giant web services like Google and Facebook derive most of their revenues by monitoring what you do while using one of their services and then use that information to create a profile about you. Using a VPN does not stop this, because once you use the Google search engine or log onto Facebook they record your actions.

Users who want to be protective of their identities are starting to avoid these big public services. There are search engines other than Google that don’t track you. You can use a VPN to mask your real identity on social media sites. For example, there are millions of Twitter accounts that are not specifically linked back to the actual user. But a VPN or a fake identity can’t help you if you use a social media site like Facebook where you make connections to real-life friends. I recall an article a few years back from a data scientist who said that he only needed to know three facts about you to figure out online who you are. Companies like Facebook will quickly figure out your identity regardless of how you got to their site.

But a VPN will completely mask your web usage from your ISP. The VPN process bypasses the ISP and instead makes a direct, encrypted connection to the VPN provider. A VPN can be used on any kind of data connection, and you can use a VPN for home computers and also for cellphones. So if you don’t want Comcast or AT&T to monitor you and use and sell your browsing history to others, then a VPN service will cut your ISP out of the loop.
