Bypassing censorship with VPNs ― is that safe?
More and more countries are blocking undesired websites on their networks or specifically searching internet traffic for critical and opposition voices.
When the internet becomes a state-controlled intranet, users run into problems: They can then no longer access the website of Deutsche Welle or other free media, for example. Social media platforms on which opposition activists had arranged to protest just a short time before are suddenly offline.
Read more: Tor, Psiphon, Signal and Co.: How to move unrecognized on the internet
A quick solution: VPN
Whenever a regime censors the internet in a crisis, many users in their helplessness resort to the simplest solutions. These are often virtual private networks (VPNs).
VPNs were developed to allow companies in different locations to connect their internal networks (intranets) via encrypted channels through the internet. But VPNs can also be used to connect a private computer from within a non-free government-controlled network to a server on the free internet, using exactly the same principle.
Read more: OONI: An app for detecting Internet censorship
Providers make big promises
VPNs are now readily available to everyone. Corresponding programs are available free of charge. VPN apps even top some charts. But users usually don't think about the risks in this situation.
VPN apps are plentiful, and the providers' promises are great. If you install their software on your cell phone, you can go online particularly securely, they say. And they promise that your personal data can no longer be accessed by potentially malevolent forces. What is clear: If the VPN works, you can use streaming services from other countries, bypass government censorship and access blocked websites.
How do VPNs work?
A VPN establishes an encrypted tunnel from your smartphone or computer to a remote VPN server. From this endpoint, you enter the public internet. When you surf the web, it looks to the operators of the websites you're visiting as if your computer was the VPN server.
If, for example, you are using a computer or smartphone in Germany but your VPN server is located in Japan, then the operators of websites you visit will think you're in Japan. This game of hide-and-seek is based on the fact that you do not appear with your own IP address, but with that of the VPN server.
Can you be detected while using VPN?
Basically, regimes that control internet traffic are able to detect when someone is using a VPN. However, they cannot detect what someone is doing with it, i.e. what data is flowing back and forth in the VPN tunnel.
Some dictatorships have banned VPN use for this reason. Such regimes then block access to VPN servers abroad or, in rare cases, even persecute the users individually. But governments usually cannot take blanket action against every VPN, because many foreign companies also rely on VPNs for their internal company communications.
So as long as governments do not list the IP addresses of foreign VPN servers in their firewalls, and thus block them, it is possible to use them to circumvent censorship.
How secure is my data in the VPN?
Here lies the second weak point: All your data make a detour via the VPN provider. But do you really know the company and what it's about? Essentially, you will have to trust your provider to maintain data privacy.
Because the provider operates the tunnel, the company can also see which websites you access, when and how often. The provider may also be able to see the non-encrypted content of your communications, such as simple e-mails.
This data can be stored, and especially the data about surfing behavior can also be sold for marketing purposes. For VPN providers, this can be a successful business model. They take money from the customer for VPN use in a subscription model. At the same time, they sell data about web usage to the advertising industry.
In the worst case, however, they also sell or supply data to government authorities. Even if the provider promises not to sell the data, it is already a risk that the data is stored at all. Not a day goes by without a new data leak being reported, whether due to poor security or criminal hacker attacks.
The better solution: Tor — privacy by Design
It's better if no data is collected in the first place. If a VPN provider promises it won't do that, I have to trust him. But a system that does not collect any data in the first place is even more secure.
This is what Tor can do. Tor builds a triple tunnel directly through the Tor Browser. With Tor, you actually don't talk about tunnels, but onion layers, hence the name: Tor = The Onion Routing.
The good thing is that none of these onion layers know your identity and destination at the same time. Which web pages you access, when and how often, cannot be stored anywhere because this information is not available at all. The whole thing is therefore called "Privacy by Design".
Tor is a non-profit project run by many volunteers. It is free of charge for users. But there is one small drawback: The internet connection can sometimes be jerky. Unfortunately, this much privacy comes at a price in terms of speed and convenience.
If you want to be able to surf the internet quickly with your browser, with a foreign IP address, and do not need the utmost protection of privacy, you should use a VPN provider that you can trust as much as possible. It is, therefore, better not to rely on VPN comparison portals that rate any provider well.
These are often not independent, but contain sponsored links of the VPN providers. Instead, it is better to ask trustworthy digital security experts or read current VPN reviews from reputable trade journals.
Read more: DW websites accessible via Tor Protocol
These are the traces we leave behind on the net
When computers communicate with each other on the internet, IP addresses are always exchanged. No IP address — no World Wide Web. However, the possibilities of identifying individuals based on their IP address are often overestimated, because IP addresses are rarely firmly tied to individuals.
The situation is similar with cookies. The user can turn these off and cookies have long since ceased to be of great importance to internet giants such as Facebook and Google. This is also reflected in Google's recent announcement that they no longer want to collect 3rd party cookies in their Chrome browser.
Moreover, internet users can now be identified much more precisely via so-called fingerprinting processes. That means browsers collect relevant information such as the time zone, the keyboard layout, installed plug-ins and properties about the creation of graphic elements.
Users can usually be recognized with an accuracy of more than 99% through those fingerprints. The method is very popular with large internet companies. Linked to a login, for example, at Amazon or Google, a fingerprint is also directly linked to a true identity.
Incidentally, these fingerprints are not only collected directly on the sites of these internet giants, but also on third-party websites.