A Plain English Explanation of VPNs

It seems like everyone is telling you to get a VPN these days. Likewise, almost every search on Google about computer security will turn up an ad for a VPN service provider. Well, if it is that ubiquitous, you should probably get one as well. Or should you?

Like with virus scanning companies a few years back, a lot of this is scare mongering to get you to open your wallet. Many ads will throw present you with worrisome statistics, scary images of hackers, and complex computer terms. To make it all look official and important, they will also include a bevy of computer acronyms, not the least of which is the term VPN, itself.

VPN stands for Virtual Private Network, yet even that is not very descriptive. Virtual as in virtual reality? Private from who/what? Network? Don’t you already have one of those? Anyhow, you spent enough resources securing it, so why do you need a VP network now?

The bottom line is that you have a business to run (or for those working from home, a household to manage). You are not a computer security expert and you don’t have time to research this. Can’t someone just explain what this VPN-thing is in plain English and without the techno-jargon?

Yes, I can.

 A Simple Example of the Problem

Imagine that you were expecting an important letter from your lawyer with highly sensitive information. When it arrived on your desk you noticed that the letter was not properly sealed. As a matter of fact, it may have been opened and then sealed again so that you would not notice.

Using the internet is very similar, but instead of paper letters, it is your email and your web browsing that could be read. The one difference is that you receive far more email and browsing information than regular letters. Imagine if all your lawyer’s letters had been routinely opened and then carefully resealed so that you would not notice, that is what using the internet is like.

There is simply far more data going in and out of a computer. All that data cannot be read by people, so this data is being archived, categorized, analyzed and corelated by specialized computer systems. These systems then build models of your online behavior. That information is then sold to advertisers who wish to sell you goods and services.

Sometimes the information is also shared with researchers interested in studying online behavior. Occasionally, governments also request this information if they believe you pose a threat to society. Of course, with so many people sharing this information, it can also end up in the hands of hackers and thieves.

Mitigating Factors

While it is well known that online behavior is being tracked this way, it is not yet clear how serious the risk is to individuals. This is because the sheer amount of data that is being collected is staggering. It is quite possible that information about a single person’s online behavior is still rather vague and not very useful.

Of course, because it is a staggering amount of data, it is also likely that one person’s information just does not stand out that much. It can also be assumed that other than hackers and thieves, the data is not being mishandled by those who use the information for legitimate purposes. As for the hackers and thieves, we can assume that only a very few people will be victimized.

Most individual people are not very rich or do anything that the government would be interested in. So, for most people, perhaps being an ordinary needle in a haystack, is enough to not have to worry about doing more. And this may very well be enough for most people.

Yet, for some people that is not enough. They need their data secured.

What a VPN can do

Returning to the example of the letter from the lawyer, one way to protect the information in the letter is to seal the envelope better. In centuries past, people that needed to secure a letter, would seal it with wax from a candle and imprint it with a unique seal that only they owned. If that seal was broken, then it would be known that the letter had been read during transit.

In modern times, letter can be sent with special sealing stickers that cannot be tampered with. They can also be sent in tamper-proof envelopes and sent with extra care requiring signatures along the way confirming where it is during the transit and that it is still sealed.

A VPN is a digital version of these methods, although the wax and seal are a simpler analogy. With a VPN all email and web traffic is wrapped in a tamper-proof digital envelope. It is then sent to a special service that places the seal on that envelope. This way, only the intended recipient can open the seal.

The seal is an encryption that makes the data unreadable to anyone else. Only the recipient can read the data and no one else. If for some unintended reason someone else does try to re-direct the data or tries to open the seal during transit, the letter is discarded without being decrypted. It essentially becomes unreadable and useless.

Another way to think of a VPN is an impregnable tunnel between you and whoever you are communicating with online. The date can only be accessed at each end of the tunnel, so that it is secure in transit. Anyone trying to access the data in the tunnel along the way is blocked.

Do you need a VPN?

Unfortunately, computer systems have become very fast and efficient. This allows them to sift through vast amounts of data very quickly. For the most part this data is used by corporations to market to us, which may just be annoyance.

However, because it is now so fast, cheap, and easy to do, there are also more and more people and groups who target individuals to extort money from them by holding the data hostage – this is what is called a ransomware attack.

In the end, it is a question of risk, which is fundamentally a business cost. It is no different than purchasing fire insurance. The chances that a fire will wipe out your business is small, so a decision must be made on whether it is worth the expense.

Yes, there are a few free VPNs available. Your cable internet provider may even include one for free or a very small fee. Maybe you have an employer or are part of an organization that provides a VPN service. Those would be good places to start, but ultimately, VPN services must cover their own expenses, so you should expect to pay a small monthly fee for a quality service.

If you do any banking with your computer or your phone, you should probably do so via a VPN. Likewise, if you discuss client information with remote staff, you probably need a VPN. Of course, if you communicate with your lawyer via email or the web, then you need a VPN.

Some Additional Benefits

A VPN is a set-it-and-forget-it service. Once installed, you forget it is even there. It does its encryption on the fly while you work. For most people that is all they need. For larger deployments, it is useful to know when the VPN is being used and when it is being turned off – this could indicate a potential staff problem or maybe that the network has already been compromised.

More advanced services will also provide stats on how much data was discarded – this can be useful in determining a potential problem. For example, it would be useful to know if this is occurring more often when your staff is working in a specific geographic location. VPN services also keep up with security news world-wide – this may be of interest as well.

Much has also been said that a VPN will allow you to pretend to be in another location. This is because the only discoverable location for your email and web browsing is that of the VPN service. This is handy to circumvent geographical restrictions for things like broadcast stations and paid video services.

While that is indeed the case, many of these broadcast and paid video services can now acquire this information from the VPN service directly, especially when they have a legal right to receive this info. So using a VPN service to bypass legal restrictions should not be a reason for subscribing to one. In any case, this is not exactly a business decision anymore than either.

Conclusion

The risk to your data is out there. As mentioned, whether we chose to remediate them is ultimately a business decision. However, not knowing what a VPN is should no longer be a reason to delay this decision. Likewise, not knowing what the risks are should not be either.

 A VPN has a very simple task: to make your data harder to get at by people who should not be getting at it. Sure, it can be circumvented – the NSA and the top research institutions probably have the resources to do so. However, most businesses, smaller groups and individuals do not have a way to get at your data. Most of them are also not very motivated to do so because there are plenty of people who do not have VPNs.

For peace of mind, a VPN is a recommended investment. Even for your home instead of your business, a VPN is a recommended consideration. You really do not want your door camera, your children’s web browsing, or your baby monitor, and your personal banking accessed by unauthorized entities.