Victoria Drake

Originally published at victoria.dev

Three rules for choosing a VPN that takes your privacy seriously

Lesser-known risks of ISPs and why I chose ExpressVPN

This post includes my affiliate links for ExpressVPN. I only refer products that I use and love. If you find it useful and decide to sign up, I’ll get a few bucks at no extra cost to you and you'll get three extra months free.

Most people know that a VPN is meant to protect your privacy on public or open Wi-Fi. A lesser-known purpose is to protect your privacy right in your own home, from your own internet service provider (ISP).

A set of Federal Communications Commission (FCC) rules entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” was unfortunately struck down in 2017. These rules would have prevented ISPs from using and selling your sensitive personal data, such as precise geographic location, health and financial information, web browsing history, and even the content of the messages you send.

I’m not comfortable having that data stored anywhere. Handing it over to my ISP makes me even less comfortable, since these treasure troves of sensitive personal data are a frequent and profitable target for ill-intentioned hackers as well.

Your online activities shouldn’t be anyone’s business, and certainly not in a literal money-making sense. Using a VPN helps to keep your private information where it belongs: between you and the person you’re sending it to.

Of course, if you type any flavor of “VPN vs VPN” into a search you’ll get a smorgasbord of comparison blogs and providers vying for your attention. How do you know what makes a VPN “good”? (Answer: lots of research.)

If you’re a regular reader, you know I’m big on security and privacy. (If you’re not yet, welcome! Hi!) Since I’ve built my career in the cybersecurity industry, I take my VPN fairly seriously. Here are the top three things I look for when choosing my own VPN provider:

  1. No DNS leaks
  2. A real commitment to privacy, with no logs
  3. Ease of use across all operating systems

I’ve written about why a VPN is important and even how to deal with the challenges of DNS leaks when using OpenVPN to set up my own. The response I often get to articles like these includes the question, “Which VPN do you use?”

The answer is ExpressVPN. Here’s how my privacy philosophy got me there, and why these three points matter so much.

Why you don’t want a DNS leak

In a previous Linux-flavored adventure, I created my own VPN using OpenVPN and AWS EC2. While I’ve been told my post was helpful, this was definitely not a plug-and-play solution. After reinstalling a new OS, I once failed to follow my own guide to the letter. It took a few months before I discovered I had a DNS leak.

A diagram of a DNS leak

Using a VPN prevents your ISP from collecting your sensitive personal data, including your web browsing history, but only as long as you don’t have a DNS leak. A DNS leak means that your ISP still sees all the URLs that you visit: their servers resolve them for you. This is plenty of information to build a picture of who you are, what your interests might be, any health issues you might have, what you like to spend money on, and much more.
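
One way to check for this kind of leak on Linux, as an added example that is not code from the original post: the script reads the resolvers listed in `/etc/resolv.conf` and flags any whose route does not leave through a VPN tunnel interface. The sample file, the `ip route get` lines and the `tun`/`tap`/`wg` interface prefixes are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample /etc/resolv.conf (not captured from a real host).
RESOLV_CONF = """\
# constructed example
nameserver 127.0.0.53
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
"""
# Constructed `ip route get <addr>` output, keyed by resolver address.
ROUTES = {
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.6 uid 1000",
    "192.168.1.1": "192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000",
    "2001:db8::53": "2001:db8::53 via fe80::1 dev wlan0 src 2001:db8::23 metric 600",
}
TUNNEL_PREFIXES = ("tun", "tap", "wg")  # assumption: VPN interface naming


def parse_nameservers(text):
    """Return the valid nameserver addresses in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, malformed entries
        try:
            servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
        except ValueError:
            continue  # value is not an IP address
    return servers


def classify_resolvers(text, routes):
    """Label each resolver 'tunnel', 'leak' (leaves outside the VPN) or 'stub'."""
    results = []
    for addr in parse_nameservers(text):
        if addr.is_loopback:
            # Local stub (e.g. systemd-resolved): its upstreams need checking.
            results.append((str(addr), "stub"))
            continue
        match = re.search(r"\bdev\s+(\S+)", routes.get(str(addr), ""))
        # A missing route is treated as a leak so the check fails closed.
        via_tunnel = bool(match) and match.group(1).startswith(TUNNEL_PREFIXES)
        results.append((str(addr), "tunnel" if via_tunnel else "leak"))
    return results


if __name__ == "__main__":
    for addr, verdict in classify_resolvers(RESOLV_CONF, ROUTES):
        print(f"{addr:<16} {verdict}")
```

On a live system, feed it the real file and the output of `ip route get <address>` for each resolver; a `stub` result means the upstream servers shown by `resolvectl status` are the ones to check.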

Protocols like DNS over HTTPS will help, but they rely on co-operation between many entities that is still in its early stages. In the meantime, I want my VPN to do everything it can to avoid using DNS servers that could collect or sell my browsing history.

At time of writing, there’s really only one fool-proof solution to ensuring that your browsing records aren’t accidentally shared: run your own private DNS server. So ExpressVPN did just that.

Of course, this only works in my favor when the VPN itself doesn’t keep a record of my activities. Which is why…

A no-logs philosophy matters

VPN providers do not all value your privacy, and some are no better than your ISP. Many VPN providers, especially free ones, elect to log your personal data and sell it to data brokers and marketers. Using a VPN that does any kind of logging simply transfers the risk from your ISP to the VPN provider.

At a minimum, you want a VPN provider to clearly state a strict no-logs policy. Of course, this still means you’ll have to trust that they aren’t being cagey with their definition of “logs,” and still writing your personal data to disk under a pretense.

A more trustworthy solution would be to remove the possibility of writing any personal data to disk in the first place. So ExpressVPN got rid of the disks.

A cartoon of a ram eating logs. Text reads: Hey look, data! Nom. What am I eating again? Eh nvm.

Dad joke. I know.

I was pretty thrilled to learn about what ExpressVPN calls TrustedServer, which runs only on random-access memory, or RAM, and not on hard drives. Unlike a disk meant for long-term, fault-tolerant storage, RAM is volatile memory. It requires constant power to operate, which guarantees that all data is lost when the server is rebooted.

While you wouldn’t want a laptop that runs entirely on RAM, volatile memory is perfectly suited to an ephemeral, no-logs VPN server. The entire software stack including the OS must be re-installed from a central, signed image each time the server boots. This also means it’s always installing the most up-to-date security patches and configuration. That’s clever.

This post goes into more technical detail on TrustedServer, which was independently audited by PricewaterhouseCoopers.

As a Director of Engineering myself, I have a deep appreciation for a company that builds its technology on its philosophy.

That said, the technology only works if you actually use it.

The best VPN is one you actually use

None of what I’ve said so far would matter one iota if my chosen VPN was even just a little bit inconvenient to use.

My preferred platforms are Linux and iOS. I’ve had my fair share of struggles finding all kinds of software that works equally well on just these two. ExpressVPN seems to offer one of the few applications I’ve come across that isn’t trapped in an ecosystem.

There’s a dedicated app for every major platform, including even smart TVs and game consoles. Unlike my experiences with other VPNs, ExpressVPN's Linux app just works, out-of-the-box, the way they said it would.

All the devices!

I especially appreciate the Network Lock kill switch feature, which prevents me from accidentally sending unprotected network traffic when I first open up my laptop and it reconnects to Wi-Fi. It prevents my ISP from seeing anything I do, and only takes a few seconds to reconnect.

ExpressVPN connects fast and then gets out of my way. I haven’t noticed any reduced speeds or blocked sites. I gave a lot of thought to choosing my VPN so I wouldn’t have to think about it on a day-to-day basis. I use ExpressVPN constantly, and it just works.

Privacy is more than personal

When you protect yourself and your family with a VPN, you improve more than your own personal cybersecurity. The less data your ISP can collect, the less they have to lose, sell, or profit from. One day, the risk and cost for ISPs will outweigh the payoff. When you take action to prevent ISPs from scooping up your family’s sensitive personal data, everyone’s privacy can benefit.

If you found this article helpful, I invite you to sign up for ExpressVPN. It only takes a few minutes (assuming you remember where you left your credit card) and will give you the best possible set-it-and-forget-it privacy protection that I can recommend.

For more about privacy, cybersecurity, and reliable cartoon dad jokes, go to victoria.dev or subscribe via RSS.

Top comments (6)

Ben Sinclair

I think the thing that puts me off ExpressVPN is their advertising budget. They are pretty cheap, yet they have enough budget to push ads everywhere. It really makes me wonder how much money they're actually saving to provide the service!

Victoria Drake

Have you read about how ice cream is linked to shark attacks? 😆

I can’t speak for “everywhere,” but in my case I don’t expect to see a big buck from writing about ExpressVPN. They’ve built a great product, and I want to see great products succeed. Maybe lots of people feel the same way!

Ben Sinclair

I can guess the content of that link! It'll be about correlation and causation, right? That's not what I'm getting at, at least not precisely.

It's more like if someone made a film, and spent more on the budget for the trailers than the film itself. I guess I wouldn't trust the film as much as I could.

Breno da Mata

How does NordVpn stack up against these metrics?

Matt Curcio

Has anyone looked at the Mozilla firefox vpn?

Lydia

Thank you. I am using Pandavpn and want to look for a backup vpn. Your post helps a lot.