Naked Security

Can a commercial VPN really keep you anonymous? [VIDEO]

Are VPNs about privacy, about anonymity, or about both?

Last week, we wrote a law-and-order story about a woman who set up a bunch of fake sysadmin accounts on her employer’s network shortly before leaving the company…
…only to connect back in later on from home to wreak some kind of ill-considered vengeance.
She was identified, charged and given a criminal conviction, part of which involved paying $5616 in restitution, that being an estimate of how much the company lost trying to put things right.
We gave that article what we thought was an uncontentious headline: Employee from hell busted by VPN logs.
Well, THAT stirred up a hornet’s nest of comments!
Many comments insisted that we had misrepresented one of the virtues of VPNs, namely that a VPN (short for virtual private network) is handy for not getting busted, because it can help you stay anonymous.
So, which is it? Are VPNs about privacy, about anonymity, or about both?

(Can’t see the video directly above this line, or getting an error such as “no longer available”? Watch on Facebook instead.)

Note. With most browsers, you don’t need a Facebook account to watch the video, and if you do have an account you don’t need to be logged in. Internet Explorer users may need to use the general link https://www.facebook.com/SophosSecurity/videos/ instead.
No sound? Click the speaker icon in the bottom right to unmute.



16 Comments

video doesn’t work on facecrap either. Link says you need to log in to watch. Good going guys putting up a post that doesn’t work.

Hmmm. I’m going to guess you are using Internet Explorer, which is the only browser I’ve had trouble with. (That’s why the article says “with most browsers you don’t have to be logged in”.) Safari, Firefox, Edge and Chrome all seem to work as you might expect: the direct link to the video works fine, and so does the embedded version. With IE, I get a full-screen Facebook logon page; I don’t know why.
But if I visit the following page in IE…
https://www.facebook.com/SophosSecurity/videos/
…then I can watch the currently featured video [the VPN item as at 2018-04-24T14:00Z] without logging in. In other words, you *can* watch the video via IE without logging in, but for reasons I am disinclined to try to figure out, given that every other browser works as expected, and that IE is the past and not the future, IE won’t accept our direct-to-the-video links.
If I felt any kind of personal responsibility for IE, I’d apologise, but I don’t (and you chose to be carpingly rude) so I shan’t :-)
I’ll add a note to the existing note to explain.

Most VPNs are not to be trusted unless they specifically say they don’t log anything. Even then, caution should be taken. Don’t want to go to jail? Don’t attack.

Isn’t there a better place to store video than Facebook given all the recent privacy issues? One that wouldn’t have constant errors about how the video cannot be embedded or when linked to the site “no longer available”?

Please see above. You don’t need to be logged into Facebook to watch the video, or even to have an account, so I can’t see any privacy-related reason not to use Facebook for our live videos.
Remember, we’re not just recording these, editing them and publishing them later on – if we were, we’d probably use YouTube or Vimeo (which still wouldn’t please everyone). We’re doing these as live streamed videos with real-time comments, as a way of engaging with more than a quarter of a million people who follow us on Facebook. If you know of a better live video streaming service than Facebook that is as open to everyone as Facebook, please let us know.
PS. The only browser that has given me any “can’t be embedded” problems is Internet Explorer. All of Safari, Edge, Chrome and Firefox work just fine. If you’re still using IE, maybe that’s something to consider changing before worrying about Facebook – and if you do switch browsers, you won’t have the “constant errors” any more, for a double win!

Thanks. I saw that initial reply after I posted, unfortunately. I will say that while I understand your crusade against IE for a variety of reasons, it’s still the dominant browser at a Fortune 500+ level, or so I’d guess. I’d be interested to know the mix of traffic by browser you receive during daytime hours in both UK and US. Is it greater than 10% or more from IE?
The live recording piece of it definitely limits the possible tools, but YouTube does have live streaming and automatic recording. I just don’t know about the editing capabilities. I’m sure some would complain because nothing is ever satisfactory to all, but it feels like a more appropriate place for that purpose, in my personal opinion. A double win there would be that you wouldn’t need a paragraph of workarounds below the video!
I recognize you can watch the video without logging in, but I meant it more in the sense that it appears like support for Facebook in a time when data leakage from the surveillance capitalism headquarters seems to be at an all time high. I know this would mean Sophos taking a position against FB, which I’d guess it’s unlikely to do for a few reasons, so I suppose I should just put my money where my mouth is and boycott any and all content stored or sourced from there.

Will, I don’t intend to sound combative–just a couple observations.
I rarely watch the videos myself but usually read the (typically) short accompanying article–and the comments. Naked Security has used Facebook Live for a while now, since significantly before the latest round of more egregious FB privacy concerns. Duck explained the choice rationale on at least one other article/video like this one and (correctly) observed that someone would be displeased no matter which streaming mechanism was chosen….so they picked one.
Additionally some hold that the thought of Facebook embodying privacy issues is not terribly new.
Also, a dominant browser would likely command more than 10%.
Lastly, IE is a crappy browser (even disregarding how it’s now been replaced). Between browser wars it languishes unchanged for years, despite being security-Swiss-cheese. For a security company to cater to its use even if it *were* the major [a Mark Twain quote comes to mind] shareholder would be capital Bad News(TM).

You can (well, I was able to) watch the videos with IE without logging in – you just have to go indirectly via the link I added to the article.
I don’t have the exact figures to hand but IIRC the proportion of Naked Security page views done with IE is below 10%.

Facebook have literally just been outed for tracking everyone, including those without a Facebook account! Shouldn’t a company like Sophos understand this?
Just use a real video service. Facebook is dead.

If you are worried that Facebook will have a record that your IP number, using your preferred browser on your preferred operating system, watched our video, and when…
…don’t watch it :-)

Say you have what is considered a trustworthy VPN by people who have inside knowledge about the provider, while considering where they are incorporated, say in an area that doesn’t care about US subpoenas. Pay with cash through the mail with an email account using Tor. Then open up a VM with another so-called trusted VPN paid for with cash, and then run Tor through those two VPNs. [link removed]

If you can use Tor, why would you jump through all those hoops to pay for a VPN? Defence in depth I suppose.
You can always add more nodes (computers) to your Tor circuit and change how often your Tor circuit is refreshed, which is a bit like cycling through a random collection of VPNs every few minutes.

I suppose so. But if there is another bug in the TBB then they would have to trace through 2 or 3 VPNs to find you. And if you pay in cash and they are VPNs who are in jurisdictions that don’t honor US law then it would be a lot of work to trace it, if they could. But changing those nodes frequently sounds like a good idea. For me, I would fire up a VPN first because a Tor connection going through your ISP automatically looks suspicious. Most people don’t realize that Tor hidden services is just a small slice of what people use Tor for. But I rarely even use a VPN anymore. I’m just not on the computer like I used to be.

Just going to point out that Edge for Windows 10 Mobile behaves like IE and forces a login prompt no matter how I try to watch.
Firefox on my PC worked just fine, however, and it’s not like Edge mobile has much market share…
(Still, that’s another edit for the under-video explainer for you.)

I actually have a Windows 10 phone – bought it for research purposes, decided I loved the GUI, was getting ready to switch to it for work purposes…
…when Microsoft, having finally built what was for me a better phone OS, announced it was all over bar the shouting (and there wasn’t much of that). So I admit that the mobile browsers I tried didn’t include Edge.
Thanks for the note.
