How to (and why you should) protect your personal data from governments and hackers

Cartoon strip on wireless eavesdropping

Are you aware of just how much of your personal data is available to governments, hackers and corporations?

I was talking to a friend the other day who said: ‘If my email is hacked it’s a pain, sure, but I don’t get any important emails, so it wouldn’t be the end of the world’. (He’s retired).

So then I asked him what he does on the Internet: Online banking? Yes. Book airline tickets? Yes. Facebook? Yes. Do any of that in airport lounges? Yes. On aircraft? Yes. In hotels? Yes.

Finally: Do you have a VPN? No.

You see, the hackers may not get everything they need to steal your identity by hacking your email, but they can piece together a comprehensive profile of you with the different bits of information they can get by tracking the full range of your online activities.

Also, of course, they can (and do) hack Facebook, or Twitter, or LinkedIn, or Yahoo and pick up more of your private information that way.

Governments too, in many jurisdictions, can simply subpoena all the data that your ISP has on you. That would include your name, address, credit card details, social security or ID card number, and all the websites you’ve visited for as far back as their records go.

Corporations can offer to buy that data for marketing purposes – and many ISPs will willingly sell it to them.

So your personal data and web browsing habits are available to anyone who wants to steal them, or pay for them for their own financial benefit, unless you take steps to protect them.

Impact of identity theft

Imagine this scenario:

You’re on an important trip to somewhere and you suddenly find that your mobile phone no longer works. You try to hire a car when you arrive, but none of your credit cards work.

So you search out an ATM to get some cash, but your request is rejected and, when you reach your hotel, you find that your reservation has been cancelled.

You are, quite literally, stranded, with no way of being able to do anything.

That’s what can happen if someone steals your identity.

They make a call to your phone provider and report your phone stolen, they go online and transfer all your money to a charity, and they cancel your hotel reservation.

This is not fanciful. It is easily done by hackers who have stolen your usernames and passwords.

Strong, unique passwords

I’ve talked about the importance of creating and using strong, unique passwords here and here.

It’s extremely important for your own protection against identity theft that you safe-guard your personal data, and it’s not difficult. I urge you to read those articles.

I’ve also talked about VPNs before, so that’s where I’ll focus this time.

What is a VPN?

VPN stands for Virtual Private Network and commercial VPNs have the effect of creating a private network just for you, through which you can surf the Internet with anonymity.

The way they do this is to create a secure, encrypted link between your computer and their VPN server.

In doing so, they hide your details, and details of the site you’re visiting, from your ISP, local WiFi networks and anyone snooping on your connection.

Commercial VPN network graphicAs you can see, there is a secure encrypted connection that goes directly from your computer to the VPN provider’s server.

From the VPN provider’s server your connection emerges into the Wild Wild Web, and from there it goes on to the website you’ve requested.

So it is the IP address of the VPN’s server that the websites you visit see as the point of origin of your visit, not your original IP address.

By using a VPN you will bypass your ISP’s DNS servers, so they cannot see which websites you visit. The originating IP address will be that of the VPN provider, not yours, so your web activity is hidden from prying eyes.

Commercial VPN providers have servers, also known as Points of Presence, in many countries around the world. The provider I use has servers in more than 80 countries.

As a customer, you can choose which Point of Presence you want to link to. For example, I can sit here in Hong Kong, but connect through my VPN provider to one of their servers in the UK, or wherever I want.

That means that websites I visit think I’m visiting them from the UK, not from Hong Kong.

How does this protect my private data?

Graphic depicting an encryption keyLooking at that diagram in the previous section, the first leg of the link (from your computer to the VPN provider) is encrypted. That means that the data going through that link is scrambled and can only be read by the receiving server (the VPN provider) that has the decryption key.

Once your connection emerges into the Wild Wild Web your data is no longer encrypted unless your destination website is running on HTTPS. (Details on HTTPS here).

For financial transactions (online banking, online shops, Amazon, etc) it has been mandatory for some years for those institutions to operate their websites on HTTPS so, in the vast majority of cases, your data is encrypted from end-to-end.

If your destination website is running on HTTP, however, then your data is not encrypted between the VPN provider and the destination website. But as long as you’re not sending sensitive data to that website there is no risk.

If you are entering sensitive data, though, e.g. a username and password, you should always check to see whether the website is running on HTTPS.

Screenshot of the address bar of an HTTPS websiteAnd you should be extremely wary of entering sensitive data into a website that is not running on HTTPS.

Don’t do it unless you have no choice – the risk is theft of your personal data.

At least your IP address is still protected, even if the website you’re visiting is running on HTTP because, again, the visited website will only see the IP address of the VPN server to which you connected, not your own IP address.

What should you be looking for in a VPN provider?

So if you’re going to sign up with a VPN provider, what should you be looking for? Firstly, as always, you get what you pay for, so don’t go for the cheapest price.

Here are some things you should look for in a VPN provider:

  • Is it based in a location that does not have draconian government rights to access your data? The VPN I use is based in the British Virgin Islands, and Panama is another good location. Both jurisdictions have a high level of commitment to personal privacy. Avoid VPNs based in the US, the UK, the EU, Australia and other countries that share security and anti-terrorism information
  • The number of countries in which the VPN provider has servers, and the total number of servers it has, should be as high as possible
  • How committed to your personal privacy is the VPN provider? Look for statements of their commitment to your privacy and read them carefully
  • What data does the VPN provider log and keep? They do need to log and keep enough data to enable them to develop the service and trouble shoot network or customer problems, but they should not log or track any personally identifiable data
  • Does the VPN provider offer apps for all your device types (Windows, Mac, Android, iOS). I use my VPN 100% of the time on 100% of my devices

Benefits of using a VPN

Clearly, the chief benefits of using a VPN are that your personal data is protected and you can browse the web anonymously.

But there are some others as well:

  • You can log onto your VPN in different countries to get the best price when you’re shopping online
  • If you’re in a country where the Government blocks websites it thinks are not suitable for you, you can log on to your VPN in a different country and get access to blocked websites (I made a lot of use of this when I was working in Saudi Arabia and Iran a couple of years ago)
  • You can get access to content that’s restricted to its country of origin by logging on to that country’s VPN point of presence (useful when you’re a national of that country but you’re working abroad)

Downsides of VPNs

While VPNs are great at protecting your personal data, maintaining your anonymity online and enabling you to bypass government censorship, there are a few downsides:

  1. Some content providers will not accept connections from VPNs because of licence restrictions in different locations – Netflix is an example
  2. Some websites won’t accept your connection precisely because they want your location and IP address before letting you see their content
  3. I have been asked to complete a CAPTCHA form when doing searches on Google because they recognised I was connecting from a VPN
  4. In some cases, and with some VPN providers, using the VPN can slow down your internet response time

In closing…

As I said earlier, I have used a VPN 100% of the time on all my devices for some years now. While those downsides can be frustrating on occasions, overall they’re a price I’m very happy to pay in order to protect my anonymity.

And, anyway, remember that you can always turn off your VPN to complete any tasks or visits (e.g. to Netflix) that are blocked because you’re using a VPN.

As always, you get what you pay for, so don’t go for the cheapest.

A VPN provider that does not log personally identifiable data cannot give it in response to a government request, so establish where they are based and look for assurances on what information they log.

Stay safe,

Martin Malden

Martin Malden
Owner – WP Security Basics

P.S. Is your WordPress website as secure as it could be? These are the security products I use on my own sites, and sites I build for clients, to keep them safe and to recover from a hack: