How to protect your personal data from governments and hackers

Are you aware of just how much of your personal information is available to governments, hackers and corporations?

I was talking to a friend the other day who said: ‘If my email is hacked it’s a pain, sure, but I don’t get any important emails, so it wouldn’t be the end of the world’. (He’s retired).

So then I asked him what he does on the Internet: Online banking? Yes. Book airline tickets? Yes. Facebook? Yes. Do any of that in airport lounges? Yes. On aircraft? Yes. In hotels? Yes.

Finally: Do you have a VPN? No.

You see, the hackers may not get everything they need to steal your identity by hacking your email, but they can piece together a comprehensive profile of you with the different bits of information they can get by tracking the full range of your online activities.

Also, of course, they can (and do) hack Facebook, or Google+, or LinkedIn, or Yahoo and pick up more of your private information that way.

Governments too, in many jurisdictions, can simply subpoena all the data that your ISP has on you. That would include your name, address, credit card details, social security or ID card number, and all the websites you’ve visited for as far back as their records go.

Corporations can offer to buy that data for marketing purposes – and many ISPs will willingly sell it to them.

So your personal data and web browsing habits are available to anyone who wants to steal them, or pay for them for their own financial benefit, unless you take steps to protect them.

How can you protect yourself?

I’ve talked elsewhere, and often, about the need for secure and unique passwords, and I’ve also referred to a VPN.

It goes without saying that creating and using strong, unique passwords should be done without a second thought, especially as they are easily managed with a password manager.

So this time I’ll look a bit more closely at VPNs and how they can help to protect you.

What is a VPN?

VPN stands for Virtual Private Network and commercial VPNs have the effect of creating a private network just for you, through which you can surf the Internet with anonymity.

The way they do this is to create a secure, encrypted link between your computer and their VPN server.

In doing so, they keep your traffic unreadable to your ISP, local WiFi networks and anyone snooping on your connection: it still travels over their networks, but only in encrypted form.

[Figure: commercial VPN network graphic]

As you can see, there is a secure encrypted connection that goes directly from your computer to the VPN provider’s server.

From the VPN provider’s server your connection emerges into the Wild Wild Web, and from there it goes on to the website you’ve requested.

So it is the IP address of the VPN’s server that the websites you visit see as the point of origin of your visit, not your original IP address.

By using a VPN you will bypass your ISP’s DNS servers, so they cannot see which websites you visit. The originating IP address will be that of the VPN provider, not yours, so your web activity is hidden from prying eyes.

Commercial VPN providers have servers, also known as Points of Presence, in many countries around the world. The provider I use has servers in more than 80 countries.

As a customer, you can choose which Point of Presence you want to link to. For example, I can sit here in Hong Kong, but connect through my VPN provider to one of their servers in the UK, or wherever I want.

That means that websites I visit think I’m visiting them from the UK, not from Hong Kong.

How does this protect my private data?

Looking at that diagram in the previous section, the first leg of the link (from your computer to the VPN provider) is encrypted. That means that the data going through that link is scrambled and can only be read by the receiving server (the VPN provider) that has the decryption key.

Once your connection emerges into the Wild Wild Web your data is no longer encrypted unless your destination website is running on HTTPS.

For financial transactions (online banking, online shops, Amazon, etc.) it has been mandatory for some years for those institutions to operate their websites on HTTPS so, in the vast majority of cases, your data is encrypted from end-to-end.

If your destination website is running on HTTP, however, then your data is not encrypted between the VPN provider and the destination website. But as long as you’re not sending sensitive data to that website there is no risk.

If you are entering sensitive data, though, e.g. a username and password, you should always check to see whether the website is running on HTTPS.

And you should be extremely wary of entering sensitive data into a website that is not running on HTTPS.

Don’t do it unless you have no choice – the risk is theft of your personal data.

At least your IP address is still protected, even if the website you’re visiting is running on HTTP because, again, the visited website will only see the IP address of the VPN server to which you connected, not your own IP address.

What should you be looking for in a VPN provider?

So if you’re going to sign up with a VPN provider, what should you be looking for? Firstly, as always, you get what you pay for, so don’t go for the cheapest price.

Here are some things you should look for in a VPN provider:

  • Is it based in a location that does not have draconian government rights to access your data? The VPN I use is based in the British Virgin Islands, and Panama is another good location. Both jurisdictions have a high level of commitment to personal privacy. Avoid VPNs based in the US, the UK, the EU, Australia and other countries that share security and anti-terrorism information
  • The number of countries in which the VPN provider has servers, and the total number of servers it has, should be as high as possible
  • How committed to your personal privacy is the VPN provider? Look for statements of their commitment to your privacy and read them carefully
  • What data does the VPN provider log and keep? They do need to log and keep enough data to enable them to develop the service and troubleshoot network or customer problems, but they should not log or track any personally identifiable data
  • Does the VPN provider offer apps for all your device types (Windows, Mac, Android, iOS)? I use my VPN 100% of the time on 100% of my devices

Benefits of using a VPN

Clearly, the chief benefits of using a VPN are that your personal data is protected and you can browse the web anonymously.

But there are some others as well:

  • You can log onto your VPN in different countries to get the best price when you’re shopping online
  • If you’re in a country where the Government blocks websites it thinks are not suitable for you, you can log on to your VPN in a different country and get access to blocked websites (I made a lot of use of this when I was working in Saudi Arabia and Iran a couple of years ago)
  • You can get access to content that’s restricted to its country of origin by logging on to that country’s VPN point of presence (useful when you’re a national of that country but you’re working abroad)

Downsides of VPNs

While VPNs are great at protecting your personal data, maintaining your anonymity online and enabling you to bypass government censorship, there are a few downsides:

  1. Some content providers will not accept connections from VPNs because of licence restrictions in different locations – Netflix is an example
  2. Some websites won’t accept your connection precisely because they want your location and IP address before letting you see their content
  3. I have been asked to complete a CAPTCHA form when doing searches on Google because they recognised I was connecting from a VPN
  4. In some cases, and with some VPN providers, using the VPN can slow down your internet response time

In closing…

As I said earlier, I have used a VPN 100% of the time on all my devices for some years now. While those downsides can be frustrating on occasions, overall they’re a price I’m very happy to pay in order to protect my anonymity.

And, anyway, remember that you can always turn off your VPN to complete any tasks or visits (e.g. to Netflix) that are blocked because you’re using a VPN.

As always, you get what you pay for, so don’t go for the cheapest.

A VPN provider that does not log personally identifiable data cannot give it in response to a government request, so establish where they are based and look for assurances on what information they log.

Are you using a VPN? Leave us a comment with your experience and, if you have any questions relating to VPNs, leave those in a comment as well.

Stay safe,

Martin Malden

Owner – WP Security Basics
