
I have always struggled with the idea of a commercial VPN. Assuming a case where both are run by private companies, why would one be more deserving of your trust than another?
ISP: 5.0%
VPN: 95.0%
40 votes \ 3h left
If you do trust your VPN provider more, why?
reply
127 sats \ 4 replies \ @optimism 18h
Not trust, but less regulated.
  1. VPN is in a privacy-respecting jurisdiction, but my ISPs often aren't - i.e. using one of those popular "anonymous" 3at or proximus esims, you're basically getting packet logged in resp. Austria or Belgium.
  2. ISPs are often mandated by law to keep logs, VPN I use is explicitly excluded from that in their jurisdiction
  3. My VPN doesn't have any KYC (neither does any of my esim providers though)
  4. MOST IMPORTANT: I don't use a single VPN account. I switch prepaid VPN accounts when I switch eSIMs (and these I switch with every border crossing)
reply
I did some quick googling about packet logging, but couldn't get a sense of what the implications are. (Speaking as one who often uses esims while traveling)
reply
202 sats \ 2 replies \ @optimism 16h
Packets are the atomic data containers that you use to communicate over the internet.
Packet logging is simply the act of capturing that data at the transport level. Often packets are logged, processed and discarded [1]. Much of this originates from the EU - of which both Belgium and Austria happen to be member states. To the best of my knowledge, the main body of text covering this is Directive 2006/24/EC.

Footnotes

  1. For example, the 2005 comms law in Belgium (only available in Dutch, ugh) dictates a ton of information that needs to be stored by Belgian operators based on usage (including usage that fails.) This includes for example timestamps of sessions, with IP and port information. In practice, most (allegedly all) Belgian ISPs consistently fail to do this because it's too much data to store except for the KYC parts, which you avoid by ordering through a middleman internationally.
reply
100 sats \ 1 reply \ @Scoresby OP 15h
But if it's https aren't they encrypted? I'm sure there is meta analysis one can do on them, but I have been under the impression that encryption prevents some of it.
Now, there is also maybe the risk that they are storing the packets until encryption is broken...but I'm not too worried about that.
reply
102 sats \ 0 replies \ @optimism 15h
Very good questions!
> But if it's https aren't they encrypted?
The traffic is, but on all popular OSs (win/android/ios/macos), you have to manually configure encrypted DNS for your DNS lookups to not be in cleartext and the IP address that you're communicating with is too (and it's trivial to reverse-lookup) so your ISP can easily find out where you're going.
> there is also maybe the risk that they are storing the packets until encryption is broken
There were some allegations that specific traffic, like all tor traffic, gets logged for later correlation, but I can't remember if I've seen direct evidence of that. Wouldn't surprise me though if that were the case.
But for the majority of traffic this wouldn't be feasible. I.e. an X post with 3 million views would be stored 3 million times, including all the megabytes of bloat surrounding the actual few 100 characters... Now imagine a 7GB youtube HD video. A Netflix series everyone binge watches... and so on.
reply
because I pay them with LN bitcoin and there is no KYC. all they see is tls traffic, no way to snoop.
reply
don't they also see your ip address and every site you visit (and also your browser fingerprint)?
reply
yes, sure. everything can be unraveled if there is a good reason. I rotate several vpns to make it harder, including my own hosted at aws free tier.
reply
172 sats \ 7 replies \ @brunenzio 20h
An argument toward VPN is that their whole business is related to how much people trust them, while ISPs do not need this because their business rests on basic internet availability.
However, this line of reasoning is based on rational behaviour and good faith, which means it will likely not be a good model of reality.
reply
Exactly! At the end of the day, a VPN could sell you out/leak your data just as much as your ISP.
Main difference is that with a VPN you send a signal saying that you're willing to pay something to try to keep your ISP from seeing what you are doing.
reply
Not just my ISP, but the sites I am visiting to not know where I am from.
reply
valid point! so a VPN does provide this service for their customers: keeping the customer's ip address hidden from sites they visit.
I wonder why ISPs don't offer this as a service?
reply
The only thing I trust about my ISP is their incompetence and lack of interest in what I access. Even so, I tend to trust the VPN company more because of their entire business model, especially if the payment is via LN.
reply
because their upstream connections are optimized for high throughput and low latency. to be a good VPN one must run servers in all corners of the world. the best ones offer split tunneling and lan isolation, so their apps must run locally on your devices.
reply
102 sats \ 0 replies \ @brunenzio 20h
Of course it can, and sometimes it definitely does (that's a gut feeling induced by simple inference from standard behaviour on tech space).
However, VPNs are also used for work reasons, so I believe ISPs cannot discriminate between the case of someone wanting to hide and someone who uses VPNs for work, and thus don't pay much attention to whoever uses it. Actually, I don't even know how the ISP can know you are using a VPN, so I realize I am writing almost meaningless words.
reply
You don't need to run faster than a grizzly bear to survive. You just need to run faster than the next guy. My security model assumes that if my VPN provider leaks, it won't be my data. So I will have time to jump ship.
reply
102 sats \ 0 replies \ @kepford 18h
This is a great question and few seem to even ask it which always makes me think they have no idea what is going on.
My answer is it depends. How much do I need to trust them and with what info.
My ISP has way more info about me than any VPN provider would let alone the providers I actually use.
I will say that for me I do not have to trust my VPN provider as much as I have to trust my ISPs.
reply
102 sats \ 0 replies \ @j7hB75 18h
Neither? If I had to choose though, VPN. Specifically, Mullvad VPN.
reply
133 sats \ 0 replies \ @aljaz 20h
Neither can or should be trusted
reply
Lmao ISP doesn’t even pretend to care
reply
112 sats \ 1 reply \ @NovaRift 6h
Smartest reply
reply
💯
reply
None of them is absolutely trustworthy. Not even my bank, obviously.
But in general, I have more choices in choosing a vpn (after due research) than in choosing my isp, which would be more heavily regulated by the government that rules my land.
Hence, I would be more comfortable with my vpn than with my isp
reply
Under many conditions, a VPN provider. However, if you run your own VPN server locally and you have the right configuration, then you can be 100% sure that your data are not at risk!
reply
Easy, neither.
reply