I am deciding to make this forum post to try, and hopefully the community can prove me wrong. Of course, threat model according to your situation, not mine.
So a VPN provides two main guarantees.
Hiding your IP address from websites online to prevent IP based tracking.
Hiding your traffic from only your ISP.
Sure, a VPN can be used to access geo-blocked content, but it doesn’t always work.
I’ll first address the first point:
You can be tracked via IP address online, but this by no means is the only form of tracking. It has been proven time and time again that this form of tracking is not really effective. A browser fingerprint is far more likely to be used.
In my situation at least, I am behind something that is called CGNAT. This makes many people (equivalent to an average VPN server if not more) share the same IP address. Both 5G home internet and Telecom networks have this kind of NATting because of the shortage of IPv4 addresses.
Second point:
What information can ISPs gain by logging the domains you visit (VPNs still have their use-cases like for torrenting, but I am talking about day to day traffic)? Sure they can sell that data to Big Tech, but if you are already using something like Pihole or NextDNS combined with UBO, how much is their tracking actually effective at that point? If the data is sold to, say, Google, how would they realistically use it? If you were visiting a page like Amazon searching for a hard drive, Amazon could sell that data maybe, and correlate with your IP address (but again, leads to my first point).
So combined with something like Brave’s tracking protections, or Mullvad Browser and UBO, a VPN has essentially no benefits (combined with the first point).
Lastly, Tor is a completely different topic on the other hand and has a completely separate use-case. I won’t dive into it. It’s outside most people’s threat models.
You can be tracked via IP address online, but this by no means is the only form of tracking. It has been proven time and time again that this form of tracking is not really effective. A browser fingerprint is far more likely to be used.
This is true, but only in the browser.
If you are, for example, joining a Minecraft server, the IP is used for tracking.
Sure they can sell that data to Big Tech, but if you are already using something like Pihole or NextDNS combined with UBO, how much is their tracking actually effective at that point?
The first packets from the client and web server (Client Hello) are unencrypted. In there you have a few data sets like the domain. So even with strict HTTPS, TLS 1.3 and DoH, the ISP or Network Owner (pub. Wi-Fi) is able to say which website you visit.
In addition, the ISP also gets your SIM Id. (IMEI) and the approximate location for your device.
They are also able to make a user profile on when and how often you use the phone (how much traffic from your device goes when out).
It should be also mentioned that depending on your country your ISP is forced to have a data retention policy.
And please also be aware that if you live in the EU the GDPR doesn’t protect you much on the ISP side.
I would rate the EU ISP and the US ISP at the same level.
Again leads to my first point. If one shares an IP address with many people this is not an issue. Same benefits that a VPN has. Also IP address is not used as the main way as an identifier. It is your public UUID that can be used to track you.
I know I said that here:
This is an issue with or without a VPN regardless. A VPN only encrypts all the packets sent to the VPN server. The ISP can still see the volume of the data (how much data there actually is). The only way to solve this issue is to remove the SIM from your phone.
Yes, but I’d argue most of that data is very vague. Again, I am talking about day to day browsing on the internet.
I agree with that. Although, at least the EU does have the GDPR. Most US states have nothing.
You bring up a good point. I usually don’t use VPNs for day-to-day use either, so maybe I won’t convince you otherwise, but I’ll mention why I do use VPNs.
Connect back to my home server when I’m out of the house
Torrenting (you already mentioned that)
Hide my IP address from a new Google account that only exists on my GrapheneOS profile that downloads app updates from the Playstore.
Otherwise, yeah, I’ll agree always-on VPN probably causes more inconvenience than benefits.
There has been enough discussion about this and the videos available from PG and Techlore should conclusively answer this question.
To me the answer is quite simple and I no longer overthink and analyze about this. If it does what it needs to do and if you need it (the two points you mentioned), then yes it is really needed. Plus, geo-unblocking and torrenting are other reasons to use a good VPN too.
Is it always needed? I would say yes even though a case can be made for not always needing it. But I don’t think it does more harm than good and only helps even if you always have it on so might as well use it if you’re buying it.
To answer your titular question more directly - it depends on what you’re trying to achieve and why. Seems like you know enough about VPNs to answer this yourself.
Depends on the situation. If you, say, need to access your home network from the outside world, it becomes really inconvenient, because there is only one VPN on both iOS and Android. iOS makes this even harder because of how restricted it is.
Well, I am trying to argue against these points. For example, I’d say if one is on a mobile network, a commercial VPN isn’t really useful. Depending on the person, this might just cause more harm than good.
I do and very well could answer myself. I just wanted to ask the community about this as I was curious about other people’s thoughts. Being behind CGNAT is very popular within the US, because 5G home internet tends to be cheaper than fiber. This kind of internet could be from major Telecoms like Verizon, Xfinity, or T-Mobile.
I’ve been thinking about this and such questions more, the more I see them. And I think I have finally come to a conclusion.
There is no one right answer. We all know what VPNs do and don’t and can do and can’t - so, the answer to such a question is always that it depends on what you’re trying to achieve and what your use case and needs are.
I think that may as well be the final word on the debate on if VPNs are really needed. I also feel the question itself is incomplete because it does not account for the nuances for and against VPNs and thus leads to debates.
–
Consider this more of a general comment and not necessarily directed to you or to your main post. I can finally let go of this topic now that I have my own conclusive deductions for the same.
@anon52464727 has the ultimate answer in their post. The only thing I’d add is that often people view privacy tools as all or nothing. By that I mean viewing it as either the tool is a cloaking device from everything or it’s useless.
You may want to hide your traffic from a local network but not care that the end point knows who you are. For instance if you’re traveling in a country known to target people like you with malware, having a VPN on while you’re there could make you more difficult to target.
Say I was in a foreign country that may try to infect my phone with malware. If they see I’m connected to my bank website they could send a social engineering SMS pretending to be my bank that says “we see you logged in from an unusual location, click this link to validate it’s you” where that link is a one-click mercenary spyware payload.
Having a VPN enabled would prevent that avenue of targeting.