Using a reputable VPN (virtual private network)1 to protect yourself when you use public Wi-Fi is basic computer security. It’s either that or stay off of public Wi-Fi entirely and use your phone as a personal hotspot. This is where the security experts point out that there is a third option.
Yes, a third option. If you are careful only to use websites and services that are properly configured to use HTTPS/SSL, you should be safe. That includes your email server. If you understand how to do that, feel free. For most regular users (and I put most lawyers in this category), it is safer to rely on a VPN or personal hotspot to protect you when you are connecting to the unencrypted half of the internet.
Here is the catch. If you rely on a VPN or personal hotspot, that effectively means sending all your information through one service. Therefore, you have to be able to trust your VPN provider. And, this should go without saying: not all VPN providers are trustworthy.
In fact, a lot of VPN providers contain viruses and malware. So how do you know which VPN you can trust?
For starters, avoid free VPN providers. There are notable exceptions like rolling your own OpenVPN install, but that’s for advanced users only. In general, free VPNs aren’t really free. They make money by inserting one thing or another into your information, or else they harvest your information. Neither is good if security, privacy, and confidentiality are part of your reason for using a VPN in the first place.2
Choosing a VPN provider that suits your needs will depend, first and foremost, on your threat model. (And no, lawyers don’t all have pretty much the same threat model. That’s a dangerous assumption. Take the time to come up with your own threat model.) That One Privacy Site has a fairly detailed guide to choosing a VPN as well as a comparison chart. Make sure you know what the flags mean so you can decide whether they matter to your threat model.
At Lawyerist, for example, we use Cloak. It has red flags in three columns on the comparison chart at That One Privacy Site, but they aren’t critical to our threat model. Further, we are comfortable with Cloak’s policies related to each of those red flags. Plus, Cloak is easy to use and reliable, which are especially important factors to us. We have a few other VPN recommendations here.
To sum up, a VPN can be an effective way to protect your computer when using public Wi-Fi3, but choose carefully. When you choose a VPN provider, you are choosing to trust that provider with any unencrypted information you send over that VPN. You’ve got an ethical (and practical) obligation to assess the benefits and risks before you make that choice.
Note: this is not the same kind of VPN you may use to connect to your firm’s file server. Both are VPNs, but we are talking about VPNs as a “secure line” to the internet at large, not just to your firm’s file server. ↩
As opposed to escaping geoblocking. ↩
Public Wi-Fi refers to any Wi-Fi network for which you don’t know and trust every other computer connected to the same network. It doesn’t matter if there is a password to connect because every computer that is connected can see every other computer on the network. ↩