Be Careful Choosing a VPN (Obviously)

Using a reputable VPN (virtual private network)1 to protect yourself when you use public Wi-Fi is basic computer security. It’s either that or stay off of public Wi-Fi entirely and use your phone as a personal hotspot. This is where the security experts point out that there is a third option.

Yes, a third option. If you are careful to use only websites and services that are properly configured for HTTPS (TLS, the protocol that replaced SSL), your traffic is encrypted between your device and that service, and anyone else on the Wi-Fi network sees only which servers you are talking to, not what you say to them. That includes your email: your mail client must be set to use TLS for sending and receiving, and ideally your email server should refuse connections that don’t. If you understand how to check that, feel free. For most regular users (and I put most lawyers in this category), it is safer to rely on a VPN or personal hotspot to cover the traffic that still crosses the network in the clear: plain HTTP sites, and email clients or apps that aren’t configured for TLS.
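The email half of that third option is the part most people never check, so here is an added example (not code from the original post) that does it: a small Python script that connects to a mail server’s IMAP and SMTP submission ports and reports whether the server offers STARTTLS and whether it refuses to accept a login before TLS is negotiated. The hostname `mail.example.com` is a placeholder; the parsing functions are exercised below on constructed server responses, and the live probes run only when you pass your own server on the command line.

```python
"""Probe whether a mail server lets a client log in over a plaintext connection.

Added example, not code from the Lawyerist post. It connects to the STARTTLS
ports of an IMAP server (143) and an SMTP submission server (587), then reports
whether each offers STARTTLS and whether it refuses to authenticate before TLS.
The default hostname is a placeholder; pass your own server on the command line.
"""
import socket
import sys


def parse_imap_capability(line: str) -> dict:
    """Interpret an IMAP greeting or CAPABILITY response line.

    A server that advertises LOGINDISABLED alongside STARTTLS (RFC 3501/2595)
    rejects a plaintext LOGIN, which is what you want to see on port 143.
    """
    up = line.upper()
    caps = set()
    if "[CAPABILITY" in up:
        # Greeting form: '* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready'
        caps = set(up.split("[CAPABILITY", 1)[1].split("]", 1)[0].split())
    elif up.startswith("* CAPABILITY"):
        # Response form: '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED'
        parts = up.split(None, 2)
        caps = set(parts[2].split()) if len(parts) > 2 else set()
    return {"starttls": "STARTTLS" in caps,
            "plaintext_login_refused": "LOGINDISABLED" in caps}


def parse_smtp_ehlo(response: str) -> dict:
    """Interpret the multi-line EHLO reply received before STARTTLS.

    If AUTH is listed here, the server will accept credentials on the
    unencrypted channel; a well-configured server offers AUTH only after TLS.
    """
    keywords = set()
    for raw in response.splitlines():
        if raw.startswith("250") and len(raw) > 4:
            # Lines look like '250-STARTTLS', '250 SIZE 35882577' or legacy '250-AUTH=PLAIN'
            keywords.add(raw[4:].split(" ", 1)[0].split("=", 1)[0].upper())
    return {"starttls": "STARTTLS" in keywords,
            "plaintext_login_refused": "AUTH" not in keywords}


def verdict(result: dict) -> str:
    """Turn a parse result into a one-line judgement."""
    if result["starttls"] and result["plaintext_login_refused"]:
        return "OK: STARTTLS offered and plaintext login refused"
    if result["starttls"]:
        return "WEAK: STARTTLS offered, but a misconfigured client can still send credentials in the clear"
    return "BAD: no STARTTLS; credentials and mail cross the network unencrypted"


def probe_imap(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Read the greeting (and CAPABILITY, if needed) from a live IMAP server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace")
        greeting = f.readline()
        result = parse_imap_capability(greeting)
        if "[CAPABILITY" not in greeting.upper():
            s.sendall(b"a1 CAPABILITY\r\n")
            for line in f:
                if line.upper().startswith("* CAPABILITY"):
                    result = parse_imap_capability(line)
                if line.startswith("a1 "):
                    break
        s.sendall(b"a2 LOGOUT\r\n")
    return result


def probe_smtp(host: str, port: int = 587, timeout: float = 5.0) -> dict:
    """Send EHLO to a live SMTP submission server and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace")
        f.readline()  # 220 banner
        s.sendall(b"EHLO probe.invalid\r\n")
        lines = []
        for line in f:
            lines.append(line)
            if line[3:4] == " ":  # a '250 ' line (space, not dash) ends the reply
                break
        s.sendall(b"QUIT\r\n")
    return parse_smtp_ehlo("".join(lines))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder hostname
    for label, probe in (("IMAP 143", probe_imap), ("SMTP 587", probe_smtp)):
        try:
            print(label, verdict(probe(host)))
        except OSError as exc:
            print(label, "could not connect:", exc)
```

Run it as `python3 mailtls.py imap.yourfirm.example` against your own server. A result other than "OK" on either port means your provider is relying on every client on every device being configured correctly, which is exactly the situation the VPN advice above is trying to paper over.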

Here is the catch. If you rely on a VPN or personal hotspot, that effectively means sending all your traffic through one service (the VPN provider, or your mobile carrier). Therefore, you have to be able to trust your VPN provider. And, this should go without saying: not all VPN providers are trustworthy.

In fact, some VPN apps, especially free ones, have been found to bundle malware or tracking code. So how do you know which VPN you can trust?

For starters, avoid free VPN providers. (Running your own VPN server, an OpenVPN install on a cheap virtual server for example, costs next to nothing, but that is for advanced users only.) In general, free VPNs aren’t really free. They make money by injecting ads or trackers into your traffic, or else by harvesting and selling your browsing data. Neither is good if security, privacy, and confidentiality are part of your reason for using a VPN in the first place.2

Choosing a VPN provider that suits your needs will depend, first and foremost, on your threat model. (And no, lawyers don’t all have pretty much the same threat model. That’s a dangerous assumption. Take the time to come up with your own threat model.) That One Privacy Site has a fairly detailed guide to choosing a VPN as well as a comparison chart. Make sure you know what the flags mean so you can decide whether they matter to your threat model.

At Lawyerist, for example, we use Cloak. It has red flags in three columns on the comparison chart at That One Privacy Site, but they aren’t critical to our threat model. Further, we are comfortable with Cloak’s policies related to each of those red flags. Plus, Cloak is easy to use and reliable, which are especially important factors to us. We have a few other VPN recommendations here.

To sum up, a VPN can be an effective way to protect your traffic when using public Wi-Fi3, but choose carefully. A VPN encrypts only the hop between you and the provider’s servers; anything that isn’t itself encrypted (a plain HTTP site, an email connection without TLS) is visible to the provider and leaves the provider’s network in the clear. When you choose a VPN provider, you are choosing to trust that provider with all of that unencrypted information. You’ve got an ethical (and practical) obligation to assess the benefits and risks before you make that choice.

  1. Note: this is not the same kind of VPN you may use to connect to your firm’s file server. Both are VPNs, but we are talking about VPNs as a “secure line” to the internet at large, not just to your firm’s file server. 

  2. As opposed to escaping geoblocking. 

  3. Public Wi-Fi refers to any Wi-Fi network on which you don’t know and trust every other device connected to it. It doesn’t matter if there is a password to connect, because everyone who has the password is on the same network and can see every other device on it. 


  1. Richard Tucker says:

    To be fair, there is no expertise required on behalf of an end user to have “properly configured HTTPS/SSL”. The only “expertise” required is to look for the padlock in the address bar (just as it appears for!). This is as simple as it gets, and there isn’t a service out there worth using that doesn’t come HTTPS/SSL ready. Am I missing something?

    • Sam Glover says:

      Kind of. Many HTTPS implementations are “leaky.” At a minimum you should use the EFF’s HTTPS EVERYWHERE plugin to make sure you are actually protected. But email is the potentially bigger hole. If you are using an email client like Outlook or Mail on iOS, you need to make sure you are using SSL to send and receive email. Better yet, your email server should be configured to require it.

      • Richard Tucker says:

        Leaky HTTPS is highlighted to users with a missing padlock symbol. I’d advise getting in the habit of checking for the padlock when submitting confidential data on a website. If the padlock is gone, it’s no longer secure for data in transit. The problem of using a VPN provider for this issue is that it will only protect between you and their VPN infrastructure; it will do nothing to protect between the VPN provider and the actual website, nor will it protect around poor controls for data at rest, which I’d be equally worried about for a site with leaky HTTPS. Indeed, at worst, having a VPN to protect against leaky HTTPS is a false sense of security.

        Totally agree about email; that said, it is better to ask your email provider to confirm that SSL is enforced, as a VPN on a PC does nothing to support email going to your mobile devices – better to have SSL enforced by default by your provider for all email connections, and this is a non-issue, as all emails in transit to user devices will be protected regardless of device. Indeed, if you have an email provider who is not doing this (it is trivial on modern email systems), there are additional worrying things to be asking about their stance on security. Make your email providers manage this risk, don’t put band aids in on their behalf.

        • Sam Glover says:

          Yes, VPN is not a substitute for improperly implemented HTTPS.

          My thinking is that, to the extent possible, we should recommend tools that minimize reliance on the end user (making sure there’s a padlock, for example). That’s easier in an enterprise environment, but that’s not what you find here. Over half of lawyers practice alone or in small firms where they are their own IT department, including security. A reputable VPN is good protection from local threats, HTTPS and SSL are good protection from remote threats, but harder to enforce. The best you can do is advise people to install HTTPS EVERYWHERE, urge people to pay attention to the padlock, talk about SSL for email, (and good passwords, and …) and cross your fingers that nobody screws up.

          Lawyers aren’t particularly receptive to the idea that security requires practice, not just a one-time fix. So I try to recommend the one-time fixes to get them out of the way and then do the hard work of trying to teach lawyers the importance of practicing security every day.

          • Richard Tucker says:

            Well, doing something is definitely better than doing nothing! Kudos for giving awareness to security. Oh, and I very much enjoy your blog, and in particular the podcast!
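The exchange above turns on what "leaky HTTPS" means in practice. Two of the common causes are checkable without any browser plugin: a site that serves its page over HTTPS but pulls scripts, images or form targets over plain HTTP (mixed content, which is what removes the padlock), and a site that never sends a Strict-Transport-Security header, so the browser will still follow a plain http:// link to it next time. The following Python script is an added example, not code from the post or from either commenter; the response headers and HTML it inspects are constructed samples, not captured from any real site.

```python
"""Offline checks for two ways a site's HTTPS can be 'leaky'.

Added example, not part of the Lawyerist post or its comments. The headers and
HTML below are constructed samples, not captured from any real site; header
names are assumed to arrive already normalised to their canonical spelling.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Six months is the commonly recommended floor for HSTS max-age.
SIX_MONTHS = 180 * 24 * 3600

# Elements whose http:// URLs cause the browser to fetch or submit something.
# A plain <a href="http://..."> is a navigation, not a leak from this page.
LOADING_TAGS = {"script", "img", "iframe", "link", "form",
                "source", "video", "audio", "object", "embed"}


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if the header is absent or unusable."""
    if header_value is None:
        return None
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            max_age = int(value)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class _MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for resources loaded or submitted over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href", "action") and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    scanner = _MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def assess(page_url, headers, html):
    """Summarise an HTTPS page's transport hygiene from its response headers and body."""
    issues = []
    if urlsplit(page_url).scheme != "https":
        issues.append("page itself is plain HTTP")
    hsts = parse_hsts(headers.get("Strict-Transport-Security"))
    if hsts is None:
        issues.append("no usable Strict-Transport-Security header")
    elif hsts[0] < SIX_MONTHS:
        issues.append("HSTS max-age below six months")
    for tag, attr, url in find_mixed_content(html):
        issues.append(f"mixed content: <{tag} {attr}={url}>")
    return issues


# Constructed sample response: a short-lived HSTS policy, one script and one
# form target fetched over plain HTTP, and two references that are fine.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=300"}
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="https://example.com/site.css">
</head><body>
<form action="http://example.com/login"><input name="password"></form>
<a href="http://example.com/about">About</a>
<img src="//example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for issue in assess("https://example.com/", SAMPLE_HEADERS, SAMPLE_HTML):
        print("-", issue)
```

To use it on a real page, fetch the URL with `urllib.request` (or `curl -D -`) and pass the response headers and body to `assess`; the login form posting to plain HTTP in the sample is the case the commenters are worried about, since the browser shows a padlock on the page while the submitted password travels unencrypted.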
