Who Owns, Operates, and Develops Your VPN Matters
Perceived value and common use cases
- Many see commercial VPNs as a marketing-driven “money-making scheme” built on vague promises of “security” and “identity theft protection.”
- Actual user reasons skew concrete: piracy/torrents, porn, bypassing geo-blocks for streaming or crypto, avoiding ISP complaints, evading campus/office/public Wi‑Fi blocks, and slightly safer political shitposting.
- A minority use VPNs for routing/peering improvements, roaming between ISPs without dropping connections, and hiding their home IP address when posting or running services.
Trust, ownership, and logging
- Strong skepticism that price or slick branding correlates with trustworthiness; some suspect intelligence or criminal ownership, especially of very heavily advertised services or those linked to Israeli firms.
- Doubts that “no log” claims would survive serious government pressure or national-security demands; audits can’t see what happens in secret rooms or after a court order.
- Some still prefer VPNs over ISPs, especially in countries with mandatory logging or censorship; others prefer ISPs they can sue under local law.
Threat models and limitations
- Repeated refrain: “threat model matters.”
- VPNs are seen as adequate for low-level legal risk (copyright, minor speech issues), not for high-stakes crimes or evading powerful state actors.
- Correlation/traffic analysis (timing, size, path) and browser/device fingerprinting can often deanonymize users regardless of IP address or VPN use.
DIY VPNs and alternatives
- Self-hosted VPNs on VPS/home servers are common for ad-blocking DNS, safer use of public Wi‑Fi, and avoiding ISP snooping, but don’t provide strong anonymity and often get blocked by major sites.
- Mentioned alternatives: Tor, Tailscale/WireGuard meshes, onion payment to VPNs, and zero-/multi‑party relay schemes (MASQUE, iCloud Private Relay, multi-party relay services).
Censorship, speech, and politics
- VPNs are viewed as vital in more repressive regimes or where porn/social media age-verification regimes effectively censor content.
- Debate over “self‑censorship” vs. using VPNs to speak more freely about controversial politics.
Technical nuances
- HTTPS, HSTS, SNI, DNS hijacking, browser fingerprinting, and MASQUE/iCloud Private Relay are all discussed as shaping what VPNs can and cannot protect.
- Some enthusiasm for traffic obfuscation (padding/chaff, DAITA-like systems) but recognition that correlation attacks remain hard to defeat.
Findings referenced from the report
- “More transparent, no concerning findings”: Mullvad, TunnelBear, Lantern, Psiphon, ProtonVPN.
- “Anonymous operators, potentially concerning”: several mid-tier/mobile-focused services (e.g., Astrill, PureVPN, Potato VPN and others).
- “Concerning/suspicious, avoid”: a cluster of mostly mobile/free VPN brands tied to opaque entities (Innovative Connecting, Autumn Breeze, Lemon Clove, various “Melon/Snap/Turbo/Super” VPNs, etc.).
- Some commenters question why major market leaders like NordVPN/ExpressVPN weren’t analyzed.