
The VPN Truth

It hides one thing well and a dozen things not at all. The trouble is the confidence it sells you on the rest.

A few years back a younger colleague — bright, careless, the worst combination — told me he didn't worry about his connection anymore. He had a VPN. He said it the way some people say they've found religion. I asked him what he thought it actually did. He couldn't tell me. He just knew it made him safe.

He was wrong about the safe part, and he was wrong in the most dangerous way: with confidence. So let me do for you what I did for him, only without the drink I needed afterward.

What it really is

A VPN is a tunnel. Nothing more mystical than that. Instead of your device talking to the wider network in the open, it builds an encrypted pipe to a server somewhere, and everything you do goes through that pipe first. The world sees the server. It doesn't see you — or rather, it sees a different address wearing your traffic.

Two things come out of this, and they're worth being precise about.

Your traffic is scrambled between you and that server. On the café Wi-Fi, the hotel network, the airport lounge — the places where someone bored and technical might be sitting on the same connection listening — that scrambling is real and it's worth something. The snoop sees noise. Good. That is the one job a VPN does cleanly.

Your address is swapped for the server's. The website you visit logs the server, not your front door. To a casual observer, you appear to be wherever the server lives. Useful for not handing your location to every site you touch, and for reaching things that pretend not to exist in your country.

That's the honest list. Hold onto it, because now comes the part the advertising leaves out.

What it does not do

The tunnel ends at the server. After that, your traffic walks out the other side and into the open internet like everyone else's. The VPN protects the journey to the server. It does nothing for the destination.

So:

  • The site you log into still knows it's you, because you logged in. The cape doesn't hide the name on the door you just opened with your own key.
  • Every cookie, tracker, and fingerprint your browser carries still rides along. Change your address all you like — your browser is still wearing the same distinctive coat.
  • The VPN company itself can see everything you route through it. You haven't removed the watcher. You've changed which watcher you're trusting, from your network provider to a business whose whole pitch is "trust us." Some deserve it. REDACTED built a fortune selling exactly the logs they swore they never kept.

That last point is the one that costs people. A "no-logs policy" is a promise on a webpage, not a law of physics. I have seen too many promises on webpages to take any of them at face value. Assume the operator can see you, and choose one you'd be comfortable being seen by.
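
The first two points in the list above, seen from the destination's side. This is an added example, not part of the original piece: a Python sketch in which the requests, addresses (documentation ranges), cookie values and header strings are all constructed, and the two-header fingerprint is a simplified stand-in for real browser fingerprinting.

```python
import hashlib
from collections import defaultdict

# Constructed sample of what a destination site receives. IPs are from
# documentation ranges; cookies and header values are made up.
UA_A, UA_B = "ExampleBrowser/1.0 (X11; Linux)", "OtherBrowser/7.2 (Windows)"
REQUESTS = [
    {"ip": "192.0.2.10",    "cookie": "sid=a1b2c3", "ua": UA_A, "lang": "en-GB"},  # 0: home line, no VPN
    {"ip": "198.51.100.77", "cookie": "sid=a1b2c3", "ua": UA_A, "lang": "en-GB"},  # 1: same browser, VPN on
    {"ip": "198.51.100.77", "cookie": None,         "ua": UA_A, "lang": "en-GB"},  # 2: VPN on, cookies cleared
    {"ip": "198.51.100.77", "cookie": "sid=zz99",   "ua": UA_B, "lang": "de-DE"},  # 3: another customer, same exit
]

def header_fingerprint(req):
    """Coarse stand-in for browser fingerprinting: a hash of two headers.
    Real fingerprints combine many more signals; the point is only that
    none of them depend on the network path."""
    return hashlib.sha256(f"{req['ua']}|{req['lang']}".encode()).hexdigest()[:12]

def group_by_ip(requests):
    """What an observer keyed only on source address would conclude."""
    groups = defaultdict(list)
    for i, req in enumerate(requests):
        groups[req["ip"]].append(i)
    return sorted(groups.values())

def link_visitors(requests):
    """Cluster request indices that share a cookie or a header fingerprint."""
    parent = list(range(len(requests)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for i, req in enumerate(requests):
        keys = [("fp", header_fingerprint(req))]
        if req["cookie"]:
            keys.append(("cookie", req["cookie"]))
        for key in keys:
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # merge the clusters
            else:
                first_seen[key] = i
    clusters = defaultdict(list)
    for i in range(len(requests)):
        clusters[find(i)].append(i)
    return sorted(clusters.values())

if __name__ == "__main__":
    print("by source IP:         ", group_by_ip(REQUESTS))
    print("by cookie/fingerprint:", link_visitors(REQUESTS))
```

Keyed on address alone, request 0 looks like a stranger to requests 1 and 2, and an unrelated customer of the same exit gets lumped in with them. Keyed on what the browser carries, the three requests from one browser fall back together and the stranger drops out.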

The confidence problem

The real danger of a VPN isn't technical. It's psychological. It changes how people behave. They do things on a "protected" connection they'd never do on a naked one — log into the wrong account, click the wrong link, type the wrong thing — because a small green icon told them they were invisible. They weren't. They were merely tunneled.

A tool that makes you feel safer than you are is worse than no tool at all. The careful man with nothing trusts nothing and stays sharp. The careless man with a VPN relaxes, and relaxing is how you get caught.

How to actually use it

Run it on networks you don't control — that's where the encryption earns its keep. Pick an operator with a real reputation and a jurisdiction that isn't friendly to fishing expeditions. And keep your behavior exactly as careful as it would be on the most exposed connection you can imagine. The tunnel is a layer. It is not a disguise, it is not a cleaner, and it is certainly not absolution.

My careless colleague, by the way, got himself in trouble eventually — not because his VPN failed, but because he believed it wouldn't. Different lesson, same root.

Names moved, the operator left nameless on purpose. The principle is real, and it's cost real people.

Encryption protects the road. It says nothing about where you chose to drive.

— M.