
On VPN Privacy and the Workplace (and school)

Good article today on Lifehacker about some of the issues with using a VPN, one that touches on two of my new favorite subjects: VPN privacy and remote work. A reader wrote in asking if they could use a VPN at their soon-to-be residence, which is paid for, and whose Internet access is provided, by the university where their spouse works.

One of my favorite parts of the article is this:

Some bored IT worker doesn’t care if you’re wasting time online (usually)

Before I went remote, when I had a desk in an office where I had coworkers who saw me on a regular basis, I’d run into the worry of whether I was somewhere monitoring what people were doing on the system. I had some coworkers who swore I was somewhere with a little window on my desk, watching web traffic scroll down my screen like Tank in The Matrix, but I never had any such thing. I think one of my ex-coworkers even had the idea that I was sitting at home monitoring their online habits after hours, which was patently ridiculous because: a) I left work at work to the greatest degree and b) I was busy writing and acting in plays after hours, which I would have preferred doing during hours, as it was.

As it stood, our managed services provider partners had the responsibility of monitoring edge equipment like routers and firewalls, so we didn’t concern ourselves with it internally. The only monitoring of web traffic they did was concerned less with content and more with the amount of bandwidth between our offices and their data center. Even when filtering was available going through their data centers’ web connections, we didn’t request any filtering outside of anything else they may have had in place for all of their customers, including us.

Our staff could also access the Internet outside of the MSP connections, but we didn’t monitor what anybody was doing. The only time that we even came close to any sort of monitoring was when we deployed an early wireless mesh network at one building. The system came with monitoring and when I’d log into the control panel – usually to see what any of the nodes were up to, if someone told me the wireless there was slow or something – I’d see which sites were being accessed, generally by all users. I was too busy and lacking interest to see what any particular user was up to. But I will say the people in that building used a ton of bandwidth going to Facebook.

It was a slightly different situation on the student network at the alternative high school program. On that network, I purposely deployed an Untangle gateway server (with OpenDNS for extra filtering) in order to monitor and filter what the students were up to. From the time I came on board, it was known that students would go online and do whatever they wanted. Whether it was general non-educational web surfing, social media, downloading music, whatever, students used a free and open Internet connection as such. And they were teens. Who could blame them? They didn’t even have web filtering or parental controls in my day. Even at school.

At some point, this situation became unacceptable and I came up with the Untangle gateway server as the solution. The server itself came with an app that I set up for filtering of categories and content, as well as the ability to filter specific websites. OpenDNS had the ability to filter sites via categories that they had compiled, too. And usually once or twice per month, I’d take a look at the Untangle logs to see what new websites the students were going to, in order to block them. A few of the more clever students would find some way around the filtering, usually through proxy websites. One of them, a really smart young man who has since passed away, unfortunately, went so far as to have fresh proxy websites delivered to his email. I’d block one and he’d go to another one, a game we played until he graduated.

I didn’t monitor any specific students, however. That was never an intention of mine or anybody else’s. We got the data we needed from monitoring and filtering the connection, not the individuals, and nobody ever got in any trouble because of our actions.

In the case of the reader who wrote in, it’s just as likely that there’s nobody sitting in the university’s data center monitoring what they themselves are specifically doing on the university’s Internet. But, as the author says, there may be flags in place in the case of certain content being downloaded or sites being accessed, specifically through DNS requests. Web browsing over HTTPS, and probably requests sent to devices like Google Assistant, are sent encrypted, so the university (their ISP in this case) may not be able to know what’s being sent, but without the reader’s using DNS over TLS (like Cloudflare’s 1.1.1.1), the university can know which websites are being accessed. Same goes for you at home, by the way.

If that’s okay with the reader, then they don’t need to use a VPN. Otherwise, if they want to use a VPN, there are a bunch of different options these days. Most of them have apps for Windows, macOS, iOS, Android, and Linux (including ChromeOS).

As the article also states, they can find a router with VPN client software. ASUS makes routers that come with client software. Some Netgear routers come with it as well. On the higher end of the price and feature scale, so does Synology’s lineup of routers and access points. And if you’re more technically inclined, you can use an alternative firmware on a router and get this functionality or even set up a Raspberry Pi. And if you’re really, really technically minded, you can set up a VPN with Linode or DigitalOcean or other such service online for this purpose.

#

It’s important to note that VPNs will only hide what you’re doing from your ISP. The VPN therefore will know what you’re up to, so your trust is placed into them instead of your ISP. Because of this, if you’re using a VPN, you’ll most likely want to use one that doesn’t log what you do, if you’re that interested in your privacy.

In the case of the reader, I would definitely want to use a VPN. I don’t know what their use case is fully, but knowing what I know, I’d want to go with a router with enough horsepower to make sure that I was able to use all of the allotted bandwidth. Hopefully they’re being provided with a router in their residence that can accept a downstream connection. Then they can use their own router with a VPN configured. This is mostly because they’re using cameras and devices that use Alexa. It might be easier to just put the VPN on the outside connection than on every single device they may find themselves using.

I don’t know what his spouse’s job is, but given the climate around universities and academic freedom, unless the university says don’t encrypt, I think it would be a good idea to encrypt with a no-log VPN, and use that service for as much of their surfing as they deem necessary. Yes, it will slow down their connection, but it may offer some peace of mind. Instead of the university knowing exactly what they’ve been up to, the school might have to do some digging and either be unable to find out or unwilling to go as far as necessary to find out something about their web usage habits.

#

As for your web surfing with your employer, common sense says if your employer hands you a machine for your work, only do work on it, nothing of a personal nature. We did not monitor anything on the laptops that we were loaning out, but that doesn’t mean that your employer is the same. There’s obviously a use expectation, so it’s better to be on the safe side and use your own equipment for your own Internet usage. Unless you are IT and you know how it all works and you’re the person who might be doing the watching and nobody’s watching you and you know how to subvert it, in which case, knock yourself out.