What’s a VPN? How does it work? And what privacy benefit does it offer?

April 11, 2018

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

 

The vast majority of the time on computers or smartphones is spent connected to the internet: browsing websites, watching online videos, using social media, etc. An individual’s internet history can reveal some of his or her most personal information, including sexual orientation and political ideology. Despite the interest in keeping our internet activity private, much of it can be logged or monitored to varying degrees by internet service providers (ISPs), law enforcement agencies, and the very websites that we visit. Fortunately, virtual private networks (VPNs) can add an additional layer of privacy while browsing the internet. This article explains how VPNs work and explores their privacy implications.

What is a VPN and How Does It Work?

To understand how a VPN service works, it is instructive first to understand the basics of a standard internet connection.[1] A computer connects to the internet via a modem that is often provided by one of the ISPs, such as Rogers or Bell. Each ISP issues a unique series of numbers known as an IP address to each of its customers’ modems. An ISP is able to trace a modem’s IP address back to the customer under whom the modem is registered. An IP address can also be used by anyone to track the general geographical location of a device that is connected to the internet.

Our interactions with a website typically consist of our modem sending electronic requests to receive information that is stored on the website’s server. This process involves several steps. First, an initial request is sent from our device to our ISP, which then routes the request to the web server storing the information. After receiving the request, the web server sends the information back to our IP address. The information transmitted during the entire process can be monitored and logged by the ISP.[2] The web server can also keep a record of the information that it sends to any particular IP address.

A VPN service essentially acts as a secure middleman between our ISP and the website server.[3] When a VPN service is turned on, our ISP connects our device to a VPN server. Unlike a normal internet connection, all of the information that travels between the VPN server and our device is encrypted and cannot be deciphered by the ISP. This secure connection is known as a “VPN tunnel”. When you use a VPN, an encrypted request is routed by the ISP directly to the VPN server—not to the web server. After receiving the request, the VPN server sends its own request using a new IP address to retrieve the information from the website’s server. From the perspective of the web server, it is the VPN’s IP address—not the IP address of the end user—that is requesting the information. The VPN server encrypts the information received from the website’s server and sends it back to our IP address. Not only is the ISP unable to decrypt the information, but since the encrypted information is sent directly from the VPN to our device, the ISP is also unaware of the website from which the information originated.

Privacy Implications 

There are three main privacy implications of using a VPN while browsing the internet. First, to comply with the Copyright Act, Canadian ISPs keep a temporary record of each IP address that they assign to a modem.[4] In addition, an ISP is able to maintain a record of the websites visited and the content downloaded by an IP address, although the extent to which any ISP engages in such practices is unclear and it is unlikely that an ISP is actively monitoring its customers’ internet activity. Nonetheless, the information transmitted along a standard internet connection can be monitored and made available to law enforcement upon a warrant. By using a VPN service, one’s internet activity will be encrypted and cannot be deciphered by the ISP. From the perspective of an ISP, the IP address assigned to a customer’s modem is simply receiving encrypted data from a VPN server. It should be noted, however, that just as an ISP is ordinarily able to monitor the information received from a web server, the VPN service is similarly able to monitor the requested information that it receives from the web server. This information is only later encrypted and sent from the VPN server back to our device. Nevertheless, many VPNs have an express policy of not recording a user’s internet activity (but make sure you read and understand that policy when you’re choosing a VPN!).

Second, unlike in the United States, Canadian internet service providers are not able to share a customer’s personal information, such as internet history, with third parties without the customer’s express consent. However, laws are often subject to change, and it is entirely possible that ISPs in the future will be able to share such information without consent.[5] Since a VPN ensures that a user’s internet activity is encrypted, ISPs will be unable to sell information about a customer’s internet history.

Finally, websites themselves maintain a record of the IP addresses that visit their site. The IP address, in turn, allows these websites to track the general location of the user’s device. By using a VPN service, it is the VPN’s IP address—not the user’s own IP address—that is requesting the information from the web server, effectively masking the identity of the end user.
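The request path described above, and the caveat that the VPN itself can read what the ISP no longer can, modelled as an added example that is not part of the original article. The IP addresses, hostname, request, and key are constructed, and `toy_cipher` is a hypothetical stand-in for real tunnel encryption, not a secure cipher.

```python
import hashlib, json

# Constructed addresses (RFC 5737 documentation ranges) and request.
USER_IP, VPN_IP, SITE_IP = "203.0.113.7", "198.51.100.20", "192.0.2.80"
REQUEST = b"GET /clinic/appointments HTTP/1.1\r\nHost: health.example\r\n\r\n"

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; stand-in for real tunnel encryption, NOT secure."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))  # the same call decrypts

def on_path_view(pkt: dict) -> dict:
    """What an observer without the key (the ISP) can log from one packet."""
    return {"src": pkt["src"], "dst": pkt["dst"],
            "sees_request": REQUEST in pkt["payload"]}

def direct() -> dict:
    """Standard connection: the request goes straight to the web server."""
    pkt = {"src": USER_IP, "dst": SITE_IP, "payload": REQUEST}
    return {"isp": on_path_view(pkt), "site_logs_ip": pkt["src"]}

def via_vpn(tunnel_key: bytes = b"constructed-demo-key") -> dict:
    # The user wraps the real request inside an encrypted packet addressed to the VPN.
    inner = json.dumps({"dst": SITE_IP, "payload": REQUEST.decode()}).encode()
    outer = {"src": USER_IP, "dst": VPN_IP, "payload": toy_cipher(tunnel_key, inner)}
    isp = on_path_view(outer)
    # The VPN server decrypts, so it learns who asked for what, then forwards
    # the request from its own address.
    opened = json.loads(toy_cipher(tunnel_key, outer["payload"]))
    vpn_knows = {"user": outer["src"], "dst": opened["dst"],
                 "sees_request": REQUEST.decode() in opened["payload"]}
    forwarded = {"src": VPN_IP, "dst": opened["dst"],
                 "payload": opened["payload"].encode()}
    return {"isp": isp, "vpn": vpn_knows, "site_logs_ip": forwarded["src"]}

if __name__ == "__main__":
    for name, views in (("direct", direct()), ("via VPN", via_vpn())):
        print(name, json.dumps(views, indent=2))
```

Comparing the two results shows that the VPN does not remove the observer who can link a user to a destination; it moves that position from the ISP to the VPN operator.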

Just as we may expect mail to remain private from mail carriers or phone conversations to remain private from telecom providers, there ought to be an expectation that our internet activity will remain private. Although the extent to which an ISP monitors and records one’s internet activity is unclear, the fact that ISPs are often not forthcoming and transparent about their practices is troubling. For those who are privacy conscious and want their internet activity to remain private, a VPN is a useful tool to add an additional layer of privacy while browsing the internet.

 

 

[1] For more information see Shuler, Rus. How Does the Internet Work? Pomeroy IT Solutions, 2002, web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm.

[2] Websites that use encryption such as HTTPS will encrypt the data that is sent between the website and the user’s device. However, unlike a VPN service, HTTPS encryption does not prevent an ISP from recording that your IP address has visited the site: the ISP is still able to monitor the fact that your device is connected to the website.

[3] For more information see Tyson, Jeff, and Stephanie Crawford. “How VPNs Work.” HowStuffWorks, 14 Apr. 2011, https://computer.howstuffworks.com/vpn.htm

[4] The current law is unclear as to whether Canadian VPN service providers are required to retain IP address logs. Many VPNs have an express policy of not maintaining a record of their customers’ IP addresses.

[5] For information about the recent American Senate vote to repeal an FCC ruling preventing American ISPs from selling their consumers’ data to third parties see Fung, Brian. “What to Expect Now That Internet Providers Can Collect and Sell Your Web Browser History.” The Washington Post, 29 Mar. 2017, http://www.washingtonpost.com/news/the-switch/wp/2017/03/29/what-to-expect-now-that-internet-providers-can-collect-and-sell-your-web-browser-history/?utm_term=.603c26013a26.

For more information regarding the situation in Canada see Braga, Matthew. “No, Your Canadian Internet Service Provider Can’t Sell Your Information as in the U.S.” CBCnews, CBC/Radio Canada, 31 Mar. 2017, http://www.cbc.ca/news/technology/us-fcc-internet-privacy-legislation-marketing-ads-canada-1.4046512.