I am guessing #1 is not wanting your internet provider (e.g. AT&T) knowing what you are doing, then Netflix, Torrents, getting better deals on tickets and such, maybe activities of questionable legality?
Personally, I don't like the idea of my mobile provider profiting off knowing which applications I am using and what sites I visit.
Because it's easy to change a VPN provider if you don't like their actions, but most of us are stuck with an ISP and have no control over what they do with our data?
What exactly can they be doing with your data other than selling a list of which DNS queries you make and which IP addresses you connect to? (Which the VPN provider can also do.)
I have had this situation in-flight a few times. I just used wireguard to a server I have. If I didn't already have that set up, I would have used an SSH+SOCKS tunnel to route around the damage. No need to send all my traffic to some shady VPN provider.
They can do active attacks on you, as most people don't actively attempt to ban and absolutely block unencrypted connections (and there are also sometimes attacks on SSL stacks anyway); and like... SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
(Also, if I see you making requests to some websites I can correlate it to others, just on hostname, which I would get from SNI/TLS, not DNS: like, you go to news.ycombinator.com followed by some other websites that are currently on the front page of Hacker News, I can now guess with high likelihood you are clicking on specific website links you just saw.)
As for "the VPN provider can also do that", that is like saying "what can a random stranger do with your secrets that someone you know well can't?", which is "true" sure, but not really interesting: being able to choose the company on whom you rely for security is extremely useful: I don't really have choice over my ISP, but I have choice over my VPN, and so you can't really say "these VPNs are shadier than my ISP" unless you can show the best of all VPNs is shadier than my ISP.
Meanwhile, for many people, your "ISP" on a given day might be "the local coffee shop" or "an airport" or "your brother's friend Bob": people talk about "ISP" as if it always means "AT&T", but I see even extremely technical people who "should know better" happily using WiFi provided by conferences, which is just crazy to me... you are way more likely to get messed with in some scary way by people close enough to you for it to matter than by some random entity.
> SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
A VPN won't protect you from these side-channel attacks.
Not by default, but it could. Send a monolithic stream of 1500 byte packets with some padding to obfuscate transfer rates and you can really disrupt that kind of thing.
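Added example, not part of the thread: a small Python model of the size side channel and the constant-rate padding discussed in the comments above. The catalogue, the byte counts, the 64-cells-per-window rate and the 40-byte overhead are constructed assumptions; only the 1500-byte packet size comes from the comment.

```python
# Constructed sample data: bytes a player fetches in each 1-second window.
CATALOGUE = {
    "title_a": [48210, 51733, 47090, 60112],
    "title_b": [30555, 29870, 75020, 31200],
    "title_c": [52001, 52140, 51988, 52077],
}
CELL = 1500             # packet size from the comment above
CELLS_PER_WINDOW = 64   # assumed tunnel rate: 96,000 bytes per window
OVERHEAD = 40           # assumed framing bytes visible on top of the payload


def unpadded_view(segments):
    """Bytes per window visible on the wire with encryption only."""
    return [s + OVERHEAD for s in segments]


def padded_view(segments):
    """Constant-rate tunnel: every window is exactly CELLS_PER_WINDOW cells.
    Short windows are topped up with dummy cells; excess data is queued."""
    capacity = CELL * CELLS_PER_WINDOW
    view, backlog = [], 0
    for s in segments:
        backlog += s
        backlog -= min(backlog, capacity)
        view.append(capacity)
    return view, backlog  # backlog > 0 means the chosen rate was too low


def guess(view):
    """Observer's nearest-fingerprint guess from per-window byte counts."""
    def dist(name):
        return sum(abs(a - b) for a, b in zip(view, CATALOGUE[name]))
    return min(CATALOGUE, key=dist)


def correct_guesses(padded):
    """How many titles the observer identifies correctly."""
    hits = 0
    for name, segs in CATALOGUE.items():
        view = padded_view(segs)[0] if padded else unpadded_view(segs)
        hits += guess(view) == name
    return hits


def overhead_ratio(segments):
    """Bytes on the wire per byte of real data under padding."""
    return sum(padded_view(segments)[0]) / sum(segments)


if __name__ == "__main__":
    print(correct_guesses(False), correct_guesses(True))
```

With padding, every title produces the same on-wire view, so the observer's guess no longer depends on what was watched; the price is the bandwidth overhead and, when the rate is set too low, queued data.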
Where did location history come into this? (IP addresses are generally not correlated to location at much more than city level.)
My point is simply that using a VPN provider doesn't change the fact that an actor has access to your DNS queries and which IPs you connect to (and where you connect from). It just changes that actor from your ISP to a VPN provider, and most VPN providers seem a hell of a lot more shady than any ISP I've dealt with.
The ISP knows who you are and where you live; the VPN provider only knows your source IP address and information gleaned from your payment method (which in many cases can be "not much", as VPN providers support pseudo-anonymous payments).
If you're doing something illegal in your own country, that seems like a good idea. If you're not, that would seem to achieve nothing other than making it much more difficult to enforce any action against the VPN provider for selling your private data.
If my VPN provider trades user data, the service will quickly deteriorate and it won't be a VPN provider for long. But even if that is the case it wouldn't be my primary concern.
I don't even live in a country where I have to fear much at all from malicious authorities, but they wouldn't even blink before trading privacy for perceived security.
I might change my opinion if there were actual consequences for sharing user data. I believe it when I see it.
Otherwise I just like privacy, information is power and I don't like to share with the state.
Well your ISP knows more about you than your VPN necessarily does. Your ISP probably has your credit card on file, with your real name, and they have your precise street address too. The VPN may have none of that, except your IP address. If somebody were to purchase your history from your VPN, they would have to also purchase the IP->name/address/etc mapping from your ISP and JOIN the two. That seems marginally better than a one stop shop.
(Of course, some people give their VPN their credit card info, so the above rationale doesn't apply for them.)
I feel like the only good reasons to use a VPN are if you're torrenting or if you want access to sites from different countries (foreign Netflix libraries, streams from state-run media channels, etc). Most VPNs worth a damn aren't going to sell you out just for torrenting movies/music/games while your ISP will.