The VPN privacy paradox

Nov. 27, 2018
Why VPN privacy is not as private as users think

To protect their digital privacy, internet users are increasingly turning to Virtual Private Networks (VPNs) to securely navigate the web without risk of being monitored. It has recently come to light, however, that using a VPN does not guarantee a completely secure experience - in many cases, it’s quite the opposite.

Users must trust VPN providers with substantial amounts of their private network data, since a VPN acts as a funnel through which all of that traffic must travel in order to browse securely. As a result, providers are in a position to see a great deal about their users if they choose to look, including every website they visit, who they interact with, where they are located and numerous other aspects of their “internet life.” I call this the VPN Privacy Paradox: when consumers trust a VPN to protect their data, they are putting that data into the hands of the VPN provider.

Because VPN companies have access to a wealth of data, they can log everything a user does online and then build an individual profile for each user (even when they claim their products are “no-log” or “non-tracking”). This depth of knowledge about an individual user’s browsing can be - and is - sold to marketers, and in turn used to serve micro-targeted ads back to that user based on activity they assumed was private.

Marketers love this valuable user data because it enables them to create highly specific marketing profiles and therefore serve more effective ads. VPNs, of course, can charge handsomely for that supercharged data. Consumers do NOT love this when they know about it. The fact is, though, many VPN companies are not at all transparent about this practice, which leaves most users fully unaware that their personal internet activity is being sold to marketing firms by the very companies they assume are keeping them safe. This practice is wildly prolific and completely unacceptable.

Time for Transparency

Privacy products by definition demand a more intimate, trusting and open relationship with the user than other products. Although the practice of monitoring and selling a user’s browsing data is completely (but unfortunately) legal, the act of doing so in the VPN sector is particularly manipulative because there is an inherent user assumption that data is protected and will not be used for other purposes. Some companies do disclose this “logging” in their privacy statement, but it is often buried in the labyrinthine “Terms & Conditions” legalese that even the most seasoned internet users rarely take the time to read. The real problem occurs when companies purposely mislead or obfuscate their logging policies to make users believe they are receiving a secure, untracked connection to the internet.

The industry requires a paradigm shift away from this nefarious and untruthful practice of surreptitiously logging and selling user data. Users demand truly secure browsing - or at least transparency.

Moving toward “truly secure”

One of the most direct ways to educate consumers on VPNs starts with providers being more transparent about the way they manage their users’ privacy. In partnership with industry VPN vendors, the Center for Democracy and Technology (CDT) – an independent nonprofit policy advocate that aims to strengthen individual rights and freedoms on the Internet – recently launched a campaign to bring awareness to these security concerns and rebuild trust in VPNs. CDT created a set of questions called Signals of Trustworthy VPNs that any VPN provider should be able to answer about its business model, aiming to help users assess the reliability of a given VPN provider’s privacy and security practices.

Questions that VPNs will now have to answer to qualify as a “Trustworthy VPN” include:

  • Question 1: What is the public facing and full legal name of the VPN service and any parent or holding companies?
  • Question 2: Do these entities have any ownership in VPN review websites?
  • Question 3: What is the service’s business model (i.e., how does the VPN make money)?
  • Question 4: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated?
  • Question 5: Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
  • Question 6: Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?
  • Question 7: What do you do to protect against unauthorized access to customer data flows over the VPN?
  • Question 8: What other controls does the service use to protect user data?

Each of the above questions raises considerations that consumers currently have no way to evaluate when exploring VPNs. VPN providers can take the next step in educating consumers by responding to each of these questions publicly. Being transparent with consumers by answering privacy questions set by an independent third party like CDT allows consumers to make more informed decisions about the products they are buying and the extent to which those products protect privacy.

Unfortunately, many vendors in the VPN sector have lost touch with the mission that VPNs were built to achieve – a sense of security and privacy in users’ personal internet browsing data. We hope that CDT’s efforts in collaboration with industry providers will be the first step in an ongoing practice to improve consumers’ perceptions of VPNs, oust predatory VPN practices, and restore users’ right to privacy in internet browsing.

About the author: Sunday Yokubaitis is the CEO of Golden Frog, guiding the company's global strategy and vision. He is proud to work with a passionate team that's committed to delivering a secure and open Internet experience to people around the world. Visit Golden Frog to learn more about privacy, security and the importance of access to a free and open internet.