Is Public VPN a Cyber Hero or a Cyber Zero?
Jonathan Freedman
CCISO | CISSP | CCSP | CISM | CGEIT | CEH | CIPP/E | CIPM | ISO27001 Provisional Implementer | ISO42001 Provisional Implementer | Azure AI Engineer Associate | Head of Technology & Security at Howard Kennedy
Welcome back to my weekly cyber security blog, and I hope you all had a wonderful week. Over the last few months, I’ve talked about the importance of good cyber hygiene, passwords, backups, awareness training, data theft and scams. This week I want to highlight something else, something that, even if we don’t realise it, affects all of us more and more every day. My friends, this week let’s talk about privacy. So much of our lives are now lived online: we work remotely, socialise through our devices, bank through apps and get information from AI search engines in our browsers, or just ask our smart speakers. What do all these things have in common? All of them record what we did, and all of them generate metadata (data about data) about us. Across the modern internet, our web browsing history, streaming video, music, email, instant messaging, mobile phones, tablets and smart toothbrushes all generate data. Do we ever think about where this data goes, who has it, or what they can do with it?
The first step in our journey
Over the next few weeks, I will delve into this more. To start, this week I will focus on a particular area of privacy that is surprisingly opaque considering how much it is advertised: a technology that seems to generate a good financial return for its vendors (and there are fewer of them than you’d think, with 105 VPNs being owned by 24 companies). If you’ve watched technology or cyber related content on YouTube, you’ll be familiar with “I’d like to thank Awesome-Fast-VPN for sponsoring this video”, or “I travel a lot for work and rely on Amazing-VPN to protect my data”. Influencers hype this technology, which is understandable as the commission earned can be up to 40%, but do they understand what they’re pushing and when it is beneficial?
Although we think of VPN as a privacy or data protection technology, it’s worth pointing out that VPN was never actually intended to be this, well, not directly. VPN, which stands for Virtual Private Network, is a business tool used to connect two networks together. It is still commonly used by organisations for remote working, where your work laptop uses a VPN to connect to your company network to access services not available on the public internet. This is best conceptualised as a private tunnel through the internet, with everything inside that tunnel being secure.
However, VPNs are now marketed as privacy tools (or as a tool to watch the Netflix catalogues of other countries). Take back your privacy; stop your internet provider, big tech or public Wi-Fi networks from spying on you, they say. So, the question becomes: do they do what they claim?
Well, like many things in life, it depends. A VPN works by acting as a middleman, creating an encrypted connection between your device and the VPN provider, which then browses the internet on your behalf. This means that websites see the IP address and location of the VPN server rather than your real details. This of course presents us with a dilemma: we must trust the VPN provider more than our network provider.
You don’t get privacy for nothing (or something)
Ever heard the saying, “if you’re not paying for the product, then you are the product”? This is especially true with free VPN providers. A report by Consumer Reports stated that 75% of VPN providers misrepresent their products. Search for VPN in the Google Play or Apple App stores and you’ll see a ton of free VPN providers. Now, running a VPN service is expensive, so we need to ask why they are all free. Usually, it’s because they’re either monitoring what you’re doing and selling advertising, or just selling your personal data directly. It may surprise you just how much data some VPN products collect, including mouse movements and keyboard data (how fast you type and in what pattern), most likely for use in botnets; others use their mobile apps to collect data like location, device ID, call information, Wi-Fi network information, phone status information, and even data on connected Bluetooth devices. Some have even been found to be carrying out blockchain activities. Why would a VPN need to do anything blockchain related? Ah, it’s crypto mining on your device.
A VPN, if not trustworthy, is basically a giant net scooping up personal data, either to sell on (a process known as data laundering) or to attack users directly. Many providers claim to store no logs; however, in 2022 a free VPN service aimed at Chinese users was compromised, exposing over 5 billion data entries, and last year an alleged data breach at free VPN provider SuperVPN resulted in 360 million data records being exposed, including email addresses, geolocations, IP addresses and visited websites.
When testing free VPNs, researchers found that some are not actually VPNs at all; instead they were simply unencrypted proxy servers monitoring the internet activity of their users, and the report I mentioned above found that 33% of free VPN providers were Chinese owned. Indeed, the key point here is that, generally, the purpose of free VPNs is to attract users and collect as much of their data as possible.
Many VPN providers will make claims like hiding your IP address will take back your privacy and make you anonymous on the internet. Well, no, it won’t. Hiding your IP address will disguise where you are geographically located, and it helps against some forms of monitoring; however, using other techniques like third-party cookies, tracking pixels and browser fingerprinting (which I will discuss in future posts), individuals can still be tracked through a VPN. Most websites that we use are protected by TLS encryption (the https at the beginning of the URL), which means the content of the connection between us and them is encrypted and cannot be read by either an ISP or a network administrator. This is true regardless of whether you use a VPN or not, meaning the VPN does not add much here.
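To make concrete what the TLS point above does and does not cover, here is an added example (my own illustration for this post, not the author's code and not any VPN vendor's software). It builds a constructed TLS ClientHello for a hostname, parses the Server Name Indication (SNI) field out of it the way an on-path observer such as an ISP or a café Wi-Fi operator could, and then wraps the same packet in a toy tunnel to show that inside a VPN the observer sees only the VPN server's address and opaque bytes, while the VPN provider, at the other end of the tunnel, sees exactly what the ISP saw before. The hostname, IP addresses, key and the XOR "tunnel" are all constructed placeholders; the tunnel is not a real cipher and only stands in for WireGuard, IPsec or TLS transport encryption.

```python
import hashlib
import struct

# Added example (not the blog author's code): what a network observer can read
# from one HTTPS ClientHello, with and without a VPN tunnel around it.
# Every value below (hostname, IPs, key, tunnel header) is constructed for illustration.

TUNNEL_HEADER = b"\x04"  # constructed 1-byte header marking a tunnel packet on the wire


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal, constructed TLS ClientHello record carrying an SNI extension.
    Only the fields needed to place the hostname where a real client puts it are included."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (constructed zeros)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(wire: bytes):
    """Return the SNI hostname from a plaintext TLS ClientHello record, or None if unreadable.
    This is all an ISP or Wi-Fi operator needs to learn which site you are visiting."""
    if len(wire) < 6 or wire[0] != 0x16 or wire[5] != 0x01:
        return None                              # not a plaintext handshake (e.g. a tunnel packet)
    hs = wire[5:]
    try:
        pos = 4 + 2 + 32                         # handshake header, client_version, random
        pos += 1 + hs[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                       # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                    # server_name extension
                list_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type = hs[p]
                    name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if name_type == 0:
                        return hs[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                              # truncated or malformed input
    return None


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream for the toy tunnel below (NOT a real cipher)."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def tunnel_wrap(packet: bytes, key: bytes) -> bytes:
    """Toy stand-in for a VPN's transport encryption: the inner packet becomes opaque bytes."""
    return TUNNEL_HEADER + bytes(a ^ b for a, b in zip(packet, _keystream(key, len(packet))))


def tunnel_unwrap(tunnel_packet: bytes, key: bytes) -> bytes:
    """What the VPN provider does at its end: recover the inner packet (XOR is symmetric)."""
    inner = tunnel_packet[len(TUNNEL_HEADER):]
    return bytes(a ^ b for a, b in zip(inner, _keystream(key, len(inner))))


def observer_view(wire: bytes, destination_ip: str) -> dict:
    """What a network observer learns from one packet: where it goes, and the SNI hostname if readable."""
    return {"destination_ip": destination_ip, "hostname": extract_sni(wire)}


def compare_views(server_name: str, site_ip: str, vpn_ip: str, vpn_key: bytes) -> dict:
    """The same ClientHello as seen by the local network without a VPN, with a VPN, and by the provider."""
    hello = build_client_hello(server_name)
    tunnelled = tunnel_wrap(hello, vpn_key)
    return {
        "without_vpn": observer_view(hello, site_ip),
        "with_vpn": observer_view(tunnelled, vpn_ip),
        "vpn_provider": observer_view(tunnel_unwrap(tunnelled, vpn_key), site_ip),
    }


if __name__ == "__main__":
    import json
    # All four values are constructed placeholders.
    print(json.dumps(compare_views("bank.example", "203.0.113.10", "198.51.100.7", b"constructed-key"), indent=2))
```

Running the block shows three views of the same handshake: without a VPN the local network sees the site's IP and its hostname (the page content itself is already protected by TLS); with a VPN it sees only the VPN server's IP and opaque bytes; and the VPN provider sees exactly the first view. That is the trust shift the post describes: the VPN moves the metadata from your network operator to the provider rather than removing it.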
The case for VPN
I do think that there are some instances where using a VPN is useful. Accessing geo-blocked content is certainly one of them, i.e. watching the Netflix catalogue of another region, accessing websites blocked in your region when travelling, or when your ISP blocks or restricts certain types of traffic. VPNs also remain a vital tool for people located in countries which restrict the use of the internet, or for those at risk from deliberate monitoring.
I also think there is still some benefit when out in public. Whilst I personally don’t commonly use a VPN at home (due to the resulting slow-down in internet speed), I do still use a trusted VPN when connecting to free public Wi-Fi in shops and hotels. This is where the choice of VPN provider is crucial: never use a free VPN service, it’s just not worth the risk for a privacy-related service. Instead, we must look at services which have been externally audited for security and to ensure that they do not log user activity. Many providers claim this, but they must be able to prove it with external auditing. I would look at services such as ExpressVPN, ProtonVPN and Mullvad.
VPNs do have their uses, and if we carefully select our provider and understand their limitations, they are a useful tool in our toolbox. However, they don’t guarantee our privacy (despite what the providers claim) and they do not eliminate the need to practise good cyber security hygiene.
I believe in our cyber security community, and that by sharing and helping each other we can all be safer. So, everything above is just my opinion; what’s yours? Please share in the comments below and stay safe.
Fractional CEO @ ITFS and SME @ Gees Associates | Business and IT consulting | #LegalTech
11 months ago: We host LawFabric in the cloud as a SaaS web app and tunnel to the client via a hybrid connection where all we need is the client’s IP (I think); anyhow, the connection is VERY secure, it’s from inside the client’s firewall so no need to open ports etc.
SUPPORTING OUR PARTNERS ACROSS EUROPE WITH EVERY ASPECT OF UK PROPERTY. FROM SOURCING, LEGALS, LENDING AND MANAGEMENT.
11 months ago: Jonathan Freedman, interesting. I have certainly seen the use as I travel and end up in numerous countries with ranging cyber restrictions.... I think, based on every country having a different view on "internet access" and revenue from data, they will always be needed. What do you think?