Using a VPN is often one of the first things remote workers learn. For those of us who haven’t set foot in our offices for months, VPN usage is now ingrained in our daily computer lives.
But as VPNs have gotten more popular, they’ve also become harder to secure. Many VPNs make the claim that they don’t retain or log your movements. As reviewers have found, this isn’t necessarily the case, even if the company states it is so in their privacy disclosures.
Last year, a series of reports was published (one by VPNcrew, the other by VPNmentor) demonstrating current privacy issues and the potential for VPN data leaks. The underlying problem is that many VPNs that claim not to log or store your data are in reality keeping track of your digital movements. While it is certainly true that you get what you pay for (the VPN providers mentioned in both reports are typically free or at the lower-cost end of the market), you should still review all providers carefully.
The reports document that potentially 20 million users have had their private data leaked because of these poorly implemented VPNs, either because of coding errors or because the vendors were trying to deliberately harvest their customers’ data. Interestingly, the VPNs all received high ratings on the Apple app store. Clearly, many of these ratings are undeserved.
The leaked data included email passwords and home addresses, along with connection activity. The data was found by researchers on an unprotected Amazon Web Services account, run by a parent company based in Hong Kong called Dreamfii HK Limited. The VPNs included those from Free VPN, Flash VPN and others that are owned by this parent company. This illustrates a second problem: some of the VPNs deliberately hide their ownership details. Another issue is that some VPN providers are owned by a data collection app called Sensor Tower, including Free and Unlimited VPN and Luna VPN. Many of these apps are being investigated by Apple and Google for privacy violations.
Security researchers have contacted the appropriate authorities and Internet resource providers. Some of the leaks were fixed and some of the vendors are still doing business and still have their apps listed on the Google and Apple app stores.
In addition to this problem, there was a series of data breaches in which three services (NordVPN, VikingVPN and TorGuard) had their encryption keys stolen or their security compromised. NordVPN took 19 months to disclose its breach. And, most recently, there was a massive breach of Pulse Secure VPN credentials, which were posted online on numerous hacker forums.
The issue with VPN evaluations is that there aren’t consistent standards that VPN companies must meet. However, there are still a few authoritative sources for reviews.
The best professional software reviewers, such as those at PC Magazine and The New York Times’ Wirecutter site, combine both subjective and objective tests to figure out whether a VPN provider is actually delivering on its privacy promises — along with measuring its performance and other characteristics. Both sources are worth exploring because they can be helpful with your own selection if you are in the market for a new and more capable (and presumably more private) VPN. Note that PC Magazine is focused on Windows VPNs and has more hands-on insights. The Wirecutter review is better for VPN beginners and covers their privacy issues in depth.
There are several weak spots for VPNs: the first and most obvious is where they maintain their connection logs. You want to understand this because, despite claims to the contrary, the vendors could be selling your data to third parties. The PC Magazine and Wirecutter reviews are worth reading to see what they have learned on this front.
Next up is the potential for leaked DNS data and IP addresses. There are various tests to examine this, including the DNS Leak Test and the IPLeak test. Part of the testing involves examining whether the VPN really supports IPv6 protocols. There are other tests to check for leaks of Web Real-Time Communication session information (mostly used by mobile devices) that are also covered by IPLeak. If you want to do these tests yourself, compare the output the tools show when you are not using any VPN to what they show when you turn on the VPN. (Here is a detailed explanation of what to do and alternative testing tools.)
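The comparison described above can be scripted once you have copied the test results into two records, one taken without the VPN and one with it. This is an added example, not code from the article or from either test site; the record layout, the sample addresses (constructed from documentation ranges) and the /24 and /48 "same network" heuristic are all assumptions.

```python
import ipaddress

# Constructed sample results, typed in by hand from a leak-test page.
BASELINE = {  # VPN off: what your ISP connection exposes
    "public_ip": ["198.51.100.23", "2001:db8:a:1::23"],
    "dns": ["198.51.100.53", "198.51.100.54"],
    "webrtc": ["198.51.100.23"],
}
VPN_ON = {  # VPN on: ideally nothing here traces back to BASELINE
    "public_ip": ["203.0.113.77"],
    "dns": ["203.0.113.10", "198.51.100.53"],
    "webrtc": ["203.0.113.77", "2001:db8:a:1::23"],
}


def _net(addr):
    """Enclosing /24 (IPv4) or /48 (IPv6) network; an assumed heuristic."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_leaks(baseline, vpn_on):
    """Return sorted (category, address, reason) tuples for every address
    seen with the VPN on that traces back to the no-VPN baseline."""
    base_addrs = {ipaddress.ip_address(a) for v in baseline.values() for a in v}
    base_nets = {_net(a) for v in baseline.values() for a in v}
    leaks = []
    for category, addrs in vpn_on.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip in base_addrs:
                leaks.append((category, str(ip), "same address as without VPN"))
            elif _net(a) in base_nets:
                leaks.append((category, str(ip), "same network as without VPN"))
    return sorted(leaks)


if __name__ == "__main__":
    for category, addr, reason in find_leaks(BASELINE, VPN_ON):
        print(f"LEAK [{category}] {addr}: {reason}")
```

In the sample data the ISP's DNS resolver is still answering queries and the IPv6 address still shows up through WebRTC, the two failure modes the tests above are designed to catch.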
The third problem has to do with sub-standard encryption protocols. Today, the minimum is using the OpenVPN protocol with 256-bit encryption keys. This is an open-source protocol that has a huge collection of contributors and has “a reputation for better speeds and more reliable connections,” as the PC Magazine reviewers state. A newer protocol is WireGuard VPN, which is used by NordVPN and Mullvad. It shows a lot of promise but isn’t easy to use in its existing implementations.
There are problems with free VPNs as well. “If a company isn’t getting its revenue from users, it’s coming from another source. That almost always involves tracking and selling your information to other businesses and advertisers,” the Lifehacker reviewers say. The one possible exception is ProtonVPN, which has a solid reputation.
Finally, you should consider what customer data is collected by the vendor as part of the sign-up process, how that information is protected and under which legal jurisdiction the company operates. Some jurisdictions, such as Panama and Switzerland, have rules that prevent companies doing business there from handing over this data to law enforcement. And some VPN vendors, such as McAfee’s TunnelBear, do regular security audits of their code and publish the results.
As you can see, picking the right VPN isn’t a simple task, and you should have a healthy distrust for the vendor’s claims, especially on privacy. Doing thorough research before choosing a VPN provider is essential.
As always, remember that when it comes to matters of cybersecurity, Network Solutions has your back. From SSL certificates to a robust small business cyber security solution, we’re here to help you keep your organization safe online. Just let us know what you need.