VPN services: sole bringer of salvation, or also a source of danger?

VPNs (Virtual Private Networks) are on everyone's lips these days, as they ensure secure data traffic and make it more difficult to trace people on the Internet. In fact, it can almost be said that "VPN" has become a brand of its own, with numerous companies crowding around it and advertising their services heavily.


VPN apps encrypt all network traffic between an external device and a company's servers. Consumer VPNs also ensure that traffic between the user's own device and a VPN provider is encrypted, and that it is only released onto the public Internet far away from the user's location. This obscures the true source of the data packets and actually makes the user harder to track. An additional sense of privacy, and thus anonymity, arises from the fact that VPN is the abbreviation for Virtual Private Network, so the word "private" almost suggests itself. In truth, however, the "private" part of a VPN is not really about users being anonymous. The P in VPN actually just refers to the idea of using a public network to transmit traffic that used to travel over a private circuit or leased line and was therefore considered part of the corporate LAN.

Deceptive anonymity

However, the apparent anonymity is deceptive: anyone who has ever used a corporate VPN, which is very likely in the Corona era, knows that precise identification is necessary before entering the VPN, e.g. with a password or a 2FA token. So the company knows who you are before anyone connects. The conclusion: data traffic is protected from surveillance by public eavesdropping, but there is no anonymity just because a user is in the virtual castle of the corporate network. In short, the VPN itself knows who its users are and sees what they are doing, even if the routers through which the encrypted VPN packets are transmitted don't. And that's a good thing, because it means that users share a corporate network only with other people who are (hopefully) supposed to be there and who can thus also be held accountable for their behavior, rather than being lumped in with a group of unknowns in critical situations.

So what is the problem with the logs?

As mentioned above, consumer VPNs can ensure that data is encrypted locally and only transmitted unencrypted to the public Internet in a completely different part of the world. They thus disguise the physical location, and with it the country, in which the user lives. For many people, this is the main added value of a personal VPN service: it allows them to bypass censorship applied by ISPs in their own country. However, it also means that users put a lot of trust in the VPN provider, which ends up becoming their new ISP, and it is not clear to what extent that provider is conducting surveillance. Many VPN providers emphasize that "they don't keep logs at all" and that they therefore could not hand over anything to government agencies even if they wanted to. The catch, however, is that in many countries there are legal mechanisms that can force a service provider not only to keep logs for certain individuals, but also to keep quiet about the fact that they do.

That this kind of VPN monitoring may be more frequent than assumed is made clear by a recent case published in a VPNMentor report, in which the site's researchers came across numerous user logs from seven consumer VPNs operating out of Hong Kong, all belonging to one main provider. (Note: VPNMentor earns affiliate revenue from links to and coupons for select VPN companies it recommends.) Michael Veit, IT security specialist at Sophos, adds, "According to the platform, a misconfigured cloud database exposed about 1 billion database records with about 20 million users, including activity logs, clear-text passwords, Bitcoin payment information, support messages, personal device information, technical data or account information. This is despite the fact that, according to VPN Mentor, the affected VPN providers advertise on their websites that they adhere to the zero-logging policy, meaning that they do not create any logs."

Of course, VPNs are a good thing, but like almost everywhere else, blind trust is not a good idea. Users should keep the following things in mind:

1. No VPN makes a person anonymous or magically changes an identity just because one uses the technology. While websites visited via a VPN do not see the user's true network location, it is important to note that it is still the same person behind the browser.

2. Switching to a VPN service is ultimately nothing more than switching to another Internet service provider, so you should apply the same standards here. Your VPN provider can log a lot of your data and see where it comes from, just like the ISP. However, it is important to note that a VPN company may be subject to different laws than a regular ISP.

3. Regardless of VPN usage, if you upload data to the cloud, you should never store it publicly for all to see unless you specifically intend to do so. By default, data should be locked down. You should not upload what you want to remain absolutely private, and you should not collect data in the cloud that you may want to permanently delete at some point.

Source: Sophos

 
