Wednesday, July 3, 2019

VPN security and the problem of 5, 9, and 14 eyes surveillance

“They” are watching you, closely surveilling your every keystroke, just because you made a single error with your VPN – you chose a VPN provider based in the wrong country.

This is the scenario that some articles on VPNs have built up, but while focusing on the surveillance angle, they also neglect several other critical issues for VPNs: technology, trust, and data protection.

The Eyes have it

As a lightning recap: the 5 Eyes, 9 Eyes, and 14 Eyes are terms for cooperation and sharing agreements between various state intelligence agencies. The big three groupings are the 5 Eyes Alliance, the 9 Eyes Alliance, and the 14 Eyes Alliance. Altogether, these incorporate the following countries (with Israel as an added bonus):

  • Australia
  • Belgium
  • Denmark
  • France
  • Germany
  • Italy
  • Canada
  • New Zealand
  • Norway
  • Spain
  • Sweden
  • The Netherlands
  • The United Kingdom
  • The United States

The point of these articles is that these agencies can exchange information between themselves, tap into VPNs operating in their jurisdiction, and watch everything – so the only real security comes from getting a VPN which is based outside of these countries.

Let’s review the VPN basics

Virtual Private Networks began with the need of companies and governments to have secure, encrypted connections between computers that were physically separated, a way to keep people from being eavesdropped on while online. At Avira, we often describe a VPN as registered mail that the sender and the recipient both sign for before they can open that encrypted envelope.

That said, there is no single formula or protocol for creating a VPN, or even an industry standard for what the minimum security level should be. In addition, there are also VPN proxies which provide little or no encryption protection. While the precise protocol used to build a VPN does evolve over time, the goal of this evolution is to provide faster, more user-friendly encryption. From the Avira perspective, core VPN provider activities should include complete, strong data encryption and security that keeps pace with evolving VPN trends, encryption of DNS addresses, restricting user logs to performance issues, and absolutely no reselling of user data.

Trust and the mails

Within this technology framework, any VPN provider must be a trusted entity. The user should be able to believe that the content is securely encrypted, no ISP or other party is reading their messages, and their searches and online activities remain private.

By using a VPN, a person is giving the provider a boatload of private information along with the metadata about who is being contacted. And they are doing this in the belief that the VPN provider will slide this into an encrypted envelope and move it along securely to the destination. It’s very much like trusting the mailman not to open envelopes in a dark corner of the post office or talk about what magazines go where.

There are reasons to be suspicious

VPNs are controlled and restricted technologies in some countries. But statistically, people have far more reasons to be suspicious over what a VPN is doing than about revelations by Edward Snowden of international intelligence sharing. Studies have found numerous examples where VPNs actually damaged user security by leaking traffic details, adding adware, not encrypting user data, and selling user data. This is somehow less of a scandal than the potential inquiry of a state intelligence agency into an individual’s online activities.

What about my private data?

Any VPN provider does have access to user data, whether or not they admit to logging user activities or storing that data. In addition to the trust element (does a user believe the provider or not?), there is also the data protection angle. If a VPN provider is operating in the EU, they are bound to secure and protect data collected from users under the GDPR. Failure to do this means public reporting requirements, potential penalties, and a subsequently damaged reputation. This requirement does not exist equally in all countries. Like it or not, GDPR puts the onus on companies to be more careful with the private user data collected and stored.

Transparency over fearmongering

As a German company, Avira follows the strict German and European legal requirements in a number of areas, but especially data protection requirements according to the GDPR. During 2018, we recorded 13 requests for information on Avira Phantom VPN users, which resulted in no disclosures of user information. Even more important, we received no National Security letters, no gag orders, and no warrants from any government organization.

While people may be understandably nervous about the 14 Eyes alliance and other data sharing agreements, the reality is that these agencies have no secret view into what Avira Phantom VPN users are doing. But on the other hand, we can offset this with the real experiences of users enjoying their virtual privacy and picking their virtual locations – secure in the knowledge that their online lives are being guarded by a company that takes privacy seriously.