Wednesday, July 3, 2019

VPN security and the problem of 5, 9, and 14 eyes surveillance


“They” are watching you, closely surveilling your every keystroke, just because you made a single error with your VPN – you chose a VPN provider based in the wrong country.

This is the scenario that some articles on VPNs have built up - but while focusing on the surveillance angle, they also neglect several other critical issues for VPNS – technology, trust, and data protection.

The Eyes have it

As a lightning recap: the 5 Eyes, 9 Eyes, and 14 Eyes are terms for cooperation and sharing agreements between various state intelligence agencies. The big three groupings are the 5 Eyes Alliance, 9 Eyes Alliance, and the 14 Eyes Alliance. All together, these incorporate the following countries (with Israel as an added bonus).

  • Australia
  • Belgium
  • Denmark
  • France
  • Germany
  • Italy
  • Canada
  • New Zealand
  • Norway
  • Spain
  • Sweden
  • The Netherlands
  • The United Kingdom
  • The United States

The point of these articles is that these agencies can exchange information between themselves, tap into VPNs operating in their jurisdiction, and watch everything – so the only real security comes from getting a VPN which is based outside of these countries.

Let’s review the VPN basics

Virtual Private Networks began with the need of companies and governments to have secure, encrypted connections between computers that were physically separated, a way to keep people from being eavesdropped on while online. At Avira, we often describe a VPN as registered mail that the sender and the recipient both sign for before they can open that encrypted envelope.

That said, there is no unitary formula or protocol for creating a VPN, or even an industry standard for what the minimum security level should be. In addition, there are also VPN proxies which provide little or no encryption protection. While the precise protocol used to build a VPN does evolve over time, the goal of that evolution is to provide faster, more user-friendly encryption. From the Avira perspective, core VPN provider activities should include complete, strong data encryption and security that keeps pace with evolving VPN trends, encryption of DNS queries, restricting user logs to performance issues, and absolutely no reselling of user data.

Trust and the mails

Within this technology framework, any VPN provider must be a trusted entity. The user should be able to believe that the content is securely encrypted, no ISP or other party is reading their messages, and their searches and online activities remain private.

By using a VPN, a person is giving the provider a boatload of private information along with the metadata about who is being contacted. And they are doing this in the belief that the VPN provider will slide this into an encrypted envelope and move it along securely to the destination. It’s very much like trusting the mailman not to open envelopes in a dark corner of the post office, or not to talk about what magazines go where.

There are reasons to be suspicious

VPNs are controlled and restricted technologies in some countries. But statistically, people have far more reasons to be suspicious over what a VPN is doing than about revelations by Edward Snowden of international intelligence sharing. Studies have found numerous examples where VPNs actually damaged user security by leaking traffic details, adding adware, not encrypting user data, and selling user data. This is somehow less of a scandal than the potential inquiry of a state intelligence agency into an individual’s online activities.
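The two failure modes named above and in the VPN basics section, plaintext DNS queries and traffic that leaks around the tunnel, can be checked for on the client side. This is an added example, not Avira code: it audits a constructed list of outbound flows from a VPN client host, assuming a tunnel interface `tun0`, a VPN server address, a pushed resolver, and RFC 1918 ranges as "local" (all of these are assumptions, not values from the post).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet left on
    dst: str     # destination IP address
    port: int    # destination port
    proto: str   # "udp" or "tcp"

# Assumed topology (constructed values): tunnel interface, the VPN server the
# encrypted tunnel itself talks to, and the resolver the VPN pushes to clients.
TUNNEL_IFACE = "tun0"
VPN_SERVER = "198.51.100.1"
VPN_RESOLVER = "10.8.0.1"
# Assumed: RFC 1918 ranges count as local LAN traffic that never needs the tunnel.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)

def audit_flows(flows, tunnel_iface=TUNNEL_IFACE, vpn_server=VPN_SERVER):
    """Return (finding, flow) pairs for flows that undermine the VPN's promise."""
    findings = []
    for f in flows:
        if f.dst == vpn_server:
            continue  # the encrypted tunnel transport must leave the physical NIC
        if f.iface == tunnel_iface:
            continue  # inside the tunnel: the ISP sees only ciphertext
        if f.port == 53:
            # plaintext DNS on a non-tunnel interface: the ISP or LAN resolver
            # learns every hostname visited even though the VPN is "up"
            findings.append(("dns_leak", f))
        elif not is_local(f.dst):
            # public destination reached without the tunnel: full traffic leak
            findings.append(("tunnel_bypass", f))
    return findings

SAMPLE_FLOWS = [  # constructed, not captured from a real host
    Flow("eth0", VPN_SERVER, 1194, "udp"),     # tunnel transport: expected
    Flow("tun0", VPN_RESOLVER, 53, "udp"),     # DNS inside the tunnel: fine
    Flow("eth0", "192.168.1.1", 53, "udp"),    # DNS to the LAN router: leak
    Flow("tun0", "203.0.113.10", 443, "tcp"),  # HTTPS via the tunnel: fine
    Flow("eth0", "192.0.2.44", 443, "tcp"),    # HTTPS bypassing the tunnel: leak
    Flow("eth0", "192.168.1.20", 445, "tcp"),  # LAN file share: local, fine
]

if __name__ == "__main__":
    for kind, f in audit_flows(SAMPLE_FLOWS):
        print(f"{kind}: {f.proto}/{f.port} to {f.dst} via {f.iface}")
```

On a real host the flow list would come from a packet capture or connection table; a DNS query on port 53 is plaintext by definition, which is why the post's requirement for DNS encryption matters even when the query does travel inside the tunnel.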

What about my private data?

Any VPN provider does have access to user data, whether or not they admit to logging user activities or storing those logs. In addition to the trust element (does a user believe the provider or not) there is also the data protection angle. If a VPN provider is operating in the EU, they are bound to secure and protect data collected from users under the GDPR. Failure to do this means public reporting requirements, potential penalties, and a subsequently damaged reputation. This requirement does not exist equally in all countries. Like it or not, GDPR puts the onus on companies to be more careful with the private user data they collect and store.

Transparency over fearmongering

As a German company, Avira follows the strict German and European legal requirements in a number of areas, but especially the data protection requirements of the GDPR. During 2018, we recorded 13 requests for information on Avira Phantom VPN users, which resulted in no disclosures of user information. Even more important, we received no National Security Letters, gag orders, or warrants from any government organization.

While people may be understandably nervous about the 14 Eyes alliance and other data sharing agreements, the reality is that these agencies have no secret view into what Avira Phantom VPN users are doing. But on the other hand, we can offset this with the real experiences of users enjoying their virtual privacy and picking their virtual locations – secure in the knowledge that their online lives are being guarded by a company that takes privacy seriously.