Is your VPN secure?

Vague on data privacy
We also learned that VPN companies don’t always do much to protect users’ data, despite advertising that they do. Of the 200 companies we looked at, 50 had no privacy policy posted online at all – despite laws requiring them to do so.

The companies that did post privacy policies varied widely in their descriptions of how they handle users’ data. Some policies were as short as 75 words, a far cry from the multi-page legal documents standard on banking and social media sites. Others did not formally confirm what their advertisements suggested, leaving room to spy on users even after promising not to.

Leaking or monitoring traffic
Much of the security of a VPN depends on ensuring that all the user’s internet traffic goes through an encrypted connection between the user’s computer and the VPN server. But the software is written by humans, and humans make mistakes. When we tested 61 VPN systems, we found programming and configuration errors in 13 of them that allowed internet traffic to travel outside the encrypted connection – defeating the purpose of using a VPN and leaving the user’s online activity exposed to outside spies and observers.

Also, because VPN companies can, if they choose, monitor all online activity their users engage in, we checked to see if any were doing that. We found six of the 200 VPN services we studied actually did monitor users’ traffic themselves. This is different from accidental leaking, because it involves actively looking at users’ activity – and possibly retaining data about what users are doing.

Encouraged by ads that focus on privacy, users trust these companies not to do this, and not to share what they find with data brokers, advertising companies and police or other government agencies. Yet these six VPN companies don’t legally commit to protecting users, regardless of their promises.

Lying about locations
A huge selling point for many VPNs is that they claim to allow customers to connect to the internet as if they were in countries other than where they really are. Some users do this to avoid copyright restrictions, either illegally or quasi-legally, like watching U.S. Netflix shows while on vacation in Europe. Others do this to avoid censorship or other national rules governing internet activities.

We found, though, that those claims of international presence aren’t always true. Our suspicions were first raised when we saw VPNs claiming to let people use the internet as if they were in Iran, North Korea and smaller island territories like Barbados, Bermuda and Cape Verde – places where it’s very difficult to get internet access, if not impossible for foreign companies.

When we investigated, we found some VPNs that claim to have large numbers of diverse internet connections really only have a few servers clustered in a couple of countries. Our study found they manipulate internet routing records so they appear to provide service in other locations. We found at least six VPN services that claim to route their traffic through one country but really convey it through another. Depending on the user’s activity and the country’s laws, this could be illegal or even life-threatening – but at the very least it’s misleading.

Guidelines for VPN users
Technically minded customers who are still interested in VPNs might consider setting up their own servers, either using cloud computing services or their home internet connection. People with a bit less technical comfort might consider using the Tor browser, a network of internet-connected computers that help guard its users’ privacy.

Those methods are difficult and may be slow. When selecting a commercial VPN service, our best advice, informed by our research, is to read the site’s privacy policy carefully, and buy short subscriptions, perhaps month-by-month, rather than longer ones, so it’s easier to switch if you find something better.

Mohammad Taha Khan is Ph.D. Candidate in Computer Science, University of Illinois at Chicago. Narseo Vallina-Rodriguez in Research Assistant Professor, IMDEA Networks Institute, Madrid, Spain; Research Scientist, Networking and Security, International Computer Science Institute based at, University of California, Berkeley. This articleis published courtesy of The Conversation.