VPNs and Trust

TorrentFreak surveyed nineteen VPN providers, asking them questions about their privacy practices: what data they keep, how they respond to court orders, what country they are incorporated in, and so on.

Most interesting to me is the home countries of these companies. ExpressVPN is incorporated in the British Virgin Islands. NordVPN is incorporated in Panama. There are VPNs from the Seychelles, Malaysia, and Bulgaria. There are VPNs from more Western and democratic countries like the U.S., Switzerland, Canada, and Sweden. Presumably all of those companies follow the laws of their home country.

And it matters. I’ve been thinking about this since Trojan Shield was made public. This is the joint US/Australia-run encrypted messaging service that lured criminals to use it, and then spied on everything they did. Or, at least, Australian law enforcement spied on everyone. The FBI wasn’t able to because the US has better privacy laws.

We don’t talk about it a lot, but VPNs are entirely based on trust. As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction. You don’t know who actually owns and runs the VPNs. You don’t even know which foreign companies the NSA has targeted for mass surveillance. All you can do is make your best guess, and hope you guessed well.

Posted on June 16, 2021 at 6:17 AM · 24 Comments

Comments

kai June 16, 2021 7:02 AM

I’m surprised this is only coming to light now. I know that if I were in a TLA and wanted to spy on VPN encrypted traffic, I’d set up a quality, stable and mid-priced VPN service. It wouldn’t be the most expensive, it wouldn’t be dirt cheap, but it would be a good service, run at arm’s length from whatever agency I worked for, and it would quietly hoover up anything I wanted it to…
This is why I laugh when people blindly say to me “Use a VPN, it’s more secure!”

Tatütata June 16, 2021 7:16 AM

This was often discussed here over the years, at least in the comments.

My use for VPNs isn’t “privacy” and “security”, but to access geolocated content, and occasionally loop-back and other tests. A revealing one allowed me to see that book seller X with “free shipping” actually based its prices on the IP address, with something like a 3:1 range.

Rj June 16, 2021 7:33 AM

I have used various VPNs for about 20 years. I do not use them to hide my identity or my location; I use them to secure the data flowing over them, and to restrict access to whatever is beyond the encrypted endpoints. For this kind of use, it is better for me to run the VPN myself, so I know the owner, the location, and the laws that apply. People think of the VPNs that are marketed on radio shows, etc. as hiding their identity, but the most common use for a VPN is that which I have described, especially when a lot of work went remote during the pandemic. For many non-technical people, this was the first they ever heard of a VPN, so of course a new market was created to exploit their relative ignorance.

Boris June 16, 2021 7:58 AM

@Kai – they don’t even need to go to that expense.

Commercial VPN endpoints are limited in number, so they only need to set up monitoring of traffic from these endpoints. That way you have a concentrated feed from everyone that believes they have something to hide.

Clive Robinson June 16, 2021 7:59 AM

@ Bruce, ALL,

And it matters. I’ve been thinking about this since Trojan Shield was made public.

Some years ago now @Nick P and myself had concluded there was no safe way to cross borders, and there was no way you could trust Law Enforcement in any given jurisdiction.

The conclusions we came up with are probably still up on this blog.

One salient point is that the trust issue of “citizen -v- State” actually applied as “State -v- State”.

The only reason “Trojan Shield” or the earlier attacks on encrypted phones or even earlier encrypted email[1] could happen was when States were prepared to cooperate.

Thus a citizen could gain an advantage when states were not going to cooperate. Thus sending traffic through VPNs or servers in States that did not trust each other could be leveraged in the citizen’s favour if care was used (VPN only solutions are not “sufficient care” OpSec wise though).

Thus you need at least four jurisdictions.

1, That the first party is in.
2, That the second party is in.
3, A nation that does not trust the first party’s nation.
4, A nation that does not trust the second party’s nation.

And importantly that the third and fourth nations do not trust each other either.

Whilst this might sound a tall order, tax havens and the like “don’t trust” other nations by default as otherwise their economic model does not work. Hence the reason “The Panama Papers” had such fallout.

[1] Both of us had assumed that any third party solution to private communications was unlikely to be secure against a state for a whole heap of reasons even before Lavabit’s issues made it obviously true[2],

https://legaltimes.typepad.com/files/lavabit-brief-doj.pdf

https://blogs.law.nyu.edu/privacyresearchgroup/2016/04/from-apple-to-lavabit-the-ecpa-and-the-legal-struggles-surrounding-encryption/

[2] The exception to the rule was when a sufficiently powerful organisation can fight back with all the legal weapons at its disposal and is willing to do so. Something we considered was not going to happen for financial reasons. But we were in part wrong, and had forgotten that sometimes state agencies are stupidly over confident,

https://www.emptywheel.net/2016/03/10/doj-to-apple-start-cooperating-or-youll-get-the-lavabit-treatment/

The result as we know was the FBI and DoJ psychos having to pull the rip cord or very likely face case law the opposite of what they were trying to establish.

echo June 16, 2021 8:15 AM

I have tended to avoid exposure to the US jurisdiction for a long time. It’s simply too much of a nightmare even for something as trivial as hosting a personal hobby website about fluffy bunny rabbits. I wouldn’t step foot in the US without A.) Medical insurance and B.) Legal insurance (which most people forget).

I use a VPN for administrative not security reasons. In the case of misfortune the jurisdictions which apply have better jail conditions and human rights law in practice than the US or UK. I do not advertise nor discuss what VPN I use nor what legal arguments apply to covered actions if for no other reason than A.) I have no wish for the government to change the relevant law and B.) If criminals got a whiff of the legal arguments they might use them and generate too much heat.

I like excitement as much as the next person but tend to avoid exciting people and externally generated excitement. As I have said to people from time to time being boring is being secure.

gggeek June 16, 2021 8:56 AM

Much like Rj, I was shopping recently for a VPN that would guarantee me a fixed, dedicated IP address so that I could authenticate to those clients’ networks which require source address whitelisting.

After testing a couple of the best known brand names with a good reputation and decent pricing, I came to the conclusion that, for any moderately tech savvy user, VPNs are totally not worth the trouble.

I spent a grand total of 4 hours setting up WireGuard on a free-tier instance on AWS, and now have something cheaper, faster and more trusted than any of the consumer-grade VPNs in the market.
As a bonus, no need to install buggy client software on the local computer – the standard WireGuard client is both nimbler and more stable.

Interesting discoveries I made while shopping around:
1. there are countless sites doing VPN reviews, but very few of them focus on the privacy/liability issues instead of just measuring download speed and features;
2. there’s a big company with a shady past in web advertising which has recently been on a buying spree, so many of the well known VPNs are now owned by the same (US-based) parent org. The guy picked as CTO for the VPN business is one previously famous for having set up a bitcoin exchange which got “hacked” and lost millions… surely a very reassuring thing for anyone looking for secure computing :-O
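What the self-hosted alternative described in this comment looks like in practice, as an added illustration that is not part of the original comment or of the WireGuard project: a server config for a single cloud instance and the matching client config, in wg-quick syntax. The key strings, addresses, the `eth0` interface name and the on-server resolver are placeholders and assumptions; note that the hosting provider still sees the instance's own traffic and flow logs, so this moves trust rather than removing it.

```ini
# ---- /etc/wireguard/wg0.conf on the cloud instance (server) ----
# Placeholder keys: generate real ones with
#   wg genkey | tee server.key | wg pubkey > server.pub
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT client traffic out of the instance's public interface (assumed eth0).
# net.ipv4.ip_forward=1 must also be set on the host; %i expands to wg0.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per authorised device: access is by public key only,
# and AllowedIPs pins which tunnel address that key may source traffic from.
[Peer]
PublicKey  = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32


# ---- wg0.conf on the laptop (client) ----
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY>
# Resolve DNS inside the tunnel; assumes a resolver (e.g. unbound) is
# listening on the server's tunnel address, otherwise the local ISP or
# coffee-shop Wi-Fi still sees every lookup even though payloads are hidden.
DNS = 10.8.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint  = <INSTANCE_PUBLIC_IP>:51820
# 0.0.0.0/0 makes this a full tunnel: all IPv4 egresses from the instance's
# fixed public IP, which is what source-address whitelisting needs.
AllowedIPs = 0.0.0.0/0
# Keep the UDP mapping alive through NAT on the client side.
PersistentKeepalive = 25
```

Without an IPv6 address and a `::/0` entry in AllowedIPs, IPv6 traffic bypasses the tunnel entirely, so either disable IPv6 on the client or route it too.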

wiredog June 16, 2021 9:27 AM

As others have pointed out, the best use case for VPNs is encryption of data in transit, followed by accessing services that try to limit use to certain locations. Privacy (especially against governments) is basically impossible online. And encrypted in transit is mainly for use against private actors. Just assume that, if it really wants to, the KGB can read your mail.

intind44 June 16, 2021 9:37 AM

I don’t want to spill anyone’s secrets or anything, but I had some strange occurrences with my NordVPN. I’m not 100% convinced it’s as secure as they advertise. I switched over to Mullvad VPN to try it out as I have heard good things from security/privacy people.

A VPN is absolutely mandatory for me. I have a very hostile ISP that literally will MITM, serve forged https certs, and packet inject. I have 24/7 port scans targeting my firewall and they won’t hesitate to try to exploit a vulnerability to get into my network if they can. Thank gosh for immutable disposable browsers. I would never have believed it if I didn’t see it for myself. They block Tor, and many privacy minded websites such as tails.org and qubes-os.org. It’s out of control. I use Whonix regularly for some stuff, Tor is just so slow and gives issues on many geolocated sites. And I am starting to trust that less and less with all of those malicious exit nodes that will steal your creds.

Clive Robinson June 16, 2021 9:58 AM

@ echo, ALL,

As I have said to people from time to time being boring is being secure.

If only that were true…

Mostly those who would breach your security can neither see nor hear you, nor do they care to, thus they know not if you are boring or not.

The mistake people are making is the multi millennium old one of,

“I’ve not been attacked so I must be safe/secure.”

In a target rich environment such as the Internet where EVERYONE IS VULNERABLE your probability of being attacked is approximately the same as everyone else of equal technology usage. Thus it boils down to the number of attackers and just how many people they can attack in any given time frame at your technology level.

Thus I don’t connect my computers to the Internet or any other external communications network, and just use an old phone for browsing with cookies and javascript etc usually turned off.

Are my computers secure? Well I know I could attack them successfully if I had to, so the answer is no. But are criminals using those sorts of attack, well not that I’m aware of.

Would anyone be able to attack them without me being aware of it, well if you throw enough resources at the problem, things do become possible. But is it probable?

Well that’s when your “be boring” comes into play. People only devote significant resources if they see a return / profit on it, be it money, power, or status. Well on those three there is no profit and no return, just sunk costs.

Which just leaves the “Looney Tunes” and “Dark Triad” types. They do things for reasons that make no sense or profit.

Some see things as a challenge and tend to do no real harm. Others for “ego food” reasons want others to know they have “captured the flag” but again aside from some graffiti type harm they generally are more annoying than harmful.

As you go into the mental murkiness of the Dark Triad then things get weird. Some are sadists and will not just do harm, it will be structured harm so they can go for the death by a thousand cuts to prolong your pain, thus their pleasure. As for the “paths”, be they psycho or socio, they have an objective; what it is generally does not matter, they just go for it because you are of less importance to them than an inanimate object that just has to be removed. Finally there are the ones that have a really significant problem, these are the narcissists; what they want is for you to treat them as deities or similar. They can make stalkers look tame and the only way to deal with them is for them to be gone for good, put in a place where they can do no harm whatsoever. Mostly the way they are dealt with is to make them somebody else’s problem, but whilst that moves the problem from you it just puts it on someone else. There are other solutions but imprisonment in the usual way does not work because they just start again on being released. But that is true for all those in the Dark Triad; as far as we can currently tell there is no cure, so the eventual solution to them is the one nature applies to us all.

intind44 June 16, 2021 10:19 AM

@echo

“I wouldn’t step foot in the US without A.) Medical insurance and B.) Legal insurance (which most people forget).”

Don’t forget your bulletproof vest too. There are so many mass shootings going on almost daily. A very scary time.

@Clive

“There are other solutions but imprisonment in the usual way does not work because they just start again on being released.”

Three years and counting I’m afraid.

Steve Shockley June 16, 2021 10:21 AM

It’s simply too much of a nightmare even for something as trivial as hosting a personal hobby website about fluffy bunny rabbits

Link?

Lamont Granquist June 16, 2021 10:54 AM

VPNs are like front door locks for most people; they don’t have to be perfect.

Most people are just trying to hide their traffic from their ISP, from companies like Google, and to bypass geolocation to access services that are geofenced for one reason or another.

The worst that most people do is download movies and TV shows off torrents and they want to avoid getting strikes from their ISP. Even if the CIA is really running NordVPN, it’s like speeding 8 mph over on the freeway. That isn’t what the CIA would be going after by doing that, and they’re not carefully collecting those logs in order to hand over to the RIAA/MPAA and bust every American who illegally downloads.

The stated reason why AN0M was shut down was also that the SNR was dropping and it was becoming less useful, so it’s fairly unlikely that they’re running NordVPN and trying to spy on everything.

If you’re actually doing something much more high stakes, then you might have to worry a lot more. Most people using those services aren’t.

It’s a lot like door locks, and most people probably just have two Kwikset locks on their front door that someone who is moderately skilled could get through in a minute or three (if they didn’t just bust a window to get in).

intind44 June 16, 2021 11:05 AM

@gggeek

“I spent a grand total of 4 hours setting up WireGuard on a free-tier instance on AWS, and now have something cheaper, faster and more trusted than any of the consumer-grade VPNs in the market.
As a bonus, no need to install buggy client software on the local computer – the standard WireGuard client is both nimbler and more stable.”

Many VPNs claim to keep zero logs, and we can debate whether or not that is accurate or what other nonsense might be collecting the logs instead. However, regarding AWS I know they definitely keep logs. Therefore being “Trusted” would have to be subjective to the user and use case. If you don’t care if AWS has your logs why not care if your ISP has them instead? What’s the difference?

I was considering grabbing a Linode VPS and doing the same, and then I thought about the level of difficulty that a motivated overzealous gov entity would require in order to get my data from either a VPS or my VPN datacenter in another country such as Sweden. Any way you look at it someone is going to have your data.

Arclight June 16, 2021 11:10 AM

As others have pointed out, a “commercial VPN” solution is useful if you just need to protect your traffic from being viewed and interpreted by the public WiFi provider at your coffee shop, school or apartment building or by a nosy ISP that cares what you download. Regarding surveillance by your home government, it may actually provide you with less protection, since you are now generating traffic to/from a foreign endpoint that is not covered by any of your nation’s privacy laws, as watered-down as those may be.

intind44 June 16, 2021 11:30 AM

@Lamont Granquist

I agree with you 100%. However, only recently did I witness the amount of malicious packet injection going on. Malicious code being injected into your browser as you surf the internet. Quite frankly I have no idea if some government entity is running NordVPN or not; all I know is when I was connected to the VPN and went to check my email, the website I checked my email at was being served a forged cert that didn’t match what it was supposed to be. There might be 100 different ways this could have happened. It may even be locally on my end. How might someone compromise a VPN connection? Perhaps a MITM from my ISP using a NordVPN SSL cert. Maybe my NordVPN GUI client is vulnerable somehow. The skeptic in me wonders if a government can demand SSL certs from VPNs since they don’t keep logs, and MITM your traffic, at which point it becomes viewable. You might never know.

Regarding the use case in general, it’s possible I’m just being targeted for some reason. But I don’t have multiple ISP connections to check and see if the same behavior persists on other lines. It’s prolly just me.

Clark Gaylord June 16, 2021 12:39 PM

The “P” in “VPN” is unfortunate; it should be considered silent, as in pseudo-science or psnakeoil.

In order to be effective, encryption must be end-to-end, and the vast majority of traffic on the Internet that should be encrypted already is, and comes with an established trust model. What is exposed are the network addresses of the endpoints, and perhaps the DNS queries.

The location obscurity of tunneled traffic has some potential value, but much less than VPN providers want you to believe.

Great point about the leverage these providers might be subject to from their home countries, or “guests” in those countries, for that matter (whether GRU or CIA or whatever).

By all means, use VPN to circumvent content restriction stupidity, but never believe it’s buying you “security” or “privacy”.

And this goes double for your “Enterprise VPN” that your corporate IT Security foists on you. It is the poster child of pseudo-security stupidity, and only benefits the company that sold the bill of goods.

Amateur techguy June 16, 2021 12:59 PM

I want to have an “encrypted tunnel”. I’m an average guy, not a pro so I can’t set up my own. I know none are 100%. Having used Protonmail for a few years, I use Proton VPN.
Really slows my connection. My biggest issue is websites that detect the Proxy & won’t let me access their sites. Seem to be more of those now.

Winter June 16, 2021 1:07 PM

Contrary to what people seem to think here, VPNs can be useful for privacy and security. Especially, when you travel a lot.

I remember Cory Doctorow describing his personal setup some years ago (sorry, could not find a link). He pays for a proxy server in Sweden from a provider he trusts. He does all his internet via a (trusted) VPN over this proxy server.

As he travels a lot, and is politically active (=has enemies), he feels safer this way when using local internet services.

His threat model does not include the NSA, GRU, FSB, Mossad et al. so this setup looks rather appropriate.

I think I too could live with that.

Ralph Haygood June 16, 2021 3:38 PM

As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction.

So, Mr. Schneier, it would seem there’s an opportunity, at least for a public service and maybe even for a profitable business, in cataloging the laws and, more importantly, the historical behaviors of countries around the world with respect to data privacy. Because I agree – and I speak from experience – that it’s a lot of work to track down the relevant information about even one country.

Of course, some people say, “It doesn’t matter; you can’t trust anyone.” But of course, that’s like saying, “Any plane may crash,” which is true, but most of us still fly from time to time. There are practically meaningful differences among countries in kinds and degrees of respect for data privacy, so a well-researched and maintained catalog of these differences would be valuable.

vas pup June 16, 2021 3:52 PM

@echo.
I share many points in your post.

@Bruce said:
“You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction.”

Wow!
If you don’t have an answer, then just think where and why Snowden is currently living.

I assume that in the Western world (G7) only France has a kind of real independent voice:

1. Own nuclear triad.
2. No foreign military presence on its territory.

But sometimes economic pressure in combination with legal pressure is very effective, e.g. towards Switzerland.

My bet, 98% that this post would be deleted, but Big Brother will have it. Bitter joke.

metaschima June 16, 2021 4:23 PM

Thank you Bruce, I totally agree with you and I’ve started similar things in the past. VPN is the perfect honeypot for intelligence agencies. People wanting to stay “anonymous” will think it’s a great idea so they won’t be tracked, but what if the FBI is running the server? I’m not saying that everyone who wants anonymity is up to no good, but just privacy will do for most people. Well, most people don’t even care about that.

Jon June 16, 2021 4:44 PM

There is another way:

Sign up for dozens of them, and flood them with crap. Throw around what looks like reasonable stuff, but are in fact nonsense.

Also throw in a few “canaries” – Send over one VPN “The deal is going down in room 2304 at the Hyatt, 9pm” and see if room 2304 gets raided at 9:01…

This alternative is not cheap – thus only the poor (and/or stupid) criminals will get caught. Which is typical of law enforcement everywhere.

J.
