The recent Dobbs v. Jackson Women’s Health Organization ruling has amplified concerns about digital privacy. Many people have turned, and are still turning, to VPNs for help. Over the last year, researchers found that VPN searches reached yearly peaks around key dates for the anti-abortion rulings, and they observed sharp spikes in interest in states as they passed abortion-related laws.
Unfortunately, some VPN vendors (many in the eyes of industry experts) are making privacy claims that their solutions do not support. Worse, many VPN apps collect vast amounts of data from their mobile users without their knowledge. These issues extend well beyond post-Roe privacy concerns and apply to enterprises that use VPNs as well.
The topic came to a head last week when U.S. Rep. Anna G. Eshoo and Senator Ron Wyden sent a letter to the Chair of the Federal Trade Commission (FTC), Lina Khan, urging her and the commission to “address abusive and deceptive data practices by hundreds of companies providing Virtual Private Network (VPN) services.” The two noted that “the consumer VPN industry is rife with deceptive advertising and abusive data practices.”
Raising long-known issues
One important point to consider is exactly what a VPN can do versus the claims of some VPN vendors. Distilling down to the basics, a VPN establishes a secure connection between the user and the internet. It disguises the user’s IP address and sends all data traffic through an encrypted tunnel. As such, enterprises have used modern VPNs for more than 20 years to provide remote users with secure access to corporate systems.
Unfortunately, many VPN vendors have long promised complete anonymity or untraceability and protection from hackers, advertisers, and governments. Some claim “military-grade encryption,” which Eshoo and Wyden noted does not exist. Additionally, the vendors’ claims do not match reality. Vendors, advertisers, and governments can track people in other ways that do not require the user’s IP address, which is what a VPN hides.
Misleading claims are very common. A 2021 Consumer Reports review found that “three-quarters of the VPNs we looked at either inaccurately represented their products and technology or made hyperbolic or overly broad claims about the kinds of protection they provide their users.” The report cautioned that these claims could give VPN users “a false sense of security if they don’t realize that the protections offered are not comprehensive.”
In fact, many people believe these claims. That point rang true in a recent survey of 1,200 VPN users. It found that users placed too much faith in the technology to keep them safe. “Our survey results suggest that even users with high security and privacy expertise express that they feel safe with a VPN, suggesting that VPNs are successful in their marketing efforts,” said Roya Ensafi, assistant professor at the University of Michigan and principal investigator of VPNalyzer, an interdisciplinary research project that aims to analyze the VPN ecosystem.
Focus on the enterprise
The VPN privacy claims, and the questions they raise about protecting a woman’s privacy, are issues enterprises and the industry have known about for years. For example, in 2020, it was revealed that an analytics firm “used personal data from over 35 million people who had downloaded one of their 20 VPN and ad-blocking apps to power their analytics platform without consent.”
Enterprises and people seeking privacy in a post-Roe world are often advised to look for VPNs with no-log policies. Such VPN services are not supposed to store data about a user’s online activities or connections. The data they are expected not to store includes personal details, payment information, and search history.
Not surprisingly, VPN vendors are heavily promoting their no-log capabilities these days. But Eshoo and Wyden said in their letter to the FTC that it is nearly impossible to verify these claims. They noted that in various cases, VPN providers that advertise strict no-log policies had provided user activity logs to law enforcement.
Again, such issues have been known for years. In 2020, researchers at vpnMentor found that seven VPN providers that claimed not to keep any logs of their users’ online activities left 1.2 terabytes of private user data exposed, including users’ email, home addresses, clear text passwords, IP addresses, and internet activity logs.
A final word
Perhaps the Eshoo and Wyden letter will result in FTC action that helps rein in exaggerated privacy claims of some VPN providers. In the meantime, those seeking enhanced privacy protection should not believe the hype. Instead, they should look closely at the exact security offerings of each solution when evaluating and selecting VPN products and services.