VPNs are all the rage these days, because they’re supposed to boost your privacy and stop you being tracked.
In fact, “VPN” has become a word in its own right, pronounced vee-pee-en, and it’s a crowded market with companies advertising online, on TV and even in print media to compete for your consumer dollars.
Most VPNs have a free app you can download, but you typically need a paid subscription to make it work or to unlock premium services.
The app will scramble all the network traffic between your device and the company’s servers, and unscramble it and release it onto the internet from there – perhaps even in a different country – which does indeed disguise the true source of your data packets, and therefore makes you harder to trace.
But the connection with privacy, and by association, with anonymity, comes from the fact that VPN is short for virtual private network, which has the word “private” right there in the name.
In truth, the “private” part of a VPN isn’t really about you being anonymous or pretending to be someone else.
The P in VPN really just refers to the idea of using a public network to transmit traffic that in the olden days would have gone across a private circuit or a leased line, and was therefore considered and managed as part of your company’s LAN, or local area network.
In fact, if you’ve ever used a company VPN – and in this era of coronavirus lockdown, it’s very likely you have – you will be well aware that your corporate VPN makes you identify yourself exactly, perhaps with a password and a 2FA token, so the company knows who you are before you connect.
Your traffic is private from surveillance as it traverses the public network, because VPNs use encryption to shield the raw network packets from being sniffed out, but your traffic is not anonymous once you are inside the virtual castle of the company network.
In short, the VPN itself knows who you are and sees what you get up to, even if the routers through which your encrypted VPN packets travel do not.
And that’s a good thing, because it means that you’re only sharing that company network with other people who are supposed to be there (you hope!) and who can be held accountable for their behaviour, rather than with a random bunch of unknown strangers.
What about the logs?
As we mentioned above, consumer VPNs can arrange to decrypt your traffic and surface it onto the public internet far away from where you are, so they not only disguise your physical location (which does indeed improve your privacy somewhat), but also let you disguise your country of residence.
For many people, that is the primary value of a personal VPN service – it lets them bypass censorship that may be applied by ISPs in their own country, and it also lets them bypass so-called geoblocking that stops them watching overseas TV shows and movies or accessing other region-limited content.
But it also means that you are putting an awful lot of trust in the VPN provider, because that provider essentially becomes your new ISP, so you need to be aware of the extent to which they do (or don’t) follow the surveillance and monitoring laws in the various countries where they operate.
Many VPNs tell you that “they don’t keep any logs at all”, and therefore that they would have nothing on you that they could hand over to law enforcement even if they wanted to.
But many countries have legal mechanisms whereby various authorities – with or without a warrant, depending on the jurisdiction – can compel a service provider not only to start keeping logs for specific individuals, but also to keep quiet about the fact – in other words, they have to keep logs of your traffic, but they are gagged from warning you up front, and they can’t tell you even if you ask.
This legal peculiarity led to a trend, a few years ago, of so-called “warrant canaries”, which were like canaries in coal mines that signalled dangerous gases by falling unconscious and dropping off their perches. Companies would regularly put notices into web pages or documents to say that they were not currently under any sort of gagging order. The idea was that removing the “negative gag” notice, which would essentially be a legal requirement if a gag order were applied, would therefore act as if the company had added a “positive gag” notice. This would therefore comply with the letter of the law, if not exactly its spirit. This sort of legal sophistry is not widely used any more, not least because it turned out to be quite confusing.
Of course, some VPNs will assure you that this can’t happen to them (and therefore indirectly to you) because their companies are registered in countries where such legal provisions don’t exist.
But any VPN knows where you are and, to some extent at least, who you are while you’re using the system, and may even need to keep what amount to in-memory logs – ephemeral data, to use the jargon term – for some or all of each session, just to make the service work reliably.
What you have to assume, therefore, is that anything they know about your traffic for the purposes of handling it while you are online never gets saved anywhere permanent, whether by accident or design.
And history suggests that ephemeral data – stuff that should evaporate forever from memory once it is no longer needed, and never get written to disk or forwarded to another server – has a way of surviving when it shouldn’t.
After all, in recent memory, both Google and Facebook admitted that, sometimes, passwords you had typed in during the login process – data that was only ever supposed to be held in RAM and get scrubbed after it had been validated – had accidentally been sent off in plaintext and saved in logfiles deep in their respective systems.
Facebook discovered in 2019 that it had committed hundreds of millions of passwords to disk, and set about finding and purging them; Google also admitted that it had incorrectly been saving away some passwords – we don’t know how many, but we know that the data went back for 14 years to 2005.
In other words, logging the unloggable is easy to do even if you genuinely set out not to do it, and even if you are two of the biggest internet companies out there, with large and well-funded cybersecurity teams.
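One concrete defence against “logging the unloggable”, as an added example that is not from the article or from any of the companies it mentions: a Python logging filter that redacts credential-looking fields from every record before it is written anywhere, run over constructed log events. The key names in SENSITIVE_KEYS and the logger name are assumptions for illustration.

```python
import io
import logging
import re

# Constructed for this example: key names that must never reach a logfile.
# Extend the set to match the field names your own login and payment code uses.
SENSITIVE_KEYS = {"password", "passwd", "token", "api_key", "secret", "card_number"}
REDACTED = "[REDACTED]"
# Matches key=value, key: value or "key": "value" pairs for sensitive keys in free text.
_KV = re.compile(
    r"(?P<key>\b(?:" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS))) + r")\b)"
    r"(?P<sep>[\"']?\s*[=:]\s*[\"']?)(?P<val>[^\s\"',;&]+)",
    re.IGNORECASE,
)

def scrub_text(text):
    """Redact the value of any sensitive key=value pair found in free text."""
    return _KV.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, text)

def scrub_value(value):
    """Recursively redact sensitive keys in dicts/lists and scrub any strings."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub_value(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub_value(v) for v in value)
    return scrub_text(value) if isinstance(value, str) else value

class SecretScrubber(logging.Filter):
    """Handler-level filter: every record is scrubbed before it is written anywhere."""
    def filter(self, record):
        # Render %-placeholders first so argument counts stay consistent, then scrub.
        record.msg = scrub_text(record.getMessage())
        record.args = ()
        return True

def render_scrubbed(events):
    """Log constructed (message, args) events through the filter; return lines written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretScrubber())
    logger = logging.getLogger("example.vpn.auth")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    for msg, args in events:
        logger.info(msg, *args)
    return stream.getvalue().splitlines()
```

Attaching the filter to the handler rather than to one logger means any module that logs a request body by mistake still has the secret stripped before it reaches disk.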
What happened this time?
According to a report published last week by VPNMentor (note: VPNMentor earns affiliate revenue from links to and coupons for selected VPN companies that it recommends), its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)
Further digging suggests that these seven products were all rebranded from one main provider – software and IT services are often sold in this way, with the same (or very similar) code and back-end systems forming the core of offerings from several different licensees.
As you have probably guessed by now, this data wasn’t supposed to be publicly accessible, but was exposed via a cloud database – ElasticSearch, in this case – that had not been correctly configured.
According to VPNMentor, about 1 billion database entries relating to approximately 20 million users (so that’s an average of 50 items per user) were exposed, with data fields that included:
Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links.
So not only did these VPNs collect data that they ought not to have retained at all, such as plaintext passwords, but they inadvertently exposed it publicly.
Furthermore, VPNMentor claims that “[a]ccording to their respective websites, every VPN [on the list] provides military-grade security features and zero logs policies to reinforce their users’ information security.”
Or, it would seem, they don’t follow “zero logs” processes at all.
What to do?
The burning question here, especially with many of us working away from the office these days, is, “Do I need a VPN now I’m working from home?”
We discussed this topic in our weekly Naked Security Live video, back in April 2020 when UK and US lockdowns first started.