The US government thinks VPNs based in other countries are a threat, but the question of trustworthiness is more complicated than mere physical addresses.
By Max Eddy
A story broke quietly back in late May, and I’ve been chewing on it ever since. It recounted how members of the US Congress did a lot of hand-wringing about the threat posed by foreign VPNs. The concern from lawmakers was that if you use one, a foreign government could eavesdrop on your activity. Foreign companies, it asserted, might be more susceptible to pressure from governments, and these foreign VPNs could hand over personal information or even the contents of your online activities.
That might all be true, but it is no less true of domestic VPNs. A VPN creates an encrypted tunnel between your device and a server controlled by the VPN company. Your traffic travels through that tunnel, which hides it from snoopers on the local network and from your ISP (which, ironically, Congress has said can spy on you for profit). When your traffic reaches the VPN server it is decrypted and sent on to the internet from the server's own address, and the responses follow the same path back.
This effectively puts the VPN operator in the role of your ISP: it sees the source of every connection and its destination, and for anything that is not itself encrypted end to end with TLS, its contents as well. (With HTTPS it still sees which hosts you connect to, just not what you send them.) It is one of the big concerns about VPNs as an industry, and it is true of all of them. A VPN based in the US could eavesdrop on your activity, hand over your information to US law enforcement, or succumb to pressure from US intelligence agencies. These are the risks of using any VPN, and they are not substantially changed by moving the company's offices to a different country.
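The trust shift described above is easy to see in code. The following Python model is an added example, not code from the article or from any VPN vendor: it seals a packet into a tunnel the way a VPN client does, then shows what a snoop on the local network or the ISP can read versus what the VPN operator can read. The tunnel cipher (HMAC-SHA256 used as a PRF in counter mode, with an encrypt-then-MAC tag) is a standard-library stand-in for a real tunnel protocol such as WireGuard or OpenVPN so that the demo runs offline; the addresses, keys and packet contents are all constructed for the demo.

```python
"""What each party on the path can see when a VPN tunnel is in use.

Added example; not code from the article or from any VPN vendor. The tunnel
cipher is a stdlib-only stand-in (HMAC-SHA256 as a PRF in counter mode, with an
encrypt-then-MAC tag) for a real tunnel protocol such as WireGuard or OpenVPN.
It exists only so the demo runs offline and must not be used as a production
cipher. Addresses and packet contents are constructed.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32
CLIENT_IP = "192.0.2.10"        # constructed, from the TEST-NET-1 range
VPN_SERVER_IP = "198.51.100.5"  # constructed, from the TEST-NET-2 range


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def tunnel_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def tunnel_open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered packets."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_send(enc_key: bytes, mac_key: bytes, dest_host: str, dest_port: int, payload: str) -> dict:
    """The client wraps the real destination and application data inside the tunnel.
    The outer packet is addressed to the VPN server, never to the real destination."""
    inner = json.dumps({"dst": f"{dest_host}:{dest_port}", "data": payload}).encode()
    return {"src": CLIENT_IP, "dst": VPN_SERVER_IP, "body": tunnel_seal(enc_key, mac_key, inner)}


def isp_view(outer: dict) -> dict:
    """A snoop on the local network, or the ISP, sees only the outer header and sizes."""
    return {"src": outer["src"], "dst": outer["dst"], "bytes": len(outer["body"])}


def vpn_server_view(enc_key: bytes, mac_key: bytes, outer: dict) -> dict:
    """The VPN operator terminates the tunnel, so it sees the client address, the real
    destination and, for traffic that is not itself end-to-end encrypted, the contents."""
    inner = json.loads(tunnel_open(enc_key, mac_key, outer["body"]))
    return {"client": outer["src"], "dst": inner["dst"], "data": inner["data"]}


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # shared by client and VPN server
    packet = client_send(enc_key, mac_key, "example.com", 80, "GET / HTTP/1.1")
    print("ISP / local network sees:", isp_view(packet))
    print("VPN operator sees:       ", vpn_server_view(enc_key, mac_key, packet))
```

Two things worth noticing. Nothing about the operator's view depends on where the server or the company sits; the jurisdiction only changes who can compel the operator to hand that view over. And if the payload had been HTTPS rather than plain HTTP, the operator would still see `example.com` as the destination but not the request itself, which is why "sees everything you do" really means "sees everything your ISP used to see".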
Location, Location, Location
As an example of the kinds of steps VPN services take to assure you of your privacy, Private Internet Access issues you a user ID when you create an account, and that ID is kept separate from the information you provide to pay for your subscription. If the separation works as described, the company could not tie an account to an individual even if compelled by law or if law enforcement seized its servers.
VPNs often exist in many places at once. AnchorFree, the company behind Hotspot Shield VPN, is based in California with an office in Zurich, Switzerland. The company says it operates under US and Swiss legal jurisdiction. Is it a foreign VPN? AnchorFree’s product is widely rebranded and sold by other companies, some based in the US and some not. Are those foreign VPNs?
VPN companies often have offices in one country while operating under the legal jurisdiction of another. VPN companies also maintain server fleets around the world. Any of these locations might be different from where the VPN company is under legal jurisdiction.
That said, legal jurisdiction matters, because it is the framework under which your data is protected. VPN companies based in the British Virgin Islands have played up the fact that local authorities will not simply act on warrants issued by other governments; a foreign request has to clear additional legal hurdles before it can be enforced against a company there. Similarly, VPN companies in places such as Germany and Switzerland have emphasized those countries' strong privacy laws.
I should note here that it’s difficult to verify that using a service in a particular location will actually help keep your data safe.
Location can also have emotional value. Some readers have told me that they cannot trust companies based in Eastern Europe because of their association with Russian hacking groups. Others have told me that any VPN based in the US is unacceptable because of this country’s history of mass surveillance. VPNs based in Hong Kong (as semi-distinct from mainland China) are often attacked with accusations that the surveillance state must have a tight grip on them. Many make a similar argument against allowing Huawei to provide internet infrastructure equipment.
Hong Kong-based VPN companies often counter that the territory's separate legal system makes it an excellent location for private data.
In fact, there's a strong case to be made that the US has one of the most aggressive surveillance and data collection operations in the world. Technology and social media companies are served National Security Letters by the FBI, which compel them to hand over customer records and forbid them from disclosing that they have done so. The NSA operated what is perhaps the largest data interception operation the world has ever seen, one that affected US citizens as well as overseas targets.
Additionally, the NSA has been accused of taking advantage of the United States' critical position in internet infrastructure, tapping the lines through which global traffic flows and allegedly copying it in real time (perhaps ironically, given that the US makes the same argument against Huawei, as mentioned above). That is not to mention the intelligence-sharing agreements, such as the Five Eyes alliance, that allow numerous allied nations, including the US, to swap intelligence regardless of where it was collected. Given all this, it's hard to argue with people who see US-based VPN companies as a potential risk.
It Does (and Doesn’t) Matter
If everything is working correctly, there should be little difference between a foreign VPN and one that has some or all of its offices in the US. The math that makes encryption work doesn’t respect boundaries. Likewise, the measures to protect user privacy and security are well understood and can be implemented anywhere. Many VPN companies choose where to base their companies in order to benefit from local privacy laws or perhaps to elicit an emotional response on the part of consumers.
What does matter is when VPN companies don't encrypt things properly (weak or misconfigured ciphers, DNS or IPv6 traffic that leaks outside the tunnel) or when they, by ignorance or willfulness, don't follow best practices to protect the privacy of their users, for instance by keeping connection logs they claim not to keep. A poorly secured VPN might be foreign, but it could also be headquartered down the street from you. Instead of wondering about where companies are headquartered or what "values" they have, Congress should be supporting methods for users and researchers to verify the claims made by VPN companies, such as independent audits of their infrastructure and their no-logging policies.
The security industry is full of marketing built around fear, uncertainty, and doubt—collectively called “FUD.” A lengthy discussion about foreign VPNs in the halls of Congress falls into that category, especially when the group concludes that whatever threats exist are minimal. FUD always has a purpose, and instead of asking what the best location is for a VPN company, perhaps we should be focusing on why this conversation happened in the first place.
Originally published at https://www.pcmag.com on July 19, 2019.