As more internet users strive to take more control of their online privacy, Virtual Private Networks or VPNs have surged in popularity. VPNs work by creating an encrypted connections tunnel between a browser or device and the VPN provider’s network, protecting traffic through potentially hostile local network conditions. They assist in obscuring oneself from ISPs and shielding personal information flowing through non-secure public WiFi found in airports, coffee shops, conferences, and hotels. Advocates, including CDT, and regulators routinely advise individuals to consider using a VPN if they are particularly concerned about protecting their online privacy.
But the basic security, privacy, and usability of VPNs vary widely and it can be extremely difficult for users to assess the reliability of any given VPN provider’s privacy and security practices, as evidenced by CDT’s complaint last summer against AnchorFree’s Hotspot Shield VPN. While there have been several well-meaning efforts to develop best practices for VPNs, it remains difficult for privacy advocates and technical experts to recommend a specific commercial VPN service. It is also hard for responsible VPN providers to differentiate themselves on their privacy and security bonafides in the marketplace.
To address these challenges, CDT will bring together VPN providers, privacy and consumer advocates, technical experts, and other stakeholders focused on internet infrastructure to create best practices and an enforceable code of conduct for protecting user data with VPNs. CDT believes any successful guidance on privacy and security in VPNs will address the following five issues:
- Standard definitions: Terminology around VPN security practices can be unclear for users and for companies. Data logging practices continue to be especially confusing, and standard definitions will provide more clarity for VPN providers and allow users to compare practices among different services.
- Disclosures and transparency improvements: Alongside differing technical definitions, users must be able to easily understand how a VPN provider makes money, their corporate or individual ownership structure, and even where the company is physically located. This information can help users learn more about the quality of VPN service they are getting and what the potential motivations of the VPN provider may be.
- Security audits: Because of the importance of security to the entire operation of a VPN and the difficulty of assessing security on the part of end-users, VPN providers should commit to third-party audits that identify new and emerging security vulnerabilities in their services. The general security practices — and deficiencies — of VPNs should be made public.
- Lawful access procedures and transparency reporting: Where and when information collected or possessed by VPNs can be shared with governments, public authorities, or law enforcement around the globe is a crucial question at the heart of user trust. Responsible VPN providers must have policies and procedures in place when governments or courts come calling. Some tech companies have responded to this pressure through efforts like transparency reporting, guidance for law enforcement, and active legal challenges, and we believe VPN providers should follow suit.
- Addressing different user threat models: VPN users can face different privacy and security threat models and possess different degrees of technical knowledge. It’s unclear what obligations VPNs have to their most vulnerable users and how those obligations should scale to other consumers of commercial VPNs.
While addressing privacy and security challenges online is difficult, improving the practices of VPN providers could offer users some assurance that they can take a meaningful step to protect their information online. VPN providers, as purveyors of a privacy tool, can serve as a model to other industries and technologies trying to compete on privacy and security protections.
If you are interested in participating in this effort, please contact me at [email protected]