Choose Your VPN Carefully
A virtual private network (VPN) is a good way to make sure the wrong people can't observe your Internet activity. A business VPN lets employees access the company's local network securely from anywhere. A commercial VPN lets travellers avoid snooping by untrustworthy service providers and bypass local censorship.
When you use a VPN, you're putting your trust in the VPN provider and its application. If they're good, they give you privacy at little risk. A VPN that violates your trust is much worse than none at all. If you subscribe to a service or download an app for this purpose, be sure to do your homework.
Espionage by VPN
In the United States, the use of foreign-run VPNs by government employees has become a security concern. The biggest concern is mobile VPN client applications that hold their own root TLS certificates. The TLS (or SSL) system relies on a hierarchy of certificates for authenticating domains. Whoever controls a root certificate that the device trusts can issue a certificate for any domain, and the device will accept it as authentic.
This allows the VPN's server, if its owner is unscrupulous enough, to impersonate the destination site, such as an e-commerce site. By doing that, it can decrypt all traffic to and from the site, while passing through the data so everything looks legitimate from both sides. This is the classic "man in the middle" attack.
If the virtual private network does this, it has access to all the information which passes through, including personal messages, credit card numbers, and tax file numbers. It can use the information for personal identity theft or state-level espionage.
Applications that install their own root certificates aren't always evil, but they generally come in shades of grey. Facebook got bad publicity for distributing a research application which did this, and Apple came down hard on it. The aim wasn't identity theft, but it did let Facebook collect more information on users than it should have been able to.
Employing a VPN that spies on its users is far more dangerous than not using a VPN at all. It feeds all the transactions by a person, company, or government office to a malicious actor. This is a serious concern in any country, not just the USA.
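One way to check whether a client application has added its own root certificate, shown here as an added example that is not part of the original article: compare an export of the trusted roots taken before installation with one taken afterwards. The function names and the two PEM bundle files are assumptions, and the demo uses constructed stand-in bytes rather than real certificates.

```python
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint of each certificate in a PEM bundle."""
    found = set()
    for block in PEM_BLOCK.findall(pem_bundle):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64 body -> DER bytes
        found.add(hashlib.sha256(der).hexdigest())
    return found


def added_roots(baseline_pem, current_pem):
    """Fingerprints trusted now that were absent from the baseline export."""
    return sorted(fingerprints(current_pem) - fingerprints(baseline_pem))


def demo():
    # Constructed stand-in bytes, not real certificates. A fingerprint is a
    # hash over the DER encoding, so the comparison logic is the same.
    root_a = ssl.DER_cert_to_PEM_cert(b"constructed-root-A")
    root_b = ssl.DER_cert_to_PEM_cert(b"constructed-root-B")
    app_root = ssl.DER_cert_to_PEM_cert(b"constructed-root-added-by-app")
    baseline = root_a + root_b
    current = root_b + app_root + root_a  # order in the bundle is irrelevant
    return added_roots(baseline, current)


if __name__ == "__main__":
    # Usage (hypothetical file names): python audit.py before.pem after.pem
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as before, open(sys.argv[2]) as after:
            new = added_roots(before.read(), after.read())
    else:
        new = demo()
    for fp in new:
        print("root added since baseline:", fp)
```

Any fingerprint reported is a root the device now trusts that it did not trust at baseline, and it should be traced to the application that installed it before the device is used for sensitive traffic.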
Choose a VPN you can trust
This isn't to say that using a VPN is a bad idea. A good one provides privacy that may be crucially important. The point is that you're putting your trust in it, so you need to choose one that deserves to be trusted.
There are two cases to consider.
If you're an individual trying to protect your privacy, many providers offer you VPN services that hide your Internet activity from anyone monitoring it. People travelling to countries with a censored Internet will find the service useful. Some services are well known and are most likely trustworthy. VPNs that offer a free plan with no limits attached deserve more scrutiny. They aren't there just to help you out; they're making money somehow. It could be by collecting and reselling your personal information.
Businesses that want their employees to connect securely from remote locations use a different kind of VPN. Technically it's about the same, but it terminates in the company's local network. They can set up their own software or use a third-party service. Using a service is simpler, but it had better be one with a solid reputation for respecting user privacy, and the client software needs to be trustworthy.
In both cases, you need to choose a VPN provider and software with a good business and technical reputation. The cheapest one isn't usually the best.
When planning your network strategy, you need to identify and stay with the most trustworthy providers and applications. We can help you to make choices that you can be confident in, so that your information stays safe.
Contact us to learn how we can help you find the best infrastructure, strategy, and security options.