Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea
Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPNs) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect their data in the wake of scandals, breaches, and hacks.
Usually, consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.
The latest case in point: a number of VPN providers who claim to offer "zero logging" protection were found to have not only been tracking a laundry list of user behaviors online, but doing a piss poor job of securing said data. Kicking it off, Comparitech's Bob Diachenko recently discovered 894 GB worth of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren't tracked as they travel around the internet. That wound up being, you know, not even remotely true:
"Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity."
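The failure described in that quote is a cluster reachable over the network with no authentication at all. As an added illustration (not from the article or from any of the providers it names), the fragments below contrast the kind of elasticsearch.yml settings that produce an open cluster with the settings a defender would expect on a host that stores user records. The setting names are the stock Elasticsearch ones; the surrounding values are constructed for the example.

```yaml
# --- Weak configuration (constructed example): anyone who can reach port 9200
# --- can read and write every index without credentials.
network.host: 0.0.0.0            # bind to every interface, including public ones
xpack.security.enabled: false    # no authentication or authorization

# --- Hardened configuration (constructed example) for the same node.
network.host: 127.0.0.1          # only local processes (or an authenticated proxy) can connect
xpack.security.enabled: true     # every request must present valid credentials
xpack.security.http.ssl.enabled: true   # credentials and data are not sent in clear text
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumed path to the node's TLS keystore
```

With `xpack.security.enabled: true`, an unauthenticated request to the cluster's HTTP port is answered with a 401 rather than with data, which is the check an operator can run against their own deployment before anyone else does. Binding to a loopback or private address closes the route by which an exposed cluster is found in the first place, and it is worth verifying both settings after every upgrade, since defaults have varied between Elasticsearch releases.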
Again, "VPN" should not be automatically associated with "secure," and the majority of these companies simply aren't particularly trustworthy. Just ask vpnMentor, which discovered last week that an entirely different group of "no logging" free VPN providers had left more than a terabyte of private user data openly exposed online without a shred of protection:
"The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.
Each of these VPNs claims that their services are "no-log" VPNs, which means that they don't record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details."
The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of "security companies" that are even worse on security and privacy, is just very 2020. For many of these fly-by-night operations, the VPN itself is just security theater, and in some instances you're actually probably better off with the devil you already know:
I don't use a VPN because I'd rather Comcast aggregate my data than some dude wearing a dolphin onesie in his basement in Zurich.
- SwiftOnSecurity (@SwiftOnSecurity) April 18, 2017
That's not to say that VPNs don't have their uses, but folks need to exercise some good judgement and spend a little time reading and comparing recommendations from respected outlets before putting their behavioral data into the hands of total randos half a world away.