
That VPN may not be as secure as you think

News Analysis
Feb 13, 2019 | 3 mins

Researchers found some subscription VPN services have programming errors that cause leaks, monitor user traffic, and lack privacy policies — all reasons to set up your own VPN server.


If you’re a VPN subscriber and have ever wondered just how secure the supposedly encrypted pipe you’re using through the internet really is — and whether the anonymity promise made by the VPN provider is actually protecting your privacy — well, your hunches may be correct. It turns out several of these connections are not secure.

Academics say they’ve discovered a whopping 13 programming errors across 61 separate VPN systems tested recently. The configuration bungles “allowed Internet traffic to travel outside the encrypted connection,” the researchers say.
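The leak the researchers describe is usually a routing or resolver misconfiguration: the client believes everything goes through the tunnel, but the host’s routing table still sends some destinations (or all DNS queries) out of the physical interface. The following is an added example, not code from the article or from the research group’s study, of the kind of offline check a user can run against a snapshot of `ip route show` and `/etc/resolv.conf`. The interface name `tun0`, the addresses, and both snapshots are constructed for the example; the “fixed” snapshot uses the two half-default routes (`0.0.0.0/1` and `128.0.0.0/1`) that many VPN clients install so that tunnel routes win the longest-prefix match over the original default route.

```python
"""Added example: detect traffic paths that bypass a VPN tunnel interface.

Parses a routing table in `ip route show` format plus a resolv.conf, then
performs a longest-prefix match for a few probe addresses and for every
configured DNS resolver. Anything whose chosen route is not on the tunnel
device is reported as a leak. Snapshots below are constructed, not captured.
"""
import ipaddress

# Constructed snapshot: a client whose VPN only added its own /24 and left
# the LAN default route and the router's DNS in place (leaks everything).
LEAKY_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
LEAKY_RESOLV = "nameserver 192.168.1.1\n"

# Constructed snapshot: same host after the client installs the two /1 routes
# via the tunnel gateway and points DNS at a resolver reachable only through
# the tunnel. 203.0.113.10 is the (assumed) VPN endpoint, which must stay
# reachable over eth0 for the tunnel itself to work.
FIXED_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
FIXED_RESOLV = "nameserver 10.8.0.1\n"


def parse_routes(ip_route_output):
    """Return [(network, device)] from `ip route show`-style lines."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # strict=False lets a bare host like 203.0.113.10 become a /32.
            net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def parse_resolvers(resolv_conf):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver")]


def route_for(routes, addr):
    """Longest-prefix match: the route the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def find_leaks(ip_route_output, resolv_conf, tunnel_dev="tun0",
               probe_addrs=("1.1.1.1",)):
    """List (address, device) pairs whose path does not use tunnel_dev.

    Probe addresses stand in for 'the public internet'; resolvers are checked
    too because DNS leaks are the most common form of tunnel bypass. The same
    check should be repeated on `ip -6 route` where IPv6 is enabled.
    """
    routes = parse_routes(ip_route_output)
    leaks = []
    for addr in list(probe_addrs) + parse_resolvers(resolv_conf):
        match = route_for(routes, addr)
        dev = match[1] if match else None
        if dev != tunnel_dev:
            leaks.append((addr, dev))
    return leaks


if __name__ == "__main__":
    print("leaky:", find_leaks(LEAKY_ROUTES, LEAKY_RESOLV))
    print("fixed:", find_leaks(FIXED_ROUTES, FIXED_RESOLV))
```

On the leaky snapshot the check reports both the probe address and the LAN resolver as leaving via `eth0`; on the fixed snapshot it reports nothing, because the `/1` routes outrank the DHCP default route and the resolver sits inside the tunnel’s own subnet. A static snapshot like this catches configuration errors but not a client that silently drops the tunnel mid-session, which is why a kill switch (firewall rules that block non-tunnel egress) is the usual complement.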

The independent research group, made up of computer scientists from UC San Diego, UC Berkeley, the University of Illinois at Chicago, Spain’s Madrid Institute of Advanced Studies (IMDEA) and the International Computer Science Institute, writes in The Conversation this month (some of which is redistributed by Homeland Security Newswire) that six of 200 VPN services also scandalously monitored user traffic. That’s more serious than unintended leaks, the team explains, because users trust providers not to snoop. The point of a VPN is to be private and not get monitored. VPN use ranges from companies protecting commercial secrets on public Wi-Fi to dissidents.

Some botches are actually “defeating the purpose of using a VPN and leaving the user’s online activity exposed to outside spies and observers,” the researchers say.

Other problems the team discovered include that some VPNs allegedly lie about their server locations. “We found some VPNs that claim to have large numbers of diverse Internet connections really only have a few servers clustered in a couple of countries,” the researchers wrote. They say they found at least six VPNs faking routings through certain countries when traffic was actually going through others. That could create legal issues for the user, depending on local laws.

Other trouble areas included privacy policies. Fifty of the 200 VPN providers that were tested had no privacy policies published on their websites at all, the group says.

The main problem, however, isn’t the coding foul-ups or monitoring by providers. It’s that end users aren’t sophisticated enough to determine whether the product they’re using is wonky. They don’t have the technical skill, and there aren’t any standardized accountability provisions in place for any kind of meaningful analysis of the vendors — other than the privacy rhetoric on the companies’ websites. If users knew of a problem, they could simply change vendor.

Solutions to the VPN security problem: create your own VPN server, government regulation

The group is trying to deal with the issue. One angle they’re using is to advise VPN users to create their own VPN servers — not difficult, apparently.

Another strategy they’re trying is to get the government to regulate the VPN industry. Some of the group filed a public comment with the U.S. Federal Trade Commission (FTC), stating that they think the $15 billion VPN industry has problems (pdf). “The reality is the VPN ecosystem is highly opaque,” they write in their study (pdf). There are no tools, audits, or generally available independent research for users, they explain, and the FTC needs to sort that out.

The whole problem is exacerbated by VPNs using affiliate program-supported review sites for publicity, the filing says. The group says that’s not impartial enough, making it hard to sort the good providers from bad.


Patrick Nelson was editor and publisher of the music industry trade publication Producer Report and has written for a number of technology blogs. Nelson wrote the cult-classic novel Sprawlism.

The opinions expressed in this blog are those of Patrick Nelson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.