Turning To VPNs For Online Privacy? You Might Be Putting Your Data At Risk | KERA News

Turning To VPNs For Online Privacy? You Might Be Putting Your Data At Risk

Aug 17, 2017
Originally published on August 21, 2017 11:03 am

Worried about Internet companies snooping on your online browsing? You might turn to something called a virtual private network to protect your privacy. But researchers say these networks can themselves be insecure.

Earlier this year, the federal government rolled back rules that would have prevented Internet service providers from tracking your activity online.

Comcast, AT&T and other providers are now allowed to track and sell your personal data too — with much less fear of regulatory action. (Major providers insist that they don't sell their customers' browsing histories.)

One solution is a VPN, which is like a dark, secret tunnel you use to go from your computer to a website. While you're inside the tunnel — clicking on Instagram photos or checking your bank account — third parties can't see what you're doing. The data are encrypted.

There are lots of reasons people around the world use VPNs: to hide location, to access work networks, even to avoid government censorship. Loraine Kanervisto, a software engineer in Seattle, downloaded a VPN on their computer and cellphone to prevent spying.

"The more I read about how much power my Internet service provider is getting, the less inclined I am to share that data with them willingly," Kanervisto says. (Editor's note: Kanervisto uses the pronouns "they," "them" and "their.")

NPR reached out to six popular VPN companies and all have seen double-digit increases in downloads since Congress repealed Internet privacy rules.

Ryan Dochuk, co-founder of TunnelBear, says his company had a 200 percent increase in the usual amount of people joining from the U.S. in March, when the federal rules were rolled back, and demand continues to be strong.

"Before, where there were services that might collect a chunk of your browsing habits, like Google or Facebook, this change allows U.S. ISPs to collect 100 percent of your Web browsing and sell it to third parties," he says.

Internet providers handle customer privacy in different ways. Some say you have to opt in for them to sell your data. Nuala O'Connor, president of the Center for Democracy & Technology, a privacy advocacy group, says because of Internet-connected devices, providers can see more than the websites you browse.

"The Internet is in everything — increasingly in your house, in your smart water meter, in your refrigerator, in your toothbrush. The Internet service provider to your home knows a whole bunch of stuff about you," O'Connor says.

So, who cares whether Time Warner Cable or Verizon knows when I turn off my lights or whether I stock my fridge with Swiss or cheddar?

For one thing, those data points can be used to target advertising, O'Connor says. And she worries the government or private companies could use the information to deny services, like health insurance — or even water.

"You can think of water rationing in certain parts of the country being enforced via your smart water meter or your other devices," O'Connor says. "So it's a level of intrusion into the home and into your daily lives that we think people should be really mindful of and guard against."

Some VPNs promise anonymous browsing for free or just a few dollars a month; they claim not to share your data. But these services don't always deliver on their promises.

"If you're not careful with choosing your VPN service provider, the medicine might be worse than the illness," says Nick Feamster, a computer science professor at Princeton University. He says tens of millions of people have downloaded VPNs — and many don't realize they're not as secure as they claim.

In the first major review of VPN providers, researchers from across the globe tested nearly 300 free VPN apps on Google Play. What they found was alarming. Nearly 40 percent injected malware or malvertising. And nearly 20 percent of the apps didn't even encrypt user traffic.

This month, the Center for Democracy & Technology filed a complaint with the Federal Trade Commission alleging the VPN Hotspot Shield collects data and intercepts traffic. If true, that would be a direct violation of claims by the company's policy to "never log or store user data."

Amid all the VPN angst, the app TunnelBear is fighting for its reputation. To verify it is committed to protecting user security, the company became the first in the industry to complete a third-party audit.

Feamster, with Princeton, says that's very encouraging — even though the most recent audit turned up some vulnerabilities.

Experts say the safest option is to set up your own VPN server and connect to it, or use Tor to browse the Web anonymously. But Feamster admits most people won't do that.

For now, he suggests researching a VPN before using it and to think of it as a supplemental tool, not a privacy solution. He advises reading the VPN service provider's privacy policy to see whether it collects or retains any user information that could be traced back to you — and if so, for how long.

If you're looking to use a VPN, this comparison chart is a good resource. And, if you're feeling adventurous enough to build your own, Ars Technica provides this helpful guide.

Copyright 2017 KERA. To see more, visit KERA.

ROBERT SIEGEL, HOST:

This March, the federal government rolled back rules that would have prevented Internet service providers from tracking your online activity. Well, now Comcast, AT&T and the like are allowed to take that personal data and sell it with much less fear of regulatory action. From KERA in Dallas, Lauren Silverman reports that more people in the U.S. are downloading something called a virtual private network, hoping that will keep their activity hidden.

LAUREN SILVERMAN, BYLINE: Picture a virtual private network like a dark, secret tunnel you use to go from your computer to a website. While you're inside the tunnel - say, clicking on Instagram photos or checking your bank account - third parties can't see what you're doing. The data is encrypted.

LORAINE KANERVISTO: I hadn't ever felt like I needed to use a VPN in the past, but the more I read about how much power my Internet service provider is getting, the less inclined I am to share that data with them.

SILVERMAN: Loraine Kanervisto is a software engineer in Seattle. She says there are lots of reasons people around the world use VPNs - to hide location, access a work network, even to avoid government censorship. But she downloaded a VPN on her computer and cell phone because she doesn't want her Internet service provider spying on her.

She's not alone. NPR reached out to six popular VPN companies, and all have seen double-digit increases in purchases since Congress repealed internet privacy rules. Ryan Dochuk is co-founder of the VPN called TunnelBear.

RYAN DOCHUK: Before, where there was services that might collect a chunk of your browsing habits like Google or Facebook, this change allows U.S. ISPs to collect 100 percent of your web browsing and sell it to third parties.

SILVERMAN: The ISPs handle customer privacy in different ways. Some say you have to opt in for them to sell your data. Nuala O'Connor with the Center for Democracy & Technology says the policies can be confusing, so you need to do your research, especially because ISPs can see a lot more than the websites you browse.

NUALA O'CONNOR: The Internet is in everything - increasingly in your house, in your smart water meter, in your refrigerator, in your toothbrush. The Internet service provider to your home knows a whole bunch of stuff about you.

SILVERMAN: O'Connor says it's possible the government or private companies could use that information to deny services like health insurance, even water.

O'CONNOR: You can think of water rationing in certain parts of the country being enforced via your smart water meter or your, you know, other devices. So it's a level of intrusion into the home and into your daily lives that we think people should be really mindful of and guard against.

SILVERMAN: Which brings us back to virtual private networks. Many of them promise anonymous browsing for free or just a few dollars a month. They claim not to share your data. Closer inspections revealed there are cracks, even trap doors hidden inside.

NICK FEAMSTER: If you're not careful with choosing your VPN service provider, the medicine might be worse than the illness, (laughter) so to speak.

SILVERMAN: Nick Feamster is a professor of computer science at Princeton. He says tens of millions of people have downloaded VPNs, and many don't realize they're not as secure as they claim. In the first major review of VPN providers, researchers tested nearly 300 free VPN apps. What they found was alarming. Nearly 40 percent injected malware. And, as so-author Narseo Rodriguez says...

NARSEO RODRIGUEZ: To our surprise, basically we found that 20 percent of applications were actually not encrypting any traffic at all.

SILVERMAN: Not encrypting it at all.

RODRIGUEZ: At all, yeah.

SILVERMAN: Meaning that pitch-black tunnel you were promised is nothing more than a see-through straw. Before Loraine Kanervisto chose her VPN, she did her homework. But she admits...

KANERVISTO: Essentially I'm paying this company with the hopes that they are delivering on what they're advertising. It is a gamble.

SILVERMAN: The safest option, according to Nick Feamster with Princeton, is to set up your own VPN server or use the privacy software Tor. Most people won't do that. So for now, think of a VPN as a supplemental tool, not a privacy solution. Lauren Silverman, NPR News. Transcript provided by NPR, Copyright NPR.