Is VPN really safe to use for the protection of privacy?
Qingxuan Guo
Your internet service provider can sell your browsing history to the highest bidder. This news prompted the public to seek tools that could hide their browsing history. Earlier, the US House of Representatives voted to repeal the previous Federal Communications Commission's clause that prevented Internet service providers from selling user data. That night, VPN searches soared to a five-year high. At the same time, some people began to sell their web browsing history on eBay. In addition, an Internet user who opposed the vote launched a campaign to buy the legislator’s web browsing history. Forrester, a technology company, is committed to the field of privacy protection. Its chief analyst Fatemeh Khatibloo pointed out that because the Federal Communications Commission’s terms have not yet taken effect, the way Internet service providers handle user browsing privacy has not changed.
A VPN redirects Internet traffic, hides the location of the device the user connects from, and encrypts the content the user transmits over the Internet, so that an interceptor, including the Internet service provider, cannot read the user's information. People started to use VPNs to protect their privacy. According to statistics, people who support and continue to use VPNs for privacy purposes are motivated largely by emotional factors, including a strong desire to protect their privacy online and a general apprehension of surveillance and data monitoring, not just by Internet service providers (ISPs) but also by governments and tech companies such as Facebook and Google.
But is a VPN really safe? A VPN encrypts the data so that other online entities cannot read it. The technology uses complex ciphers such as 256-bit AES encryption, RSA or Twofish. Without the proper key to decrypt it, the data is absolutely inaccessible. This makes VPN protection one of the safest modes of protecting data from other online entities.
However, like an Internet service provider, a VPN provider can hold the user's browsing history data. Recently, a security researcher discovered that VPN services may accidentally leak the user's real IP location information. An investigation shows that 23% of the VPN services on the market leak the user's real IP location through the browser's WebRTC technology. WebRTC is enabled by default in most mainstream browsers, so it is recommended to temporarily disable the browser's WebRTC features. Paolo Stagno, a senior security researcher, revealed on the Internet that he tested 70 VPN services on the market and found that 16 of them leak the user's IP location through WebRTC. Paolo Stagno said that more VPN services outside the sample may also have this vulnerability.
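A user can check their own setup for the WebRTC leak described above. The following is an added example, not code from the researcher or from any VPN product: it parses ICE candidate lines copied from the browser's own WebRTC diagnostics page (for example chrome://webrtc-internals) and flags any address that is not the VPN exit. The function names, the sample candidates and the VPN exit address are constructed for illustration.

```javascript
// Added example. Candidate line layout (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
  return m ? { transport: m[1], address: m[2].toLowerCase(), port: Number(m[3]), type: m[4] } : null;
}

// True for loopback, RFC 1918, link-local and IPv6 unique-local addresses.
function isLocalAddress(addr) {
  if (addr.includes(':')) return addr === '::1' || addr.startsWith('fe80:') || /^f[cd]/.test(addr);
  const p = addr.split('.').map(Number);
  return p[0] === 10 || p[0] === 127 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
         (p[0] === 192 && p[1] === 168) || (p[0] === 169 && p[1] === 254);
}

// Every candidate that exposes an address other than the VPN exit.
function findLeaks(candidateLines, vpnExitIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;                            // not a candidate line
    if (c.address.endsWith('.local')) continue;  // mDNS name: host address is masked
    if (c.address === vpnExitIp.toLowerCase()) continue;
    leaks.push({ address: c.address, type: c.type,
                 kind: isLocalAddress(c.address) ? 'local-address' : 'public-address' });
  }
  return leaks;
}

// A public address that is not the VPN exit is the real-IP leak the page describes.
function leaksRealIp(candidateLines, vpnExitIp) {
  return findLeaks(candidateLines, vpnExitIp).some(l => l.kind === 'public-address');
}

// Constructed sample (documentation address ranges), not captured traffic.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-123456789abc.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 0.0.0.0 rport 0',
  'a=candidate:4 1 udp 1686052351 203.0.113.7 40001 typ srflx raddr 0.0.0.0 rport 0',
];
const VPN_EXIT_IP = '198.51.100.20'; // assumed: the address an IP-echo page shows with the VPN on

console.log(findLeaks(SAMPLE_CANDIDATES, VPN_EXIT_IP));
```

A `local-address` result exposes only the LAN or tunnel address; a `public-address` result means the browser disclosed an Internet-facing address that bypasses the VPN.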
Although there are now well-reputed VPN service providers, users still need to read a VPN's privacy terms and other hidden terms carefully. In 2015, Hola, the free VPN operator, sold its user information to paying users of the Luminati service. In short, as the Internet has developed rapidly, cyber crimes have also become very common, and various incidents of stolen user information and fraud have frequently been exposed. Adopting reasonable protective measures is undoubtedly far better than passively solving the problem, but in the choice of a VPN, we must be cautious.
Namara Moses, Wilkinson Daricia, Caine Kelly, Knijnenburg Bart P. 2020. “Emotional and Practical Considerations Towards the Adoption and Abandonment of VPNs as a Privacy-Enhancing Technology”. Proceedings on Privacy Enhancing Technologies, Vol 2020, Iss 1, Pp 83-102 (2020)
Alessandro Acquisti, Laura Brandimarte, George Loewenstein. “Privacy and human behavior in the age of information”. Science, 30 Jan 2015: 509-514
Julian Jang-Jaccard, Surya Nepal, “A survey of emerging threats in cybersecurity,” Journal of Computer and System Sciences, Volume 80, Issue 5, 2014, Pages 973-993, ISSN 0022-0000, https://doi.org/10.1016/j.jcss.2014.02.005.
R. Younglove, "Virtual private networks - how they work," in Computing & Control Engineering Journal, vol. 11, no. 6, pp. 260-262, Dec. 2000, doi: 10.1049/cce:20000602.
Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar, and Vern Paxson. 2016. An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps. In Proceedings of the 2016 Internet Measurement Conference (IMC '16). Association for Computing Machinery, New York, NY, USA, 349–364. DOI:https://doi.org/10.1145/2987443.2987471