'Just Use A VPN' Isn't A Real Solution To The GOP's Decision To Kill Broadband Privacy Protections
from the snoopvertising-incorporated dept
Not too surprisingly, VPN providers say they're seeing an interest spike in the wake of lawmakers' full frontal assault on consumer broadband privacy protections. The attack on the rules comes as the broadband industry is suffering from an overall decline in competition, something of notable concern to privacy advocates. Some VPN providers were quick to use the debate as a marketing opportunity, with VPN provider Private Internet Access taking out a front page ad in the New York Times shaming the 50 Senators who sold consumer welfare down river in exchange for AT&T, Comcast, Verizon and Charter campaign contributions.
VPN provider NordVPN says it has seen an 86% spike in new subscriber inquiries since the effort to kill the rules began, something it's quick to note happens every time privacy is threatened by myopic lawmakers worldwide:
"Such spikes in user interest in VPNs are not unusual - whenever a government announces an increase in surveillance, people turn to privacy tools. We saw similar spikes back in November when the UK passed the law dubbed ‘The Snoopers Charter’ or after the revelation about CIA surveillance by WikiLeaks. We are worried about the global tendency to invade Internet users’ privacy, and we are glad we can offer a reliable tool that helps people keep their information private. We want to stress that privacy tools are needed every day, not only during such moments - to protect yourself from ever-growing online security threats and increasing surveillance."
When ISPs were busy lobbying to have the rules killed, they were quick to insist that they don't really collect much data about consumers anyway (patently false). They were also quick to try and argue that killing consumer broadband privacy protections isn't that big of a deal -- because consumers could just protect themselves by using encryption and a VPN. One particular study (pdf) by the telecom-sector-funded Information Technology & Innovation Foundation put it this way:
"ISPs do not have nearly the visibility critics suggest. First, as the cost of processing has continued to drop, the number of online services and sites that use encryption has dramatically increased. As a result, ISPs will have less and less insight into customers' Internet usage. Second, any customers who have a heightened sensitivity to privacy concerns are able to use tools like Virtual Private Networks (VPN) or even onion routing to obscure online communications. Third, ISPs only have a partial view of subscriber online behavior since most use multiple devices and service providers."
This argument has also been pushed around by many folks that aren't keen on additional government regulation, but want to convince themselves the erosion of privacy protections in a captive, uncompetitive market isn't that big of a deal. But as Princeton computer scientist Nick Feamster pointed out a year ago, ISPs know an alarming amount about you via DNS records, deep packet inspection, location data tracking and other commercial surveillance. And neither encryption nor VPNs alone are enough to ensure your private data isn't being tracked, collected, stored, and sold:
"Traffic from VPNs doesn’t simply disappear: it merely resurfaces in another ISP that can subsequently monitor user activity. The opportunities for observing user traffic are substantial. For example, in a recent simple experiment that postdoc Philipp Winter performed, web requests from Tor exit relays to the Alexa top 1,000 websites traversed more than 350 Internet service providers; considering the DNS lookups from these exit relays, the traffic from these exit nodes traverses an additional 173 Internet service providers."
Meanwhile, Feamster was also quick to point out that the myriad of internet-of-broken-things devices in most homes usually aren't compatible with VPN use:
"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."
As Wired quite correctly points out, a VPN also won't help you if your wireless carrier is installing snoopvertising locally on your phone (remember CarrierIQ?). Nor is it a bulletproof solution for ISPs like Verizon that have creatively started modifying user packets to covertly track subscribers around the internet. Nor does it prevent an ISP from charging you more to opt out of data collection (something AT&T and Comcast have both flirted with). A VPN also won't protect you from companies that have flirted with providing worse customer service based on your credit score.
And, of course, in using a paid-for VPN service, you're basically just moving the area of attack. Now, instead of your ISP snooping on you, you need to worry about the VPN company, because they get the same insight into your traffic patterns as your ISP. And while many VPNs insist that they don't monitor, record, or track this stuff, not all do, and there's been little done to see if various VPN companies are telling the truth. Certainly, many VPN companies stake their entire reputation on privacy and not snooping through your surfing data -- and hopefully the potential risk to their reputation for not being honest about that stops abuses -- but part of the problem is that no one really knows. Kevin Riggle has a good post outlining why you should be skeptical and careful if you think a VPN is the answer to your privacy concerns.
Long story short, you're going to hear a lot of people say "just get a VPN" in the wake of Congress' decision to sell your privacy down river for ISP campaign contributions. But a VPN isn't a silver bullet that magically compensates for fading regulatory oversight of an uncompetitive (and anti-competitive) telecom sector, where neither regulatory authority nor competition impedes these companies' hoovering up of consumer data. A VPN is just one tool for anybody hoping to protect their traffic from the ever-expanding, watchful gaze of their now-unshackled broadband provider, and it may not even be a very good one. And it's a problem if people jump on VPNs thinking that it's "the solution." It is not.