
Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea

(Mis)Uses of Technology

from the not-a-magic-bullet dept

Wed, Jul 22nd 2020 6:40am, by Karl Bode

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.

Usually, consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

The latest case in point: a number of VPN providers who claim to offer "zero logging" protection were found to have not only been tracking a laundry list of user behaviors online, but doing a piss poor job securing said data. Kicking it off, Comparitech's Bob Diachenko recently discovered 894 GB worth of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren't tracked as they travel around the internet. That wound up being, you know, not even remotely true:

"Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity."

Again, "VPN" should not be automatically associated with "secure," and the majority of these companies simply aren't particularly trustworthy. Just ask vpnMentor, which discovered last week that an entirely different group of "no logging" free VPN providers had left more than a terabyte of private user data openly exposed online without a shred of protection:

"The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details."

The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of "security companies" that are even worse on security and privacy is just very 2020. For many of these fly by night operations, the VPN itself is just security theater, and in some instances you're actually probably better off with the devil you already know:

That's not to say that VPNs don't have their uses, but folks need to exercise some good judgement and spend a little time reading and comparing recommendations from respected outlets before putting their behavior data into the hands of total randos half a world away.

Filed Under: privacy, security, vpn


Reader Comments



  • Anonymous Coward, 22 Jul 2020 @ 7:00am

    man built = fallible

    panacea...SAT word that I still don't know if I'm pronouncing correctly.
    Yeah, anything online is hack-able.


  • Pixelation, 22 Jul 2020 @ 7:00am

    Always a weak point

    There is a certain amount of trust required in our communications systems. Like the trust in our government, it has been eroded quite a bit in recent years.


  • Anonymous Anonymous Coward, 22 Jul 2020 @ 7:06am

    Buyers beware

    The message seems to be, be careful which VPN provider you choose. Some of them are shady. Free doesn't appear to be associated with good.

    There have also been some cases recently where even with competent VPN providers users opted to use static IP addresses which is a value as it gets around the usual VPN address blocking some websites use (I think Netflix does this and I know Craigslist does this) but is extremely harmful to the whole anonymity thing.


    • PaulT, 22 Jul 2020 @ 7:40am

      Re: Buyers beware

      "The message seems to be, be careful which VPN provider you choose"

      The real message is that real security is an ongoing process. Anyone who thinks that applying one form of protection is enough to forget about the entire process is a fool. You need to keep vigilant, make sure you're using other methods to protect yourself and be willing to switch your toolkit entirely should something not be performing to acceptable standards.

      But, yes, making a good decision about your provider upfront is important, and a big part of that is that you get what you pay for. Free is fine, but that means you have to be extra careful. It's notable that all of the free VPNs included in the above report appear to be randomly generically named VPNs I'd never personally heard of before, all running out of Hong Kong. Given recent political events, you have to be pretty lax in your choice of security to what could be a potential Chinese government proxy just because it was "free".


