VPNs aren’t as protective as you think they are, says US Congress

VPNs aren’t as protective as you think they are, says US Congress

a letter to the Federal Trade Commission to urge chair Lina Khan “to take enforcement actions against the problematic actors in the consumer Virtual Private Network (VPN) industry,” based on what they consider a serious issue: “deceptive advertising and data collection practices.” 

The letter, from senator Ron Wyden and representative Anna G. Eshoo, comes in the wake of the Supreme Court's decision in Dobbs v. Jackson, which overturned the US's decades-long protections for abortion. One outcome of the Dobbs decision, the congresspeople write, is that VPNs are being recommended as a privacy tool amid concerns that browsing data, location history and even period tracking apps could be weaponized in states that criminalize abortion.

“As the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization has amplified concerns about digital reproductive privacy, people seeking abortion are increasingly told that installing a VPN is an important step for protecting themselves when seeking information on abortion in states that have outlawed and criminalized abortion,” the letter states.

Congress' criticism of VPN practices

Wyden and Eshoo argue that the VPN industry's lack of oversight, “false and misleading claims about their services,” and “selling user data and providing user activity logs to law enforcement” are pressing concerns for abortion-seekers living in states that are in the process of criminalizing it. 

Multiple devices that could run a VPN

The letter bases its argument on a detailed 2021 white paper by Consumer Reports, which scrutinized 16 popular VPN providers for security and data privacy. Some of the report is dense and technical, while other sections delve into the confusing and misleading marketing language that many VPNs use to puff themselves up. One popular example was “military-grade encryption”—as Consumer Reports pointed out, “there is no specific VPN standard for 'the military,' and this term is often a red flag for security professionals.”

Consumer Reports' study is strong evidence that VPNs are, at the very least, not foolproof tools for online anonymity. There's a lot of data about specific providers to dig into, but here are some particular points that stood out to me: 

  • In many VPNs’ terms of service or privacy policy, there was no evidence of robust internal procedures for audits or for preventing unauthorized access by employees. And some VPNs that had third-party security audits did not make them available to the general public or conducted them inconsistently.
  • We found that every VPN company we evaluated could do better when it comes to committing to allow users to obtain the public-facing and private user information that the company holds, including users not covered under CCPA or GDPR.
  • Many of the VPNs we tested could improve by providing specific retention periods for any data they do collect.
  • Consumers should be aware that while many VPN providers indicate that they do not keep logs, this usually cannot be verified, and in many cases logs were found on the local Windows system that included usernames, emails, IP addresses, and other potentially sensitive information.
  • Not only can VPN providers see your real IP address but companies can also use many other methods to track users, such as device fingerprinting, browser fingerprinting, web cookies, tracking pixels, and more. Websites often request data that can pinpoint people’s geographic location, such as WiFi networks, device location based on GPS, cell tower identification (CDMA or GSM cell IDs), and more. Various companies collect wide-ranging data, beyond IP addresses, and sell that information to data brokers. Many of the risks that consumers use VPNs to try to protect against are already largely mitigated through the use of HTTPS. And many risks, such as social engineering, are not mitigated by using a VPN.

Consumer Reports highlighted a 2018 case in which VPN IPVanish provided user data logs to the US Department of Homeland Security, despite its website claiming it kept no logs. But other cases have proven VPNs truthful on the subject, like a 2018 hacking lawsuit in which VPN Private Internet Access testified it could not produce any traffic data in response to a subpoena.

The point is, subscribing to almost any VPN includes some degree of risk: you're taking it on faith that they really don't keep any logs, and hiding your IP address isn't the guaranteed privacy protection some VPN marketing makes it out to be.

FTC Flag

(Image credit: Bloomberg (Getty Images))

If you're already a VPN subscriber or thinking of using one, Consumer Reports' resulting recommendations offer a concise breakdown of what to look for, and highlight three VPNs that got top marks for privacy and security. But the question now is whether the FTC will look into regulating how VPNs handle user data or how they're marketed.

Eshoo and Wyden's letter to the FTC asks the commission to “take immediate action under Section 5 of the FTC Act to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions.” Section 5, outlined here, broadly declares unlawful “deceptive practices” that can mislead consumers and empowers the FTC to enact complaints or penalties for those violations. But even if the FTC does turn an eye towards VPNs, it could be months or years before it has any real effect.

The letter's second request may have more immediate benefit to those seeking abortions: it asks the FTC to “develop a brochure for abortion-seekers on how best to protect their data, including a clear outline of the risks and benefits of VPN usage.” 

FTC chair Lina Khan hasn't yet responded to the letter specifically, but the commission did publish a statement on July 11 that it is “committed to fully enforcing the law against illegal use and sharing of highly sensitive data.” 

Frederick Catcher

Popular in the Community