In our rush to remain secure on our devices and machines, many of us opt for a VPN. The goal is in the name itself – virtual private network. And that name has a lot of pull. This is what we want; we want privacy.
But what happens when that privacy gives way to … a loss of privacy? As scary as it may sound, that’s exactly what may be happening. The United States Department of Homeland Security (DHS) issued a warning that their foreign adversaries had an interest in exploiting VPN services. This means the governments in other countries are interested in spying on you and believe they could use your VPN for their dirty work.
It’s really hard to know lately how to keep your information the safest. It seems like no matter what you do, you can’t protect it. In this case, the effort to protect it leaves it even more vulnerable.
Chris Krebs, the director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote to two U.S. senators, Ron Wyden and Marco Rubio, in May, issuing them a warning.
“Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes,” he wrote.
But this was not a warning out of the blue. The two senators had written to him a few months prior, out of concern that apps created in other countries that are of national security concern to the U.S. may pose a threat.
They were worried about mobile browsers that use their own servers to help route traffic and compress pages before ultimately delivering them to the user, all with the goal of saving data. VPN services also reroute traffic through their own servers, though they do it to alleviate privacy concerns.
The senators noted that they were concerned about potential security risks to government employees who use VPNs, mobile data proxies, or other apps that may leave them vulnerable to surveillance by foreign governments. The U.S. government had already identified Chinese telecom equipment as posing a national security risk and last year banned the use of Chinese smartphones in military exchanges because of it.
But even six years before that, the U.S. House of Representatives recommended that Huawei and ZTE be banned because of these same concerns. Note that this was before the recent trade war between the U.S. and China that prompted Google to revoke Huawei’s Android license, though it has since been reinstated, according to Huawei.
Yet, as Krebs said in his letter, there is no U.S. policy that prevents government employees from downloading foreign VPN apps to their mobile devices.
As he also noted, the National Institute of Standards and Technology (NIST) has published guidelines for managing mobile device security.
“Mobile devices are manufactured to easily find, acquire, install, and use third-party applications from mobile device application stores,” read the guidelines. “This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing.”
Krebs also told the senators that according to “open-source reporting,” the Russian government has laws that force VPN providers to participate in a system that allows the Kremlin to “access and influence Russia-based VPN providers,” such as Yandex. The Indian government advised its employees that the Chinese government uses mobile apps to collect information on sensitive Indian security installations.
What Are the Risks?
So if one government is known to be actively encouraging use of VPNs for access and influence, and another is already advising its employees that other governments could be using mobile apps for spying, the U.S. seems to be behind in issuing similar warnings. CISA rates app use as a “low to moderate risk.”
While these are just warnings for government employees, shouldn’t the public have similar concerns? We already know that some VPNs are unscrupulous and collect data even after promising not to, and now there’s a threat that foreign governments may have an interest in that data as well.
Does foreign government spying concern you? Will it affect your use of VPNs? Let us know what you think about this in the comments below.