Can a VPN protect you from government surveillance?
Nick Pearson explains the functions of a VPN, and how to best choose one that will ensure your privacy is protected.
As the global debate over online government surveillance rages on, it's reasonable to assume the use of privacy tools to foil state-spying efforts will only increase. The protection of online privacy is already a booming industry online, with a number of Virtual Private Networks (VPNs) claiming to protect your data from government intrusion. VPNs can do a lot of things, such as allowing you to get around regional YouTube restrictions, or helping you escape the online parameters of whatever censorious regime you may be living under. But can they really stop governments from accessing your data, and what will happen if a government asks a VPN for information on a customer?
What is a VPN?
A VPN, to quote Wikipedia, “enables a host computer to send and receive data across shared or public networks as if they were an integral part of the private network with all the functionality, security and management policies of the private network.” A VPN, in the context of a privacy platform, is a network that ensures all the data you’re sending and receiving is encrypted and never logged, thus preventing spying. But while the acronym “VPN” has become a byword for online privacy, not all VPNs are actually privacy services – and even the ones that are may not be serious about protecting privacy.
The key issue concerns the storing of data. The European Data Directive mandates that all ISPs must store user data, which includes logs of who you've emailed and logs of what websites you've visited, for at least one year after the user leaves the ISP's service. In the US, there is no data retention law – although that may change – but ISPs are free to store data for as long as they like, and many happily do so in order to better assist law enforcement. Whether or not a VPN can protect your privacy revolves around the integrity of its own data retention policy.
As a study from TorrentFreak shows, many VPNs retain user data in exactly the same way as an Internet service provider (ISP), which renders them pretty much useless as a privacy service. VPNs have to abide by the laws in their jurisdiction. If law enforcement demands a VPN hand over its data on a customer, then it must comply. But if there's no data to hand over, then a user's privacy is always protected. Sure, law enforcement could demand a VPN start logging data on a particular user (which is probably what happened in the case of HideMyAss and Lulzsec), but any VPN serious about privacy would shut down the service before complying with such an order.
Some VPNs retain data because it essentially makes their lives easier and is used to troubleshoot problems with the network. Others retain data because they believe it's necessary to comply with the law – even though that may not be the case. If they are honest, such VPNs would not market themselves as a privacy service. But not all are honest; some downright lie, and others simply hide behind the conflation of the words 'VPN' and 'privacy'.
How to choose a VPN
So if you want to use a VPN for privacy purposes, what should you do? Firstly, examine the VPN's terms and conditions closely. Make sure it's very clear about how long it stores data. If in doubt, ask them. Most genuine privacy services will only retain data for a few hours maximum. Secondly, find out what the VPN will do if the laws in its jurisdiction concerning data retention change. Any privacy service worth its salt should be prepared to move jurisdiction if changing laws compromise user privacy (admittedly there are some grey areas here, but a commitment to moving jurisdiction is a good sign the VPN takes privacy seriously). Finally, ask the VPN how far it's willing to go to protect the privacy of its users in the face of demands from law enforcement. You may not get a straightforward answer to this question, but if a VPN has built its business on privacy commitments then it's more likely to put up as much resistance as possible to protect its business' reputation.
Nick Pearson is the founder of IVPN. IVPN is a VPN privacy service and Electronic Frontier Foundation member aimed at journalists, people living in areas of online censorship, and privacy-conscious individuals.
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views