Using a VPN is seen as best practice for anyone accessing the Internet whether that be for work or pleasure. Today, research from VPNpro, looking at 97 VPNs, shows that they are owned by just 23 companies. Many of these companies make it hard to know who actually owns them or where they are located. This should raise a red flag to anyone buying or planning to use a VPN.
Laura Kornelija Inamedinova, Research Analyst at VPNpro, commented: “We’re not accusing any of these companies of doing anything underhand. However, we are concerned that so many VPN providers are not fully transparent about who owns them and where they are based.
“Many VPN users would be shocked to know that data held on them could be legally requested by governments in countries such as China and Pakistan. Our recommendation is that people do a lot of due diligence on the VPN that they want to use, since they aren’t all created equal and simply using a VPN does not guarantee privacy or security.”
Importantly, VPNpro is not saying that a single company should not own multiple VPNs. After all, one size does not fit all and some will want different capabilities. The issue here is the obfuscation of ownership combined with privacy laws in the country where the company is based.
Chinese companies significant players in the VPN market
The Chinese government has taken measures to block VPNs for several years to prevent its citizens from gaining access to Western news and media. It is not just a problem for its citizens. Visitors to the country, both business and personal, can expect their traffic to be monitored if they are not using a VPN.
It will come as a surprise to many, therefore, to discover that the research shows that six companies, based in China, operate 29 VPN services. Some of these companies own multiple brands which then own multiple VPNs.
| Websites you visit; Things you type into fields; Your device information; Your IP address | We log information and other data from your device, such as webpage addresses and data fields… (source) | We may share, sell, transmit, or otherwise make available to third parties information that does not include personally identifying information. |
Some of the Chinese-owned VPNs look as if they are based in other countries. SecureVPN, also owned by HotspotVPN, appears to be a US-based product. Although there are no details of the company on the website, it gives its terms of service as being 9am-5pm EST. Most users would assume, therefore, that it is based on the Eastern side of the US.
China not the only country that VPNpro calls out
VPNpro has called out other countries where ownership of VPNs is unclear and where it believes the local legislation is not in the interests of VPN users. The latter comes down to legal data retention policies and logging. This list of countries even includes those covered by GDPR, which raises a question over which piece of legislation has primacy. Some of the notable entries include:
USA: There are six companies who own 32 VPN products. Arguably, this makes US companies no better than those in China. When it comes to trusting those companies, VPNpro points out that the US is a founding member of the 5 Eyes alliance and is a major surveillance state. This means that VPNs based in the US must comply with government requests for user data. It also adds that the “NSA invests heavily in back door encryption” and the “FBI can access any data by secret subpoenas (NSLs)”.
Pakistan: Just one company with seven VPNs was identified in this report. VPNpro also uses an unattributed quote that states: “Pakistan’s 2016 cyber-crime law has been called ‘the worst piece of cyber-crime legislation in the world.’” It goes on to add that the “Government can access any data without a warrant” and “data can be freely handed over to foreign institutions.” Most of the latter has come about through the war on terror.
UK: Surprisingly, there is only one VPN provider with two products called out here, and that is Hideman Limited. Like the US, the UK is a founding member of the 5 Eyes alliance. Over the last few years it has enacted a number of laws that provide for increased data retention and access by security services. VPNpro states the UK “gives law enforcement strong surveillance power without warrant” and “Allows authorities to hack into computers or devices.”
Enterprise Times: What does this mean
IT security best practice advice is to use a VPN, especially if you are working away from the office. While it is far from universally adopted, there is an increasing adoption of the technology. However, this year we have been hit by multiple reports showing that our due diligence and choice of VPN is flawed.
The BestVPN report into data gathering and logging was a wake-up call for some users. This piece of research from VPNpro just adds to that by declaring ownership. Combine the two and there are some interesting gaps.
Anyone looking to take on a VPN needs to spend time doing a lot more research, especially where the user is accessing sensitive corporate data.