The last few years have been a bumpy ride for the Virtual Private Network (VPN) industry. News has emerged about VPNs selling bandwidth, injecting adverts, selling user data, providing poor security, and at times even lying about the encryption they provide. Here at ProPrivacy.com, we are all too aware of these problems. That's why we carefully review VPNs and inform consumers about their flaws (as well as their strengths).
Just last week, news broke about a complaint that the independent advocacy group Center for Democracy and Technology (CDT) has made about the US-based VPN Hotspot Shield. CDT has filed a 14-page complaint with the Federal Trade Commission because it believes that Hotspot Shield has been violating Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
The issue is explained in the ProPrivacy.com review of Hotspot Shield. As CDT states,
“ProPrivacy’s review highlights exactly what Hotspot Shield does wrong.”
Joseph Jerome from CDT also told me,
“You, as someone in the weeds on VPNs, might understand what they're doing, but the average consumer won't.”
Food for Thought
Unfortunately, consumers aren't always aware of what's going on under the hood of a VPN. A Commonwealth Scientific and Industrial Research Organisation (CSIRO) report from earlier this year analyzed poor reviews (one or two stars) of VPN apps on the Google Play Store that had more than 500K installs and an overall rating of four stars. It found that:
“Only less than 1% of the negative reviews relate to security and privacy concerns, including the use of abusive or dubious permission requests and fraudulent activity.”
That is a startling statistic. It demonstrates just how vulnerable VPN consumers are to the erroneous privacy claims made by VPNs. What's more, it isn't just VPN privacy policies that must be precise and honest: the entirety of a VPN's code and infrastructure must be tested in order to ascertain that it is actually delivering on the promises it makes. Sadly, VPNs aren't currently regulated, so consumers are at risk.
Now, a VPN firm called TunnelBear has decided to take matters into its own hands in order to add even more transparency to its already respected service.
The TunnelBear Third Party VPN Audit
TunnelBear is a VPN firm based in Toronto, Canada, that has just announced the results of a third-party audit. In its blog post about the audit, TunnelBear explains that, due to a rise in concerns over the practices of commercial VPNs, it decided to employ an independent security firm to audit its service:
“While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.”
The firm that TunnelBear employed to do that audit is called Cure53. In its blog post, TunnelBear candidly admits that not all of Cure53's findings were positive:
“If you’ve already looked at the results, you’ve seen that the 2016 audit found vulnerabilities in the Chrome extension that we weren’t proud of. It would have been nice to be stronger out of the gate, but this also reinforced our understanding of the value of having regular, independent testing. We want to proactively find vulnerabilities before they can be exploited.”
All the vulnerabilities discovered during the initial audit were rapidly fixed by TunnelBear's development team. During the follow-up audit, Cure53 found that TunnelBear had managed to plug all of the major security issues that it had discovered:
“The results of the second audit clearly underline that TunnelBear deserves recognition for implementing a better level of security for both the servers and infrastructure as well as the clients and browser extensions for various platforms.”
This is fantastic news for TunnelBear’s customers. However, it also raises alarms about other VPNs. By its own admission, TunnelBear had hoped to “be stronger out of the gate.” Sadly, however, what we hope for isn’t always what we get.
When it comes to properly auditing the hundreds of lines of code that make up a VPN, especially because cryptography is involved, there are few people who can properly do the job. What's more, funding an audit like the one that TunnelBear paid for (out of its own pocket) is far from cheap.
A Sign of Things to Come?
The good news is that other audits do already happen. In May, the results of an audit of OpenVPN encryption proved that the leading VPN protocol was secure. That report was published by the Open Source Technology Improvement Fund (OSTIF). It was paid for by contributions from many individuals and firms within the VPN industry (including ProPrivacy.com).
The OSTIF report proved the validity of OpenVPN as a form of encryption. It demonstrated that VPNs that implement OpenVPN (to the latest standards) are providing their users with strong privacy and security. However, what that audit couldn't do was verify third-party VPNs' custom client implementations or their client-side infrastructure and security. That is something each VPN must seek to do for itself, if it wants to prove that every single part of its code is free of vulnerabilities.
Not Doing Enough
AirVPN, a well known and highly trusted VPN provider, told me that it employs white hat hackers to test its infrastructure on a regular basis:
"Our service is based on OpenVPN. About OpenVPN we co-financed an extensive audit, in addition to the normal peer reviews by security experts and community on free and open source software.
"Our software client, an OpenVPN wrapper and frontend, is free and open source software too (released under GPLv3). Source code is available on GitHub.
"We do not release any bloatware, so the remaining parts of the infrastructure needing stress and attack tests are on our side. Our infrastructure is frequently attacked by professional and authorized persons (skilled hackers) in search of vulnerabilities and, of course, the Air staff carefully analyzes the reports of such attacks. We do not advertise this activity or consider it a marketing tool, because this is the ordinary and normal behavior in the IT industry, especially when exposing services on a public network."
However, Mario Heiderich from Cure53 told me that it is counterintuitive for VPNs not to advertise the testing they have done:
"VPN providers should be loud about it, should offer transparency, should publish reports and prove to their users that they have the best in mind for them."
In addition, Heiderich told me that "having their client code on Github or the like might help - yet lots of software has critical bugs despite being open source, so there is no guarantee of any kind." That point underlines why this kind of audit matters. After all, there is a difference between having open source VPN code and having open source code that has been thoroughly and independently verified.
Good... Great... Better
Don't get me wrong: in terms of transparency, AirVPN is leaps and bounds ahead of the vast majority of VPNs on the market. However, what TunnelBear has done definitely goes a step further. It demonstrates an unusually determined approach to demonstrating the trustworthiness of its service.
Here at ProPrivacy.com, we applaud TunnelBear for having made the leap to pay for its own in-depth and public audit. TunnelBear can now brag more confidently about its security levels than just about any other VPN. This is a position that other VPNs will no doubt wish to emulate. As far as we are concerned, this is something that all top-end VPNs should want to do.
VPNs should be completely honest and transparent about every part of their service. TunnelBear has gone that extra mile and proven that there is a way to improve the VPN industry’s reputation. We hope that more VPNs decide to follow this excellent example.
Consumers Must Act!
Cure53 informs me that 38 days of auditing (the length of time that TunnelBear says its two audits took) costs approximately $45,000. As such, it seems highly unlikely that the majority of commercial VPNs will follow suit.
What's more, until consumers start heeding warnings such as the ones we make here at ProPrivacy.com, they will continue to have their privacy compromised by VPNs intent on making a quick buck. Consumers need to take action by steering away from VPNs with poor privacy policies and staying clear of VPNs that make false claims on their websites. It's time for users to ditch lousy VPNs in favor of trusted and recommended services!
Opinions are the writer's own.