Foreign VPNs raise the bar against U.S. government spying

Jul 20, 2013 | 3 mins
Data and Information Security, Government, Privacy

Foreign virtual private networks can make snooping more difficult for the U.S. because the service providers are immune from the Patriot Act

Foreign providers of virtual private networks trying to cash in on recently uncovered U.S. government surveillance can increase the level of secrecy of Web activity, experts say.

No VPN vendor, foreign or domestic, sells a bulletproof defense against government snooping, given the resources and sophistication of spy agencies. Still, using a service outside the U.S. does make the task of tracking and logging someone’s Web activity more difficult.

Privacy jitters reached new heights last month following reports that the U.S. National Security Agency is collecting massive amounts of private data on citizens from telephone and Internet companies, such as Verizon, Google, Facebook and Microsoft. The court-approved data gathering is legal under the post-9/11 Patriot Act.

A VPN is essentially an encrypted tunnel between a computer and the service provider, which effectively hides the customer’s IP address and Web activity.

Romania-based CyberGhost is one of the latest VPN providers to try to use U.S. government spying to market its services. For the next two weeks, the company is selling a year’s subscription to its service for as low as 5 euros, or roughly $6.50.

Such promotions rankle some security experts. “It’s poor marketing feeding on the fears of people and that’s just wrong,” John Pirc, research vice president for NSS Labs, said on Friday.

CyberGhost is not the only foreign VPN provider to sell its services in the U.S. Others include Avast, VPNSwiss, ibVPN and PureVPN.

Foreign VPNs can make snooping more difficult for U.S. government agencies because the service providers are immune from the Patriot Act. If the provider does not keep any logs on its subscribers, then collecting data would be even more difficult.

But having a foreign VPN provider won’t guarantee secrecy from a determined NSA. While the agency’s capabilities have never been fully disclosed, experts believe it is one of the most technically savvy organizations in the world.


If a foreign VPN service is in a country friendly to the U.S., then it could be forced to hand over data related to people suspected of terrorist activity. In addition, government agencies are capable of planting malware to collect data directly from a suspect’s PC or gather phone records.

“Someone is going to see what we’re doing someplace,” said Rick Holland, an analyst with Forrester Research.

Also, VPNs are as susceptible to hacking as any other technology, so the U.S. government could break into the network and gather communications on its own.

“I don’t know whether NSA can break the VPN encryption, but I certainly know that NSA, or whoever, can hack the company providing the VPN,” said Anton Chuvakin, an analyst with Gartner.

Foreign VPNs are not an option for U.S. companies because of the latency problems in routing Web browsing and other activities through a VPN on an overseas network. Such transmissions from a core network to an intermediary are sometimes referred to as backhauling.

“There’s a big trend to try to eliminate backhauling as much as possible and have local presence,” Holland said.

Congress adding stricter privacy protections to the Patriot Act is the best way to protect privacy. Apple, Google and Facebook, which promise customer privacy with their services, have joined civil liberty groups in lobbying Congress to change the law.

“If there’s some kind of corporate lobby for this stuff, maybe that will move [changes in the law],” Holland said.