October 1st, 2020
VPN providers are investing significantly in wall-to-wall advertisements with a singular purpose: instill fear.
Their mantra is simple — without us, you won’t have security and privacy. And people are buying into this hype. ExpressVPN, IPVanish, Surfshark, CyberGhost and NordVPN are all touting the same message: Be secure and keep your data private with our VPN Service!
As consumers clamor for security tools simple enough for the masses, the VPN industry has latched onto consumer fear. The VPN industry has even evolved to have dedicated media outlets and research organizations that actively evaluate and rank the providers. The number one metric at the top of the ranking criteria – Security.
The problem is that none of these VPN providers offer security. Not only do they not offer security, but even the privacy story they push falls apart under the lightest scrutiny.
First, some foundations: security and privacy are distinct, and they routinely pull against each other. Privacy is not security, and much of what security requires cuts into privacy. Security, as this article uses the word, identifies malicious intent and protects integrity. Privacy is about confidentiality of data, regardless of whether that data is malicious.
Keeping data confidential removes the visibility that security functions need in order to judge integrity. Anything that checks traffic between the two communicating endpoints (a proxy, an intrusion detection sensor, a mail filter) has to see the content to check it, and confidentiality denies it that view. Here are a couple of examples of how security and privacy counter each other:
- For some time, New York City Police relied on “Stop and Frisk” as a tool to help improve security. Opponents said that this infringed on the privacy rights of the individuals being searched. Proponents said that the invasion of privacy was necessary to improve security.
- Another example is an issue that arose after 9/11. The administration was conducting warrantless wiretapping on American citizens. The administration was emphatic that without it the country would be at risk, while many were up in arms claiming that this infringed on the American people’s constitutional right to privacy. *Full disclosure, I was the whistleblower that identified and reported to Congress the then-current administration’s warrantless wiretapping mechanism.
Because the VPN providers’ product is privacy, security in the sense above is set aside by design. They cannot claim to offer both at once. Yet even the privacy they do offer is anemic. In practice it amounts to anonymity: your IP address is hidden from the sites you visit and your traffic is hidden from the local network, and nothing more. The provider itself sees all of it.
There is a very important place for anonymity in today’s world for those in oppressed societies such as Iran, Russia, China and North Korea. Anonymity is invaluable for those that are isolated and need to communicate with the outside world. Many believe they are getting security and privacy when using VPNs, but they are getting nowhere near what they were sold.
After all these years it’s still not clear to me if the cybersecurity industry itself understands the difference between security and privacy, much less whether it can explain the difference to the market. A persistent and inappropriately placed “S” continues to mislead. HTTPS, TLS, SSL and IPsec secure a channel: they give the two endpoints confidentiality, integrity of the bytes in transit and, with certificates, some assurance of who is on the other end. They say nothing about what those bytes contain or about the safety of either endpoint; a phishing page or a malware download travels through them exactly as well as a bank statement. In the sense the VPN advertisements use the word, they provide privacy, not security. The VPN providers have leveraged the industry’s confusion to generate fear and uncertainty that sells a “security service” with no security component to it. This is simply marketing departments gone wild.
What’s worse, it has recently come to light that many VPN providers cannot meet even the fundamentals of their privacy commitments. Several VPN providers, NordVPN among them, disclosed that their systems had been breached. The details that followed revealed organizations that are at best “winging it”.
Either through carelessness, immaturity or rapid growth many VPN providers lack the processes and controls that are expected of organizations that sell privacy and security capabilities. Many just can’t stand up to even basic scrutiny of their many advertised claims – especially their privacy claims.
In NordVPN’s case there were two distinct problems, both of which undermined the service. The server breach occurred in March 2018, but Nord did not disclose it until late 2019, and admitted it had learned of it only a few months before disclosing. A compromise that goes undetected for over a year, and is then sat on for months more, is a clear sign that Nord lacked the asset inventory, monitoring and incident-handling processes needed to manage its infrastructure.
Here is a breakdown of the two ways Nord was compromised. First, a remote management system used by the datacenter vendor that hosted some of Nord’s servers was compromised, giving the attacker access to a server that Nord’s customers were using. Second, a private key belonging to Nord turned up for sale on the darknet. Nord has said it was the key to an expired TLS certificate and could not be used to decrypt VPN traffic; what such a key does allow, for as long as clients still accept that certificate, is impersonating Nord to its own customers, which is the starting point for intercepting and altering their traffic. It is unclear whether the key was taken during the management-system compromise or in a separate incident.
For its part, NordVPN blamed its vendor. But a provider that sells privacy cannot hand control of its servers to a third party and then plead ignorance of what that third party left running on them. Knowing which management interfaces exist on your own servers is the floor, not the ceiling, of operating a privacy service, and a provider that cannot enumerate them does not control its systems.
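To pin down what a leaked server key actually buys an attacker, here is an added example (my own, not NordVPN’s code and not any real protocol): a minimal signed-ephemeral handshake of the kind TLS 1.3 and IKEv2 use, built only on Go’s standard library. All type and function names are hypothetical. It shows two things. A copy of the long-term identity key lets an attacker pass the client’s identity check and sit in the middle of every new connection. But the recorded transcript of an earlier session contains only public ephemeral values, so the identity key on its own does not unlock traffic that has already gone by. That second property (forward secrecy) is why a stolen certificate key is a future-impersonation problem rather than a decrypt-the-archive problem, provided the deployment actually uses ephemeral key exchange.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a server's long-term signing key pair: the kind of key that
// walks out the door when a management plane is compromised.
type Identity struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// ServerHello is the server's half of the handshake as a client or a
// network observer sees it: an ephemeral X25519 public key plus a signature
// over it made with the identity key. Nothing secret is on the wire.
type ServerHello struct {
	Ephemeral []byte
	Signature []byte
}

func NewIdentity() (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	return Identity{Pub: pub, Priv: priv}, nil
}

// ServerHandshake mints a fresh ephemeral key and signs its public half.
// The ephemeral private key exists only in server memory for this session.
func ServerHandshake(id Identity) (ServerHello, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ServerHello{}, nil, err
	}
	pub := eph.PublicKey().Bytes()
	return ServerHello{Ephemeral: pub, Signature: ed25519.Sign(id.Priv, pub)}, eph, nil
}

// ClientHandshake checks the signature against the identity key it trusts,
// then derives the session key. It returns the key and its own ephemeral
// public key (the other public value a recording of the session would hold).
func ClientHandshake(trusted ed25519.PublicKey, hello ServerHello) ([]byte, []byte, error) {
	if !ed25519.Verify(trusted, hello.Ephemeral, hello.Signature) {
		return nil, nil, errors.New("server identity check failed")
	}
	serverEph, err := ecdh.X25519().NewPublicKey(hello.Ephemeral)
	if err != nil {
		return nil, nil, err
	}
	clientEph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := clientEph.ECDH(serverEph)
	if err != nil {
		return nil, nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], clientEph.PublicKey().Bytes(), nil
}

// ServerFinish derives the same session key on the server side. Deriving it
// needs an ephemeral private key; the identity key plays no part here.
func ServerFinish(eph *ecdh.PrivateKey, clientEphemeral []byte) ([]byte, error) {
	clientPub, err := ecdh.X25519().NewPublicKey(clientEphemeral)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(clientPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// HonestSession runs a full handshake with the real server and reports
// whether both sides ended up with the same session key.
func HonestSession(server Identity) (bool, error) {
	hello, eph, err := ServerHandshake(server)
	if err != nil {
		return false, err
	}
	clientKey, clientEph, err := ClientHandshake(server.Pub, hello)
	if err != nil {
		return false, err
	}
	serverKey, err := ServerFinish(eph, clientEph)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, serverKey), nil
}

// Impersonate models an attacker holding a copy of some identity key who
// answers a client in the server's name. It reports whether the client
// accepted the handshake and now shares a session key with the attacker.
func Impersonate(stolen ed25519.PrivateKey, trusted ed25519.PublicKey) (bool, error) {
	attacker := Identity{Pub: stolen.Public().(ed25519.PublicKey), Priv: stolen}
	hello, attackerEph, err := ServerHandshake(attacker)
	if err != nil {
		return false, err
	}
	clientKey, clientEph, err := ClientHandshake(trusted, hello)
	if err != nil {
		return false, nil // client rejected the forged hello
	}
	attackerKey, err := ServerFinish(attackerEph, clientEph)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, attackerKey), nil
}

func main() {
	server, _ := NewIdentity()
	ok, _ := HonestSession(server)
	mitm, _ := Impersonate(server.Priv, server.Pub)
	fmt.Printf("honest session agreed: %v; stolen key impersonates server: %v\n", ok, mitm)
}
```

Read the two outcomes together. `Impersonate` with the server’s own key succeeds because the client’s only identity check is the signature, so whoever holds that key is the server as far as clients are concerned; with an unrelated key it fails. For past sessions, everything an observer could have recorded is `hello.Ephemeral`, `hello.Signature` and the client’s ephemeral public key, and `ServerFinish` shows that turning those into the session key requires an ephemeral private key that never left the endpoint. The caveat a practitioner should check in a real deployment is whether forward-secret key exchange is actually configured; a static key agreement or RSA key transport would turn the same leak into a retroactive decryption problem.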
Could you imagine if your bank operated this way? For some people, the privacy these VPN providers offer is more valuable than money. In oppressed countries, people bet their lives on the promises that these providers have made. How many times did the secret police smash down a door in the middle of the night to drag somebody’s loved one away, never to be seen again, because a VPN provider’s system sat compromised due to neglect? And if you believe that this is a stretch, I remind you of Willie Sutton’s famous words when asked why he robbed banks: “because that’s where the money is.” Where else would an oppressive and militant regime go to uncover dissenters?
The VPN service providers are operating in the Wild-Wild West. Nord is but one of multiple VPN providers that have been compromised – and that’s just what has been disclosed. It would be interesting to see what a thorough examination would uncover. These providers are writing checks that they do not have the technology, nor the competence, to cash. Yet, it does not preclude them from continuing to prey on the fears and concerns of the masses despite knowingly making false promises.
In their continued quest for sales and customers, it is also widely believed that the various VPN providers are waging war on one another in an effort to embarrass and undermine each other. This is very much in the same fashion as another wild-wild west industry, the crypto-exchanges and mining entities that were constantly compromising and DDoSing one another to make competitors unavailable so they could steal the business or cause reputational damage.
Ultimately, VPN providers are promoting a service they just don’t have: security. And they are overselling the benefits of the limited capability they do have: anonymity. Along the way, they have shown a lack of the controls necessary to ensure the integrity and privacy of their own systems, much less their customers’. And finally, many VPN providers are engaged in a back-channel civil war to defame one another at the customers’ expense.
The concept the VPN providers sell gives hope to the people who need and sometimes bet their lives (such as dissidents) on the providers’ false claims. Yet, they unknowingly live under threat because their desperation forces them to believe the misleading marketing.
Following in the footsteps of anti-virus packages, VPNs could have been the next generation of consumer security. Security is complex and most people have a tough time understanding all of the nuanced bits and pieces. Consumers have bought into their concept because they are desperate for the benefits VPN providers are selling. Instead, VPN providers have opted to act like used-car dealers of the cybersecurity industry, pushing fear-mongering, marketing fluff, recklessness and in-fighting that victimizes customers every bit as much as any hacker.