Published on July 11th, 2019

How Dangerous Is Your Foreign VPN?


A story broke quietly back in late May that I have been chewing on ever since. It recounted how members of the US Congress did a lot of hand-wringing about the threat posed by foreign VPNs. The concern from lawmakers was that if you use a foreign VPN, then a foreign government could eavesdrop on your activity. Foreign companies, it asserted, might be more susceptible to pressure from foreign governments, and these foreign VPNs could hand over personal information, or even the contents of your online activities.

That might all be true, but it's no less true for domestic VPNs. A VPN creates an encrypted connection between your device and a server controlled by the VPN company. Your traffic travels through the tunnel, hiding it from snoopers on a local network and from your ISP—which, ironically, Congress has said can spy on you for profit. When your traffic reaches the VPN server, it then exits out to the internet before making the return trip.

This does effectively put VPNs in the role of your ISP, in that they can potentially see everything you do online. It's one of the big concerns about VPNs as an industry, and it's true for all VPNs. A VPN based in the US could eavesdrop on your activity, hand over your information to US law enforcement, or succumb to pressure from US intelligence agencies. These are the risks of using any VPN, and they are not substantially changed by simply moving the offices of that company to a different time zone.

Location, Location, Location

VPNs are fundamentally privacy tools, and if they do a bad job protecting customer privacy then they'll hopefully do a bad job competing in the market. In fact, a lot of the (frequently questionable) discourse surrounding VPN companies is whether they are truly keeping your information private. VPNs generally seek to at least position themselves as trustworthy stewards of your information, usually by defining company policy that forbids the collection of user information, publishing a privacy policy that explains the details, and building privacy into their actual product. A recent trend is for companies to commission third-party audits of their product, to bolster claims of trustworthiness.

As an example of the kinds of steps VPN services take to assure you of your privacy, Private Internet Access issues you a user ID when you create an account. This is separate from the information you provide to process your subscription payment. If it's working correctly, this means that the company could not identify an individual user even if compelled by law or if law enforcement seized its servers.

VPNs often exist in many places at once. AnchorFree, the company behind Hotspot Shield VPN, is based in California with an office in Zurich, Switzerland. The company says it operates under US and Swiss legal jurisdiction. Is it a foreign VPN? AnchorFree's product is widely rebranded and sold by other companies, some based in the US and some not. Are those foreign VPNs?

VPN companies often have offices in one country while operating under the legal jurisdiction of another. VPN companies also maintain server fleets around the world. Any of these locations might be different from where the VPN company is under legal jurisdiction.

That said, legal jurisdiction matters, because that's the framework under which your data is going to be protected. Looking at the British Virgin Islands, VPN companies have played up how local law enforcement will not simply accept warrants issued from other governments. Instead, those warrants have to jump through additional hoops before they can be applied to a company in the British Virgin Islands. Similarly, VPN companies in places like Germany and Switzerland have emphasized those countries' strong privacy laws.

I should note here that it's difficult to verify that using a service in a particular location will actually help keep your data safe.

One way VPNs seek to protect customers, and market themselves, is through the location of the company. NordVPN, for instance, is based in Panama, a fact it advertises as a privacy and security boon to customers because of local law. ProtonVPN is keen to point out that it is Swiss. When I review a VPN, I usually list its location and legal jurisdiction alongside the VPN protocols and privacy policy, because effectively, a VPN company's location is another feature.

Location can also have emotional value. Some readers have told me that they cannot trust companies based in Eastern Europe, because of their association with Russian hacking groups. Others have told me that any VPN based in the US is unacceptable because of this country's history of mass surveillance. VPNs based in Hong Kong (as semi-distinct from mainland China) are often attacked with accusations that the surveillance state must have a tight grip on them. Many make a similar argument against allowing Huawei to provide internet infrastructure equipment.

These companies often counter with the argument that the city's special rules make it an excellent location for private data.

In fact, there's a strong case to be made that the US has one of the most aggressive surveillance and data collection operations in the world. Social media companies are sometimes given National Security Letters by DHS, which require them to hand over information and not disclose they have done so. The NSA operated what is perhaps the largest data interception operation the world has ever seen, one that affected US citizens as well as overseas targets.

Additionally, the NSA has been accused of taking advantage of the United States' critical position in data infrastructure, tapping the lines through which global internet traffic flows and allegedly copying it in real-time—perhaps ironically, given that the US makes the same argument against Huawei, as mentioned above. That's not to mention the information sharing agreements that allow numerous allied nations, including the US, to swap intelligence regardless of location. Given all this, it's hard to argue with people who see US-based VPN companies as a potential risk.

It Does (and Doesn't) Matter

If everything is working correctly, there should be little difference between a foreign VPN and one that has some or all of its offices in the US. The math that makes encryption work doesn't respect boundaries. Likewise, the measures to protect user privacy and security are well understood and can be implemented anywhere. Many VPN companies choose where to base their companies in order to benefit from local privacy laws, or perhaps to appeal to an emotional response on the part of consumers.

What does matter is when VPN companies don't encrypt things properly, or when they, by ignorance or willfulness, don't follow best practices to protect the privacy of their users. A poorly secured VPN might be foreign, but it could also be headquartered down the street from me. Instead of wondering about where companies are headquartered or what "values" they have, Congress should be supporting methods for users and researchers to verify the claims made by VPN companies.

The security industry is full of marketing built around fear, uncertainty, and doubt—collectively called FUD. A lengthy discussion about foreign VPNs in the halls of Congress falls into that category, especially when the group concludes that whatever threats exist are minimal. FUD always has a purpose, and instead of asking where the best place is to put a VPN, perhaps we should be focusing on why this conversation happened in the first place.
