Speaker 0
0:10 – 0:14
Welcome to Tech Talk by CDT.
Speaker 0
0:16 – 1:24
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wesolowski, and it's time to talk tech. Are all of you using a VPN to mask your Internet browsing and protect your privacy? My hunch is that our tech-savvy listeners are all about using a VPN. But, of course, not all VPNs are created equal. CDT has launched a new initiative aimed at helping Internet users better assess the trustworthiness of VPNs, and a number of VPN providers were active partners in this process, which is awesome. Our data and privacy mensch, Joe Jerome, joins us to talk about this effort and what makes for a trustworthy VPN. Welcome, Joe. Hey, Brian. Always good to be on the show. You are one of my favorite guests. So you've obviously been on the show before and talked about VPNs. But for those who may have missed an episode, shame on them. What exactly is a VPN? What does it do? First, we gotta say what the acronym means. A VPN is a virtual private network. Yes.
Speaker 1
1:25 – 2:00
So, in short, they are a tool that disguises your actual network IP address. So that's basically your digital address online, and it encrypts your Internet traffic between your computer, or really your phone or any networked smart device. That's why these things can be so useful in the future. And so they encrypt the traffic between that device and the VPN server. A way to think about it is that a VPN acts as a sort of tunnel for your Internet traffic that prevents outsiders from either monitoring or, frankly, modifying that traffic.
Speaker 0
2:01 – 2:03
Cool. Yeah. So why would someone use a VPN?
Speaker 1
2:04 – 3:56
That's a great question. So part of the issue is there's a lot of unsecured WiFi out there. I mean, that's the thing. We're connecting all sorts of devices. We wanna be online all of the time. And if you're connecting to unsecured networks, anyone can see that traffic. Mhmm. So the great example, or I think the best use case for using a VPN, is you're at an airport, you're at a hotel, you're at a coffee shop, and you're just quickly clicking on to get onto the first WiFi network you can to access the Internet. I mean, I just did this when I was traveling abroad. Oh, I need to access my Google Maps. I need WiFi. Instagram. Yeah. Yes, sadly. So you are trying to get online. Now you access the Internet. If it's not secured, anyone can see that traffic. You know, it can be the evil sort of malicious hacker sitting in the corner. But beyond that, it can also be the ISP, the Internet service provider. So when you're connecting to unsecured WiFi, the coffee house could see that traffic. The hotel could see that traffic. If you think of larger ISPs, like the Comcasts and Charters and Verizons of the world, they can see your traffic. That's one of the reasons why CDT did a lot of work over the past few years on broadband privacy rules. And when those were rolled back a year ago, one of the big tools, or one of the big ways to protect yourself from all this traffic being made available, was to get a VPN, because a VPN makes it harder for the ISP to see that information. If you go further beyond an ISP, VPNs are also a tool to sort of cut back on potential government surveillance of your traffic. Now, they're not bulletproof there. Sure. You know, defeating the NSA is no easy task.
Speaker 0
3:56 – 4:14
But, you know, they are another way to, again, stop people from seeing your traffic. Yeah. When I think of VPNs, I often think of, like, dissidents, people in countries with censorship, journalists trying to communicate with different sources, kind of more vulnerable people or people with higher-risk models. Right. And I think that's one of the real challenges with virtual private networks.
Speaker 1
4:15 – 4:57
People are using them for a whole host of different reasons. And you've nailed one perfectly right there. There are people in really bad spots that are using VPNs. You know, the issue here is, and this is just candid privacy and security advice, you don't just wanna be using a VPN. A VPN is not going to magically solve your situation if you're in a bad part of the world. That said, they are a really important tool. I mean Right. And a lot of the VPNs that we work with are pretty engaged in trying to, you know, evade censorship monitoring in countries like China. It's one of the reasons why, if you look at a lot of repressive regimes, including China, including Russia, they have tried to take steps to block people's access to VPNs. We've seen a lot of that in the different app stores and downloads.
Speaker 0
4:58 – 5:15
So let's talk about trustworthiness and VPNs. That's what your whole initiative is about. Yep. How did this effort come about? Who's involved in it? Who are the VPN providers that you engaged? So this is, I think, a multi-part answer to your question here. I think it's a multi-part question. So there you go.
Speaker 1
5:15 – 6:48
So part of it was, listeners might be aware that we filed a complaint against a VPN last year with the Federal Trade Commission. Basically, again, picking up on what happened after the broadband privacy rules, you've had a lot of VPNs say, protect your privacy. Protect your privacy from the ISPs, from the government, you know, spooks, from everybody. I mean, there's commercials for VPNs now. I know. It's crazy. Very exciting. Yeah. It's like a nerdy moment for everyone. I love it. You love it. I think it's sort of sad. But, in any event, it's become a thing that people are now asking about. Well, I wanna use a VPN. And the problem is there's a lot of them. Go to an app store right now and type in VPN. You're gonna get probably a lot of ad-supported VPNs, a lot of VPNs that are really from people you've never heard of. When we were first looking at this last year, a lot of just frankly random Chinese-operated VPNs were some of the first things that would pop up in the Apple App Store when you search for a VPN. That raises a real trust issue. And then there's been a lot of research that has highlighted security problems, privacy problems with these VPNs. And then there's sort of the fact that, again, they're exploding, in terms of the fact that everybody's got a VPN right now. Facebook has a VPN. It's called Onavo. Verizon, which is collecting some of your data, is also offering a VPN to protect some of your data. You know, even Pornhub is offering a VPN. So there's just a lot of Lot of VPNs. Right. Yeah. No. I did exactly
Speaker 0
6:49 – 6:54
what you just did. I searched on my phone and looked at VPN, and you can scroll forever on the phone.
Speaker 1
6:54 – 8:18
And there are so many companies. There's one, Yoga VPN. No. So many. Which one do you wanna download, Brian? I mean, I'd like yoga, or I'd like to think I like yoga. But, yeah. No. There's a lot. To your point, very well taken. So, you know, basically, there's just a lack of trust. Here's the issue. We keep telling people, protect your privacy and security, use a VPN. The follow-up question is, what VPN? Nobody can really answer this question, and so that's something we've tried to work with a little bit here. Other organizations have done things like this. Shout out to, you know, That One Privacy Site, which has been doing VPN reviews for a long, long time. But, you know, I wanna give credit to Fredrik Strömberg at Mullvad, who was very candid about saying that our industry lacks trust. Which is actually frankly sort of ironic, since a lot of the people who are using VPNs just don't trust a lot of things. Right. But you still have to trust the service. But, you know, his idea was we really need to come up with some sort of mechanism that could be signals of trust, and that's what we have launched here. It's Signals of Trustworthy VPNs. You know, none of these things by themselves suggest that one VPN is better or worse than the other, but they are things that VPNs should be saying and doing to signal that they care about building user trust. So we worked with, again, Mullvad, but also VyprVPN, IVPN, TunnelBear, and ExpressVPN,
Speaker 0
8:19 – 8:51
to sort of hammer out what types of signals of trust they ought to be trying to communicate to their users or other people who are just interested in their product. That's very cool. Alright. So let's go through these signals. Alright. Because the way you did it, right, is you kind of asked a series of questions, had kind of top-level things, three top-level things: corporate accountability, data logging practices, and good security practices. Take me through what you wanna see in terms of corporate accountability and why it matters. So corporate accountability is fascinating from my personal perspective because
Speaker 1
8:51 – 11:09
I came at VPNs thinking, how do we improve their security, probably number one, but also privacy, which means what are they actually using and collecting and doing with data. But one of the real issues here again is the fact that, when I mean corporate accountability, it's very hard to know what's going on with a lot of these. Again, you just pointed out Yoga VPN. Who's behind Yoga VPN? I don't know. No idea. And so really what we were trying to, this was again sort of surprising. We need a lot more transparency into who's running the show. Like, are there actual people behind this VPN? That's not nothing in this space, because it's sort of helpful to have a name, someone you can go look at, like, do a quick Google search, see if they actually know what they're talking about when it comes to security. Are they engaged on LinkedIn? Just, like, do they have a physical presence? Yeah. Also, how does the VPN make money? Let's be clear here. VPNs cost money to operate, and yet when you've got a whole host of these free VPNs, well, you know, if you're not paying for it, what's going on here? You're probably the product. Which is kind of the exact opposite of what a lot of people are using VPNs for. They kind of don't want to be identified and don't want to be the product. Exactly. Right? You're trying to get away from your ISP, but if, you know, the data that would be going to your ISP is now going to your VPN, have you really protected yourself in a meaningful way? Good point. So, you know, really, we think it's really important for VPNs to be clear about how they're making money. And the question gets at this, and we'd like to see VPNs explain what their business model is, what their revenue stream is. And then, frankly, moving forward, not just say, you know, we get 175% of our money from consumer subscriptions or something like that. Yeah.
Actually sort of crack open their books and prove it, which is definitely something you can do. It doesn't require a sort of security audit. It requires a basic, hey, you know, I think about CDT. We put our financials up online. You know where we're getting our money. Similarly, VPNs can do that. Yay, transparency. Yeah. And so, you know, we'd love to see VPNs in the future sort of put their money where their mouth is. If really where they're making their money is from subscriptions and high-quality privacy and security services,
Speaker 0
11:09 – 11:25
prove it. Cool. Alright. So the next one, data logging practices. I mean, you kind of alluded to this a little bit. Obviously, to run a VPN, you've got a lot of data coming through you. Right. And I guess I've always been saying that data logging is the third rail of VPN politics,
Speaker 1
11:26 – 12:54
because here's the issue. There's no standard definition of what it means to log data from a VPN. Mhmm. We sort of detail this in a Techsplanation. And certainly if you do a quick search What's a Techsplanation? Techsplanation. Good, Brian. Yeah. It is a sort of, I guess I wanna say, a tech primer 101 series that's been kicked off by our great colleague, Stan. Available at cdt.org. Oh, man. I finished it for you. Yeah. You wanna drop the website in there. Good job. Right. But, really, you know, logging boils down to you're either logging sort of activity. So this is basically getting all of the URLs, what you're doing on each website. All the information that can be seen by ISPs, and as a result, it could also be seen by VPNs. So there's usage or activity logs and then connection logs. And connection logs are, you know, again, collecting IP addresses, time stamps, so when you logged on, when you logged off. You know, this is all, again, a sort of generalized understanding of what logging means. People use logging in very, very different ways. And, you know, there's all sorts of evidence. Again, VPNs who say that we don't do any logging whatsoever, and then invariably some sort of information is revealed that is certainly of interest to law enforcement and has been used to solve crimes. There's examples Well, I was gonna ask that. I mean, this sounds like, as you go through this sort of data, this is very sensitive data for a lot of folks. Yeah.
Speaker 0
12:55 – 12:58
And would be incredibly useful, I would think, to some governments,
Speaker 1
12:58 – 14:12
and law enforcement. Can they have access to this? What's the process with VPNs and access to it? Well, again, it depends on what the VPN says their process is, and that gets to another one of the questions that we were getting at. You know, it was, do you have a clear process for law enforcement access to your information? And not just law enforcement, public access, you know, if some other regulator comes calling, or frankly if, you know, you get dragged into a lawsuit. Frankly, any responsible, mature company at this point should have a clear process for when Sure. somebody comes knocking and says, give me the data. With VPNs, we think not only should you have an internal process, you should probably be public with your users about what exactly that process is, so they know what they're getting into. Another thing that we've sort of pushed is transparency reporting, which is, you know, a long-standing practice that a lot of tech companies use to sort of show how often they get requests for information. We've been encouraging VPNs to do that. And so, you know, that's another one of the signals of trust we'd like to see. You know, clear policies in place for when you fork over data. And a lot of these VPNs will say that they don't fork over data. And sometimes, you know, they've been able to prove that, and we think that's a good thing too.
Speaker 0
14:13 – 14:26
Great. So the last kind of, like, pillar that you have of your three pillars here of trustworthiness: good security practices. What do you mean by that? What should VPNs be doing when it comes to securing that data that they do have? Oh.
Speaker 1
14:27 – 19:29
Whoo, boy. Good question. No. You know, I mean, it's the one you asked. So to all listeners, I am a Luddite lawyer. Okay? I do understand security. I rely very heavily on our expert technologists here. Security is really tough, and I think security with VPNs is incredibly difficult. They, again, are selling a product that is about boosting your security, the protocols they're using, the caliber of their services. The fact of the matter is individuals are not in a position to assess that. You know, to be perfectly honest, it's actually one of the drawbacks of these Signals of Trustworthy VPNs. We're asking them to sort of disclose their security practices. But at the end of the day, I think users still need a lot more education, and VPNs need to be a little, far more clear about exactly what they're doing. Yeah. You know, so some of the things that we think you should look out for and we'd like to see more of are things like independent security audits. You know, this is, again, really tough for VPNs to do, because it costs money and time and frankly requires them to develop a relationship with the auditor that could actually, you know, open them up to accusations that they're, you know, in the public cloud. What would an audit entail? I mean, when you say a security audit, what is that? So the best example of that so far is one that has been done by TunnelBear, which is one of the VPNs we worked with. They engaged with yeah. It's great. It is quite a clever name. Yeah. So they worked with Cure53, which is a renowned independent security assessor. They brought them in over a period of time, gave them complete access to their code, and just sort of said, have at it. Try and break our system. Right. And then, you know, what's really key here is that Cure53 was then able to sort of report out publicly its findings.
You know, we had access to all of this. We were able to do this to TunnelBear's systems. Here are the problems we found. That's really useful. Absolutely. But of course, you know, it clearly puts the VPN in a tough spot. Right? Yeah. Because if bad things come out about them, it sort of shines a spotlight on potentially bad security. But we think it's absolutely necessary in this ecosystem for companies to be doing more of this type of stuff. It's a tough ask, though. Other things that, you know, we are asking for, which echo a lot of our long-standing asks when it comes to better data security, are things like bug bounty programs, vulnerability handling programs. You know, VPNs can have clear processes around this, and sort of incentivize people to break their systems. I mean, again, when you're offering a security product, I think you want to have as many people as possible sort of trying to break it, because otherwise Good-faith efforts to break it and then report it. Right. Otherwise, you're sort of trusting yourself internally to figure out everything that's wrong. And we found over and over again, not just in VPNs, but just in technology generally, that, you know, doing everything in house isn't gonna work. We'd also like VPNs to be a little bit clearer about what they're talking about when they say they patch their systems. I think, again, a lot of VPNs will say they're doing a lot of good things. Like, we do really quick, fast patching when we find problems. Well, what does that mean? Yeah. Are you doing constant 24/7/365 monitoring? When you say quickly applying a patch, what does that mean? And if the patch goes wrong, then what? And then of course, you know, there's a real issue around, frankly, physical security and control over the servers that VPNs are using to route your traffic. Think of that. Yeah.
Well, you know, this is a tough question that doesn't have an easy answer. In fact, we had a really sort of vigorous internal debate about it, because, you know, certainly some VPNs physically own their servers. So, you know, they know who physically has access to them, if somebody is coming in and, like, hacking them or, you know, again, physically plugging in. Other VPNs are leasing their services, and they're using some sort of cloud service provider to provide that server service. Server service. Oh, that's not a good idea. I made it close. It's fine. But Keep going. But the issue there is, you know, it's a real trust challenge. Do you trust the VPN that owns its entire infrastructure, even though a lot of these are very small companies? Or would you prefer a VPN that is using or leasing server space from, you know, this isn't a good example, but, you know, Amazon, AWS, or Google, basically running their servers through somebody who's currently offering cloud infrastructure? Yeah. You can make it hard. Yeah. You don't know. You can make an argument that Amazon and Google could offer better security than anything you could actually independently set up. But, again, if you're not disclosing that that's who you're using, it's one thing to say you're using
Speaker 0
19:30 – 19:51
top-notch cloud providers like Amazon or Google. What if you're using some sort of fly-by-night cloud provider in some part of the world no one's heard of? And as you said, this is such a higher kind of, like, level of thought that it sounds like you have to be really technical to get. As I think about this, I'm like, well, you could give me all this information. I'd still be like, well, thanks. Yeah. And that's a real challenge here where,
Speaker 1
19:52 – 20:06
and we've really struggled, I think, with this process to provide useful information in a digestible format without overwhelming folks. It's tough. I think there's room for everybody to improve. So, you know, if you look at our resources, we've provided
Speaker 0
20:07 – 20:10
the unedited answers for And where can you find these resources?
Speaker 1
20:11 – 20:22
cdt.org. Oh, my gosh. Of course. I think it's backslash, or is it forward slash, issues slash privacy hyphen data slash
Speaker 0
20:23 – 20:36
VPNs. We'll make sure it's on our homepage. How's that? For the foreseeable future. Hey, you know, I just want people to be clear where they can go find the resource. All right? Those slashes are really helpful. So you can find it on our website. Do the,
Speaker 1
20:37 – 21:27
VPNs that participated, do they have any of this information available on their website? And this is something I hope we can promote in this ecosystem. So when we were talking to them, and frankly, if you go to most VPNs' websites, they provide lots of useful resources. Like, what is a VPN? A lot of them do a good job trying to explain what they're doing. They provide FAQs and guidance documents. It can actually sort of be overwhelming. So, you know, one of our long-standing asks to companies in general when they're interested in privacy and security is to try and, like, put this stuff in one place. So all of the providers have basically provided their answers, as well as, for some of them, other information, at the VPN's website. So, VPN, right, .com/trust. And we really hope that that, like, sort of picks up across the ecosystem, since at least that standardizes
Speaker 0
21:27 – 21:47
where people can go to find this information. Yeah. And if you are, which, we've already gotten some emails today, which is wonderful even though we just released these yesterday. If you're a VPN provider and you wanna be a part of this initiative, go through the process. Who do they reach out to? Is it you, Joe Jerome? It is me. Yeah. Joe Jerome. And what's your email, Joe? Now you're asking me
Speaker 1
21:48 – 21:58
to divulge PII. I'll use my burner CDT email address. You can reach me, everyone, at jj@cdt.org.
Speaker 0
21:58 – 22:05
Oh, I didn't even know you had that one. I'm gonna use it all the time now. Okay. Any last words of VPN wisdom for our listeners?
Speaker 1
22:06 – 22:35
I think everyone needs to think about using a VPN. They have very useful utility in some of the examples I talked about at the top of the show. And you know, looking forward, this is going to be an actually useful tool to folks, particularly, again, as we wire more and more things up. I like to think of VPNs as sort of, like, next generation, that's a bad phrase, but roughly akin to how, ten, twenty years ago, we convinced everybody that each year they had to get a subscription to antivirus software.
Speaker 0
22:36 – 23:10
Frankly, we should be giving people subscriptions to VPNs. Hopefully, we're giving people subscriptions to trustworthy VPNs. There we go. Good last plug. Alright, Joe. Always a pleasure, and thank you for joining Tech Talk. Au revoir. That's it for this episode of Tech Talk. For the very latest on what CDT is doing on data and privacy issues, which goes way beyond just VPNs and includes our push for national baseline privacy legislation, follow us on Twitter, like us on Facebook, or visit cdt.org. I'm Brian Wesolowski. Thanks for listening.