NZ Skeptics Articles

VPN companies and their claims

Tim Price - 2 October 2023

Personal VPN services are all the rage now, and you may have watched or heard a lot of “host-read advertising” for them on YouTube and popular podcasts. They purport to provide fantastic advantages, while also making alarming claims about who is out to get your personal data on the internet. Today I’m going to analyse some of those claims, using my 20-something years of Internet Service Provider (ISP) industry experience.

VPN services like ExpressVPN and NordVPN all provide essentially the same service, which is to use an app on your device to securely connect to one of their servers somewhere else in the world. Everything between your device and that server is encrypted, so nobody listening along that part of the path (your Wi-Fi network, your ISP) can read it. Beyond the VPN server your traffic travels to the destination website exactly as it otherwise would, so the VPN provider itself can see what your ISP previously could. There are other advantages and disadvantages that we'll go into shortly, but that is the fundamental service that a VPN provides.

Who are they?

While other VPN providers do exist, the three that you’ll hear most commonly advertising are:

ExpressVPN

Owned by ExpressVPN International Ltd, founded by Peter Burchhardt and Dan Pomerantz in 2009, and registered in the British Virgin Islands.

In 2021, ExpressVPN was acquired by Kape Technologies, a British company that also owns other VPN services such as CyberGhost, ZenMate and Private Internet Access.

Surfshark

Surfshark VPN is a product by Surfshark, a Netherlands-based company. The company was founded in 2018 by Vytautas Kaziukonis, a Lithuanian entrepreneur and technology enthusiast.

In February 2022, Surfshark and their competitor Nord Security announced a merger under a new umbrella company called Cyberspace. Cyberspace is registered in the Netherlands, but both Surfshark and NordVPN continue to trade under their respective names in their original jurisdictions.

NordVPN

NordVPN was established in 2012 by a group of childhood friends from Lithuania. According to various sources, the founders of NordVPN are Tom Okman, Eimantas Sabaliauskas, and Jonas Karklys.

NordVPN is operated by Tefincom & Co., S.A., a company registered and operated under the laws of Panama.

What do they claim?

No-log service

The big three all claim that they provide a “no-log service”, meaning that they do not log user access or activity, and therefore cannot provide that data to law enforcement on-demand. The reality, however, is more complicated.

If we take them at their word that they don't log user data, then we must look at the laws in the countries in which they are registered and the countries in which they operate their services. In terms of their countries of registration, all three are registered in countries that have no mandatory data retention laws, but do impose data protection legislation. As ExpressVPN is registered in the British Virgin Islands, it is covered by the Virgin Islands Data Protection Act, 2021. Surfshark, being registered in the Netherlands, is covered by the EU's GDPR, in force since 2018. NordVPN's home country of Panama recently enacted its own data protection law, Law 81 of 2019, with implementing rules in Executive Decree 285 of 2021. All of the aforementioned data protection acts very broadly establish two important rights: the right to privacy of personal communications and documents, and the right to access information about you held in databases. Note that none of this is a technical guarantee; "no-log" is a policy claim that can only be checked by independent audits and by what providers have actually been able to hand over when compelled.

In terms of the countries in which they operate however, this is where it gets complicated.

For example, on April 28th, 2022, the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology, issued a new directive that asked VPN providers to collect and store user data for up to five years. In response to this, ExpressVPN announced it would move its India-based servers to Singapore and the UK, and NordVPN outright rejected India’s new regulation and chose to shut down its Indian servers instead. Meanwhile Surfshark attempted to work around the new law by converting its physical Indian servers to Virtual Servers based out of Singapore, with Indian IP addresses.

Other countries have similar data retention laws already, or are implementing them now, so it is only a matter of time before this anonymity goes away. New Zealand and Australia, for example, have the Telecommunications (Interception Capability & Security) Act 2013 and The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 respectively, which broadly, and very vaguely, could be interpreted to include in-country VPN providers, and a requirement for them to provide legal intercept to each respective country’s Police and Security services on-demand. This has yet to be tested, but in my opinion it is only a matter of time.

ISPs can’t be trusted and will sell your data!

This one is especially egregious, and features prominently in the advertising copy provided to hosts to read. Let’s break it down into three parts: Can ISPs be trusted; Can they intercept your data; Can they sell your data?

Can ISPs be trusted? I build and run ISPs for a living, so I think that they can be trusted, but I’m biased. The key thing to remember is that in New Zealand we have a very competitive residential internet market. ISPs that play silly games and garner mistrust in their customers don’t keep them, and tend to go out of business. I would certainly trust your NZ-based ISP over a VPN provider in another country.

Can ISPs intercept your data? Yes, but that's a complicated answer. New Zealand ISPs are required to provide legal intercept capabilities to New Zealand Police under TICSA legislation. This act was passed under urgency on November 5th, 2013 by the National-led Government, and opposed by many (including ISPs and carrier networks) due to a lack of public consultation, its potential impact on civil liberties, and the cost of compliance for network operators. The government introducing new legal intercept regulations without industry consultation came as a shock to many, and for some it was a financial hit that they couldn't afford. Customer data interception was not something that ISPs did as a matter of course, because it's expensive and complicated; with margins for internet services already razor-thin, and getting worse, it wasn't something that many ISPs already had set up. It's important here not to confuse network monitoring and metadata analysis with data interception. Most ISPs already had sophisticated metadata analysis and monitoring systems (flow records, for example) that looked at where traffic was flowing on their networks, so that they could capacity-plan and steer traffic more efficiently. However this data is anonymised and doesn't contain any customer data payload, just metadata about the source and destination of the data, volumes, and some other useful metrics. In reality the legal intercept capability operated by ISPs is strictly controlled, and only used when official legal requests are made by the appropriate authorities.

Can ISPs sell your data? No. ISPs are subject to strict rules and regulations that protect the personal information and privacy of their customers, and they must not disclose or sell such information without consent or a lawful reason. Under the New Zealand Privacy Act 2020, Internet Service Providers (ISPs) are "agencies" for the purposes of the Act and are thus required to comply with it. The Act's information privacy principles specifically forbid the disclosure of personal customer information to third parties without the consent of the customer in question, or without another lawful basis for disclosure. Australia has similar legislation, and in fact most countries other than the United States of America have comparable privacy legislation, such as the EU's GDPR. When it comes to the USA, they had a very brief flirtation with doing the right thing, by introducing the FCC's broadband privacy regulations in 2016, before they were struck down by Congress and the repeal signed into law by Donald Trump in April 2017.

Dubious and exaggerated claims like these are often made by VPN services. In May 2019 the Advertising Standards Authority of the UK upheld a complaint against Tefincom SA trading as NordVPN that claimed that NordVPN vastly exaggerated the risks of using public wireless without a VPN. The ASA found that the ad was misleading, because it exaggerated the risk of data theft on public Wi-Fi networks, and implied that users were unprotected by any encryption or security measures. The ASA ordered NordVPN to ensure that their future ads did not make such claims without adequate evidence. In January 2023 another complaint was upheld against NordVPN by the ASA for implying that NordVPN protected the user against malware, without adequate substantiation.

Man in the middle attacks

A common refrain is that a man-in-the-middle attack is possible on your data, and that a VPN will protect you. Man-in-the-middle means that an attacker has to be in the communication path between you and the website that you are accessing. If you are in your own house then this is very unlikely, as you are connected to your own home internet connection, which then connects via a series of internet service providers before reaching the destination website. The only places a man-in-the-middle could realistically place themselves are inside your home network (on your Wi-Fi, or on a compromised home router) or at an ISP in the path, and neither is something a VPN ad is really describing.

However, if you are not in your house, and you are using public Wi-Fi rather than mobile data, then there may be a risk, because the operator of that network, or anyone else on it, is in the path. For genuine websites HTTPS (TLS, historically called SSL) will protect your data, even from man-in-the-middle attacks, and most websites are protected with HTTPS these days. Your browser is also particularly good at refusing connections where the certificate does not validate or does not match the site name, which is what an attacker on the network would have to present to read your HTTPS traffic. What the browser's certificate check will not do is stop you visiting a similar-looking but ultimately fake domain that has its own valid certificate; that is a phishing problem, and neither HTTPS nor a VPN solves it. Most security advice is still that you should not access your financial information or other personal data over public Wi-Fi without a VPN, so a VPN would certainly provide more security in that situation, particularly for anything not sent over HTTPS (such as DNS lookups). In addition, some banks will not allow you to access internet banking from outside your country of origin, so a VPN's ability to make it appear that you're in a different country may come in useful if you're travelling abroad.
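The name check described above, as an added example that is not part of the original article: a simplified version of the RFC 6125 matching rule a browser applies to a certificate's Subject Alternative Names after it has validated the certificate chain. The certificates and host names below are constructed for illustration; the "bank" and "attacker" SAN lists are assumptions, not real certificates. It shows why an attacker on a public Wi-Fi network cannot pass off a certificate for a name they do control as one for the site you are actually visiting.

```python
"""Does a TLS certificate's Subject Alternative Name list cover a host name?

Added example, not from the article or any VPN vendor. Implements the
commonly used subset of RFC 6125 name matching: exact dNSName match, a
wildcard only as the whole leftmost label, and IP-address SAN entries.
"""
import ipaddress
import socket
import ssl

# Constructed sample SAN lists, in the ('type', 'value') shape that
# ssl.SSLSocket.getpeercert()['subjectAltName'] returns.
BANK_CERT_SANS = [("DNS", "bank.example"), ("DNS", "*.bank.example")]
ATTACKER_CERT_SANS = [
    ("DNS", "bank.example.attacker.example"),  # looks similar, different domain
    ("DNS", "*.attacker.example"),
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host name (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard must be the entire leftmost label ("*.example.com"), must
    # leave at least two real labels, and never spans a dot, so
    # "*.bank.example" covers "www.bank.example" but not "a.b.bank.example"
    # and not the bare "bank.example".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san_entries, hostname: str) -> bool:
    """Return True if any SAN entry covers hostname (a DNS name or IP literal)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def live_san_check(host: str, port: int = 443) -> bool:
    """Connect with full verification and re-run the SAN match (needs network).

    ssl.create_default_context() already validates the chain and the host
    name; an on-path attacker presenting a certificate for some other name
    makes wrap_socket() raise ssl.SSLCertVerificationError before any data
    is sent.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_matches(cert.get("subjectAltName", ()), host)


if __name__ == "__main__":
    for sans, name in [
        (BANK_CERT_SANS, "www.bank.example"),
        (BANK_CERT_SANS, "a.b.bank.example"),
        (ATTACKER_CERT_SANS, "www.bank.example"),
    ]:
        print(f"{name!r} covered by {sans}: {hostname_matches(sans, name)}")
```

The point for the public Wi-Fi scenario is the third case: the attacker's certificate is perfectly valid for the attacker's own names and still fails the match for the bank's name, so the browser refuses the connection rather than sending your login over it.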

Source-IP based marketing and tracking

One common claim from VPN providers is that websites track you based on your IP address, and that online shops offer you ever-increasing prices the more times you visit their site. This may be true, but a VPN does not solve this problem.

The IP address of your home internet router, and the IP address that your phone gets from its mobile provider, are allocated out of a pool of IP addresses shared by all customers of that ISP. In some cases that IP address will be 'static', in that it won't change when you disconnect and reconnect, but most of the time they are dynamic and you'll be allocated a new one every time your router reconnects to the internet. Some ISPs even go to the extent of forcefully disconnecting customers periodically so that they will be forced to get a new IP address, and many mobile providers put large numbers of handsets behind a single public address using carrier-grade NAT. This is how it is throughout the rest of the world too, so it doesn't make much sense for social media companies to track you based on your IP address alone, because you could be anybody. In fact, in this case a VPN may make the problem worse, as they funnel and concentrate multiple customers' connections to websites through the same VPN exit point and the same IP address. In reality, websites are using cookies and other browser-based identifiers to track users, and IP addressing has very little to do with it.

Genuine Benefits

There are some other genuine benefits to be had from VPNs.

The additional layer of encryption that VPNs offer can be useful when travelling and using untrusted Wi-Fi, if you do not have access to a corporate VPN solution.

VPNs can make you appear to be in a different country, which can be useful for unlocking video content on platforms such as Netflix that geographically lock their content. This is also useful sometimes for online purchases, as some online shops offer vastly different rates for different geographies.

The Downsides

VPNs can be slow

This is mostly down to physics, but some of it also stems from how the internet is designed. Your device must connect to a VPN server somewhere in the world for the service to work. That server could be extremely remote; depending on your use-case, it could be as far away as 20,000 km. The content must then be retrieved to that server before being delivered to you, which could be another 20,000 km (although realistically it will probably be somewhat shorter). The worst-case scenario might be that the total one-way distance for the data to travel is in excess of 40,000 km. Light in optical fibre covers roughly 200,000 km per second, so data takes at least 400 ms to travel that distance and back, which might not sound like a lot, but in internet terms it really is, and can have a noticeable impact on your perception of how fast and responsive the internet is to use.

The other factor to consider with VPNs and speed is the internet design aspect. The internet has been moving content physically closer to users for many years now. If you download a YouTube video, a Windows or Apple update, or even browse Stuff.co.nz, a lot of the larger content is coming from a local (to you) Content Delivery Network (CDN) cache run by a company like Google, Cloudflare, Akamai or Fastly, and hosted by your ISP or another ISP locally in New Zealand. CDNs use information about your IP address and the DNS servers that you use to select a local cache to deliver content from. This improves your user experience, because your download starts sooner and runs faster. When you add a VPN to the mix you disrupt this design, by making it look like you are located in a different country - so your content will be delivered from further away, and will be slower as a result.

IPv6

The last thing I want to mention is IPv6.

IP version 6, or IPv6, was first introduced in the 1990s by the Internet Engineering Task Force (IETF) as a replacement for IPv4. Traditional IPv4, which is the foundation of the modern internet and whose design dates from the late 1970s, was seen as becoming a problem as the internet experienced rapid growth. IPv4 only supports 4,294,967,296 (4.3 billion) total public IP addresses, whereas IPv6 was designed to support 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38) addresses - roughly 7.9 × 10^28 IPv6 addresses for every single IPv4 address. However, the adoption of IPv6 by the internet industry has been slow, to say the least; a lot of ISPs have not started looking at it yet, and most ISP customers are not aware that it exists. Where it has been implemented, though, it is generally enabled by default, and customers are using it without even realising. 2Degrees, for example, enables IPv6 by default for all their ISP customers.

The troubling part of IPv6, in the context of VPNs, is that your device will generally prefer to use IPv6 over IPv4 when both are available (the standard address selection rules, RFC 6724, rank IPv6 first), and VPN services vary wildly in how they handle IPv6. Some block it, and some "leak" it, which is a way of saying that the IPv6 traffic generated by your device will not use your VPN. The upshot of this is that if you are provided with an IPv6 address on the network that you're connected to, and you connect to a VPN, and that VPN doesn't support IPv6 or otherwise deal with it in some way, your IPv6 traffic will bypass the VPN and will be subject to all the security risks that the VPN is supposed to protect you from, while the app still reports that you are "connected". ExpressVPN and NordVPN have an "IPv6 Leak Protection" mechanism built into their client which simply blocks IPv6 to avoid having to deal with it. Surfshark does not support IPv6, recommends that you disable it on your device, and provides instructions on their website on how to do that on various devices. However, given that most people have never heard of IPv6 I doubt that many people are actively going and looking for this, and they are just oblivious to the risk.
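A way to check for this yourself, as an added example that is not part of the original article and is not any VPN vendor's tool: on Linux, `ip -6 route get <address>` reports which interface the kernel would send an IPv6 packet out of. If that interface is the VPN tunnel, IPv6 is going through the VPN; if it is your physical interface, IPv6 is leaking; if the kernel reports no route, the client is blocking IPv6 outright. The tunnel interface names, the probe address (from the RFC 3849 documentation prefix) and the three sample command outputs below are constructed assumptions so that the example runs offline; the `probe_live` function runs the real command.

```python
"""Classify where IPv6 traffic would egress while a VPN client is connected.

Added example, not from the article or any VPN vendor. Parses the output of
Linux `ip -6 route get <address>` (samples below are constructed) and
reports 'tunnel', 'leak' or 'blocked'. Also shows how to tell whether the
resolver would try IPv6 first, which is what makes a leak matter.
"""
import re
import socket
import subprocess

# Assumed interface names that VPN clients commonly create for the tunnel.
VPN_INTERFACES = ("tun0", "wg0", "nordlynx", "utun3")
PROBE_ADDRESS = "2001:db8::1"  # RFC 3849 documentation prefix; never routed

# Constructed sample outputs of `ip -6 route get 2001:db8::1`.
SAMPLE_LEAK = ("2001:db8::1 from :: via fe80::1 dev eth0 proto ra "
               "src 2001:db8:1::10 metric 1024 pref medium")
SAMPLE_TUNNEL = ("2001:db8::1 from :: dev tun0 src fd00:1::2 "
                 "metric 1024 pref medium")
SAMPLE_BLOCKED = "RTNETLINK answers: Network is unreachable"

_DEV_RE = re.compile(r"\bdev\s+(\S+)")


def classify_route(route_output: str, vpn_interfaces=VPN_INTERFACES) -> str:
    """Return 'blocked', 'tunnel' or 'leak' for one `ip -6 route get` output."""
    text = route_output.strip()
    lowered = text.lower()
    # No usable IPv6 route at all: the client (or the user) has blocked IPv6,
    # which is what "IPv6 leak protection" amounts to.
    if not text or "rtnetlink answers" in lowered or "unreachable" in lowered:
        return "blocked"
    match = _DEV_RE.search(text)
    if not match:
        raise ValueError(f"could not find egress interface in: {text!r}")
    egress = match.group(1)
    return "tunnel" if egress in vpn_interfaces else "leak"


def probe_live(address: str = PROBE_ADDRESS) -> str:
    """Run the real command (Linux, iproute2) and classify the result.

    When there is no route, `ip` prints the RTNETLINK error to stderr and
    exits non-zero, so both streams are passed to the classifier.
    """
    proc = subprocess.run(["ip", "-6", "route", "get", address],
                          capture_output=True, text=True)
    return classify_route(proc.stdout or proc.stderr)


# Constructed getaddrinfo()-style results: (family, type, proto, canon, sockaddr).
SAMPLE_ADDRINFO_V6_FIRST = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 443, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.10", 443)),
]
SAMPLE_ADDRINFO_V4_ONLY = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.10", 443)),
]


def prefers_ipv6(addrinfo) -> bool:
    """True if the first address the OS would try is IPv6 (RFC 6724 ordering)."""
    return bool(addrinfo) and addrinfo[0][0] == socket.AF_INET6


def resolver_prefers_ipv6(host: str, port: int = 443) -> bool:
    """Live version of prefers_ipv6 for a real host name (needs DNS)."""
    return prefers_ipv6(socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))


if __name__ == "__main__":
    for label, sample in [("leak", SAMPLE_LEAK), ("tunnel", SAMPLE_TUNNEL),
                          ("blocked", SAMPLE_BLOCKED)]:
        print(f"sample {label:7s} -> {classify_route(sample)}")
    try:
        print("this machine ->", probe_live())
    except FileNotFoundError:
        print("this machine -> `ip` not available (not Linux?)")
```

A result of "leak" while the VPN app says it is connected is exactly the failure the paragraph describes: the tunnel only carries IPv4, and any dual-stack site you visit will be reached over your ISP's IPv6 address instead. Note that the route lookup is only half the story; DNS queries and per-application sockets can bypass a tunnel too, so the same check is worth repeating for the DNS server address the system is actually using.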

Conclusion

In conclusion, while VPNs can provide valuable privacy and security benefits, they are not a one-size-fits-all solution. The effectiveness of VPNs varies depending on your specific circumstances and needs. It is important to assess the pros and cons, understand their limitations, and use VPN services for the right reasons. As the digital landscape continues to evolve, staying informed about changes in laws and technologies is crucial to make informed choices regarding your online privacy and security.