VPNs: Privacy Protection...Sometimes

The eighth radio column for my new series on CBC Radio’s Ottawa Morning. Hallie Cotnam and I discuss why Facebook’s Onavo VPN is raising eyebrows for violating user expectations of privacy.

Listen to the column.

Privacy First?

This week Apple requested that Facebook change its virtual private network (VPN) app, Onavo, in the App Store. Apple cited a violation of the App Store privacy policy as the reason for the request. In response, Facebook removed the app entirely, though it is still available for Android. What’s going on here? Aren’t VPNs supposed to protect your privacy?

The Network

Computers and other devices on a network broadcast a lot of information. That information says a lot about what those devices are being used for. Most devices send a mix of encrypted (secured & obscured) and clear communication traffic.

On wifi, any communication can be seen by anyone within range, and while most wifi networks are encrypted, that encryption is typically broken. On both wired and wifi networks, the owner of the network can view communications in the clear.

This is why banks, stores, and other sensitive pages (like app logins) use encryption to secure web traffic. They want to ensure that only the devices involved in the communication know the details. If you’ve ever seen the padlock icon in your browser then you’ve used this technology, called HTTPS.

Think of network communications like a conversation between two people (the user and the website). Communication in the clear is like a series of postcards sent back and forth. Anyone that sees the card knows who was talking, when they were talking, and about what.

When communications are encrypted properly, those postcards change to letters. Now, someone seeing the communications knows only the two people who are communicating and when they are communicating…not what they are talking about.

What is a VPN?

A virtual private network is a tool that creates an encrypted connection between a device and the VPN host over the internet. This connection is called a tunnel. In essence, it creates a private network over a public one.

This shifts all of your clear communications to encrypted ones…to a point.

Now instead of communicating directly with a website, your device uses the VPN to communicate with the VPN provider who then communicates with the destination network.

All traffic between your device and the VPN provider is encrypted. This effectively protects your traffic on any public network…until it reaches the VPN provider.

From there, communications use their normal method: either clear or encrypted.

This is a critical detail. Communications are only encrypted to the VPN provider, then they use the type of communication specified by the destination.
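To make the "encrypted only as far as the VPN provider" point concrete, here is a small model of who sees what with and without a tunnel. It is an added illustration, not part of the original column; the host names and message are constructed, and the model ignores details such as DNS and traffic size.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    encrypted: bool  # True when only the two endpoints can read the payload

def observe(pkt):
    """What a passive observer on the path learns from one packet."""
    return {"src": pkt.src, "dst": pkt.dst,
            "content": None if pkt.encrypted else pkt.payload}

def send(device, site, message, https, vpn=None):
    """Return what each party along the path can see for one request."""
    inner = Packet(device, site, message, encrypted=https)
    if vpn is None:
        # No tunnel: the same packet crosses the local network and the internet.
        return {"local_network": observe(inner), "internet_path": observe(inner)}
    # The tunnel wraps the whole inner packet; outsiders see only device -> VPN.
    outer = Packet(device, vpn, "<tunnelled packet>", encrypted=True)
    # The provider unwraps the tunnel, so it sees the inner packet as sent.
    # It then forwards the request with its own address as the source.
    forwarded = Packet(vpn, site, inner.payload, inner.encrypted)
    return {"local_network": observe(outer),
            "vpn_provider": observe(inner),
            "internet_path": observe(forwarded)}

if __name__ == "__main__":
    # Constructed sample: one request in each of the four combinations.
    for https in (False, True):
        for vpn in (None, "vpn.example"):
            print(f"https={https} vpn={vpn}")
            for who, view in send("laptop", "shop.example", "order=42", https, vpn).items():
                print(f"  {who:14} {view}")
```

With a VPN but no HTTPS, the coffee-shop network sees nothing useful, while the VPN provider and everything past it still read the postcard.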

Uses

By design, a VPN is very useful for protecting your traffic on untrusted networks.

Using the wifi at the coffee shop? Everyone could see the details of your activity and the metadata of your encrypted activity. If you use a VPN, they would only be able to see the encrypted connection to the VPN. This is a key privacy use of a VPN.

Another common use of VPNs is to provide access to protected resources. Larger organizations often use VPNs to allow remote access to internal tools. Because they run the VPN service, the VPN tunnel (from the device to the network) exits somewhere in the organization’s network. This means they can create a secure route between the exit of the VPN tunnel and the internal tools.

Some VPNs advertise as a way to choose where your traffic is accessing services from. By selecting the exit point of your VPN tunnel, you can surf from Canada but appear to be surfing from the United States. The most common use of this technique is to avoid geo-blocking.

Geo-blocking is when a site or service uses the assumed physical location of an IP address (where traffic is coming from) to deny or allow specific services. Most users see this in a service like Netflix. If you’re in the United States, the Netflix catalog is significantly different than the Canadian one.

Some services—like Hulu, HBO Go, etc—aren’t available in Canada at all. Avoiding the geo-block is the only way to access them from Canadian soil.

It needs to be said that avoiding the geo-block on purpose is typically a violation of the terms of service for these sites and could result in account cancellation.

Oh No, Onavo

Back to the case at hand. Facebook acquired Onavo in 2013. At that time, Onavo offered a number of products around analyzing user behaviour.

The VPN product—Onavo Protect—was designed to provide privacy protection and the other advantages a VPN brings with one large exception. Onavo analyzes and monitors the traffic in order to draw insights into what apps and activities are gaining in popularity.

When Facebook acquired the company, this activity continued. Facebook mined the Onavo Protect data in order to discover new apps and trends among its user base.

In fact, for those users diligent enough to read the Onavo privacy policy, it clearly states the activities it undertakes. The problem is that very few users read and truly understand the implications of these policies.

Recently Apple updated its privacy guidelines for the App Store. Apple is a strong proponent of user privacy and Facebook’s activities with Onavo run afoul of the updated guidelines. This is not the first time the two companies have disagreed on user privacy and it probably won’t be the last.

Legalities

Onavo is somewhat transparent with their activities. They certainly don’t hide the fact that they track user activity but the onus is on the user to sift through the Terms of Service and the Privacy Policy to figure this out.

In the VPN market, it’s not uncommon for service providers to call out specific terms of service or clauses in their privacy policies that they believe protect and shield users.

A common claim is “no logs”.

Typically, information is logged when a user connects to a VPN. These logs are where Facebook gathers the information about Onavo users. Some VPN providers have set up their systems so that they record little to no logging information.

These highly automated configurations are harder to troubleshoot in the event of an error or issue but the companies are making a conscious trade-off. They cannot mine information they don’t collect.

Additionally, they cannot provide information to law enforcement or various government agencies under lawful request if that information doesn’t exist.

The key question here—and remember, IANAL—is whether or not the VPN provider is operating in a jurisdiction where they can be legally compelled to enable logging. That’s a different request compared to writing new code in order to weaken a system.

The simple rule? Don’t rely on VPNs as a privacy tool from government or law enforcement requests. They are designed to protect your internet access from malicious actors on the network you are using.

Safety First

VPNs are a great tool when it comes to user privacy on public networks. If you regularly use public wifi, connect to wifi at conferences, or generally travel often, a VPN is a solid, reliable way to protect your privacy on those networks.

That protection, though, comes with a cost. You are now pushing all of your traffic to your VPN provider. That choice requires that you trust your VPN provider.

Regardless of VPN choice, you still need to verify that your sensitive surfing (banking, shopping, logging in, etc.) is still encrypted by your browser.

When you understand the advantages of a VPN for these use cases, it’s hard to find a more effective way to protect your privacy on public networks.