There are many fish in the ocean, and VPN service markets are indeed booming like never before. While the early days of virtual private networking (VPN) were dominated by large enterprises, corporations, governments, and other institutions, today VPN providers sell their “magic pill” products to the general public as well, and security sells like ice cream during a hot summer season.
While a VPN service can indeed offer good protection against many everyday threats, particularly when it comes to surveillance and privacy, choosing an insecure VPN provider can do just the opposite. Security is a complex concept, and there are barely any mechanisms available that could establish conditions of absolute security. The core and foundational question of security is the still unanswered one of “whose security?”. Many secure VPN service providers advertise their neutrality and are keen to present the privacy improvements their service brings, and surely much of that is true. Yet a customer of such a service may not know, or be aware of, what other security implications might follow from using it.
How, then, could an average dweller in cyberspace choose their security provider? The choice is hardly made easier by the fact that all of them advertise excellent results, yet say only little about whom they collaborate with and whom they trust. In short, that question may become critical when the actual improvement to one’s level of security is considered. Given the absence of, or the wide range of, security institutions in cyberspace today, the choice of VPN service provider may come to resemble that of “citizenship” in the past. Indeed, when the VPN is used as a router for all network traffic, there is even some truth to that assumption. Yet in the modern cyberspace there are barely any sensible means for average users to consider, evaluate or even be aware of such conditions and affiliations.
Regulatory demands and safe havens of the cyberspace
Cyberspace is much more today than it was during its early days some centuries ago. One of the most prominent developments in cyberspace has been the inception of regulatory instruments to facilitate marketplaces and social “reach”, and also to strengthen the umbrella and public facade of cybersecurity. One of the domains where such securitizing work has had its strongest implications is the area of “data retention” and surveillance. This, in turn, is highly likely to define much of the level of trust one can have in any specific VPN service provider. While a provider might advertise an awesome securitizing effect of their product, they might not tell prospective customers which regulatory regime they comply with and which of those regimes have access to their traffic data.
As the identities of security providers, or regimes, in cyberspace remain unspecific, one has little to no means of evaluating such dependencies. This is, however, an ongoing process, one that has had its drastic “tectonic shifts” over the years and is highly likely to experience a few more in the coming years. One of the very first criteria, then, is to consider regulatory demands. This might be more difficult than it used to be, since those regulatory regimes increasingly intersect each other and their identities are more blurred than ever. While in the past nation-states used to define much of what security regimes were, little of that past has survived into the current security architecture of cyberspace. As the scientific literature has noted, this is not so much due to their incapacity to provide security as to their conceptual dependence on territoriality and “national identity”, both of which are largely incompatible with the global cyberspace.
Myths of absolute VPN security: Hostile Tor exit nodes
One popular conception in the world of cyberspace is that VPNs, and particularly one of their kind, the Tor network, are unbreakable when it comes to security and privacy. Many who advocate such conceptions have, in fact, little to no understanding of the actual security architecture of cyberspace and the internal functions of those services. Failure to understand the architecture of a VPN service can also lead to a false sense of security and to an inability to properly consider and evaluate the level of security each VPN provider can deliver.
However secure VPN providers claim to be, each of them has at least one vulnerable and unencrypted node in cyberspace: the exit node. This is the place where the traffic from their customers flows back into the unencrypted, wild-west-like cyberspace. At this single node, all the encryption of the network is removed and the traffic that originated from the customer is back in the state in which it left. If the end-user was communicating in clear text, then at the exit node their traffic is clear text again, and thus readable to anyone in a position to read it. Many end-users are simply not aware of this kind of architectural weakness, yet modern powers of cyberspace have frequently exploited it, e.g. to surveil traffic as part of their international intelligence collection efforts.
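The layering described above, as an added example that is not part of the original article: a client wraps a request in one encryption layer per hop, each hop removes its own layer, and the exit node is left with exactly what the client sent. The toy cipher, the keys, and the sample request are constructed for illustration; the second case wraps the request in an extra end-to-end layer (standing in for something like TLS) to show that only such a layer keeps the payload unreadable at the exit.

```python
import hashlib
import os

# Toy stream cipher (SHA-256 in counter mode, unauthenticated). It only makes
# the layering visible with the standard library; it is not for real use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def wrap_for_tunnel(hop_keys: list, payload: bytes) -> bytes:
    """Client side: one layer per hop, the exit hop's layer innermost."""
    for key in reversed(hop_keys):
        payload = seal(key, payload)
    return payload

def exit_node_view(hop_keys: list, blob: bytes) -> bytes:
    """What is left after every hop, the exit last, removed its layer."""
    for key in hop_keys:
        blob = unseal(key, blob)
    return blob

# Constructed sample data: hypothetical keys and a made-up login request.
HOP_KEYS = [os.urandom(32) for _ in range(3)]   # one key = VPN, three = Tor-like
E2E_KEY = os.urandom(32)                        # shared with the destination only
REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice&password=s3cret"

def demo() -> dict:
    plain = exit_node_view(HOP_KEYS, wrap_for_tunnel(HOP_KEYS, REQUEST))
    protected = exit_node_view(HOP_KEYS, wrap_for_tunnel(HOP_KEYS, seal(E2E_KEY, REQUEST)))
    return {
        "cleartext_readable_at_exit": plain == REQUEST,
        "e2e_readable_at_exit": b"password=" in protected,
        "destination_recovers": unseal(E2E_KEY, protected) == REQUEST,
    }

if __name__ == "__main__":
    print(demo())
```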
In the not so distant past, for example, some US intelligence entities reported in public how they had analyzed Tor (VPN-like) traffic originating from their “enemies in the real world”, China, North Korea and the like. Research and analysis on how many of the Tor nodes, or VPN providers, are in fact acting as honeypots for specific modern cyber-powers remains to be seen. The challenge here is, of course, that many of those who collect intelligence in that way do in fact also deliver appropriate and robust security to the citizens of cyberspace. This highlights the double-faced nature of security as a concept.
In that sense, there are no trusted and untrusted VPN service providers as distinct groups of businesses, but just different sets of security regimes emerging and forming within cyberspace.