Cyber espionage is in the news. In a letter addressed to Christopher Krebs, director of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), senators Marco Rubio (R-Florida) and Ron Wyden (D-Oregon) raised the issue of VPN usage in the federal government.
Calling for an urgent investigation, the letter suggests that if US intelligence believes Beijing and Moscow to be leveraging proprietary technology to spy on Americans in other cases – such as with Huawei and Kaspersky Labs – they should be similarly concerned about citizens sending their browsing data directly to foreign entities through the use of VPN software.
The congressional letter notes that many of these applications – VPNs, mobile data proxies, and private browsers – are ‘vulnerable to foreign government surveillance’ and have been downloaded millions of times despite being based in countries that ‘do not share American interests or values’.
VPN software has become popular in recent years as consumers have grown increasingly interested in improving their online privacy and bypassing geographical restrictions on digital media. When someone decides to install a VPN on their device, they essentially choose to entrust their data with that company instead of their ISP or wireless carrier. Hypothetically, the VPN provider can analyse users’ traffic, log it, and if their policy permits, send or sell it elsewhere.
In transmitting data to servers controlled by countries with a potential interest in targeting federal employees, the senators fear this technology could be used to facilitate surveillance of the American government.
Digital self defense: Is privacy tech killing AI?
Are fears of Cyber espionage well-founded?
There is no direct evidence of deliberate cyber-espionage on the platforms in question.
Though it isn’t clear exactly what spurred the proposal, it comes just weeks after research revealed that roughly 60% of the top free mobile VPN apps on the Google Play Store and Apple App Store are from developers based in mainland China or with Chinese ownership.
Typically, legitimate VPNs have detailed privacy policies that outline their practices and preclude them from monitoring and logging their users’ web traffic. By contrast, 86% of the applications investigated had substandard privacy policies that were dangerously lacking or even hostile to user privacy. Some granted developers full access the users’ internet traffic, tracked users, and explicitly sent data to Chinese third-parties.
These findings raise important questions as to why China allows these companies to operate in defiance of its strict laws prohibiting the use of VPN software, and with whom this data is shared once it is received. Similarly, it highlights a disturbing ambiguity about what happens to huge volumes of user data, and raises concerns that millions of Americans are allowing unknown and potentially hostile entities to access their web traffic.
Though the study was not explicitly cited in the senators’ letter, it was sent just weeks after several major US tech news outlets covered the report.
Why privacy by design is like going to gym
Cyber espionage: A growing trend?
The request for a threat assessment demonstrates a trend of heightened fears in Washington that hostile governments are spying on US citizens through commercial products. Where a company sends or stores consumer data has become an increasingly relevant question for cybersecurity officials, who are beginning to assess the risks posed to federal networks by consumer platforms.
In 2017, the DHS issued a Binding Operational Directive banning Kaspersky Lab products from government systems due to fears of Kremlin interference. The servers powering the company’s cloud network – which stored user data for malware analysis – were located in Moscow, where officials believed Russian domestic law would compel the company to cooperate with Russian intelligence agencies.
Founder Eugene Kaspersky has since vehemently denied that the company works with the Russian government, and last year announced the opening of a new data centre in Zurich, Switzerland to address concerns over data privacy.
If intelligence experts deem these VPN apps a similar risk to national security, the senators have called for the same emergency directive mechanism to ban their use on government systems.
The US government is also engaged in an ongoing battle to ban Huawei and ZTE products based on similar fears that the hardware vendor’s equipment is being used to spy on unsuspecting Americans. Officials have since urged for Chinese telecommunications companies to be locked out of competing for major infrastructure projects in the US.
In their letter, Wyden and Rubio mention three mobile web browsers that use their own servers to facilitate VPN use for consumers: Dolphin, Yandex, and Opera.
In 2011, it was discovered that Dolphin, a company founded by a Chinese startup, was sending customer URL data in plain text to a remote server under its control. Citizen Lab flagged similar concerns over Baidu – another popular Chinese browser – in 2016. Yandex was created by a Russian corporation and is headquartered in Moscow. These are but a few examples of the dozens of foreign-owned ‘security’ platforms in popular use across the US.
What does this mean?
In combination with the studies that precede them, the senators’ concerns have far-reaching implications regarding the extent to which our digital lives may be subject to foreign scrutiny, and the degree to which our governing bodies are equipped to tackle wide-reaching privacy issues at the commercial level.
These events undoubtedly draw attention to the general disregard consumers pay toward the ultimate ownership and control of the digital platforms they use, as well as the failure of companies like Apple and Google to effectively curate their respective stores.
Millions of unsuspecting consumers are routing their internet traffic through servers operated by these companies, most of whom offer no safeguard against the abuse of this data. Given the extent of misinformation and obscurity surrounding their online presence, it’s clear there can be but minimal oversight of these applications at any level.
The senators’ letter highlights the potential risk posed by commercial products being used as a method of international surveillance by hostile groups. In countering this threat to privacy on a national and individual level, we must hold tech giants accountable for the curation of their own platforms, and question the extent to which our leading bodies are capable of identifying and apprehending these threats without the breach of our digital liberties.
William Chalk is a cybersecurity journalist and senior researcher at Top10VPN.