Big Telecoms with Questionable Motives are Starting VPN Services




We are in a world where everyone is trying to get a hold of your information. Corporations and governments want to know what you’re buying, what you’re saying, and essentially what you’re thinking.

The world is waking up to the Internet’s privacy problem, and an arms race has started between groups trying to harvest your information and activists trying to protect your information from unwanted intrusion. As this race heats up, one of the primary issues facing Internet users today is exposure of their IP address, which is often directly tied to their identity online. A VPN is touted as a good solution to this issue, as it masks an individuals traffic by mixing it with the traffic of other users to make tying specific actions to specific users difficult.

The key features that a VPN service needs in order to be private are:

-Privacy – Ideally, the service should not retain any logs of user activity. If logs are retained, the privacy policy of the service must strongly state that your information is not shared with other companies or governments.
-Security – The service should rely on strong encryption that cannot be easily broken.
-Leak Protection – The service should be well engineered to prevent data from exiting the device through the regular connection rather than the VPN.

Recently, we have seen a rise in big telecoms touting new VPN services as add-ons to their other services. On the surface these might seem like a good idea, until we think about why these companies would want to create a VPN service. There is a massive difference between a VPN service and a privacy focused VPN service.

Why you need to trust your VPN provider:

When you establish a tunnel to a VPN server, you are tunneling all of your traffic to that server. This means that the VPN server can see everything that an Internet Service Provider can see. They can see which sites you visit, which services you use, and harvest all kinds of information about you. You are trusting your VPN provider to keep your data private or to not retain any data at all.

Then you have to consider these new VPN services that are ran by the big telecoms. Many users are getting VPNs specifically to get their data away from their ISP who is probably collecting and selling their information. These companies have a horrible privacy track record, and place profit over privacy at any and all cost to the user.

The three services i’m going to talk about today are Verizon Safe VPN, AT&T Secure Wifi VPN, and Sprint Secure Wifi.

A little history on Verizon, AT&T, and Sprint:

All three companies are involved in NSA surveillance
Their involvement has been increasing over time, despite bad press
AT&T toyed with the idea of monitoring all customer traffic for ads, charging users more to opt-out
The AT&T surveillance program ended after about a year

If you do more independent research about these three companies, you’ll find that they have throttled or blocked services in the past, installed supercookies on people’s devices, sold or traded customer information with affiliates and governments alike, and you’ll find that they are in general enemies of privacy.

So why would Verizon, AT&T, and Sprint suddenly want in the privacy and security game?

Data. Remember earlier where I mentioned needing to trust your VPN provider? These new services want to get at all of your data in a world where it is increasingly difficult to see what you’re doing at any given moment.

All three of these services have questionable privacy policies that allow excessive data collection and sharing:

Sprint Secure Wifi

You’ll notice that while there’s a lot of language about security on this app. There’s zero mention about privacy.

And here in their privacy policy they explicitly state that they monitor every site you visit with timestamps, and that they share the data with “affiliated companies.”

Verizon Safe VPN

If we take a look at Verizon’s privacy policy you are referred to McAfee’s privacy policy, which includes some gemstones such as:

and…

And finally we have AT&T Secure Wifi VPN

AT&T has such a poor privacy record that they should be disqualified from use outright, but I gave them the benefit of the doubt and read some documentation. The Android app refers back to the AT&T generic privacy policy, which explicitly states repeatedly that they do not “sell your personal information to advertisers.” This is interesting, as we know that AT&T has sold personal information in the past.

There’s some word games and lawyerspeak at play here. Their privacy policy does permit selling “aggregate” analytics data. So they bundle your data together with the data of other people in order to “anonymize” it. The problem is that de-anonymizing the data isn’t all that hard. (pdf warning) So the privacy threat still exists, and AT&T gets to sell your data without directly selling your “Personal Information” as they have narrowly defined it in the privacy policy.

They also leave room for greater collection and sharing “with your permission.” And as we all have experienced with privacy policies in the past, using the application is giving consent. This creates another legal loophole where you’ve given them “permission” to engage in other types of sharing that are broader than defined in the policy.

Use a Real VPN and Get Real Privacy

Find out if your VPN service can prove that it does not collect user information. And if the service is made up of activists that actually care about privacy. Do not trust large corporations that are directly tied to surveillance to protect your privacy!

About Derek Zimmer

Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.

VPN Service

Similar Articles:

TLS 1.3 is Coming – an Opportunity for Amazon, Google and Microsoft to End Censorship

TLS 1.3 is Coming – an Opportunity for Amazon, Google and Microsoft to End Censorship

The Long-term Decay and Re-birth of Innovation in Security and Privacy?

The Long-term Decay and Re-birth of Innovation in Security and Privacy?

Police chiefs want new data-sharing treaty with U.S. as privacy questions linger

Police chiefs want new data-sharing treaty with U.S. as privacy questions linger

Advice to Google: Stop invading wireless privacy with location history

Advice to Google: Stop invading wireless privacy with location history