Before we get into the latest scary virtual private network (VPN) news, let’s do as Naked Security’s Paul Ducklin advises and repeat after him:
Many people do trust their VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a Department of Homeland Security (DHS) higher-up recently said.
In a letter sent to Senators Ron Wyden and Marco Rubio on 22 May 2019, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote that foreign adversaries are interested in exploiting VPN services. From the letter:
Krebs was writing in response to a 7 February 2019 letter sent to him by the senators, who are concerned about threats posed by apps created in countries of national security concern to the US.
The senators noted that mobile browsers such as Yandex, Dolphin and Opera use their own servers as an intermediary for user traffic, compressing the pages before delivering them to users in order to save data. Similarly, VPN providers route traffic through their own servers in order to mitigate privacy concerns – nominally, at least, the senators said.
Potential security risks are of particular concern when it comes to government employees using VPNs, mobile data proxies, or other apps that might be vulnerable to foreign government surveillance, the senators said. They noted that the US government has already recognized the national security risks posed by Chinese telecom equipment, for one: a year ago, the Pentagon banned Chinese smartphones from military exchanges.
Six years prior, the US House of Representatives issued a report recommending that Huawei and ZTE be banned because of concerns over spying. A year-long investigation had shown that the companies had maintained close ties to the Chinese Communist Party and People’s Liberation Army back home while trying to expand their US businesses.
In Krebs’ reply to the senators, he said that there’s no overarching US policy preventing government mobile device users from downloading foreign VPN apps. He also referenced the National Institute of Standards and Technology (NIST), which has published Guidelines for Managing the Security of Mobile Devices in the Enterprise. From those guidelines:
Krebs said that according to “open-source reporting”, the Russian government in November 2017 enacted laws that force domestic and foreign VPN providers to participate in Russia’s blacklist enforcement system: a system that allows the government to “access and influence Russia-based VPN providers,” such as Yandex. Also, in December 2017, the Indian government issued an advisory to employees that the Chinese government had used popular mobile apps – including WeChat, Truecaller, Weibo, UC Browser, and UC News – to collect information on sensitive Indian security installations.
CISA believes the apps pose a “low to moderate” risk of affecting government operations, though Krebs notes that the agency has limited visibility into what government employees install on their federally contracted mobile devices.