“The VPN industry is extremely opaque, and many VPN providers exploit, mislead, and take advantage of unwitting consumers,” US lawmakers Anna G. Eshoo and Ron Wyden said in a letter to the US Federal Trade Commission (FTC), urging the authority to “take enforcement actions against the problematic actors in the consumer Virtual Private Network (VPN) industry.” In their letter, the lawmakers describe several abusive practices in the VPN industry, including promoting false and misleading claims about their services and selling user data and providing user activity logs to law enforcement.
Why now? Ever since the US Supreme Court overturned federal abortion protections, women have been concerned about their digital health privacy. “People seeking abortion are increasingly told that installing a VPN is an important step for protecting themselves when seeking information on abortion in states that have outlawed and criminalized abortion. This advice has also been applied to general privacy-related concerns and has brought VPNs into the mainstream among American internet users and resulted in a significant market boom,” the lawmakers explained. VPNs allow users to establish an encrypted connection between their device and a server run by the VPN provider, making it harder for third parties on the user’s network path to monitor their online activity.
Why users can’t trust all VPNs: “It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations. There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims. Interested consumers refer to online recommendations to select which VPN provider to trust, and many of the most frequently visited third-party review sites and blogs profit from partnerships with specific providers. Even more troubling, some VPN review websites are owned by companies that also offer VPN services,” the lawmakers pointed out.
False claims of protection: “Many popular VPN services also spread inaccurate information on their websites. In December 2021, Consumer Reports (CR) found that 75 percent of leading VPN providers misrepresented their products and technology or made hyperbolic claims about the protection they provide users on their websites, such as advertising a ‘military-grade encryption’ which doesn’t exist. Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users,” the lawmakers wrote in their letter. “We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information, putting them at a higher risk of prosecution,” the lawmakers added.
“No-logs” policy cannot be verified: Many leading VPN providers advertise a “no-logs” policy, meaning they do not collect or maintain any logs of user activity. The lawmakers remarked that “it’s nearly impossible to verify their claims” because “in various cases, VPN providers that advertise a strict ‘no-log’ policy have provided user activity logs to law enforcement.” To illustrate their point, the lawmakers cited a 2020 report that uncovered that seven VPN providers which claimed not to keep any logs of their users’ online activities left 1.2 terabytes of private user data exposed, including users’ email, home addresses, clear text passwords, IP addresses, and internet activity logs.
Abuse of user data: The lawmakers also pointed out that VPN services have abused user data in some cases. “In 2020 it was revealed that a leading analytics firm used personal data from over 35 million people who had downloaded one of their 20 VPN and ad-blocking apps to power their analytics platform without consent. Notably, the apps didn’t reveal their connection to the analytics firm. Another study found that 75 percent of Android VPN apps report personal user data to third-party tracking companies and 82 percent request permissions to access sensitive resources, including user accounts and text messages,” the lawmakers explained.
What should the FTC do? “We urge the Federal Trade Commission (FTC) to take immediate action under Section 5 of the FTC Act to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions. We also urge the FTC to develop a brochure for abortion-seekers on how best to protect their data, including a clear outline of the risks and benefits of VPN usage,” the lawmakers wrote.
The contrast with India: While lawmakers in the US are trying to improve privacy and strengthen protections for citizens by preventing unscrupulous VPN apps from collecting user data, the government in India has demanded that VPN apps collect more information from users. The new cybersecurity directions issued by the Indian government, among other things, require VPN service providers to maintain detailed information on customers, such as their names, contact details, the purpose of using the service, and IP address, for a period of at least five years, and possibly logs of web activity for a period of 180 days. These requirements have led three major VPN providers—Surfshark, NordVPN, and ExpressVPN—to announce that they will pull their servers out of India.
Other measures by the US government to protect sensitive health and location data: In light of the Supreme Court judgement, the US FTC published a blog post on July 11 committing to use the full scope of its legal authorities to protect consumers’ privacy when it comes to location, health, or other sensitive data.
“Among the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Smartphones, connected cars, wearable fitness trackers, ‘smart home’ products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users. Standing alone, these data points may pose an incalculable risk to personal privacy. Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.” — Kristin Cohen, Acting Associate Director, US Federal Trade Commission (FTC) Division of Privacy & Identity Protection
Separately, US President Joe Biden signed an executive order directing federal agencies to protect abortion access and the online privacy of patients seeking reproductive healthcare. Two US bills have also been introduced to protect a person’s reproductive health data by limiting the personal reproductive health data that a service may collect, use, or retain.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.