Your VPN needs a “Good Housekeeping” seal of approval
It’s time to clean up the VPN market with a “Good Housekeeping” style seal of approval. Somewhere out there, one of those well-known, independent, reputable antivirus testing agencies needs to step up to the challenge with a battery of tests and a baseline set of standards for VPNs running on devices of all flavors – Windows, Apple, and Android.
It really can’t happen too soon.
The VPN marketplace is a real mess. There are several hundred products on the market, some covering all devices and others built for just one operating system. There is the confusion between VPNs and VPN proxies. And now we even have VPNFilter malware hitting routers.
It’s not just a competitive mess with VPN providers fighting it out on the comparative merits of their products – it’s a technical mess. There are no real recognized standards for what a VPN should – or should not – be doing. And there is no easily recognizable award/certificate/sticker that lets consumers simply sort out the various marketplace claims.
Certification/awards have their place
Just think about how many products you rely on – but which you haven’t tested yourself. That list includes electrical appliances, cement, cars, foods, and yes, antivirus software. There is a test or certificate which establishes the base standards – and we really rely on this to ensure that the bag of cement is really the right one, our family car is crashworthy, and that holey cheese is really made in Emmental.
For antivirus products, the impartial work by organizations such as AV-TEST or AV-Comparatives holds weight and is critical because consumers really can’t test for themselves how well the software roots out malware. They hope that the testers are running all of those AV products through the same set of hoops without taking a backdoor payment to tweak the results.
So why not have a test/certificate for VPNs?
A short history of VPNs
The history of VPNs goes back to the 1960s as a business tool. As the name “Virtual Private Network” suggests, this was a way to establish a secure, encrypted connection between computers or networks that were physically separated. With the advent of laptops and mobiles, VPNs have gotten more user-friendly. Not only do business people need VPNs when on the road to connect with the home office, normal people also use them to stay private on public networks and to access their favorite online entertainment by changing virtual locations.
Are we confused yet?
While VPNs have an array of benefits, there is no single recipe for creating them and there are several potential combinations of protocols and encryption methods. Differences between VPN network servers can also impact performance. In addition, there are VPN proxies which change the user’s virtual location for some apps but provide little or no encryption protection.
For most people, the differences between Point-to-Point Tunneling Protocol, Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec) are simply incomprehensible. The technical nature of a VPN is precisely why people shift to describing it in metaphor form as a tunnel. At Avira, we often describe a VPN as a registered letter that the recipient has to sign for and a VPN proxy as a forwarding note from the post office.
Technology does influence security
But beyond the metaphors, the technical differences between various VPNs do matter. A deep dive into 283 VPN apps for Android found that a significant number actually degraded the users’ security: a whopping 84% leaked user traffic, 38% added malware or adware to the user’s device, and 18% did not encrypt the web traffic. That said, the worst statistic from the study was that less than 1 percent of users had any security or privacy concerns about these apps. Ouch! Other studies have exposed VPNs for selling user data.
Six major points for a VPN standard
What companies like Avira can do is work with other VPN developers and independent testers on a common set of verifiable standards covering areas such as AES-256 encryption, testing for DNS leaks, and the collection and resale of user data. Here are just six of the major points that should be addressed:
1. Encryption – Is the data encrypted?
2. DNS leaks – Are DNS queries kept inside the encrypted tunnel?
3. Usability – How easily can people use the app?
4. Speed – How fast can the user connect and download content?
5. Server locations – What is the geographic range of available servers?
6. Data policies and logs – Is the VPN provider keeping and reselling user data?
Only one of these (3. Usability) is subjective and one is a matter of trust (6. Data policies and logs); the rest are objective. Setting some basic standards and certification among VPN providers should be more than marketing. It should be a confidence builder for consumers, letting them know that the VPN they’ve selected actually does what it should do – protect their privacy and open doors. Everything beyond that is just a technical detail.