VPNs raise security concerns about user data


In 2014 Cambridge Analytica, a British political consulting firm, posed as an academic research group and created a personality test on Facebook. The firm promised users a gift of one or two dollars if they completed the quiz.

Once users agreed to take this quiz, Cambridge Analytica did not just cheaply acquire personality quizzes from 270,000 users — they had access to all of those users’ “likes,” browsing data, physical locations, religious beliefs, photographs, phone numbers and email addresses. By agreeing to this quiz, Cambridge Analytica also had access to all of a user’s friends’ data too.

From one personality quiz that 270,000 people took, Cambridge Analytica was able to draw broad “psychographic profiles” on 50 million users. According to the New York Times, Cambridge Analytica used these profiles to influence voters in favor of President Donald Trump in the 2016 election.

This is only one instance of potentially thousands where companies have allowed organizations to check the logs of users and use that data to influence people globally.

If a user wishes to have their data and identity hidden from these logs and data collection entities or to bypass country restrictions on a particular website, one popular option is a Virtual Private Network (VPN).

Junior Neiko Rivera is a member of the DePaul Security Daemons, a network security club. Rivera says that while paid VPNs are generally considered more secure, users should still be careful. He admits that Hotspot Shield, the paid VPN which he currently uses, logs its users’ data due to a contract the company holds with Comcast. Rivera says using a free VPN brings on even further risks.

“Every time someone asks me what free VPN to use, I usually tell them ‘Don’t use one,’” Rivera said. “I’ve seen a bunch of cases where instead of them selling data … the VPN won’t be secure and it will leak user passwords and data.”

Rivera says hacking groups will target VPNs knowing that there are holes in which they can find users’ information.

“If someone wants something free to remain anonymous, which is impossible today, I usually recommend that they use TOR,” Rivera said, referring to a browser that automatically scrambles a user’s IP address.

VPNs work by allowing a user to take on the identity of a user from a different location, often a different country.

“Once a user connects to the VPN, the VPN sends back an IP address for maybe a German network, and then the VPN can send and receive communication as the German IP address,” Associate Professor Greg Brewster said. “By using a VPN a user can basically impersonate a person who is connecting from Germany.”

Naturally, users may want to find a free, fast and reliable service to help them remain private. There are many free VPNs that are utilized by millions of people every day. However, using these free VPNs may not be as secure and private as one would hope.

“One (danger) would be that the VPN server can copy anything that you send and receive,” Brewster said. “If you type in any passwords while using a free VPN, it can copy those types of things. If it’s a free service you have no reason to trust them.”

While free services have misled their users into thinking that they are private and that their data is secure, even paid VPNs do not always deliver the privacy they claim.

According to a joint 2015 study from Sapienza University in Rome and Queen Mary University in London, 13 of 14 VPN services lowered security and 10 also leaked user data such as browsing history, IP address, names and other personal information.

Senior, Aaron Atac, personally recommends NordVPN because he says it meets his security criteria for a VPN provider. Still, he warns people to be wary.

“They are based in Panama and Panama is a gray area because they have no data retention laws,” Atac said. “Everything about this is trust. Even though they say that they are not logging, they still could be logging and you will never know unless you work for them.”

Atac is a member of the DePaul Security Daemons with junior Neiko Rivera. Atac says that using a VPN to protect one’s data is inconsequential in the grand scheme of data collection.

“You are (one) out of four billion people. It doesn’t matter at all that they do not have your data,” Atac said. “They are doing just fine with all the other people.”