While Edward Snowden’s PRISM revelations failed to spark much widespread outrage among the general public, an apparent spike in the uptake of Virtual Private Networks suggests the online privacy market could be entering a golden period. But when commerce is driven by fear there is plenty of opportunity for exploitation and many privacy-concerned citizens may be lulled into a false sense of security over services that won’t protect their data.
In the two months after the NSA’s spying programme was uncovered by the Guardian, IVPN – the Virtual Private Network platform I work for – saw a 56% increase in sign-ups to our platform. Following this spike we decided to run a survey, asking our subscribers what motivated them to sign up for a VPN. Out of the eight anti-online privacy programmes we listed (ranging from SOPA to the Patriot Act) PRISM came top by a clear margin, with a 28% share of the vote. These findings were backed up by a number of other VPNs, who said they’ve also seen an increase in interest since the revelations. Not to mention the much publicized numbers released by privacy-orientated search engine DuckDuckGo, which reported a 50% traffic increase in the wake of PRISM.
The fact internet users are becoming more privacy-conscious is certainly encouraging, but readers who are technically minded may have already spotted a slight problem with the above findings: VPNs won’t protect you from the type of surveillance detailed in Snowden’s leaked documents.
PRISM involved creating backdoors into major online services, allowing the NSA to monitor the content of emails and other communications. VPNs will prevent eavesdroppers from knowing where you’re located and from seeing the contents of your traffic. But they won’t prevent someone accessing Google’s or Facebook’s servers, where your personal information is stored.
But the problem goes deeper than this. Some VPNs have been disingenuously cashing in on privacy fears before the emergence of PRISM – and are continuing to do so. To understand how, you need to understand how VPNs protect your privacy beyond that of an ISP. The vast majority of ISPs operate a data retention policy of some kind. This means they store information on users, such as your IP address (which uniquely identifies you) and web logs (which record every website you’ve visited). In Europe data retention is mandated and there are some in Washington who want to take the same route. But even though it’s not written into law, we know US ISPs retain data anyway, in order to cooperate with law enforcement investigations.
VPN privacy services supposedly offer protection from this data retention, by keeping logs for no more than a few days (or in some cases a few minutes). If there’s no data stored then it’s impossible for a VPN to cooperate with law enforcement requests to access it. Many VPN customers sign up because they assume this is the case. But it’s frequently not. In fact, some VPNs have even worse data retention policies than ISPs. For instance, HideMyAss, which is perhaps the most popular VPN on the market, retains data for two years, and this was only acknowledged after the company handed a hacker over to the FBI.
Despite PRISM being met with some cynicism by the population, the rising interest in privacy tools suggests the wider community is not quite as apathetic toward privacy as we may think. But at the same time we should not fall into the trap of believing there is a magic bullet to solve the problem of overzealous government surveillance. Even widely used, open-source tools such as Tor have their vulnerabilities. The best tools in the fight to reclaim our online freedoms are education and the support of activist organisations – such as the Electronic Frontier Foundation – in order to continue to pressure our political system and keep the issue on its agenda.