VPNs And Privacy: Using Virtual Private Networks May Put Your Data At Risk : All Tech Considered With Internet providers able to track and sell your browsing data, people who want to keep their activity hidden are turning to virtual private networks. But VPNs can themselves be insecure.

Turning To VPNs For Online Privacy? You Might Be Putting Your Data At Risk

Turning To VPNs For Online Privacy? You Might Be Putting Your Data At Risk

  • Download
  • <iframe src="https://www.npr.org/player/embed/543716811/544259829" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

People in the U.S. who want to keep their activity hidden are turning to virtual private networks — but VPNs are often insecure. Stuart Kinlough/Ikon Images/Getty Images hide caption

toggle caption
Stuart Kinlough/Ikon Images/Getty Images

People in the U.S. who want to keep their activity hidden are turning to virtual private networks — but VPNs are often insecure.

Stuart Kinlough/Ikon Images/Getty Images

Worried about Internet companies snooping on your online browsing? You might turn to something called a virtual private network to protect your privacy. But researchers say these networks can themselves be insecure.

Earlier this year, the federal government rolled back rules that would have prevented Internet service providers from tracking your activity online.

Comcast, AT&T and other providers are now allowed to track and sell your personal data too — with much less fear of regulatory action. (Major providers insist that they don't sell their customers' browsing histories.)

One solution is a VPN, which is like a dark, secret tunnel you use to go from your computer to a website. While you're inside the tunnel — clicking on Instagram photos or checking your bank account — third parties can't see what you're doing. The data are encrypted.

There are lots of reasons people around the world use VPNs: to hide location, to access work networks, even to avoid government censorship. Loraine Kanervisto, a software engineer in Seattle, downloaded a VPN on their computer and cellphone to prevent spying.

"The more I read about how much power my Internet service provider is getting, the less inclined I am to share that data with them willingly," Kanervisto says. (Editor's note: Kanervisto uses the pronouns "they," "them" and "their.")

NPR reached out to six popular VPN companies and all have seen double-digit increases in downloads since Congress repealed Internet privacy rules.

Ryan Dochuk, co-founder of TunnelBear, says his company had a 200 percent increase in the usual amount of people joining from the U.S. in March, when the federal rules were rolled back, and demand continues to be strong.

"Before, where there were services that might collect a chunk of your browsing habits, like Google or Facebook, this change allows U.S. ISPs to collect 100 percent of your Web browsing and sell it to third parties," he says.

Internet providers handle customer privacy in different ways. Some say you have to opt in for them to sell your data. Nuala O'Connor, president of the Center for Democracy & Technology, a privacy advocacy group, says because of Internet-connected devices, providers can see more than the websites you browse.

"The Internet is in everything — increasingly in your house, in your smart water meter, in your refrigerator, in your toothbrush. The Internet service provider to your home knows a whole bunch of stuff about you," O'Connor says.

So, who cares whether Time Warner Cable or Verizon knows when I turn off my lights or whether I stock my fridge with Swiss or cheddar?

For one thing, those data points can be used to target advertising, O'Connor says. And she worries the government or private companies could use the information to deny services, like health insurance — or even water.

"You can think of water rationing in certain parts of the country being enforced via your smart water meter or your other devices," O'Connor says. "So it's a level of intrusion into the home and into your daily lives that we think people should be really mindful of and guard against."

Some VPNs promise anonymous browsing for free or just a few dollars a month; they claim not to share your data. But these services don't always deliver on their promises.

"If you're not careful with choosing your VPN service provider, the medicine might be worse than the illness," says Nick Feamster, a computer science professor at Princeton University. He says tens of millions of people have downloaded VPNs — and many don't realize they're not as secure as they claim.

In the first major review of VPN providers, researchers from across the globe tested nearly 300 free VPN apps on Google Play. What they found was alarming. Nearly 40 percent injected malware or malvertising. And nearly 20 percent of the apps didn't even encrypt user traffic.

This month, the Center for Democracy & Technology filed a complaint with the Federal Trade Commission alleging the VPN Hotspot Shield collects data and intercepts traffic. If true, that would be a direct violation of claims by the company's policy to "never log or store user data."

Amid all the VPN angst, the app TunnelBear is fighting for its reputation. To verify it is committed to protecting user security, the company became the first in the industry to complete a third-party audit.

Feamster, with Princeton, says that's very encouraging — even though the most recent audit turned up some vulnerabilities.

Experts say the safest option is to set up your own VPN server and connect to it, or use Tor to browse the Web anonymously. But Feamster admits most people won't do that.

For now, he suggests researching a VPN before using it and to think of it as a supplemental tool, not a privacy solution. He advises reading the VPN service provider's privacy policy to see whether it collects or retains any user information that could be traced back to you — and if so, for how long.

If you're looking to use a VPN, this comparison chart is a good resource. And, if you're feeling adventurous enough to build your own, Ars Technica provides this helpful guide.