Steps towards trusted VPNs


VPNs have become quite popular in recent years for a number of reasons, and more and more they are being touted as a privacy tool. The question is whether using a VPN does improve privacy. It is clear that VPNs are quite useful for getting access to things on the internet when direct connections are blocked. VPN providers include a number of tactics in both their client apps and server infrastructure to ensure that their users are able to make a connection. Then once users are connected, all of their traffic that goes over the VPN will see the internet from the point of view of the VPN’s server. That is how VPNs “unblock” the internet. In contrast, some are using VPNs to selectively block things, like making a system-wide adblocker.

To answer the question about whether they are a useful privacy tool, let’s start with the history of where VPNs came from. VPN stands for Virtual Private Network. They were developed by large companies with multiple offices and travelling employees. The goal was to link together all of these offices so that internal data could be freely shared between them without that data going over the internet as easily readable unencrypted plain text. Then travelling employees could also safely access the internal data via any internet connection. The key piece of this picture is that the users, employees in this case, already had to trust their VPN provider. The VPN provider was the company they worked for, and the data they were handling belonged to the company. So there was no attempt to hide user information from the VPN provider. Indeed quite the opposite: companies linked the VPN access to each employee’s “single sign-on” account. Built into the design of VPNs is full trust of the VPN provider, with the aim of keeping the data private from the internet. This setup was also by design, since many large companies wanted to ensure their employees work laptops were still going through the corporate firewall, where the company could block certain sites (e.g. malware, porn), then also monitor employees internet activity to ensure they are not exposing files that the company does not want to be public.

Virtual Private Network overview

This does not paint a good picture for a tool to protect privacy. But there is hope! It is possible to use a VPN to improve your privacy if you pay attention to some key details. For VPN services to provide privacy, you have to put a lot of trust in the people who are operating the service. The VPN provider can see all of your traffic that goes over the VPN, and they have a strong link to your user account with them. The privacy advantage of a VPN is that the destination sites cannot see which IP address your device is coming from, they will see the VPN provider’s IP address. And your ISP will see you are using a VPN, but not which sites you visit. With HTTPS, TLS, and end-to-end encryption being widespread, any encrypted content will be protected from the VPN provider also. But the VPN provider can still see where you are connecting from, which sites and services you are using, what time of day, and even potentially correlate traffic to link activities of their users. In other words, the VPN operator sees lots of metadata about you, so much so that they could paint a quite detailed portrait of your personal life if they ever did let their data be analyzed.

How to build a privacy-respecting VPN service

There are good signals that VPN services can send to show that they are tackling the real issues. For example, shipping free software clients, maintaining a warrant canary, posting a clear privacy policy describing the logging policy, and publishing the unredacted results of third party audits. If the VPN operator is doing the right thing, then VPNs can provide a relatively private way to access the internet. With a consistent track record of transparency, they can build up a trusted reputation for protecting privacy. Unfortunately, we cannot rest there since a VPN provider can change their setup quite easily, whether willingly or under duress. Maintaining consistent, regular, and transparent communications is therefore essential.

On top of that, the VPNalyzer project is working to make monitoring VPN services a lot easier and possible to crowdsource. This gives a third party perspective from some respected organizations.

Know as little as possible about your users

Many VPN providers require an account and payment information. This is usually personally identifiable information, like name, credit card information, email address, phone number, billing address, etc. The most private services have no user accounts by design. Calyx, Lavabit, and Riseup VPNs do not require any account or payment at all, so they do not have that information to give out or leak. Providers that accept payment need a way to tie payment to service, that is usually done using accounts tied to email addresses or phone numbers. Personal details are not required to make accounts and payments work. Mullvad uses a randomly generated account number only, there is no link to other identifiers unless you provide them. Additionally, Mullvad is one of the few VPN vendors that accepts cash payments. Many technically minded implementers laugh at the idea of processing envelopes of cash, but it is an effective, real world solution to minimizing personal data that software methods struggle to match.

Keep as little information as possible

The VPN servers unavoidably see lots of information about what users are doing. The default with most servers is to keep logs of that data. The longer this data is kept, the greater the risk it will be used to identify users and their activities. It does not help that standard practice for running servers is to keep logs for a long time. Many service providers keep those logs for years.

VPN providers must be clear about what logs they are keeping, and how long they are stored. Even better, they will provide information about how they do store the data that they do keep. For example, if the servers do not use full disk encryption, then it would be straightforward to recover the deleted logs. That is much harder on systems using full disk encryption.

  • A 2019 audit of IVPN showed that, at that time, the auditors confirmed that IVPN performed no “statistical logging of customer-traffic”, “logging of traffic, IP addresses or DNS requests” on the servers that the auditors were given access to.
  • Mullvad says, “we never store any activity logs of any kind.” in their no logging data policy

There are many legal ways for authorities to get private data, this is an essential part of a functioning justice system. But these powers are sadly abused in basically every country in the world, it is only a question of degrees. A VPN provider needs to represent its users legal interests, and push back on legal orders when there is the possibility they are unjust. Calyx Institute’s Nick Merrill provides the shining example in this regard. With the ACLU, he fought a legal case for over a decade to prevent unjust intrusion for his users. Ladar Levison shut down his email company Lavabit rather than allow the US Government to monitor Edward Snowden’s email account.

There are other ways to ensure that the legal processes are not abused. These include warrant canaries and disclosure when data had to be turned over via legal procedures.

Publish as much as possible as free open source software

F-Droid works to build services where free software, code inspection, reproducible builds provide a method to ensure that the software we deliver is trustworthy. VPN vendors recognize how important trust is, so the good ones work to get their apps into f-droid.org. The F-Droid community provides the best screening for ensuring Android apps are truly free software. On top of that, F-Droid flags apps for Anti-Features, which are things that users may not like, but might accept. Here are VPN clients that do maintain their free software clients in f-droid.org:

Use external auditors to confirm source code and operations

External auditors are important because they can bring fresh eyes on the source code, and good auditors are experts at finding issues in source code and server setups. And responsible organizations will publish the full, unredacted audit report once they have fixed the issues. Even if a VPN app is included in F-Droid, there are key aspects of the service that cannot be independently verified. For this, we must rely on the people who run the service to do the right thing. Audits can demonstrate that they were doing the right thing at the point of time of the audit. Here are some examples:

Publicly verifiable binaries via reproducible builds

Source code is the easiest place to conduct an audit of software, but it is the binary files that actually run on your device. Auditing binaries rarely happens since it is so much more time intensive. And yet, there are ways to change how software works without changing the source code. This can be done by injecting changes into the process that converts the source code into the executable binary. Reproducible Builds is the indisputable method for proving that a given binary was generated by given source code.

There are some generic VPN clients in Debian that are built reproducibly, but there are no Android or iOS VPN apps or branded desktop client apps that meet this standard yet. We recommend that VPN providers work with Debian, F-Droid, the Reproducible Builds group, or any other relevant project to achieve this key step.

Apple iOS

This post focuses on Android because iOS has a number of issues that make using VPNs for privacy less effective. For example, VPNs on iOS will leak IP addresses. Apple knows about this issue, yet still has not fixed it after a couple years. On top of that, it is not possible to have reproducible builds on iOS because the actual executable binaries are encrypted by Apple’s proprietary Digital Restrictions Management (DRM), so only Apple could ever reproducibly build something. If you are running Apple iOS, you are stuck trusting Apple to do the right thing, since they operate a relatively opaque, proprietary, strictly walled garden.

Run your own VPN

The VPN security model means you have to put a ton of trust in the operator. Questions of trust get much easier when you are talking about yourself or own organization. There are many projects that aim to make it as easy as possible to run your own VPN service. The good ones are all free software and have been audited, both the client source code and the server side setup.

  • Amnezia is a free service to create a personal VPN on your server.
  • LEAP VPN is a “white label” VPN setup used to build Bitmask, CalyxVPN, RiseupVPN and more.
  • Outline “makes it easy to create a VPN server, giving anyone access to the free and open internet.”
  • WEPN is a free software kit to become your own VPN provider, designed around a small hardware device.

There are also generic VPN client apps based on standard protocols:

Comparing VPNs to Tor and MASQUE

If it is privacy that you seek, then there are other tools to review. Tor is a longstanding community project that aims to make privacy proxies without compromise. Tor works similarly to VPN in that it is tunneling traffic to shared servers, the big difference is that your traffic is tunneled through three relays (in comparison to single hop VPNs). Each individual Tor relay cannot see the enough to put together a picture of who is doing what. At most, a relay can see what is done, but not who. Or that someone is accessing Tor, but not their destination. Orbot provides a VPN mode, but this is still full Tor protection, since it is just using the device’s VPN user experience to provide access to the Tor network. Tor Browser then adds whole other layers of privacy protection that can only be implemented in the internet-enabled app. This includes things like reducing metadata leaks in the HTTPS connection or web APIs, or isolating websites from each other within the browser, so they cannot read data about other sites the user has visited.

A new approach that is somewhere in between a VPN and Tor are multi-hop MASQUE relays. MASQUE is a new protocol that is similar to VPN and proxy protocols. MASQUE is built on HTTP/3 aka QUIC, so it does not stick out as much as VPN or WireGuard traffic. It also allows for multi-hop configurations. MASQUE is only newly deployed, so there is not the two decades of experience working to minimize metadata leaks in the processes for relaying traffic.

Apple iCloud Private Relay is a two hop deployment on MASQUE, which means that the Apple side can see that the user is sending traffic, and the Cloudflare side can see the destination, but not the user. That does provide a real privacy improvement over a single hop system. Unfortunately, Apple iCloud Private Relay fails most of the other tests laid out in this post. Plus given the history of NSA programs like PRISM, and the willingness for US companies like Apple and Google to take part, this setup is not clear protection from NSA and Five Eyes surveillance and targeting. It would be relatively straightforward for those kinds of agencies to correlate the data from the Apple and Cloudflare side if they have access to the metadata from both sides.

If privacy is your primary concern, then it is worth investing time into tools like Tor. If you have limited time and are mostly concerned about mass surveillance, then a good VPN is worth considering for some added privacy protection.