With online privacy coming under increasing attack, it’s no surprise that more and more activists, and privacy-conscious internet users, want to shield their internet activity from potential evesdroppers - be they state institutions or private companies. Along with free tools such as TOR and I2P, one of the most popular methods of avoiding online surveillance is signing-up to a commercial Virtual Private Network. Indeed, there is no shortage of VPN companies on the market, promising to give their customers security, anonymity and peace-of-mind while browsing. But, with the government seemingly waging war against online privacy, is it inevitable politicians will push for a ban?
VPNs on the rise
Since the PRISM scandal broke, VPN usage has been on the rise. IVPN saw a 56% increase in sign-ups in the two months following Edward Snowden’s revelations. We also ran a survey amongst our customers back in August, which saw PRISM listed as the top reason for new VPN sign-ups. This increase in interest was mirrored by a few of our competitors, who also saw an uptick in business following the revelations.
Of course, the irony is a VPN will not protect you from the type of surveillance described in the PRISM documents. As you probably already know, the PRISM programme involved the NSA creating a backdoor into Google, Facebook and other web services, allowing them to access the data held in accounts. VPNs may encrypt your traffic, and obscure your IP address, but if you upload a picture to Facebook, or send an email via Gmail, then that information is stored on Google and Facebook’s servers. The only way to stop the NSA accessing that data is to avoid creating it in the first place.
But VPNs are still likely to catch the attention of governments, not because they undermine PRISM, but because they undermine data retention practices. ISP-level data retention is, generally-speaking, when your internet service provider records the times you access the internet and what IP addresses you connect to, allowing authorities to determine your activity, down to the websites you’ve visited. Data retention has been mandatory in Europe since 2006, with all ISPs forced to store data for the entirety of a user’s subscription and up to two years after they unsubscribe. However, due to fierce opposition within certain EU states, the law may be significantly altered next year.
In the US both the Obama administration and Republicans have, at one time or another, pushed for a law similar to the EU Data Retention Directive. But although Washington’s ambitions haven’t yet been realised, US ISPs still practice data retention voluntarily, with some storing web logs for two years. VPNs may not protect users from PRISM, but they do threaten ISP-level data retention.
A warning shot appeared to have been fired back in June, when both Mastercard and Visa outlawed payments to a number of popular VPN providers. This action followed a high profile case involving a hacker from the group Lulzsec, who had his anonymity compromised because the VPN he was using retained user data (either voluntarily, or because it had been forced to by the FBI). Either way, the revelation caused a major breakdown in trust between VPNs and their customers. Since that incident we’ve also seen the UK government recently announce plans to implement a nationwide internet content filter that – among other things – will ban VPNs from being accessed.
So are VPNs’ days numbered? Well, thankfully VPNs can be located all over the world and many companies use them in order to privately access their company intranet, making a blanket ban very tricky. Of course, governments could follow the UK’s lead and stealthily ban VPNs via content filters, under the guise of ‘protecting the children.’ But it must be said circumventing the UK’s content filter - or opting out - is not that difficult (although it may make you more noticeable to the authorities).
The other avenue the government could take is to force VPNs to retain customer data - and it’s certainly possible that the EU’s data retention law could be interpreted to encompass VPNs also. But for this to work in the US, lawmakers would probably need to implement a larger-scale data retention law that encompasses ISPs. Politicians will surely have to wait until the PRISM revelations are a more distant memory, before trying to push any mass surveillance legislation past the American people.