Virtual Private Network (VPN): Privacy, information security concerns

 Virtual Private Network (VPN): Privacy, information security concerns

Lagos lawyer Olumide Babalola examines the privacy paradox situations that users encounter when making choices on the use of VPNs

Introduction

Since the Federal Government’s ban or suspension of Twitter in Nigeria in June 2021, more citizens have become aware of the Virtual Private Network (VPN) as an alternative route to circumvent the political censorship of the most-utilised social media network and keep tweeting regardless. With the uneven scramble for VPN came the expected misinformation on how the technology could invariably subject users to identity theft or financial scam once they logged into the platform and this expectedly scared most people off anything VPN up till this moment.

This article seeks to: (i) simplify the concept of VPN by reproducing some of its definitions from different perspectives; (ii) highlight its purpose and benefits and; (iii) clarify the likely privacy issues associated with the use of the technology.

What is a VPN?

A VPN is simply a private network that is routed on a public network (e.g the Internet) in an anonymous form and thereby protecting the privacy of the users from snooping or other privacy-impacting evils. It is a set of tools which allows networks at different locations to be securely connected using a public network as the transport layer. (Jim Harmening, Computer and Information Security Handbook (2009). VPN is a technology that establishes private network connection though a public network like the internet.  (Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011). It is built on top of existing physical network providing a secure communication mechanism for data and other information transmitted between two users. (Vlado Damjanovski, in CCTV (third edition) 2014). In conclusion, VPN is simply a private network exchanging information over a shared infrastructure while preserving the privacy of such information. Ultimately, VPN is a connection method used to add privacy to private and public networks like Wi Fi, Hotspots or the Internet. (See Matheo Varvello et al ‘VPN: A privacy- preserving decentralised virtual private network’ (2019).

Why was the VPN created?

Recently, the human folk’s explicable dependence on the Internet for almost every activity has increased the privacy and security concerns and complicated by the number of devices connected to the Internet per time. The nature of the Internet as a public space which is constantly invaded by cyber attacks and remotely controlled by some unidentified but more-equipped surfers emphasised the need for the vulnerable ‘netizens’ to access the Internet in a private sphere without the fear of snooping or eavesdropping by unknown elements, hence the invention of VPN in 1996. (See David Crawshaw, ‘Everything VPN is new again’ (2020). Zhipeng however says VPN was created as a solution to the scourge of cyber-attacks and hijacked control of the Internet by allowing better security and always providing anonymity to the users. (See Zhang Zhipeng, ‘VPN: A boon or trap? (2018).

How does the VPN work?

VPN works with the creation of private virtual ‘tunnels’ or ‘paths’ or ‘channels’ that allow users to communicate or exchange data from end-to-end within the tunnels as enabled by the Internet (in most cases). The personal data traveling through the VPN tunnel are encrypted (i.e by converting readable texts into incomprehensible gibberish) as a security measure to ensure the information gets to the desired recipient untampered since they eventually  pass through an unsecured platform – the Internet. (See M. Gupta, ‘Building a Virtual Private Network’ (2003).

When users connect to VPN, their personal data travel-sequence is as follows:

1. VPN platform on users’ device encrypts personal data.

2. Sends it to the VPN server through a secure connection.

iii.       Data goes through the Internet Service Provider (ISP) but they cannot snoop because of encryption.

1. When the data gets to the recipient, the encrypted data is then decrypted for the user to understand the information.

2. The flow is repeated where a reply is sent. (See David Janssen, ‘VPN explained: How does it work? Why would you use it? (2021).

What are the benefits of VPN?

Most Nigerians would not have known about the existence of the VPN technology until the unprecedented Twitter shutdown in June 2021. Apart from allowing users to bypass certain online censorship restrictions, the following are some other benefits of VPN:

1. Anonymity online: Users’ IP addresses and location are hidden by VPN.

2. Data security: By encryption, it becomes almost impossible for users’ data traffic to be hijacked by hackers or tracked by government surveillance.

3. Secure browsing of public networks: Generally, free Wi Fi networks are unsafe but when users access such platforms via VPN, they become anonymous and unidentifiable users.

4. Bypass geographical restrictions: Sometimes frequent air travellers, are frustrated when they are in transit and cannot use certain websites or apps (like WhatsApp calls (UAE) and Facebook in China for example) VPN enables them to bypass such censorship even when within such regions and they stand no risk of identification.

5. Improves Internet connectivity: Depending on the quality of VPN and the geographical location of the ISP’s base station, it has been repeatedly argued that VPN may improve Internet connectivity under certain circumstances.

What are the privacy and data security concerns of VPN?

Although data shared via VPNs are encrypted to ensure informational privacy, the VPN platforms however raise their own peculiar privacy concerns.

1. Moving from Internet privacy to the realm of Intranet privacy-trust worries. Using VPN involves a choice between a known devil (i.e the VPN service providers) and unknown angels (the identity thieves, hackers, government surveillance and digital busy bodies). Since users run from the larger Internet risks, they would have to trust VPN service providers (Intranet) not to misuse personal data collected for untoward purposes which may negatively impart users’ privacy. A number of VPNs, in fact, use tracking systems of users’ data.

2. Privacy violation by third-party service providers. Since VPN service providers are commercial entities that engage other third-party service providers (like cloud service, etc.), users’ data are also susceptible to the risk of misappropriation by these third parties whose businesses and data management practices may neither be regulated nor within the control of users, hence raising its own species of privacy and data security concerns.

3. Cyber security lapses. The growing popularity and utility of VPNs have also increased their cybesecurity porosity owing to the less attention service providers devote to securing users’ data. In emphasising the information security risks that comes with inadequate cybersecurity by some VPN service providers, Boxley puts it succulently that: ‘Not only is their basic architecture for transmitting data over third-party servers risky, but there are too many ways in which they flout best practices for secure, private data transfers.’ (See Don Boxley, Jr. ‘Overcoming the dangers of virtual Private Networks’ (2019).

Conclusion

VPNs, like every other digital product, cannot wish away its data security vulnerabilities and privacy anxieties. Without necessarily speaking for or against the use of VPNs, the privacy paradox situations continue to stare users in the face when making choices on the use of VPNs, however, it is advisable for users to apprise him/herself with the invasion in the product before use.

Twitter, tweeting, common sense …

From the Twitter front: it’s tweeting, tweeting; testing, testing; mutual common sense sprouting, after 100 days of furious combat, pitting the right to free speech against the imperative for security.

The post-combat signal is “soon” — but then, how soon is soon?

Which side won?  Neither.  But either is richer in mutual common sense and respect, which seem to suggest a new amity, in which rights are pushed with due sensitivity to the primacy of peace and security.

To be sure, both sides have been bruised.

The government has come under a heavy flak of rights attacks, in the impassioned scarecrow of daring, swaggering, preening autocracy, the very opposite of democracy — or what do you call a mass body of yakking, screeching citizens, via Twitter, suddenly struck dumb, by executive fiat?

Twitter, the bruised hero and champion of free speech, appears though more subdued on the bottom line sector, than on the free speech front.

As its excitable army got clobbered into quiet, its combat cover got smashed.  Without their “freedom of speech” din, Twitter couldn’t consummate its jumbo multi-million dollar advert deals — at least from the Nigerian sector, of its booming global market!

True, a few broke through the ban, to squeal their protest, daring the sitting order to crack down on them.  But such rights — or is it rogue? — sorties, in fashionable dissent, hardly secures the nourishment Twitter craves, in activating its grotto of free tweeting to jumbo profits!  It’s the bottom line, stupid!

A rather humbling experience, it must have been, for an otherwise dashing global shaman, with a rather unfazed body language: tweet — sense or nonsense — or be damned!  Not any more!

Which brings Hardball to the original issue: Twitter is only a tool.  It’s not good.  It’s not bad.  But the end to which it is pushed can be either.  That is where free speech clashes with right to peace and security.

Well, the age-old democratic balance is fine — and that can’t be taken for granted, after the heinous era of the divine rights of European kings and all the subject horror of that blue blood peril.

In the eternal vigilance of the succeeding epoch of democracy, citizens must rally to preserve their rights from from the Leviathan state.  But that Leviathan too is sworn to protecting all.  Common sense is then the mid-point, where the state delivers on its security mandate without riding rough shod over citizens’ rights.

That was the dangerous juncture Donald Trump (ironically then, captain-in-chief) breached before Twitter voluntarily yanked him off, after the former POTUS used its platform to galvanize the mob of his Big Lie, to storm the US Capitol on January 6.

That was the dangerous juncture Twitter breached in Nigeria by turning the blind eye, even as its platform became the preferred choice for hauling hate and fake news, both potent cocktails, to launch insurrection and brandish anarchy.

So, let there be a fresh start.  Let the horde tweet their rights.  Let Twitter corral its bucks.  But let neither fire chaos and anarchy — for the dead don’t, indeed can’t, claim democratic rights.

It’s in that happy mix, though from testy tension, that democracy can deliver progress.  If that hard lesson is learned from the Twitter ban, then Nigerians are winners.