Verizon’s VPN: security boon or privacy boondoggle?

Verizon, ostensibly aiming to better protect its customers’ data on mobile devices when using Wi-Fi while turning a gentle profit, is now offering a virtual private network.

The wireless-service provider is marketing its Safe Wi-Fi VPN as an ad-blocking privacy protector and charging users $3.99 per month, after a 30-day free trial. Verizon customers can download it through the MyVerizon app for Android or iOS.

As VPN services like Verizon’s face increasing governmental obstacles to adoption across the globe, the key to their success is in the details.



READ MORE ON VPNs

Looking to hide your traffic from ISPs? Not all VPNs are equal
For want of a VPN, Guccifer 2.0 was lost
How to protect yourself when using airplane Wi-Fi


As with any VPN (including that of Avast, which sponsors The Parallax), Verizon’s new app works by rerouting your Internet traffic to appear to come from another Internet Protocol address. It can thus block targeted ads that rely on your device’s IP address.

Unlike some other VPNs, including Private Internet Access and NordVPN, it doesn’t work across multiple devices or platforms. And while on first glance, it appears to cost about half as much per month as some competitors, it doesn’t significantly decrease in price, the longer the license lasts, the way some other apps do.

A more important detail: Verizon’s app, which, judging by its privacy policy, is largely based on McAfee’s VPN service, does not disclose how much user traffic it logs, or which kinds of information it collects.

McAfee’s privacy policy states that its VPN service “automatically collect[s] information about your interactions,” including details on what you’ve searched for, which services and apps you’ve used (and how much time you’ve spent using them), which websites you’ve visited, and where your Internet traffic has gone.

This includes extensive details on the user’s devices, apps, and networks, including:

internet protocol (IP) address, cookie identifiers, mobile carrier, Bluetooth device IDs, mobile device ID, mobile advertising identifiers, MAC address, IMEI, Advertiser IDs, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type and language, language preferences, battery level, on/off status, geolocation information, hardware type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences. We may collect this information through our Services or through other methods of web analysis….

Verizon did not respond to a request for comment.

When compared to other commercially available VPN services, the Verizon VPN is far less forthcoming about its data collection practices. That’s not surprising, says Travis Biehn, technical strategist and research lead at cybersecurity company Synopsys. But it’s also not just a Verizon problem, he argues.

“Historically, the problem with the VPN is that it’s centralized. You have no idea if the traffic will be logged, modified, or dropped. It’s possible when using any VPN that they do this,” Biehn says. And that’s despite a recent concerted effort to hold VPNs more accountable for the services they offer, including comparison charts, annual evaluations, and reviews at respected software review sites.

Nevertheless, VPNs retain their popularity in part because they’re much easier to use than the Tor Project’s method of obfuscating Internet traffic. They’re effective enough that a handful of authoritarian regimes around the globe treat their unapproved use as a serious Internet crime, with punishments for violators ranging from thousands of dollars to years in prison, as one Chinese man found out.

Two big players on the international cybersecurity scene have recently banned VPNs. China banned VPNs that it has not approved on March 31, though there are ways around the restriction. A violation of that ban can result in a fine of $2,200.

Russia banned VPNs last November, with a similar caveat: VPN users could be fined approximately $5,000, while VPN providers could face a fine of $11,000. Fines for consumers and providers in the United Arab Emirates are in the hundreds of thousands of dollars. Russia and the UAE join Iran, Oman, and Turkey with VPN restrictions. Iraq, Belarus, North Korea, and Turkmenistan have fully banned their use.

“If you’re using a VPN to access a news site blocked at the country level, the fact that you’re using a VPN at all could get you flagged,” Biehn says. “That makes you part of a marked population, which is self-defeating.”

And while he recommends Tor for people who are concerned with evading state-level surveillance, there’s no question that VPN usage appears to be on the rise. Audience-profiling company GlobalWebIndex reported in 2017 that 25 percent of Internet users around the world use a VPN at least once a month. While 50 percent of VPN users reported that they use the software to access entertainment like Netflix, 31 percent said they use it to anonymize their Web browsing, and 18 percent say they use it to evade government surveillance.

A representative of NordVPN said in a statement to The Parallax that the company’s American user base jumped 250 percent following the repeal of U.S. Net neutrality protections. Similarly, ExpressVPN and Private Internet Access, both independent VPN providers, recently reported spikes in the use of their services.

While the risks inherent in capriciously using a VPN are apparent, the consequences for not can be dire: Just ask Guccifer 2.0, the Russian hacking operation of the 2016 U.S. election caught by the FBI in part because of a lapse in VPN coverage.