Law in the Internet Society
You did say to make it bad.


"What is a VPN?"

When the average consumer inputs this Google search, the first thing that pops up isn’t the Google dictionary result. In fact, it’s not even an option on the page. What does pop up is a link to an article written by NordVPN, better known as the sponsor of any YouTube video with over 10,000 views. In a world where multiple competitors have been offering the same product for years, a relatively unbiased definition should be simple enough to find. The fact that a popular brand’s attempt to sell you a VPN pops up before you even know what it is demonstrates a much larger problem. Rather than empowering people with the tools to fully take control of their own privacy, companies like Nord, Express, and Surfshark jump to charge consumers high prices for much, much less privacy than they could easily get on their own. Over the course of this essay, I will discuss what VPNs can/should do, and then discuss why many paid VPN services fail to offer the promised protections.


First things first. A VPN, also known as a virtual private network, is a tool that creates a secure connection between two networks, or between a computing device and a network. Typical categories of VPNs include remote access, host-to-network configuration, site-to-site, and extranet-based site-to-site VPNs. Illustrations liken a VPN to a secure underground tunnel between your computer and the websites you want to reach, keeping your information more secret than it would be if it traveled through the open-air, aboveground internet.

The part of the YouTube video you skip usually describes two main benefits of having or using a VPN. First and foremost, paid VPNs promise their users access to content they couldn’t otherwise receive based on their location. In ads targeted at Americans, plucky YouTubers usually show skits of themselves watching shows that are unavailable in certain countries. This also makes VPNs a sensible, one-time purchase for people traveling abroad. Students doing a semester in China might purchase a VPN so that they can stay up to date on their favorite TV shows and movies, using the services they also already pay for (Netflix, Hulu, etc.). This also implies that a VPN might be a good tool for people who are based in countries that block more content to do the same thing. However, this isn’t the main advertising ‘hook’ VPNs use. Companies like ExpressVPN and NordVPN usually make claims about privacy. Typically, this involves a story about a hypothetical person walking into an airport, completing a bank transaction on the free public wifi, and getting their banking information stolen during an ARP spoofing attack. Very sad and scary, but ExpressVPN can help. Similarly, companies also claim that a VPN can stop an Internet Service Provider from reading up on all of the sites you visit to sell your data and create targeted advertising. Purchasers, they claim, can rest easy knowing that their anonymous Reddit posts and weird 3 a.m. Google searches are safe from any prying eyes that might use them for nefarious or uncomfortable purposes. Sufficiently scared and a little intrigued about what shows are available outside the US, a consumer may fork over $8 per month for security and a little convenience.

The problem with many of these claims is that, while potentially true, none of this stops the VPN company from doing all of the things a consumer is worried some anomalous ‘bad guy’ might do, the personal data isn’t that much more secure than simply staying on ‘padlocked secure’ HTTPS sites, and if someone really wants that cartoon that releases at different times in different countries a couple of months earlier, they can find it more easily, safely and cheaply through torrent than they would using a streamer’s website.

Sure, one could say that they’d rather roll the dice with a paid VPN service that they’ve researched before buying and trust. The problem is that, much like a simple, clear, and useful definition, unbiased research on which VPNs are best is hard to find. Companies buy review websites, and around ten minutes into a YouTube review search, you’ll start to find channels begging you NOT to buy a VPN. Furthermore, even the largest VPN services, like ExpressVPN, have been bought by companies with a history of collaboration with ad-injection malware companies. Furthermore, by sending your data to a VPN company, you simply trust an anomalous bad guy with venture capital firm money, along with some of your own.

If this is true, why would so many companies be allowed to make these misleading claims? The law, after all, should stop blatantly false advertisements from reaching mainstream audiences. [FTC’s role in false advertising: We have cases like Federal Trade Commission v. Bunte Bros, Inc. and, more recently, Static Control v. Lexmark that should protect us from puffed up claims of a product’s worth.]


However, courts can be slow to adapt to the use of new technology, so it’s possible that we won’t see any meaningful legislation on the claims or use of popular VPN services for some time. In summary, while companies claim that VPNs can give you access to better content and protect your data from harmful attacks and prying eyes, they aren’t worthwhile purchases for the safety-conscious consumer. Because the court system likely won’t kick in to stop VPNs that are not useful and, in some cases, are actively harming your computer, consumers should take matters into their own hands.

A few recommendations for better alternatives:

[Recommendations for secure browsers from Prof Moglen]. [Article on how to torrent].

I think the best route to improvement is to begin with more technical clarity. Distinguishing between proxy browsing services like NordVPN and actual layer 2 or layer 3 protocols for end-to-end encrypted networking, from IPsec and s/WAN to OpenVPN, tinc and WireGuard, will help in many ways. Once you have pointed out that the point of the latter protocols and implementations is to prevent "man-in-the-middle" attacks, your objection to the former services can be made in a sentence: They are the unnecessary man in the middle. That makes the point of the essay clear at once.

I don't understand the point about courts. Offering consumers a security service that either isn't or was not intended to be secure is obviously reachable under current law: in the latter instance through anti-fraud doctrines, in the former in tort, for damages caused by negligence. To the extent that terms of service limit liability or impose unfavorable procedure, the obstacles are the ones familiar to all consumers' rights litigation, but not different. The primary problems are evidentiary: how to prove that the services are weak, corrupt, or cause cascading security failures. The most immediate factual models are the global cryptographic trust providers, like Etisalat and the Dutch, who have turned out to be penetrated. You could also look at the business models of, e.g. Proofpoint, which also deliberately break net security through intentional M-in-the-M compromise, and why they are (currently) getting away with it.

But the real point would be to explain to people what to do instead. The browser, at layer 7, is evidently not the best way to achieve secure networking, but if you explain why there doesn't need to be a middle if you have two devices of your own, you can make the most important of all personal security steps crystal clear. Your personal server, a cheap piece of commodity hardware plugged in wherever you can command, borrow or buy a wired network connection, provides VPN services and privacy proxying for you (and can be securely bridging both to Tor, and to proxies outside national firewalls), so wherever you and your mobile device are, your traffic can be securely switched and concealed not by a possibly betraying third party, but by you. That's FreedomBox in a nutshell. You're almost ready to invent it.

If these suggestions are too technical to be useful to you, come see me and I'll try to cut through the jargon for you.


No. But you knew that already.

Nor was this. Tertiary sources aren't any good after secondary school. The point of the encyclopedias is to send you to secondary sources, not to be a sufficient basis for a researched conclusion.


r2 - 18 Nov 2023 - 20:47:19 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.