SECURITY TIP OF THE MONTH
Protecting your privacy online – it’s not just for criminals and hackers. Nik Rawlinson explains why we should all take steps to cover our tracks
As governments and hackers snoop on our digital traffic, the case for virtual private networks has never been stronger. So the security tip of the month? Install one. Our feature explains how to pick a winner.
Virtual Private Network (VPN) technology is perhaps best known as a sneaky way of spoofing your location so you can watch Netflix US in the UK. It’s also a valuable tool for any business with a mobile workforce, allowing employees to access the company network without having to worry about remote security. But even if you’re not trying to hide your location, or log into a corporate server, installing VPN software and subscribing to a reputable service is a must – because the number of threats to your online security is growing.
For example, it’s alarmingly easy easy for criminals to spoof a Wi-Fi network, setting up a dummy hotspot that looks like the real deal, but which allows them to spy on any data that passes between the computer and the net. Your passwords, credit card information and more could be at risk – and if you’re working remotely, sensitive customer information could also leak. That can be disastrous for your business, and it could leave you open to blackmail, or punitive fines for failing to uphold your data protection obligations.
VPNs reduce your exposure enormously, by encrypting your connection from end to end. The data that passes between your laptop, tablet or phone and the public access point is secured, and immune to even sophisticated eavesdropping. It goes without saying, however, that you do need to trust your VPN provider. And with so many to choose from, how you do pick the right one?
YOU (OFTEN) GET WHAT YOU PAY FOR
When choosing a VPN, price is an obvious comparison point – but the cheapest option almost certainly isn’t the best. It costs money to operate a VPN, so if you find a provider offering free or very cheap services, ask yourself how they’re paying the bills.
Because let’s be clear: although the connection between your laptop and the VPN is secure, the provider can see everything you’re doing, and can even interfere with your traffic. We haven’t heard of a reputable VPN provider actively snooping on its users’ data, but unscrupulous providers could insert their own content (such as adverts) into the download stream, or selectively throttle access to certain sites and services.
For these reasons, we would always recommend signing up with a paid service. You’re buying peace of mind, and an expectation of support when required.
LOCATION, LOCATION, LOCATION
Consumer VPNs often advertise the availability of exit nodes in a wide variety of countries. This is useful for accessing sites or streaming services that might not be available in the UK.
In a business context, that probably isn’t such a concern – but geographic reach is still an important issue. If you work with sensitive data that you don’t want to slip outside the legal jurisdiction of your home country, a VPN allows your staff to work from anywhere in the world, without a risk of the data being intercepted by local agencies. It’s vital to ensure your provider has access points where you need them.
A related issue is capacity. VPNs are becoming more and more popular as users become aware of the dangers of going online unprotected, so a provider that doesn’t have plenty of servers in the right places is likely to be slow today and slower tomorrow.
Since different providers have different numbers of subscribers to accommodate, it’s impossible to say how many servers is “enough” – but ask your chosen provider about load and availability, and don’t be swayed by companies that advertise thousands of servers without saying how many users they’re shared between.
PRIVACY AND THE LAW
When it comes to jurisdiction, it’s not only the outlets that are important: you also need to consider the national base of your chosen provider. The UK, US, Canada, Australia and New Zealand all operate under the “Five Eyes” (FVEY) agreement – described by Edward Snowden as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. In short, these countries routinely share surveillance data – and have been known to help one another out by spying on each others’ citizens.
So, if you choose a VPN provider based in the US, your online activities might not be immediately recorded within the UK. But if the British authorities want to know what you’ve been up to, they can easily ask their US counterparts to subpoena the provider’s records and pass them back to the UK authorities.
FVEY isn’t the only formal data sharing agreement in operation. There are additional “Nine Eyes” and “Fourteen Eyes” arrangements involving Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden. And while close allies such as Japan, Israel and South Korea might not have a legal obligation to share surveillance information, they may choose to do it anyway.
In short, if you really want to keep your browsing habits to yourself, you’ll need to find a provider based in one of the world’s more obscure jurisfictions – such as NordVPN in Panama, Perfect Privacy in Switzerland or ExpressVPN in the British Virgin Islands, all of which operate beyond Fourteen-Eyes territory.
THE ISSUE WITH LOGS
While the standard advice is to steer clear of FVEY countries, there may be benefits to choosing a provider that co-operates with the law. Back in 2011, UK-based VPN provider Hide My Ass ( hidemyass.com) was forced to hand over logs relating to the online activity of a user who had been been implicated in several major hacking operations. Some users were outraged at what they saw as a betrayal of their trust, and declared their intention to switch to a service that didn’t store such logs. Yet, as the company made clear on its blog ( blog.
hidemyass.com/lulzsec-fiasco), no-one ever promised that using a VPN would make you untouchable. “It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences,” it explained. More significantly, HMA pointed out that services claiming to keep no records at all “are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers”.
For the record, Hide My Ass states that it only logs the times at which users connect to and disconnect from its service – purely for the sake of identifying abusive users – and doesn’t store any details of what you’re actually looking at.
ADDITIONAL SECURITY
If you’re concerned that the VPN service you’re using isn’t entirely secure, or you want the highest possible degree of anonymity, it’s possible to connect to multiple VPNs in sequence, feeding their data through each other and heavily obfuscating your location and identity.
You can do this manually, by signing up with several providers and connecting to each one in turn without disconnecting any that are already active. A more elegant solution is to use a dedicated multi-hop (or “cascade”) service, which will automatically route your traffic through a series of anonymising servers. Anybody wanting to intercept your data would need to compromsie multiple different networks to obtain anything useful. Romanian provider VPN.ac implements double hops, while Switzerland’s Perfect Privacy can route your connection through up to four servers in sequence.
BEYOND THE VPN
While a VPN prevents outsiders from spying on your active connections, it offers only partial protection against services that track you using cookies, or by analysing your system configuration. After all, if the sites you visit can positively identify you, that negates some of the privacy benefits of running a VPN in the first place.
VPN providers often provide additional security features to close off such tracking methods. NordVPN incorporates an optional service called CyberSec, which not only intercepts cookies, it also blocks ads and malware. Even better, it can cut the link between DDoS command servers and an infected PC, by checking a list of servers found to be hosting malware or DDoS control points, before passing on a user’s domain look-up request to the DNS server. Any positives will throw up a warning, and unless the feature is disabled through the VPN settings, you won’t be able to proceed any further. This gives you an opportunity to deal with the infection, and saves bandwidth too.
BUSINESS VPN ADMINISTRATION
Several VPN providers offer packages tailored for business users, which simplify onboarding staff and managing both billing and use. One popular choice is Tunnelbear ( tunnelbear.com/
teams), as recommended by privacy-focused search engine DuckDuckGo ( spreadprivacy.com/how-to
choose-a-vpn). Team subscriptions offer centralised billing, easy user management and flat pricing, at $69 per user per year. Each user can connect up to five devices simultaneously.
VyprVPN, which bills itself as the world’s most powerful VPN, offers a dedicated IP address and dedicated server on its Business Cloud service, which starts at £320 per year.
It’s also possible to set up your own VPN server: the feature is conveniently built into Windows 10, and can be configured in just a few simple steps:
1O pen Control Panel and use the search box to find Network Connections. Pick “New Incoming Connection…” from the File menu and, on the pane that launches, choose which users should be able to use the VPN server you’re setting up.
2C lick
Next, confirm that you want connections to come over the internet, then click Next again. Choose which networking options should be accessible remotely (leave at least TCP/IPv4 ticked), then click Allow Access. Your VPN is now active.
3
To make it easier to connect to your VPN server, it’s a good idea to sign up for a free dynamic IP address. These days this feature is likely to be built into your router, so you can configure it from there. For example, on BT and Plusnet hubs you’ll find the relevant settings in the Advanced Settings section.
4
Finally, you need to tell your router to forward incoming connections to the VPN server. If there isn’t a predefined VPN option, you’ll need to create a new rule to forward incoming connections on port 1723 (Point-to-Point Tunnelling Protocol) to the machine hosting your VPN.
ALL-ROUND PROTECTION
Don’t make the mistake of thinking that a VPN is only for your PC. Most VPN providers allow you to make at least two simultaneous connections, so you can also use it on your phone or tablet when you want to connect to a public Wi-Fi hotspot.
You don’t even need to download an app: both iOS and Android have VPN support built-in. On iOS, you can find it under Settings | General | VPN; on Android it will be in your Wireless and Networks settings, although the precise location varies on different devices. Once you find it, just enter the server and login settings – and perhaps download and install a security certificate if prompted – and you’re ready to browse in safety.