A couple of weeks ago a lengthy article on Medium described how easy it is for somebody to collect data from users connected to a public WI-FI network. If you have not read it yet you should do it.
It has been an open secret for a long time that public WI-FI networks, where you do not need a unique username and password for access, are a safety hazard. Yet most people do not seem to worry at all to use them without any safety precautions. And that despite the fact that basic protection is pretty easy to accomplish, with the help of a VPN (virtual private network). As Wikipedia explains, a VPN “extends a private network across a public network”. It lets a computer or mobile device create a secure connection to a dedicated server, thus encrypting traffic that is being sent in between. While, as always, no guaranteed security exists, it is a good way to make sure your chat conversations, photo uploads and WordPress login data is not being compromised while you are connected to the open airport, hotel or café WI-FI (An increasing number of apps and sites use the TLS protocol which encrypts your data as well, but it’s not always supported).
There is a problem though: VPN usage is far from mainstream. While I do not have any statistics, just go and ask your friends if they know what a VPN is and if they use it when they are on an unsecured WI-FI connection. Most will answer no to both questions. Some will respond “yes” to the first question when they realize that they rely on a VPN to connect from home to their company network. Even though there are plenty of well-functioning and affordable VPN services out there, and even though VPN support is built into most of the leading devices and operative systems, VPNs are still a niche phenomenon. Despite their benefits.
But there is a chance that VPN technology is finally getting more attention even among mainstream users: An increasing number of Internet Service Providers (ISP) around the globe are starting to offer their customers VPN services, either complementary or for a fee, with very different purposes.
In summer reports surfaced about a service offered by the New Zealand-based ISP Slingshot. The so called “Global Mode” lets customers access media streaming sites based in other countries by pretending to be a user from the respective country. Judging from the product description, a Slingshot customer opting for Global Mode does not need to do anything. Instead Slingshot takes care of assigning a foreign IP (e.g. an U.S. IP address in order to access Netflix USA). So customers do not really have to deal with the setup of a VPN, and they do not benefit from the security advantages either (since they cannot choose when to use the VPN). But they are being introduced to the whole idea of being able to control who the servers they visit think they are, which is another benefit of a VPN: depending on the VPN provider you choose, you can get be identified by sites and apps as a person accessing from a range of different countries.
The Swedish ISP Bahnhof meanwhile is actually providing its customers with a free anonymous VPN service. By doing that, the company wants to circumvent legal requirements to store customer data for law enforcement purposes, and thus providing customers with a higher level of privacy than what they are allowed to offer for the connection to the Internet. Since many users will share the VPN services and IP address that are being used, and since Bahnhof does not have to retain VPN data, the result is an additional level of privacy. The service is designed for use on a Bahnhof-operated web connection. Nevertheless the initiative promotes the concept of VPN functionality to the customers, who are being offered an additional VPN service that they can purchase in order to encrypt their connection even on public WI-FIs.
This week, the Swiss telecommunications giant Swisscom was the latest to launch a VPN service. Unlike the previously mentioned products this one, called Safe Connect, is specifically promoted as a way to protect personal data on an open WI-FI. For a monthly fee customers can purchase access and use the Safe Connect app to initiate a secure connection whenever needed.
Whether VPN usage indeed can reach some kind of mass adoption is obviously far from certain. Even the initiatives mentioned are just a drop in the bucket. On the other hand, there are probably more ISPs out there that have come up with similar features. In the post Edward Snowden era and with constant news about massive hacker attacks and data leaks, the overall demand for better security is already changing the Internet landscape. Just the fact that WhatsApp added end-to-end-encryption to its Android app speaks volumes. Also investors are pouring money into the VPN sector. Just recently Berlin-based startup Zenmate picked up $3.2 million in financing. That would not have happened if there would be no indicators for growing demand. Hola, another free VPN provider, boasts 36 million users.
ISPs jumping on the train and offering VPN services themselves is a big step, I believe, because it leads to additional trust. Many of the existing VPN providers are somehow affiliated with the Internet “underground”, which can raise questions about reliability and trustworthiness. If major telecommunications providers run their own VPNs, that issue disappears – since users are completely “naked” to them already when surfing the web. They basically have nothing to lose. For the ISPs it is a great way to generate some additional revenue or to increase goodwill among customers.
VPNs are useful for many purposes. But alone for the fact how popular public WI-FI has become, they should belong to the basic security toolbox every users knows about and is able to run if necessary.