Friday, October 8, 2021

The Business of VPNs

Brian X. Chen (via Roustem Karimov):

The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.

Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records.


For several years, I subscribed to a popular VPN service called Private Internet Access. In 2019, I saw the news that the service had been acquired by Kape Technologies, a security firm in London. Kape was previously named Crossrider, a company that had been called out by researchers at Google and the University of California for developing malware.

In the last five years, Kape has also bought several other popular VPN services, including CyberGhost VPN, Zenmate and, just last month, ExpressVPN in a $936 million deal. This year, Kape additionally bought a group of VPN review sites that give top ratings to the VPN services it owns.

Nick Heer:

According to a May 2021 Restore Privacy report, Kape bought Webselenese and its vpnMentor and Wizcase review websites. Both websites aggressively push their top three picks which, funny enough, are all owned by Kape. Wizcase also publishes reviews of security software, and picks Intego as the best antivirus software for the Mac; Kape also owns Intego.

But if you were browsing either review website, you would probably miss Kape’s ownership. While a legitimate news organization would typically display conflicts of interest in immediate context, the word “Kape” appears nowhere in the on-page text, nor does it appear on the dedicated ExpressVPN review page. Wizcase’s “About” page says that the review site “believe[s] in transparency” and the footer on every page claims that it is an “independent review site”. vpnMentor says that its “reviews are not based on advertising” and its claims of honesty make it a “powerful transparency tool for the internet”.

Joseph Menn (via Hacker News):

When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.

Nick Heer:

This is a more comprehensive look at ExpressVPN’s sketchy history and its ownership that leave me with the impression that the world of VPNs is mostly bullshit. The honest take is that these products help users circumvent geographic restrictions, particularly for things like streaming services. I am convinced that, if streaming companies and media rightsholders were less concerned with nit-picking contracts and more focused on providing a great experience, there would be far less demand among everyday users for VPNs.


8 Comments

I had been running ExpressVPN a year ago but didn't like the connection time so I disabled it and went for NordVPN. After reading the article I deleted everything that had ExpressVPN on it.

I thought the idea was to be reasonably anonymous so those sniffing your traffic had a more difficult time putting together a profile. A directed attack on a VPN by one player could end up providing them a history dump that includes everything about a session that could also include info that identifies you, but the size of a dump for just one VPN location for just a few days would be MASSIVE, right? Sort of like the undated resignation letters Huey Long allegedly made folks sign, perhaps (who knows what “secrets” of your internet life live in a dump that could be sold soon) you’ve got something personally damning somewhere, but Google and Amazon aren’t 100% sure it’s you and probably will never see it.

TL;DR - Isn’t this lack of “safety” a completely different game than simply wanting to interact digitally with extra anonymity? And the latter is why you use a vpn, right?

Not to defend PIA specifically, but I find it interesting that they have been around for a long time, are pretty renowned for their no-logging policy, and yet no one in the Apple-Centric podcast / blog / media community ever talked about them (and they're supposed to be aware of tech, right?), unless it's recently to criticise them, and the whole VPN industry, now that Apple is offering a VPN-Like service. Also of note that most VPN providers haven't advertised with Apple-centric media influencers until recently.

It's somewhat amusing to see Google, who literally spies on everything that happens on their platforms as their revenue model, calling out someone else for being "spyware".

As for why use a VPN if web security is so good? Primarily, it's to shield your internet connection from your own ISP.

Try living in a country where the laws require your ISP to store your entire internet connection's metadata history, which is available without a court order, by both governmental, and non-governmental organisations, down to your local suburb's council, or animal-protection charities with prosecutorial powers. Or, where any employee of any company (and Apple has employees here) can be compelled to provide security compromises to a company's products to facilitate government access, with significant jail terms for refusing to comply, and resigning to "avoid the problem" is considered non-compliance.

>As for why use a VPN if web security is so good? Primarily, it's to shield your internet connection from your own ISP.

Yes, but now the tricky question becomes: can you trust your VPN provider more than your ISP? Or perhaps even less?

@someone I mentioned PIA twice in 2015, used the product myself, and have been covering both sides of the VPN issue since long before iCloud Private Relay. My point is not that VPNs are bad but that the situation isn’t as simple as it’s often portrayed, and whether the tradeoffs make sense for you depends on your particular situation.

If you need true anonymity with high performance, check out - they're based in Sweden where they're not required to keep logs, and thus won't.

@Soren I can trust my VPN provider, who doesn't maintain a physical business presence in my country, more than I trust my federal government, and federal police service. My VPN's business is worth more to them than my net worth, and if they break their word to one client, they break it to all of them.

A government has no substantial competition - it's not like you can elect a different country to manage your own, merely a different team in the sporting game of politics, who rely on the same federal policing and security apparatus, and largely have a greater affinity and loyalty to those they politically oppose, than they do to the electorate.
