The potential for a foreign-based VPN to spy on the US government is real, according to the Department of Homeland Security. But whether foreign-made VPN apps are widely used across US federal agencies is currently unknown.
"While there are advantages to the use of VPN applications, they are not without risk," DHS Cybersecurity Director Christopher Krebs told US Senator Ron Wyden (D-Oregon) in a letter made public on Tuesday.
Krebs was responding to an earlier call from Wyden and Sen. Marco Rubio (R-Florida) for the department to investigate whether foreign-owned VPN applications pose a national security risk. "Millions of consumers have downloaded these apps, some of which are made by foreign companies in countries that do not share American interests or values," the senators said at the time.
VPNs, or virtual private networks, encrypt your internet connection and route traffic through a server controlled by the VPN provider. This can make the applications appealing to consumers worried about their privacy or who want to visit the web from a server located in another part of the world.
However, VPNs do have one big privacy drawback: You're effectively pushing your internet browsing history to a server under someone else's control. This can allow them to monitor and collect your data. Although many VPN providers refrain from keeping logs on customer traffic, the senators worry foreign governments such as China and Russia could strongarm a local VPN company to hand over user data.
Krebs agrees about the potential dangers. "If a US Government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely," he said. "This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application."
Other data such as phone contacts, user history, photographs, and geolocation could be collected, Krebs warned. However, his letter refrains from supplying any evidence of actual cyberespionage occurring over a VPN application. Krebs only references public reporting about how "nation-state actors" have demonstrated the intent and capability to leverage VPN services for malicious purposes, but he doesn't point to any specific case. (In March it was revealed a suspected Iranian hacking group targeted enterprise VPN provider Citrix.)
Despite the potential threat, Krebs said DHS has rated the spying risk from VPN applications as a "low to moderate impact" on US government operations. "The number and identity of government-operated mobile devices that have downloaded foreign VPN applications is unknown. There may be no such devices," he said.
Nevertheless, the department plans to coordinate with federal government partners to reduce the security risks associated with foreign-controlled VPNs. "These efforts include establishing a common baseline of protection, guidance on risk mitigation, technical assistance, or training," Krebs said.
Whether the agency will recommend a federal ban on foreign-made VPNs isn't clear. So far, DHS hasn't commented on the letter to Wyden. However, many popular VPN providers are not based in the US or in China or Russia. They can operate in countries such as Panama, Switzerland, or Seychelles in order to avoid the risk of a major government going after their customer data.
No matter the VPN service you select, it's a good idea to read the provider's privacy policy, so you won't be caught off guard by any data-collection practices.