VPNs aren't as protective as you think they are, says US Congress

Members of the US government are urging action against deceptive VPN marketing.

Two Democrats in the United States Congress have written a letter to the Federal Trade Commission to urge chair Lina Khan "to take enforcement actions against the problematic actors in the consumer Virtual Private Network (VPN) industry," based on what they consider a serious issue: "deceptive advertising and data collection practices."

The letter, from senator Ron Wyden and representative Anna G. Eshoo, comes in the wake of the Supreme Court's decision in Dobbs v. Jackson, which overturned the US's decades-long protections for abortion. One outcome of the Dobbs decision, the congresspeople write, is that VPNs are being recommended as a privacy tool amid concerns that browsing data, location history and even period tracking apps could be weaponized in states that criminalize abortion.

"As the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization has amplified concerns about digital reproductive privacy, people seeking abortion are increasingly told that installing a VPN is an important step for protecting themselves when seeking information on abortion in states that have outlawed and criminalized abortion," the letter states.

Congress' criticism of VPN practices

Wyden and Eshoo argue that the VPN industry's lack of oversight, "false and misleading claims about their services," and "selling user data and providing user activity logs to law enforcement" are pressing concerns for abortion-seekers living in states that are in the process of criminalizing it. 

The letter bases its argument on a detailed 2021 white paper by Consumer Reports, which scrutinized 16 popular VPN providers for security and data privacy. Some of the report is dense and technical, while other sections delve into the confusing and misleading marketing language that many VPNs use to puff themselves up. One popular example was "military-grade encryption"—as Consumer Reports pointed out, "there is no specific VPN standard for 'the military,' and this term is often a red flag for security professionals."

Consumer Reports' study is strong evidence that VPNs are, at the very least, not foolproof tools for online anonymity. There's a lot of data about specific providers to dig into, but here are some particular points that stood out to me: 

  • In many VPNs’ terms of service or privacy policy, there was no evidence of robust internal procedures for audits or for preventing unauthorized access by employees. And some VPNs that had third-party security audits did not make them available to the general public or conducted them inconsistently.
  • We found that every VPN company we evaluated could do better when it comes to committing to allow users to obtain the public-facing and private user information that the company holds, including users not covered under CCPA or GDPR.
  • Many of the VPNs we tested could improve by providing specific retention periods for any data they do collect.
  • Consumers should be aware that while many VPN providers indicate that they do not keep logs, this usually cannot be verified, and in many cases logs were found on the local Windows system that included usernames, emails, IP addresses, and other potentially sensitive information.
  • Not only can VPN providers see your real IP address but companies can also use many other methods to track users, such as device fingerprinting, browser fingerprinting, web cookies, tracking pixels, and more. Websites often request data that can pinpoint people’s geographic location, such as WiFi networks, device location based on GPS, cell tower identification (CDMA or GSM cell IDs), and more. Various companies collect wide-ranging data, beyond IP addresses, and sell that information to data brokers. Many of the risks that consumers use VPNs to try to protect against are already largely mitigated through the use of HTTPS. And many risks, such as social engineering, are not mitigated by using a VPN.

Consumer Reports highlighted a 2018 case in which VPN IPVanish provided user data logs to the US Department of Homeland Security, despite its website claiming it kept no logs. But other cases have proven VPNs truthful on the subject, like a 2018 hacking lawsuit in which VPN Private Internet Access testified it could not produce any traffic data in response to a subpoena.

The point is, subscribing to almost any VPN includes some degree of risk: you're taking it on faith that they really don't keep any logs, and hiding your IP address isn't the guaranteed privacy protection some VPN marketing makes it out to be.

If you're already a VPN subscriber or thinking of using one, Consumer Reports' resulting recommendations offer a concise breakdown of what to look for, and highlight three VPNs that got top marks for privacy and security. But the question now is whether the FTC will look into regulating how VPNs handle user data or how they're marketed.

Eshoo and Wyden's letter to the FTC asks the commission to "take immediate action under Section 5 of the FTC Act to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions." Section 5 broadly declares unlawful "deceptive practices" that can mislead consumers and empowers the FTC to enact complaints or penalties for those violations. But even if the FTC does turn an eye towards VPNs, it could be months or years before it has any real effect.

The letter's second request may have more immediate benefit to those seeking abortions: it asks the FTC to "develop a brochure for abortion-seekers on how best to protect their data, including a clear outline of the risks and benefits of VPN usage." 

FTC chair Lina Khan hasn't yet responded to the letter specifically, but the commission did publish a statement on July 11 that it is "committed to fully enforcing the law against illegal use and sharing of highly sensitive data." 

Wes Fenlon
Senior Editor
