The Uneasy Relationship Between VPNs & Intelligence Agencies



The uneasy relationship between intelligence agencies and VPN services has been well documented over the years.

Whether it is the Snowden leaks that came to light almost a decade ago, or ExpressVPN employees reportedly questioning management as to why an executive “formerly worked on a United Arab Emirates spying and hacking operation called Project Raven,” that relationship has clearly shaped the online security landscape.

Here’s our take on the links between VPNs and intelligence agencies, and why it’s bad news for anyone who values privacy above all.

Overview of VPNs & Intelligence Agencies

It makes sense that intelligence services are interested in being able to defeat the encryption used by VPNs and other technology. Backdoor access to communications is what they strive for, and according to whistleblowers they have sought agreements with tech companies under which those companies would build special access for spy agencies into their products.

One such example is the security vendor RSA Security, which Reuters reported was paid $10 million by the NSA to favor and promote a random number generator called Dual Elliptic Curve (Dual EC). Dual EC was made the default random number generator in RSA’s BSAFE toolkit, which a wide range of RSA’s own and third-party security products were built on, so the keys those products generated came from it.

The only problem is that Dual EC can be exploited by whoever chose its constants, and those constants came from the NSA. The generator is defined by two elliptic-curve points, P and Q, and anyone who knows the secret relationship between them (a number e with P = eQ) can recover the generator’s internal state from a short run of its output and predict everything it produces afterwards, including the keys protecting encrypted data.

Dual EC was also one of the four generators that the National Institute of Standards and Technology (NIST) approved in its 2006 random number generator standard (Special Publication 800-90), with the non-regulatory government agency seen as a trusted resource. After all, in their own words: “NIST’s mission is to promote US innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

In 2014, after the Snowden documents confirmed long-standing suspicions about it, NIST withdrew Dual EC from its recommendations. The original plan appears to have been to see Dual EC implemented as widely as possible, giving intelligence agencies access to more data.
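The Dual EC weakness described above, reduced to a 19-point toy curve so that every step of the attack can be followed and checked by hand. This is an added example, not code from the article, from RSA or from NIST. The curve y^2 = x^3 + 2x + 2 over GF(17), its generator, the seed and the back-door scalar e are all constructed for the demonstration, and the state update carries a +1 that the real generator does not have (it keeps the toy state away from the point at infinity on such a small curve). Real Dual EC runs on NIST P-256 and drops the top 16 bits of each 256-bit x-coordinate; the toy drops 1 of 5 bits, so the attacker searches 2 candidate x-values instead of 65,536.

```python
# Toy reconstruction of the Dual EC DRBG back door (Shumow and Ferguson, 2007).
# Added illustration; curve, generator, seed and back-door scalar are constructed.

P_MOD = 17                     # field prime for y^2 = x^3 + 2x + 2 over GF(17)
A, B = 2, 2
G = (5, 1)                     # generator; the group has 19 points (prime order)
N = 19
TRUNC_MASK = 0b1111            # toy truncation: emit only the low 4 of 5 x bits


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                    # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


# The standard fixes two public points P and Q.  The back door is knowing a
# scalar e with e*Q == P; whoever generated Q from P that way holds e.
P = G
BACKDOOR_E = 7                                   # constructed secret
Q = ec_mul(pow(BACKDOOR_E, -1, N), P)            # e * Q == P


def next_state(s):
    # Real Dual EC: s' = x(s*P).  The +1 is a toy tweak so the state never
    # becomes 0 mod 19 (the point at infinity on this tiny curve).
    return ec_mul(s, P)[0] + 1


def output(s):
    # Real Dual EC: r = x(s*Q) with its top 16 bits removed.
    return ec_mul(s, Q)[0] & TRUNC_MASK


def dual_ec_outputs(seed, count):
    """Run the generator and return the outputs r_0 .. r_{count-1}."""
    outs, s = [], seed
    for _ in range(count):
        s = next_state(s)
        outs.append(output(s))
    return outs


def points_with_x(x):
    """All curve points with this x-coordinate (brute-force root; p is tiny)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]


def recover_state(observed):
    """Shumow-Ferguson attack.  r_0 is the truncated x of R = s_1*Q.  Enumerate
    every R consistent with r_0; then e*R = s_1*(e*Q) = s_1*P, whose x gives the
    next state.  Candidates that fail to reproduce the remaining observed outputs
    are discarded.  Returns candidates for the state that produced observed[1]."""
    r0, rest = observed[0], observed[1:]
    candidates = set()
    for x in range(P_MOD):
        if x & TRUNC_MASK != r0:
            continue
        for R in points_with_x(x):          # +R and -R give the same x(e*R)
            candidates.add(ec_mul(BACKDOOR_E, R)[0] + 1)
    survivors = []
    for s in sorted(candidates):
        t, ok = s, True
        for r in rest:
            if output(t) != r:
                ok = False
                break
            t = next_state(t)
        if ok:
            survivors.append(s)
    return survivors


def predict_after(observed, how_many):
    """Outputs the attacker expects after the observed prefix, one tuple per surviving state."""
    preds = set()
    for s in recover_state(observed):
        t = s
        for _ in range(len(observed) - 1):     # advance to the state after the prefix
            t = next_state(t)
        seq = []
        for _ in range(how_many):
            seq.append(output(t))
            t = next_state(t)
        preds.add(tuple(seq))
    return preds


if __name__ == "__main__":
    r = dual_ec_outputs(seed=3, count=4)
    print("generator output:", r)                                   # [0, 6, 3, 0]
    print("attacker saw", r[:2], "and predicts", predict_after(r[:2], 2))  # {(3, 0)}
```

Two outputs are enough here: the first pins the candidate points, the second rules out the wrong ones, and every later output is then known. On P-256 the same attack needs about 32 bytes of output and a search of 2^16 candidate points per output, which is cheap; this is why a back-doored generator set as the default in a widely deployed toolkit was so valuable to whoever held e.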

Snowden, Backdoors & the NSA

Edward Snowden is the one to thank for the majority of historical leaks surrounding VPNs, as the whistleblower confirmed what many security experts had suspected for years.

In 2013, it came to light that US and British intelligence agencies “had successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions, and emails, according to top-secret documents revealed by the former contractor.”

Currently exiled in Russia, Snowden faces up to 30 years in prison as the US Department of Justice has charged him with violating the Espionage Act.

A year later, Der Spiegel reported: “According to an NSA document dating from late 2009, the agency was processing 1,000 requests an hour to decrypt VPN connections. This number was expected to increase to 100,000 per hour by the end of 2011. The aim was for the system to be able to completely process “at least 20 percent” of these requests, meaning the data traffic would have to be decrypted and reinjected. In other words, by the end of 2011, the NSA’s plans called for simultaneously surveilling 20,000 supposedly secure VPN communications per hour.”

It serves to highlight that intelligence agencies are especially interested in VPNs, and it’s worth paying attention to how any VPN provider you plan to sign up with actually does its encryption: which protocols it supports, which ciphers and key exchanges it uses by default, and whether outdated options are still on offer.
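As an added example (not from the article, and not the OpenVPN project’s own tooling), here is a small lint for an OpenVPN client profile that flags the settings a practitioner would want tightened before trusting a provider’s configuration. The two profiles are constructed for the demo, and the checks are this example’s own hardening assumptions: AEAD data ciphers, a SHA-2 HMAC, TLS 1.2 or higher, a tls-crypt key on the control channel, server certificate purpose checking, and no compression.

```python
import re

# Added example: a lint for OpenVPN client profiles.  Not code from the article
# or the OpenVPN project; the profiles below are constructed placeholders.

WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
AEAD_CIPHERS = {"aes-256-gcm", "aes-192-gcm", "aes-128-gcm", "chacha20-poly1305"}
WEAK_AUTH = {"none", "md5", "sha1"}


def parse_profile(text):
    """Map each directive to its arguments (last occurrence wins).  Inline
    <tag>...</tag> blocks such as <ca> or <tls-crypt> are recorded as present
    without parsing their contents."""
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            opts[in_block] = ["<inline>"]
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit(text):
    """Return the list of weak or missing settings found in a client profile."""
    o, findings = parse_profile(text), []

    # Data channel: 2.5+ negotiates from data-ciphers, older profiles pin 'cipher'.
    if "data-ciphers" in o:
        ciphers = [c.lower() for c in ":".join(o["data-ciphers"]).split(":") if c]
    elif "cipher" in o:
        ciphers = [o["cipher"][0].lower()]
    else:
        ciphers = []
        findings.append("no data cipher pinned (pre-2.5 clients default to BF-CBC)")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak data cipher {c}")
        elif c not in AEAD_CIPHERS:
            findings.append(f"non-AEAD data cipher {c}")

    # HMAC: OpenVPN's default 'auth' is SHA1; a modern profile should say SHA-2.
    auth = o.get("auth", ["sha1"])[0].lower()
    if auth in WEAK_AUTH:
        findings.append(f"weak HMAC auth {auth}")

    # Control channel: pin TLS 1.2+ and wrap the handshake with a pre-shared key.
    ver = o.get("tls-version-min", [None])[0]
    if ver is None or float(ver) < 1.2:
        findings.append(f"tls-version-min {ver or 'not set'}: obsolete TLS versions allowed")
    if "tls-crypt" not in o and "tls-crypt-v2" not in o:
        if "tls-auth" in o:
            findings.append("tls-auth only: handshake authenticated but not encrypted")
        else:
            findings.append("no tls-auth/tls-crypt: handshake reachable by anyone")

    # Compression leaks plaintext through a side channel (VORACLE, 2018).
    if "comp-lzo" in o or (o.get("compress") or [""])[0].lower() in {"lzo", "lz4", "lz4-v2"}:
        findings.append("compression enabled (VORACLE-style plaintext leakage)")

    # Without a purpose check, any certificate from the CA can impersonate the server.
    if not any(k in o for k in ("remote-cert-tls", "verify-x509-name", "ns-cert-type")):
        findings.append("no remote-cert-tls server: any cert from the CA can pose as the server")
    return findings


# Constructed profiles for the demo (placeholders, not real keys or certificates).
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
placeholder
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls server
<tls-crypt>
placeholder
</tls-crypt>
<ca>
placeholder
</ca>
"""

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(prof) or "no findings")
```

The weak profile is not far from what older provider-supplied configs looked like, and every one of its findings is visible in the file before connecting; the hardened one passes because it pins AEAD ciphers, a modern HMAC and TLS version, and keeps the handshake behind a tls-crypt key.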

Crossrider/Kape

Israeli/UK-based Kape Technologies made headlines when they purchased ExpressVPN for $936 million in September 2021. At the time, we noted that they were “formerly known as Crossrider until a name change in 2018.” They decided to do so after Crossrider became synonymous with adware as the company “previously allowed third-party developers to hijack users’ browsers via malware injection while redirecting traffic to advertisers and collecting private data.”

It’s not the best start, and much is made of the fact that co-founder Koby Menachemi served as Crossrider’s Chief Executive Officer. As his LinkedIn page shows, he spent three years in Unit 8200, the Israeli equivalent of the NSA or GCHQ. It’s a soft link, and not one that should cause too much concern on its own. However, it’s another reminder that the surveillance industry isn’t always far removed from online privacy. After all, they’re often two sides of the same coin.

Dan Gericke of ExpressVPN

This leads us to the present day and the recent news that ExpressVPN’s chief technology officer Dan Gericke admitted to working on behalf of a foreign intelligence service to hack American machines. The operation was codenamed Project Raven, and the UAE used it to keep tabs on a wide range of targets, including human rights activists and journalists.

This led to Edward Snowden himself weighing in on the topic via social media.

It’s reasonably damning, and it caused staff to question why Gericke was picked in the first place. 

ExpressVPN issued a response detailing why they hired the former government contractor, arguing it would help to protect their users in the long term:

“To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.”

Why Does it Matter?

You’d have to be pretty naive to think it doesn’t matter if worldwide intelligence agencies are keeping tabs on your online movements. It’s an issue regardless of your political leaning, and it doesn’t matter whether you’ve done anything wrong. Ethically and morally, you have a right to online privacy.

For example, I’m based in the UK, and I don’t like the idea of my government spying on me, especially if they’re bypassing encryption to do so. I’m even less fond of the concept of being spied on from overseas.

Intelligence backdoors are a vulnerability like any other, and one that other countries can find and use. The Dual EC story itself ended that way: in 2015 Juniper disclosed that an unknown party had replaced the Dual EC constants in its ScreenOS firewalls with its own, which gave whoever made the change the ability to decrypt VPN traffic passing through those devices. Agencies also routinely hack each other to see what the other side has found. As the New York Times reported in 2017: “Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.”

In other words, a weakness put there for one intelligence service is likely to be found by others, or by criminals, which is bad news for every user affected.

It’s also worth noting that agencies such as the NSA or GCHQ hire the keenest minds in the business, while big data analytics keep improving, so they can sift through what they’ve collected more effectively with each passing year.

Changing privacy landscape

Times have changed since the early 2010s, and we now live in a far more privacy-conscious landscape, especially where personal data is concerned. VPNs have stepped in to fill the need for a commercial online solution, helped by open-source projects, independent audits, and a strong community of privacy experts who keep an eye on developments.

Intelligence services will continue to have a role on both sides, whether hunting for vulnerabilities or feeding what they learn into defensive work.

What to Look For From a VPN 

Ideally, the best VPN service will have no links to intelligence agencies, whether it be via ownership or staffing. All VPNs claim to have your best interests at heart, and many have taken steps to prove it. But, be sure to take a deeper look into their company before entrusting them with your data.

Third-party audits are usually the name of the game and were cited by ExpressVPN following the news about Project Raven: “To begin with, we’ll be increasing the cadence of our existing third-party audits to annually recertify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs. This is just a first step, and we will continue to strive to earn your trust.”

Here’s a rundown of three independent VPNs with an emphasis on security.

NordVPN

NordVPN is always a great choice if you’re worried about privacy, with clear ownership and a range of additional security features.

When questioned about their ownership NordVPN co-founder Tom Okman told ZDNet: “NordVPN is a leading VPN service provider in the world. Its brand is owned by Tefincom — a company based and operating under the jurisdiction of Panama. We chose Panama to incorporate NordVPN as it provides one of the best legislative environments for the security- and privacy-oriented product, while allowing other operations to remain global. NordSec is built by a team of specialists from all over the world, with offices located in Lithuania, the UK, Panama, and the Netherlands.” 

Mullvad 

Another reliable place to look is arguably Mullvad. It’s co-owned by Daniel Berntsson and Fredrik Strömberg, and they say: “Our conviction has remained unchanged through multiple serious offers of acquisition and outside investment. Words are cheap of course, but consistent action over the course of more than a decade is not.”

If you’re looking for a VPN provider that ticks the boxes for privacy and transparency, Mullvad has you covered. It is lacking in some respects, but that’s tempered by an affordable asking price and a sustainable business model that has kept the monthly fee unchanged since launch in 2009.

ProtonVPN

Our third choice would be ProtonVPN. Our review notes that: “As an offshoot of ProtonMail, they’ve made major strides over the past few years, and offer a great service when looking at the strength of their privacy features.”

It is easy to find out about ProtonVPN, thanks to a clear ownership structure and a commitment to transparency. Its address is listed on its website, and its Swiss base raises fewer jurisdictional concerns than a Five Eyes country would.

Final Thoughts

Even if you haven’t done anything wrong, it’s probably smart to be wary of intelligence agencies and governments cozying up to VPN providers. However, it is fair to say that some of the best cryptography experts have worked for Three Letter Agencies in some shape or form, and that doesn’t mean they can’t put their skills to good use for their new employers.

Perhaps it’s not as big a red flag as you might have thought, but it’s still enough to get the likes of Edward Snowden worried about the implications of weakened cryptography.

For example, in July 2019, the governments of the United Kingdom, the United States, Australia, New Zealand, and Canada issued a joint statement, concluding that: “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format. Those companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content.” 

They went on to explain their point of view: “A coalition of more than 100 child protection organizations and experts from around the world have all called for action to ensure that measures to increase privacy – including end-to-end encryption – should not come at the expense of children’s safety.”

Of course, the safety of youngsters is an exceptionally important priority, but “Think of the children” is a lazy cliché that is often used to justify censorship by exerting moral authority through emotional blackmail.

They’re asking encrypted services, VPNs included, to defeat the purpose of their business model, which is to provide an encrypted connection that can’t be read by anyone else. The fact that they’re still asking is a good thing: it means the encryption still holds. It matters even less if you pick a VPN service that keeps no logs, since there is nothing stored to hand over in the first place.
