As technology continues to develop and as citizens increasingly embrace a digital society, consumers accordingly consider methods to better protect their privacy. One method, the virtual private network (VPN), was developed in 1996 to address that need. A VPN is a secured network that protects data by creating a secure connection that shields those data from prying eyes while the user is online.1
With the advent of the Internet, new dangers arose regarding security of information that was processed online.2 VPNs were originally created with the purpose of allowing businesses to safely share data with authorized users within their own network. VPN technology has since become a versatile tool to secure anonymity of the individual users while maintaining the integrity of the data.3 In order to allow organizations to send data safely and securely, VPNs have created connections that are more secure, thereby reducing the risk of interception or hacks. While early iterations of VPNs suffered from slow transfer of data and rendered use inefficient, VPNs today are employed for a wide range of purposes.4 Businesses, for example, use VPNs to develop private connections between branch offices, allowing for safe remote access and improving workforce efficiency.5 Meanwhile, individuals can use VPNs to anonymize their behavior on the Internet or to access content that is restricted.
To understand how VPNs work, it is necessary to first explain how users connect to the Internet. When one device, like a computer or smartphone, interacts with another device, it does so through a network. The Internet is a giant network of many connections by a multitude of devices. The device that sends a request to another program is called the client, while the receiving device that processes the request is called the server.6 When data is pushed through a network, users are able to take advantage of all the Internet has to offer.7 Users usually make this connection to a network through an Internet service provider (ISP). The ISP serves as a gateway to the rest of the global network. When data is exchanged, devices send information as packets.8 A packet is a standard packaging form that breaks down into organized parts that help devices process information efficiently. The packet will contain Internet Protocol (IP) addresses for both sender and receiver as well as instructions to navigate to the correct destination, the actual data, and receipt information. Herein lies the problem. As gateways, ISPs can “view” the packets that are transmitted through them. This allows ISPs to regulate the use of their own services to manage network operations and comply with the law. But this also means that in reading such packets, ISPs gain access to user behavior and by extension, others may also gain such access. A VPN addresses this problem by creating a secure connection where packets cannot be read by the ISP.
A VPN performs its protective role as one process using three sub-steps: Authentication, Tunneling, and Encryption.
Authentication refers to the gatekeeping function within a network. Since the purpose of a VPN is to provide security and anonymity, one of the key goals is to keep unauthorized persons from entering.9 Similar to how a conductor checks tickets as passengers board a train, the network checks the credentials of the connecting device. Network administrators thus have the difficult job of maintaining authentication processes that validate credentials in a way that addresses all the potential attacks the network may face. A VPN is only as strong and useful as the method of authentication.
There are a variety of methods that can be employed to authenticate, corresponding to various levels of complexity. The most common method is encryption, which is a process of masking data from unintended recipients. Data is scrambled using a “secret language”, and are then unscrambled using a secret key, usually an algorithm that serves as a code.10 Three types of authentication that use encryption (to various degrees) include:
• The Password Authentication Protocol (PAP). PAP is one of the simplest authentication systems. When a client contacts a server, the server will respond with a challenge, requesting a user name and password. When the client responds, the name and password is sent unencrypted for authentication. The main drawback of PAP is that the lack of encryption makes this system extremely vulnerable to prying eyes. Intercepted text can be read by anyone as the lack of encryption would mean that the data would not be protected by a second layer of protection.11 Thus, an intercepting party could decipher intercepted text without any additional steps.
• The Challenge Handshake Authentication Protocol (CHAP). In CHAP, which is a slightly more complex system, a client that contacts a server receives a challenge. When the client responds, it does so using a standard encrypted algorithm and key. Thus, encrypted credentials are transmitted through to the server. For further security, CHAP sends repeated challenges intermittently throughout a connection, protecting against attempts to spoof (imitate real credentials) or take advantage of lapses12
• Extensible Authentication Protocol (EAP). In EAP, the client connects to an authenticator. The authenticator then negotiates the method of authentication. The authenticator acts as a proxy to pass the authentication information to and from the server. Once a method is agreed upon, the authentication server validates the credentials and authorizes access.13 The difference between EAP and the aforementioned methods is that EAP does not actually perform authentication; instead, it refers to the medium within which another protocol is placed.14
More recently, a new type of authentication that introduces a second layer of protection has gained popularity. Whereas the above methods employed passwords, such two-factor authentication adds another identification check in addition to a user and password combination. For example, a two-factor authentication may employ a CHAP system, then require an authentication code sent to the user by mobile phone.15
Tunneling is the heart of a VPN. A “tunnel” refers to the process of connection between a device and an endpoint. Once authenticated, a connection is made and like a physical tunnel through a mountain pass, it allows access to a destination. However, the VPN tunnel not only functions as a pathway, but also as protection. When data is sent as a packet, it conforms to a standard form that transmits data in layers. These layers contain routing information as well as the data itself. Simply put, a VPN tunnel takes a data packet that a device sends out and hides it within another medium, the network itself.
There are two types of VPN tunnels: voluntary and compulsory.16 Voluntary tunneling consists of a connection that is managed by the client. When a client connects to a network provider, like an ISP, the client will then create the tunnel to the VPN server. In a compulsory tunnel, the connection is managed by the network provider. For example, when a client makes a connection to an ISP, the ISP automatically creates a tunnel. The difference between these two configurations is that voluntary tunneling requires two steps from the client (connecting and forging the tunnel) whereas the compulsory tunneling only requires that the client connect to the ISP.17
VPNs allow users to connect remotely to a network outside the usual bounds of a local network. Thus, when a VPN tunnel is implemented, prying eyes will only be able to see that you are using a VPN. For example, an ISP would be able to detect that there is network traffic being sent back and forth with a VPN, but could not distinguish anything within the tunnel.
While tunneling is the heart of a VPN, encryption is the method by which tunneling is created and secured. The simplest and most popular way of encrypting a tunnel involves the use of Secure Sockets Layer (SSL) protocol. SSL refers to a security standard for encryption between a web server and browser.18 While there are different processes to perform encryption, the main advantage of an SSL VPN is that it only requires a traditional web browser such as Firefox or Chrome.19 Thus, SSL VPNs are easy to use and implement when compared to other types of VPNs that use specialized software that must be separately downloaded and installed.
SSL VPNs use the SSL protocol and its successor, Transport Layer Security (TLS), to create the secure connection between a client and network, and by extension the server. SSL is a common protocol that is adaptable with most web browsers and does not require any specific user expertise or effort.
In SSL, when a client reaches out to a server, the client sends cryptographic preferences which include a list of algorithms (or keys) that the client supports and can understand.20 The server then responds with a combination of algorithms from the list provided, along with other communications information and digital certificates. Next, after verifying the server certificate, the client sends a random byte string, also known as a data request, that enables both devices to compute a secret key. The secret key is a unique algorithm that is used to encrypt and decrypt data while it travels between devices. Finally, both devices will use the secret key to send each other a message indicating that the encryption process has commenced and will allow data transfers.21
While a VPN can protect data and a client’s privacy, there are some drawbacks and risks involved. VPNs facilitate anonymity and privacy on the Internet, but connections to VPNs remain limited by the quality of connection provided by an ISP.22 Thus, using a VPN to access the Internet will not change the reliability or performance of an Internet connection. Practically, because VPNs add another layer of computing, speed and reliability may actually be less efficient.23
As mentioned before, a VPN is only as strong as its authentication. Authentication processes can be subject to social engineering, viruses, and keylogging. Even if there are complex authentication processes, VPNs can be vulnerable when users are careless with their device security.24
VPNs are widely used today in workplaces to secure their networks and by individuals to maintain their privacy online. While VPNs are legal in most countries, they can be used to facilitate illegal acts. Because of the potential of VPNs to aid criminals, unauthorized VPNs are illegal in China, Iraq, and Russia, among other countries.25 Criminals and hackers will still be liable for acts committed using a VPN.
Although privacy and anonymity are strengthened, VPNs are not a full-service solution. Most VPN providers’ terms of service state that they will comply with authorities if lawful requests are made of them.26 Although they tout the value of privacy, their services do collect information about users.27 The future of VPNs remains unclear as the struggle for balancing enforcement with individual privacy continues.
VPNs are increasingly being employed to help protect and maintain user privacy online. The three steps of authentication, tunneling, and encryption allow users to make secure connections. VPN technology will continue to evolve as encryption grows more sophisticated in response to user needs. Because of the novelty of the Internet and the way people are increasingly sharing data, an understanding of security tools like virtual private networking will be fundamental towards developing balanced legal policy.