The dangers of virtual private networks | THE DAILY TRIBUNE | KINGDOM OF BAHRAIN

The dangers of virtual private networks

With heavy reliance on the Internet, endless threats have come to life; many of them are serious enough to have major financial implications for companies and governments, not to mention the impact on national security. As a result, many countries have started enforcing laws to ensure cyber security and protect the public. One of the most controversial laws is the ban on the use of Virtual Private Networks (VPNs), since a VPN can be a tool for criminals to conduct their shady activities undetected. Let’s look at what lies behind this law.

A VPN is a secure tunnel used by many organizations to give their users secured access to corporate applications and networks. However, the use of free VPNs nowadays to guard against eavesdropping and to access applications that are banned in some countries, such as Skype, WhatsApp, Viber and others, makes it difficult for regulators and law enforcement agencies to monitor traffic or to filter authentic traffic from malicious traffic.

As a result, cyber criminals have exploited VPNs to circumvent laws and regulations covering different geographies, and local ISPs face an immense challenge in marketing their legacy/traditional voice applications and communications. Add to that the threat of ransomware, which has increased manyfold due to encrypted and VPN-based traffic carried over authentic free VPN tunnels. Most importantly, certain terrorist acts around the globe in the recent past were identified as using encrypted and VPN-based traffic to plan and execute their activities.

Currently, Internet-based traffic, especially that related to Voice over IP (VoIP) and communications, is categorized into three types. The first is white traffic (approved traffic without malicious intent), e.g. normal Internet communications like Viber, WhatsApp, Snapchat, etc. The second is grey traffic (unapproved traffic without malicious intent), e.g. Internet-based calling services; although this traffic has no malicious intent, it still robs the telephone ISPs of their international calling revenues. The third is black traffic (unapproved traffic with malicious intent), e.g. hackers using underground communication networks to sell, buy or steal. This is a problem for law enforcement agencies.

The challenge is to manage grey traffic and stop black traffic. VPN services prevent law enforcement agencies from monitoring traffic in order to prevent criminal or malicious activities.

Nonetheless, monitoring and inspecting the traffic from a security perspective is only possible if the encryption keys are shared with the regulators and authorities. This is close to impossible with most vendors, as it goes against the privacy commitment they have made to their customers. In addition, even if they agree to share the keys, in most cases there is no single monitoring authority; there are a number of authorities, and if the keys are shared with all of them, the keys are no longer confidential. The same issues were identified when some governments asked for access to BlackBerry messaging services’ records, which led to huge legal battles.

The impact of this law on grey traffic will be to cause some small VoIP service providers to shut down. However, the law will not be able to shut down black traffic for long, as hackers will create other tools or protocols to circumvent these controls. They always find other ways around any control measure. The key is to be continuously vigilant for any new mechanism or tool.

The impact on customers will be huge, especially for organizations that are certified against industry-leading standards like ISO 27001, as all such standards give priority to local or regional laws over their own recommendations and good practices. VPNs are used legitimately by corporations to secure their communication and access to their applications.

As for alternatives, given that telecommunication and Internet service providers have invested heavily in their traditional voice technologies, it will be difficult for them to achieve a return on investment in the face of competition from the major VoIP service providers. Hence, it would be good for them to step into the consumer VoIP market and provide relevant services that offer consumers flexibility at affordable prices, or to collaborate with existing service providers like WhatsApp, Viber and Skype to offer joint services. With this approach, consumers are not inconvenienced and the interests of telecommunication providers are protected.