Leaf&Core

Google Wants You To Route All Your Data Through Their VPN

Reading Time: 5 minutes.
Screenshot from Google's One site, linked here

via Google

Facebook bought WhatsApp, a communication service that rivaled the usage of Facebook, Instagram, Twitter, Snapchat, and others. They spent $18 billion, on a largely unprofitable service. What lead them to decide to buy a communication service? After all, they already had Facebook Messenger. What did they need another chat app for? Well, if you can’t beat your competition, buy them, and Meta (then just “Facebook”), decided they didn’t want to compete with WhatsApp. But how’d they come to that decision? By spying on users, of course! Facebook can spy on users across the web, but how could they have known how much business they were potentially losing to a separate app? A VPN.

A VPN, or virtual private network, is a sort of secure tunnel for internet traffic. Depending on the service and how it works, data goes through one network and out another side, obscuring both the origin and the content in transmission. Websites you land on will have limited information about you, and no one can spy between your computer and the site. Popular uses for a VPN include logging into your workplace network, securing your web browsing from public WiFi sniffers, pretending to be in another country to watch TV shows, and ensuring your internet service provider (ISP) can’t spy on your network traffic. The more security-focused VPNs will encrypt your traffic, pass them through their network, and send them to your destination, ensuring no one can read your internet usage in between.

Facebook’s VPN didn’t work like that. In fact, it was basically a man-in-the-middle attack. They used it to spy on every piece of internet traffic going through their service to figure out what competitor to buy.

Why do I mention that? Well, Google wants you to know what all paid Google One subscriptions now get VPN access. Unlike Facebook, they’ve stated that user privacy is of the utmost importance, and they will not spy on users. Despite that, I still feel like I’m watching a repeat.

Google One VPN and Security

Last week, Google announced that all Google One subscribers, not just premium subscribers, will get access to their VPN. Google One gives users many features of an iCloud account, like device backup, photo storage, and, for 2TB-level premium users, a VPN service. The VPN service has been available for over a year now, but last week Google opened it up to all Google One subscribers. They may have been using it as a selling point for the top-tier service, or decided to simply use their most dedicated users to test the service out.

When Google first introduced their own VPN service, they had a third party, NCC Group, do a security review of it. If you’re in tech, the format will be familiar, so feel free to read it and the late 2022 update here. Google still had three medium-severity issues, ten low-severity issues, and nine observations in the most recent report. This isn’t too bad, and Google did fix the most dire issue from their first report, a permission escalation attack on Windows. Reading through it, it seems like the VPN by Google One is secure enough for most use. It’s not perfect. There are a number of ways that an attacker could hijack traffic on your local machine, but that’s not the real concern, is it? I think most people assume that Google’s VPN is secure from all but the most targeted and extreme external attacks. The real issue is the phone call coming from inside the house.

NCC Group did find ways that Google could violate their privacy policy. Basically, Google as a whole or just someone at Google could find ways to peek at your data, as well as track your unique user ID and tag metadata. Between both reports, Google didn’t fix these. All it would take is a loophole or slight change in the privacy policy for Google to turn this into a data vacuum, sucking up everything you use it for. We have no real proof they aren’t doing it besides Google’s word.

How valuable to you is Google’s word? For me, the fact that Google could do evil is enough for me to believe they might.


One call out I want to make that might make Android developers chuckle: Google isn’t encrypting information in SharedPreferences. NCC Group’s suggestion was to… use Google’s own Jetpack Security library for encrypted local variables. Without it, the app could expose identifying user data on a rooted device. It’s a small risk, and one that users of rooted devices understand they’re taking, it’s just funny, to me, that NCC Group’s suggestion was for Google to use Google’s libraries. The little things you miss inside a large company that, really, is like 20 normal-sized companies.


Use a VPN… Just Maybe a Different One

I’m not going to say Google’s VPN is bad, insecure, or a privacy nightmare, like I would for most of Google’s services. I doubt they’re currently using it to spy on all the data going through your VPN tunnel. I actually think this looks pretty safe. At the same time, I would not be surprised if they’ve found some loophole to grab small amounts of data in other ways. It’s just too hard to trust the devil, even if they come to you with, what appears on the surface, to be a strong promise and a good deal. Google did away with their “don’t be evil” motto a long time ago.

However, you should use a VPN. It’s not only handy for watching shows that aren’t available in your country, it’s also fantastic for privacy and security, as long as you get one from a trustworthy company. With your data encrypted in transit, and no logs stored on the servers, your actions online can be hidden from wifi sniffers and your ISP, who may want to grab that data for nefarious (and profitable) purposes. Because a VPN can also gobble up data, it’s important to pick one that focuses on privacy first. Among those I recommend ProtonVPN, from a company that makes privacy-focused email and other online tools, Mozilla VPN, from the makers of Firefox, one of the best browsers for privacy and security (and my #1 pick!), and NordVPN, one of the less expensive yet still private options. I’ve been using it for years, and many of my devices are always connected to NordVPN servers.

ProtonVPN and NordVPN specifically call out that they don’t store logs and couldn’t even hand anything over to police if they were asked, not that they’d comply with requests easily. Meanwhile, Mozilla has plenty of tools to protect your privacy that you can bundle together, like their fantastic email relay service and even phone number relaying, that enables you to spin up aliases that forward to your actual email address or phone number.

An iCloud Option

For iCloud users, there’s another option, iCloud Private Relay. The privacy features of this work much like a VPN, encrypting your data and obscuring its origin. However, you can’t change your location. It’ll either be your general area or, if you choose to limit it, your country and time zone only. These are the same limitations of Google’s VPN. Meanwhile, NordVPN, for example, lets me easily set my location to another nation, such as Germany. The EU has strong privacy laws, and Germany’s anti-hate speech laws also can make your internet viewing experience a bit more pleasant on some websites.

I’d only recommend iCloud Private Relay to people who already have an iCloud+ account, either for storage or other iCloud services, who don’t want to download another app and mostly use Apple devices, as it’s not available for Android. It is handy for non-technical people, as you can set it and forget it.

Start Focusing on Privacy Now

Whatever you do, you should start taking your privacy far more seriously. It’s never too late to start locking down your digital life. As we move into a more AI-focused world, with data being a tool that can predict our location, what we say, what we shop for, and more, it might be best to keep our private data private. Besides that, increasingly in formerly “free” countries, it’s becoming harder, even illegal, to even get basic healthcare. Women, trans people, and other LGBTQIA+ people may find their data just isn’t as safe as it used to be. Start locking it down now, before you can’t anymore. Just… perhaps don’t turn to the very companies who make their money collecting your data? Google’s one of the largest violators of your privacy, why would you trust them with everything you do online?

Google One’s VPN service certainly looks secure. While it doesn’t allow you to change your location, as other VPNs do, it does seem easy to set up for Android users. If you already have a Google One account, and haven’t used a VPN before, you may want to try it out. As for me? I spend so much time trying to keep my data away from Meta, Google, and others, and this just feels like a deal with the devil. Still, for some of Google’s most dedicated users, the devil you know is better than the unknown.


Sources and Further Reading:

 

Exit mobile version