Data protection


VPNs 'need better industry standards' to tackle privacy, security concerns, experts say

PUBLISHED : Thursday, 16 July, 2015, 8:00am
UPDATED : Thursday, 16 July, 2015, 8:00am

Experts and industry insiders are calling for commercial virtual private network providers to adopt more stringent privacy and security guidelines in the wake of a damning report by British and Italian researchers. 

Commercial VPNs charge customers to help them bypass internet restrictions and encrypt their internet data to avoid snoops and official surveillance. The restrictions could be imposed by a government, like China’s Great Firewall, a business or even a school.

Or at least that is the idea. But a new study released this month by researchers from the Queen Mary University of London (QMUL) and the University of Rome showed that fourteen of the world's most popular VPN services were "leaking customer data". 

"There are hundreds of commercial VPN companies out there, they don’t [care] about security or privacy," Robert Knapp, chief executive and co-founder of Bucharest-based CyberGhost VPN, told the South China Morning Post.

Knapp said that there was a lack of industry standards to ensure that VPN companies live up to minimum privacy and security requirements. 

His concerns reflect those of the British and Italian researchers, who warned that claims made by providers on security, privacy and even technical matters like download speed or number of servers "have not received a sufficiently detailed scrutiny". 

The researchers found that many supposedly impartial VPN "review" sites were in fact linked to the companies they purported to be assessing. 

Customers are exposed to large amounts of misinformation, "which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts," the report said. 

VPNs can be big business. In recent years, VPN providers HotSpot Shield and ZenMate have landed investments of US$62 million and US$3 million, respectively, while in June 2014, security firm AVG Technologies acquired VPN provider HideMyAss for US$60 million. 

Progress has been made on developing community standards, said Gareth Tyson, a lecturer at QMUL's School of Electronic Engineering and Computer Science, and one of the authors of the study. 

"I'm not sure standards in this particular area could ever be enforced in a legal sense," he said. "It would perhaps be more about getting a 'rubber stamp' for adhering to the gold standard." 

Knapp said consumers should be better educated by VPN providers about what to look for, and that more scrutiny was needed to ensure companies live up to basic privacy and security standards. 

Some VPN providers do not offer more stringent privacy protection because it can disrupt the user experience, for example by blocking websites that routinely track visitors or by displaying pop-up warnings about potential data leakage, he said.

"We lose a lot of users this way," he added.