With so many VPN applications becoming increasingly available on Google Playstore and Apple App store, many users who make use of these applications have firm belief in the ability of the VPN service providers to protect their online privacy by making sure that communications between them and the VPN server is hidden to the rest of the world. With this assurance, users can carry on with online activities, having unhindered access to services hitherto unavailable to them. Because of this, diverse subscribers- the good, the bad, and the ugly- have all jumped on the privileges that VPN provides. The question then is how far can VPN protect a user from law enforcement agents?
VPN is short for Virtual Private Network. It is a service that allows remotes users access to an internal network by assigning them IP addresses from the internal network and ensuring that communications between the users and the VPN server remain encrypted. By dialing into a VPN server in US, a user from China, gets assigned an IP address registered to a company in US, making all services available to US internet users available to such user. Many users have been able to use this to circumvent Netflix regional restrictions and have access to Netflix contents originally not available in their region. Other users from countries where social media platforms like Facebook, Instagram and the rest are restricted have also resorted to the use of VPN to have access to these services.
Since everyone on the internet only sees your VPN provider’s assigned public IP and believes your internet traffics originate from the US when you are actually in China, does it mean when cyber attacks are launched using VPN, the user can not be fished out by law enforcement agents? There are two instances we will be looking into: a user in China who hides behind VPN to access services that have been shut down by the Chinese government and a user in Kenya who subscribes to to a VPN provider in the US and uses the service to launch an attack on a server in Malaysia.
Denying users in a particular region access to some services on the internet involves filtering all out-bound traffics from IP addresses registered to that country. Just like telephone dialing codes, the Internet Assigned Number Authority ensures easy identification of IP locations through a carefully designed method of IP assignment. When a user in China uses a VPN which assigns him/her a US address, all policies configured to deny access to IP addresses originating from China from access a particular internet service becomes ineffective. This is because the source IP has changed. At this point, how will the Chinese authorities determine that an offence has been committed, identify and punish the offender?
With the help of the ISP, the authorities can discover the use of VPN services but may not be able to find out what services were accessed using VPN especially if the servers hosting the services are not resident in China. So, can the use of VPN be said to constitute a breach? Assuming Facebook is blocked in China and a user from China uses VPN to access it, how will the authorities identify such a user. The process would involve, first of all, identifying traffics sourced in China to VPN service provders. Then get the VPN providers to share user logs. This will be counter productive as neither the VPN provider, obviously not resident in China, nor Facebook will be willing to cooperate with the Chinese authorities since the use of Facebook does not constitute an offense to them. So how then can the country ensure such issue never comes up? Simple! By ensuring that access to VPN providers outside China is block and that VPN providers in China do not provide IP addresses outside the ones registered to China. That way, all policies put in place for users in the country will be effective on VPN users.
The second scenario involves the use of VPN to carry out an attack on a server with the hope of covering up all traces. It is also used by cyber criminals to send emails and carry out romance scam via online dating sites. When a fraud is committed, either through email spamming, phishing or any other method, the unique identifier used to identify the perpetrator is the source IP. What happens when the source IP leads to US instead of the actual country where the traffic originated?
Unlike the first scenario we looked into, this could constitute a crime in all three countries involved- the country where attack originated, the country of VPN provider, and the country where attack was carried out. Authorities in these countries will have to work together to unearth the criminal. This will involve a reversed process similar to data de-encapsulation in the OSI model. First, the attacked reports to the local authorities who must then work with the owner(s) of the platform on which the attack/fraud was performed. At the end of this stage, the source IP of the attacker should have been gotten from the server. The source IP at this stage is the IP address of the VPN provider in America. The authorities, armed with evidence of the attacks extracted from the server, must then head to America and convince the VPN provider through the authorities in US to provide the original source IP of the perpetrator. With the original source IP provided, authorities in the country where the attack was initiated will then begin the process to unmask the attacker by contacting the Internet service provider that owns the source IP. The Internet service provider will then provide details of the customer who was assigned the IP address. At this point, it is game over. It could take some time but eventually, the user will be unmasked.
In conclusion, the use of VPN protects, depending on the degree of usage. It does not give you a one hundred percent protection as providers are bound by law to comply with authorities in event that such service has been used to perpetrate frauds or cyber attacks.