Chinese heft in VPN and India’s vulnerability in a quantum-computing era

“The hunger of a dragon is slow to wake, but hard to sate.” ― Ursula K Le Guin.Kevin Kane and his team of five at Ambit Inc., a US-based post-quantum network-security startup founded in 2019, have been working to create a quantum-resistant virtual private network (VPN) application. The reason: China’s near-monopoly in the world’s free VPN market and the vulnerability of traditional security infrastructure in the dawning era of quantum computing. With traditional transport layer security (TLS) infrastructure becoming increasingly vulnerable with the rise of quantum computing, the startup aims to “serve as a defensive maneuvering force” for its customers. Indeed, securing networks in view of the next big computational race may be a big challenge. But at the same time, it also throws open a plethora of opportunities. So, where does India stand in this rapidly changing dynamics of cyberspace and computing?The country is a booming hub of user data and is among the most exposed in the world to cyberattacks. It ranks second in terms of VPN usage globally, according to data furnished by vpnMentor, a VPN review website. However, more than half of the leading free VPN apps available in the country over the Internet have Chinese links. One of the most-downloaded free VPN services in India is Chinese-owned Turbo VPN. It has clocked 25 million downloads in the country over the past two years. Given India’s market size in terms of VPN consumption and the standoff with China, the possession of Indian user data in Chinese clutches is unsettling. Free VPNs which are owned or operated by Chinese companies are subject to intrusion, censorship, and manipulation of the Chinese Communist Party (CCP). China’s control over the free VPN market speaks volumes about its vested interests. 78396737Furthermore, the personal data shared with VPN service providers is being protected using TLS protocol. This protocol is not only broken but also is known to have vulnerabilities that allow unscrupulous actors to intercept and record Internet traffic. This Internet traffic can be decrypted using quantum computers that have the capability to decipher even ‘gold standard’ encryptions used to secure VPNs, banking transactions, biometric data, etc. The personal information of the users using these services would be rendered vulnerable to exploitation by malicious actors.That brings us to the most important question. Is there a way out?What the future holdsSoon, quantum computers will render all encryption standards obsolete, including AES-256. The said Advanced Encryption Standard is the most common method employed currently to secure sensitive data and is considered unbreakable by the existing computing programs.“Quantum computers can be highly beneficial to scientific developments due to the new, speedy way of performing computing. However, they could be used to break currently used cryptography and undermine the protection of personal data,” says Paul Lanois, director - technology, outsourcing, and privacy at European law firm Fieldfisher.This has given rise to an urgent need for developing quantum-safe cryptography, or cryptography which doesn’t compromise security even when the attacks originate from quantum computers. For instance, the US-based National Institute of Standards and Technology has invited experts from around the world to collaborate and develop the best solution to the quantum-computing threat.According to Ambit Inc’s CEO Kane, personal information secured with standardised post-quantum cryptography gives individuals the greatest protection from would-be bad actors. Moreover, the free VPN service providers claiming to have ‘no data-logs’ policy might actually be storing and retaining user data without one’s knowledge.Kane says the startup has built AmbitVPN keeping in mind the pace of development in quantum technologies, detection, tracing, and the prying eyes of third-party organisations and, therefore, it is an effective quantum-resistant VPN, improving upon the WireGuard protocol.“Our vision is to provide what we call enduring digital privacy. We want all your Internet traffic to be encrypted by quantum-resistant cryptography,” Kane explains, adding that “We have servers all over the world and we don’t log the user’s Internet traffic. The keys you use stay on your device; we never even have them.”Improving on a modern networking protocol, WireGuard is more efficient and technologically superior than existing protocols and AmbitVPN has proved to be 1,000x faster to connect than OpenVPN. It is also able to reduce telecom throttling over a mobile network, Kane says. AmbitVPN recently entered into a co-branded VPN deal with a Singapore-based telecom company. The dragon’s eyeAmbitVPN may be the immediate security solution in the age of quantum computing, but another major threat to VPNs and personal user data — the Chinese dominance — continues to hover overhead.“It’s obvious that the CCP seeks to expand its influence around the world, especially in East Asia,” Kane points out, adding, “The CCP doesn’t like free speech. It doesn’t like individual privacy and has no distinction between private business and government business. If you are a business in China, you are controlled by the CCP. The CCP has no separation of powers, no independent judicial system to protect an individual’s rights.”What makes a country like India even more vulnerable in such a scenario is the fact that VPN data offers a treasure trove of information about the browsing behavior of users, their attitudes, beliefs, and other sensitive details. “China has a very clear vision of its digital sovereignty and is ruthless in its implementation of that vision. Part of China’s strategy is to cast a very wide net in terms of its intelligence gathering, and VPN data is a valuable source of information about foreign consumer’s Internet activity,” says Simon Migliano, head of research, Top10VPN. 78396724Coming to the attitude of Indians towards Internet and free VPN services, the country ranks third globally in terms of mobile VPN downloads with over 57 million downloads in the past one year, The Economic Times has reported, citing a report by Top10VPN. When it comes to accessing the dark web, India tops the charts with 26% of the country’s population using it, followed by Russia at 22%, according to VPNmentor.Over a 12-month period, the most popular VPN provider globally has been Turbo VPN with 51.3 million downloads, a report by Top10VPN shows. The Chinese VPN provider has a registered office in Singapore under a listed firm called Innovative Connecting. The firm has developed a number of other basic free VPNs, including VPN Proxy Master and Snap Master VPN, and is also a part of the Five Eyes — an intelligence alliance comprising Australia, Canada, New Zealand, the UK, and the US. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence. The VPN service providers’ ties with western powers along with mainland China could be a recipe for disaster. While free VPN apps seem to be popular amongst the users, the privacy policy of some of the leading VPN players is ambiguous with uncertainty around retention of user data logs and data sharing.“The lack of transparency is a major issue affecting mobile VPN apps. It’s far too easy for a VPN app to be approved for download from app stores with only the bare minimum of information about who is offering the service. There is literally no accountability in many cases,” Migliano points out.Both Google and Apple are responsible for demanding a higher standard of transparency and accountability from VPN developers. However, despite being aware of the issue, they have remained silent for long.The Chinese-owned VPN service provider updated its privacy policy to exclude the mention of transfer of users’ personal data outside of the European Economic Area to countries such as China or Singapore, after Top10VPN reported about it in its investigation.The policy now reads, “We may transfer personal information to countries other than the country in which the data was originally collected. These countries may not have the same data-protection laws as the country in which you initially provided the information. When we transfer your personal information to other countries, we will protect that information as described in this privacy policy.”While it has done away with the direct mention, the indirect reference to sharing of data is enough to incite suspicion. It goes on to say that except for limited exceptions, TurboVPN doesn’t automatically collect users’ personal information. However, it did not cite any information about the exceptions.“If there’s any ambiguity at all around data collection and sharing in a VPN privacy policy, it should immediately raise a red flag. Consumers should only use a VPN whose policies in this area are detailed, clear, and easy to understand,” says Migliano.Similarly, FortiClient, a VPN application developed by Fortinet Inc., is being used by large Indian corporations to remotely connect to their organisation’s respective networks. Last year, the California-based cybersecurity company called upon itself legal troubles from the U.S. Department of Justice over its friendly relations with China.The company’s board of directors has a member of Chinese origin. Its founder, Ken Xie, is a Chinese-born American who according to Taiwanese legislator Lin Chun-hsien is on good terms with the CCP.Last year, Fortinet settled allegations over violation of the False Claims Act and agreed to pay USD545,000 to settle claims that it illegally sold Chinese-made equipment to the US government. Fortinet acknowledged tampering with product-origin labels, which resulted in Chinese technology getting mislabelled as American and being sold to the US military.Imagine the risks if large Indian companies use applications developed by such companies to operate and transfer data. Many of these VPN service providers cannot be even easily located as they have a barren online presence and a dispersed structure at the top. Most do so to evade regulation.Migliano explains that while there are providers based in locations such as Europe with strict data regimes, many are deliberately based in territories with minimal regulation. While this may benefit users as the data is stored outside the jurisdictions of authorities that may want to gain access to it, the practice also leaves the door open to abuse by unscrupulous operators, he adds.“If a software or tool developer has no online presence, no website, and no details on the organisation, then my advice would be to stay clear from such software and not to trust the developer,” says Fieldfisher’s Lanois, who is also an attorney admitted to the bar in California, New York and District of Columbia.The bottom lineThe conversation around quantum computing, its potential, and threats has long been driven solely by global tech giants. Governments across countries, though willing to spend billions of dollars, have remained silent on whether they have developed the quantum capability or have a certain level of quantum technology already in their possession.China, which controls a hegemonic share of the free VPN market, may be downplaying its own capabilities in quantum computing to its own strategic advantage. It would be a disincentive for China — especially since it has invested multi-billion dollars in quantum computing — to admit that it can now decrypt the rest of the world.(Graphics by Mohammad Arshad)

from Economic Times https://ift.tt/2HJjmsP
via IFTTT