I understand why no one would want to trust Google and after Snowden's revelations, I don't see why anyone should.
But when it comes to the largest VPNs such as ExpressVPN or Nord VPN, it is impossible to tell who is truly behind them. You cannot put a name on the physical person in charge, which is very worrying. And since the NSA is known to use front companies to spy on people [1], why couldn't they be behind all these other VPNs? At least, we know who runs Google.
Privacy enthusiasts often seem blind to this risk. I think it's quite likely that virtually all of these VPN providers are run by either state agencies or organized criminals. As the person who personally ran almost all Tor exits for a brief period in the early 2000s, I am here to tell you that if you cannot definitely identify the operator of your VPN or proxy service, then you probably should not use it.
That differs between people, I personally would not mind the NSA running ExpressVPN as a covert outlet because then I at least know for certain my is kept secret by a secure state operator that has incentives aligned with my personal interests.
Any other operator runs the risk of becoming hijacked by other state operators. If you can hack Sony, break DNC email servers, hospitals for records, manipulate Windows Server functionality or create Stuxnet, then a VPN is a cakewalk.
A VPN was until this offering from Google a trolley problem. I gladly pay for Google products because they work for me. I even upload my porn to Google Photos because of the superiority of their streaming capabilities coming from the YouTube backend.
NordVPN is incorporated in the Caymans or something like that. Partly to protect itself from all the legal stuff. In reality it's not a huge secret that its real name is Tesonet from Vilnius, Lithuania (which has a solid legal system and collaborates with the FBI, CIA, etc).
I'm pretty sure it's based in Panama and being a global brand, NordVPN must have offices in a lot of locations, but its main one is in Panama, which is a pro data privacy country. Moreover, even if some security agency would ask for user data, Nord does not keep logs and has most of its servers operate in RAM only.
Snowden's revelation that the NSA was in Google's network had their engineers pissed, and they immediately changed their architecture to make it more secure, encrypting internal connections. That doesn't make me want to use them less. And Snowden was compromised by Russia even before he went there.
> In order to provide peace of mind for our users that their activity is private from the VPN operator and from potential attackers, VPN by Google One does not log user activity on the network or other information that could reveal personally identifiable information about them. The following data is NOT logged by the VPN for a given user:
● Network traffic, including DNS
● IP addresses of the devices connecting to the VPN
So if I'm reading that correctly, they DO log who's using which IP address at which time. Which makes sense for abuse tracking, but means this really isn't the service to use for torrents.
EDIT: actually, from the whitepaper [0] it sure looks like they don't even get that much - you authenticate with one set of servers and then get a token to pass to the VPN tunnel servers via 'RSA Blind Signing', and so the tunnel servers never know the account that they're proxying data for. That's actually pretty awesome, if the service as implemented matches the service as described.
From the linked PDF in the footnotes, looks like they are rolling their own network protocol:
"At launchtime, the VPN protocol will be a Google proprietary protocol; however, to ensure a high throughput while minimizing battery consumption, we will soon adopt IPsec as the data tunnel protocol due to its native support in Android.
We may eventually use other protocols, such as Wireguard, as their native support improves or on platforms where no specific protocols have a specific advantage."
> Coming soon: Increase your online security with the VPN by Google One
Translation: Coming Soon: Tell us all about yourself and everything you do by signing up to our new service Google One. It comes with a VPN! Trust us, we won't tell!
> iOS, Windows, and Mac coming soon
It seems that some think you can fool people all the time with 'services' like this but companies like Google don't ever learn from their own mistakes. [0] [1] Phrases like 'Privacy and security is core to everything we make.' is another snake-oil tagline which is another branded trap. Not falling for this one.
> Google will never use the VPN connection to track, log or sell your browsing activity
But Google doesn't need your browsing history via the VPN connection. It only needs you to continue using the same browser you normally do, so that they can do their normal cookie tracking for Ads...
That's a pretty insightful question. If people use the outbound addresses of these VPNs for disproportionately abusive activities then the reputation of those IPs and netblocks will eventually decline. It could come to pass that you wouldn't be able to establish accounts from these IPs or, if you did, it would be in some kind of penalty box initially. That would go for all major providers, not just Google accounts.
I seriously doubt that you'll get that benefit from this service. When I use the Google VPN on my Android, my outbound IP is part of a completely separate AS they dedicate to this purpose, not on AS15169 like all Google's own outbound traffic.
What is Google One? Is this the service formerly known as Google Apps or some other service? I find it hard to keep track of all their products because they change so much.
You also get more storage for Gmail and Google Photos (if you didn't enable compression), occasional discounts/free trials for paid Google services and ability to speak to "Google experts" if you have a problem.
I am not surprised by the level of criticism in the comments here.
However, paid Google services may be cancelled but they have terms of service.
For example, Google Workplaces (used to be called GSuite) states that they use none of your data for advertising and make privacy claims. I am a relatively new customer and I believe it. On the other hand, there are good alternatives like ProtonMail and FastMail for people who don’t trust Google.
I have been paying for both ProtonMail and FastMail for quite a while, but I find my personal workflow better with Google Workplaces: things like automatic email and calendar integration and also Cloud Search that lets me search every digital artifact in my life from one place.
What finally convinced me was that both my former employer CapitalOne and also my current employer Olive AI trust Google Workplaces, so why shouldn’t I.
So the solution is for consumers to read a 60-page legal document written in font 6 for each service they subscribe to, and which may change on short (or no) notice?
Of course people make their decisions based on trust.
Well, you have great alternatives. ProtonMail is rolling out secure storage, they already have VPN service that I am currently using, and some calendar support. FastMail is also a very good all around service.
Plenty of room for people to make their own choices.
Fortunately intelligence services won't provide their snooping services for law enforcement. You can use torrent, and stay anonymous from everyone else.
Btw. other VPN services are not secure from intelligence services either. If anything NordVPN and others get extra scrutiny and monitoring allocated for them.
Can somebody explain to me what the point of this is? You cannot pirate, since Google certainly cooperates with legal entities, you cannot avoid tracking, well, because Google.
So I am really interested in an answer here: Is there any beneficial use case for this?
They say it's security? How is this more secure than regular HTTPS? What do I gain by paying for this?
"Google will never use the VPN connection to track, log, or sell your browsing activity¹"
"1. Some minimum logging is performed to ensure quality of service, but your network traffic is never logged and your IP is not associated to your activity."
Even with that fairly well spelled out promise, I trust Google about as much as I trust $RANDO_VPN, so... hardly at all?
Does this mean your incoming IP, or your outgoing IP? And if payment info or Google identity is associated with your activity, why would they need to bother associating an IP to your activity?
If you read the article then you would already know the answer to this question. They are using a blinding protocol so that the service that terminates the VPN is unaware of the identity of the user.
And yet this product is being built by an advertising company whose business model revolves around tracking your online activities to sell you to advertisers, which makes me deeply suspicious that there isn't some way using this makes you more trackable (by them) than using a different VPN.
It says that personally-identifying information is not present on the VPN endpoint and no user data is logged, only service metrics with no identifiable information. Specific data logged and not logged appears on page 4 and 5 of the whitepaper.
That's what I was getting at. It makes Fi slightly less sticky for me if I am also going to get the VPN feature with the Google One that I also pay for.
I find it strange that they’re tying this VPN to a subscription with Drive, Gmail, and Google Photos. Who cares if the VPN logs are anonymized if I’m using the VPN to upload all my files and send emails to the same account as the VPN?
Unless I’m mistaken it just appears to be for Android phones? I guess I can see some value in it, but will no doubt be heading for the Google graveyard in 18-24 months!
It's been included with their Google Fi service for a while. Unless they are planning on killing Google Fi their VPN service is going to stick around I would assume. But they did just kill off my Nest Secure I bought, which was very disappointing.
You would have to be a complete idiot to use this. You might as well put a Google Nest camera in your bedroom and let Google and their contractors watch you. Oh, wait.
Google One has customer support. Largely, Google One is paid support for Google consumer products. That's actually one of the main selling points. Since this is a feature of a particular Google One tier, it comes with support.
> 2) it will probably be cancelled in 18 months
Probably not.
> 3) they already spy on me enough with search, android, google keyboard, gmail
How would being a VPN (for Android only) provider change that? It doesn't increase Google's ability to spy on you, and it decreases other people's ability to. Which, insofar as your private information is valuable to Google, it makes sense for them to do as effectively as possible, even if you take the most cynical view of their motives.
> It doesn't increase Google's ability to spy on you
You're going to have to prove that. Your Android device doesn't send ALL your traffic to Google today. Using this would send ALL your traffic to Google. That 100% means it increases Google's ability to spy on you.
What they're doing - cryptographic blinding that separates authentication from user session - is probably the best approach at subscriber privacy I've seen so far.
Is there really an issue if it gets cancelled? You can just get a new VPN. It’s not like other google products where you’re going to lose data or have to rebuild systems.
It's still a pain setting up a new one and learning its quirks. If there was a compelling reason otherwise, might be worth it. Can't think of any upside myself, even the price isn't good.
Geographical IP relocation seems like a common reason to use it. Also just because Google may have access to some information it doesn't mean that everyone else has.
You can't stop companies from gathering information when you interact with their services but you can do things to avoid having all that information aggregated (it would require using different IP addresses for different services, so a VPN can help, among other things).
Some public networks (like those at airports and coffee shops) still do sketchy things like injecting ads into HTTP sites and breaking DNS. A VPN is a great solution to these problems.
VPNs are to allow you to connect to a private network over a public network. They are not about user privacy. Once you hit that private network, privacy is determined by other protocols, not the VPN itself.
I know he was also referencing the VPN, but this also comes with Drive storage and other "benefits" in the Google ecosystem. I mean, these days terabytes cost peanuts so it probably doesn't make a difference.
[1] https://web.archive.org/web/20131016033046/http://www.foreig...