A Virtual Private Network (VPN) allows an organization to set up a secure and encrypted Internet connection, wherever a user is based.
By using a VPN, data transmitted between a device and a server is encrypted, providing privacy and security. The ramifications of this for end-user privacy are significant: masking an IP address, securing remote connections to private networks, and adding a layer of protection when on public Wi-Fi.
In essence, a VPN enhances your online privacy, security, and freedom by creating a virtual secure tunnel for your employees’ internet traffic. However, understanding the ethical intricacies of different countries’ approaches to VPNs is paramount for international enterprises.
On the surface, it can appear that the rules and regulations placed upon enterprises all exist for the same reason – to keep citizens safe. However, digging into the ethical terrain of VPNs and user data shows that it’s not that simple: every government has its own driving ethos.
China still represents massive economic potential: international enterprises are increasingly finding their footing in the market, and the number of externally-invested organizations continues to grow year-on-year.
For organizations with Chinese offices, VPNs represent a structural piece of network architecture, granting the ability for international collaboration. However, the CCP has a vested interest in maintaining the Great Firewall, which monitors and restricts online content for its citizens.
The authorities simultaneously acknowledge the fact that foreign investment largely depends on VPNs.
As a middle ground, enterprises may use this tooling, but only with pre-determined providers and services that comply with local censorship laws; this includes backdoor access to the contents of each data packet, so the traffic can still be monitored.
Non-compliant services face an outright ban: despite this, a black market for unapproved VPNs persists, with some providers openly advertising their ability to bypass government oversight.
While it’s tempting to condone the Chinese government’s surveillance as uniquely authoritarian, other governments around the world are placing increasing suspicion upon the exchange of information facilitated by VPNs.
Understandably so: cyberattacks are spiraling in number, and increasing geopolitical tensions shed a suspicious light on VPN tunnels’ ability to hide internet traffic. In 2018, the EU tightened its requirements on organizations’ security measures with the GDPR. The GDPR’s primary goals are to protect the personal data of EU citizens and to empower them with greater control over how their information is collected, stored, and used.
By establishing stringent guidelines and robust enforcement mechanisms, enterprises are forced to enhance customer data security. Discussions around encryption directly support the usage of enterprise VPNs.
Come 2024, however, the EU is placing increasing scrutiny upon online visibility. The Electronic Identification, Authentication and Trust Services (eIDAS) decision is an ongoing debate surrounding online accountability. The original eIDAS ruling sought to implement a European Digital Identity Wallet, a government app for storing personal information like driver’s licenses and bank cards.
More recently, eIDAS 2.0 seeks not only to confirm digital identity, but also to change how browsers handle information. One of eIDAS 2.0’s demands is for browser makers to trust government-approved Certificate Authorities (CAs). These cannot be blocked or removed from browsers’ trusted certificates, even if the CAs, or the websites they certify, would otherwise fail to meet the security requirements of the browsers’ root stores.
A government that controls such a trusted CA could issue its own certificate for any website, impersonate that website, and use a man-in-the-middle attack to intercept and decrypt HTTPS traffic between the site and its individual users.
Consequently, the government could monitor users’ online activity on the site at any time, without the browser being able to block the certificate.
In this scenario, a VPN would become ineffective for protecting web sessions, as the government would be able to intercept the traffic at the browser level regardless of the tunnel. For now, however, eIDAS 2.0 remains tightly contested – business VPNs are still important methods of enterprise protection.
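The mechanism behind this scenario is that any root a client trusts can sign a certificate for any host name, so a mandated root undermines HTTPS even inside a VPN tunnel. The usual enterprise mitigation is to verify high-value connections against an explicit allowlist of trust anchors instead of the platform store. The Go program below is an added example, not code from the original article or from Perimeter81: it constructs two throwaway roots (an organization-approved one and an externally mandated one), has each issue a certificate for the hypothetical host intranet.example.com, and shows that an allowlist verifier accepts only the certificate chained to the organization’s own root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs tmpl with parentKey and parses the result; panics are fine here because everything is constructed fixture data.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA builds a throwaway self-signed root (constructed, not a real CA).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has ca sign a server certificate for host. Any root a client trusts
// can do this for any host name, which is exactly the interception risk.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

// VerifyAgainstAllowlist validates leaf for host using only the roots the
// organization has approved, ignoring whatever the platform trust store holds.
func VerifyAgainstAllowlist(leaf *x509.Certificate, host string, allowed ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range allowed {
		roots.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario models the article's situation: one root the organization chose, one root
// clients are told to trust. Both issue a certificate for the same hypothetical host.
func Scenario() (genuineOK, impostorOK bool) {
	const host = "intranet.example.com" // hypothetical host name
	approvedCA, approvedKey := newCA("Org-Approved Root (constructed)", 1)
	mandatedCA, mandatedKey := newCA("Externally-Mandated Root (constructed)", 2)
	genuine := issueLeaf(approvedCA, approvedKey, host)
	impostor := issueLeaf(mandatedCA, mandatedKey, host)
	genuineOK = VerifyAgainstAllowlist(genuine, host, approvedCA) == nil
	impostorOK = VerifyAgainstAllowlist(impostor, host, approvedCA) == nil
	return genuineOK, impostorOK
}

func main() {
	g, i := Scenario()
	fmt.Printf("certificate from approved root accepted: %v\n", g) // true
	fmt.Printf("certificate from mandated root accepted: %v\n", i) // false
}
```

The point of the allowlist is that the decision about which roots may vouch for a host is made by the organization, in its own client or proxy configuration, rather than by whoever controls the browser’s root store; a certificate from a root outside that list fails validation even if the platform would accept it.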
In 2022, the Indian government released its latest VPN ruling: all VPN providers are required to store extensive user log data, and hand it over when requested by police and law enforcement. While not a blanket ban on VPNs, the Narendra Modi-led government has made one thing explicitly clear to Indian VPN providers:
“If you want to pull out, frankly, that is the only opportunity you have”.
With otherwise no comment on international VPNs, it’s for now assumed that relying on servers outside of India is safe.
Corporate VPNs encrypt all web traffic and route it via an intermediary server. For a piece of technology so architecturally simple, it demands a whole host of ethical considerations. Largely due to the international distribution of VPNs, an organization needs to consider its own cultural fit within a country’s wider VPN rulings.
To work this out, your VPN provider should be a partner. Alongside this, there needs to be a critical ethical and regulatory question to answer:
Knowing how your VPN provider protects your employees, data, and assets is vital to assessing its ethical fit.
End-to-end ownership allows for maximum transparency in this – furthermore, you need to confirm that they have the knowledge and skills to maintain the VPN tooling to the highest degree. An extensive public sector client list is a good sign to look for – those clients typically require the most secure and resilient solutions.
Rather than assuming your provider is handling sensitive corporate data ethically, choose a VPN partner. This partner should align not just with your security goals, but also have the cross-border scope your organization needs.
Perimeter81’s VPN replacement offers security beyond mere encryption, by segmenting network access by role, reducing latency for your teams, and bringing access visibility to the edge of your corporate network.
Get started with a demo today to see how Perimeter81 bulletproofs regulatory compliance.