VPN: Privacy and Anonymity For All

John Park, VPN: Privacy and Anonymity for All, 2 GEO. L. TECH. REV. 129 (2017).

VPN: PRIVACY AND ANONYMITY FOR ALL
John Park*
CITE AS: 2 GEO. L. TECH. REV. 129 (2017)
https://perma.cc/YQ5S-97HQ
INTRODUCTION
EXPLANATION
    Authentication
    Tunneling
    Encryption
RISKS
LEGAL IMPLICATIONS
CONCLUSION

INTRODUCTION

As technology continues to develop and as citizens increasingly
embrace a digital society, consumers accordingly consider methods to better
protect their privacy. One method, the virtual private network (VPN), was
developed in 1996 to address that need. A VPN is a secured network that
protects data by creating a secure connection that shields those data from
prying eyes while the user is online.1

With the advent of the Internet, new dangers arose regarding security
of information that was processed online.2 VPNs were originally created with
the purpose of allowing businesses to safely share data with authorized users
within their own network. VPN technology has since become a versatile tool
to secure anonymity of the individual users while maintaining the integrity of
the data.3 In order to allow organizations to send data safely and securely,
VPNs have created connections that are more secure, thereby reducing the risk
of interception or hacks. While early iterations of VPNs suffered from slow
transfer of data and rendered use inefficient, VPNs today are employed for a
wide range of purposes.4 Businesses, for example, use VPNs to develop
private connections between branch offices, allowing for safe remote access
and improving workforce efficiency.5 Meanwhile, individuals can use VPNs
to anonymize their behavior on the Internet or to access content that is
restricted.

* GLTR Staff Member; Georgetown Law, J.D. expected 2019; Pepperdine University, B.A. 2014. © 2017, John Park.
1 Will Nicol, Everything You Wanted to Know About VPNs, DIGITAL TRENDS (May 2, 2017, 8:00 AM), https://www.digitaltrends.com/computing/what-is-a-vpn/ [https://perma.cc/27KX-UHUU].
2 See Digital Disruptors, Cyber Security Is a Business Risk, FORBES (Oct. 11, 2017, 1:06 AM), https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it-problem/#3f23c6cf7832 [https://perma.cc/SBP7-BUNH].
3 See Adrian Bridgwater, VPNs: The Past, Present, and Future, COMPUTERWEEKLY.COM (August 2013), https://www.le-vpn.com/history-of-vpn/ [https://perma.cc/YQ7V-ZBWV].

130 GEORGETOWN LAW TECHNOLOGY REVIEW Vol 2:1

EXPLANATION

To understand how VPNs work, it is necessary to first explain how
users connect to the Internet. When one device, like a computer or
smartphone, interacts with another device, it does so through a network. The
Internet is a giant network of many connections by a multitude of devices. The
device that sends a request to another program is called the client, while the
receiving device that processes the request is called the server.6 When data is
pushed through a network, users are able to take advantage of all the Internet
has to offer. Users usually make this connection to a network through an
Internet service provider (ISP). The ISP serves as a gateway to the rest of the
global network. When data is exchanged, devices send information as
packets.8 A packet is a standard packaging form that breaks down into
organized parts that help devices process information efficiently. The packet
will contain Internet Protocol (IP) addresses for both sender and receiver as
well as instructions to navigate to the correct destination, the actual data, and
receipt information. Herein lies the problem. As gateways, ISPs can "view"
the packets that are transmitted through them. This allows ISPs to regulate the
use of their own services to manage network operations and comply with the
law. But this also means that in reading such packets, ISPs gain access to user
behavior and by extension, others may also gain such access. A VPN
addresses this problem by creating a secure connection where packets cannot
be read by the ISP.

A VPN performs its protective role as one process using three
sub-steps: Authentication, Tunneling, and Encryption.

4 See id.
5 See What Is a VPN, CISCO.COM, https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html [https://perma.cc/L96Q-B2VE].
6 Difference between Client and Server, DIFFERENCE BETWEEN, http://www.differencebetween.info/difference-between-client-and-server [https://perma.cc/5PN7-9EJW].
7 See Nicol, supra note 1.
8 What Is a Packet?, HOW STUFF WORKS (Dec. 1, 2000), http://computer.howstuffworks.com/question525.htm [https://perma.cc/GBK4-53Y8].

Authentication

Authentication refers to the gatekeeping function within a network.
Since the purpose of a VPN is to provide security and anonymity, one of the
key goals is to keep unauthorized persons from entering.9 Similar to how a
conductor checks tickets as passengers board a train, the network checks the
credentials of the connecting device. Network administrators thus have the
difficult job of maintaining authentication processes that validate credentials
in a way that addresses all the potential attacks the network may face. A VPN
is only as strong and useful as the method of authentication.

There are a variety of methods that can be employed to authenticate,
corresponding to various levels of complexity. The most common method is
encryption, which is a process of masking data from unintended recipients.
Data is scrambled using a "secret language" and is then unscrambled using a
secret key, usually an algorithm that serves as a code.10 Three types of
authentication that use encryption (to various degrees) include:

* The Password Authentication Protocol (PAP). PAP is one of the
  simplest authentication systems. When a client contacts a server, the
  server will respond with a challenge, requesting a user name and
  password. When the client responds, the name and password are sent
  unencrypted for authentication. The main drawback of PAP is that the
  lack of encryption makes this system extremely vulnerable to prying
  eyes. Intercepted text can be read by anyone as the lack of encryption
  would mean that the data would not be protected by a second layer of
  protection.11 Thus, an intercepting party could decipher intercepted
  text without any additional steps.
* The Challenge Handshake Authentication Protocol (CHAP). In CHAP,
  which is a slightly more complex system, a client that contacts a server
  receives a challenge. When the client responds, it does so using a
  standard encrypted algorithm and key. Thus, encrypted credentials are
  transmitted through to the server. For further security, CHAP sends
  repeated challenges intermittently throughout a connection, protecting
  against attempts to spoof (imitate real credentials) or take advantage of
  lapses.12
* Extensible Authentication Protocol (EAP). In EAP, the client connects
  to an authenticator. The authenticator then negotiates the method of
  authentication. The authenticator acts as a proxy to pass the
  authentication information to and from the server. Once a method is
  agreed upon, the authentication server validates the credentials and
  authorizes access. The difference between EAP and the
  aforementioned methods is that EAP does not actually perform
  authentication; instead, it refers to the medium within which another
  protocol is placed.14

More recently, a new type of authentication that introduces a second
layer of protection has gained popularity. Whereas the above methods
employed passwords, such two-factor authentication adds another
identification check in addition to a user and password combination. For
example, a two-factor authentication may employ a CHAP system, then
require an authentication code sent to the user by mobile phone.

9 See Secure VPN Authentication, IDCONTROL.COM (Nov. 2, 2017), http://www.idcontrol.com/secure-vpn-authentication [https://perma.cc/VV5K-R3JF].
10 See Whitson Gordon, A Beginner's Guide to Encryption, LIFEHACKER (Jan. 27, 2014, 11:00 AM), https://lifehacker.com/a-beginners-guide-to-encryption-what-it-is-and-how-to-1508196946 [https://perma.cc/PG56-ACN5].
11 How VPN works, MICROSOFT TECHNET (updated Mar. 28, 2003), https://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx [https://perma.cc/LLY8-EGUC].
12 Id.
13 Jim Burns, How 802.1x Authentication Works, COMPUTERWORLD (Apr. 3, 2003, 12:00 AM), https://www.computerworld.com/article/2581074/mobile-wireless/how-802-1x-authentication-works.html [https://perma.cc/VVH4-6N69].
14 Id.
15 Seth Rosenblatt & Jason Cipriani, Two-Factor Authentication, CNET (June 15, 2015, 1:39 PM), https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/ [http://perma.cc/AN29-P6SY].
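
The PAP and CHAP exchanges described in the Authentication section above, as an added example that is not part of the original article: it compares what a passive observer records in each case and shows why CHAP's repeated challenges defeat a replayed response. CHAP is shown with the MD5 response defined in RFC 1994; the user name, shared secret, and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"correct horse battery"  # constructed shared secret / password


def pap_frame(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: both fields travel in cleartext."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh challenge per round and checks the reply."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.ident = 0
        self.challenge = b""

    def new_challenge(self) -> tuple[int, bytes]:
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def verify(self, ident: int, response: bytes) -> bool:
        if ident != self.ident:
            return False
        expected = chap_response(self.ident, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    # What a passive observer records in each case.
    pap_capture = pap_frame(b"alice", SECRET)
    server = Authenticator(SECRET)
    ident, challenge = server.new_challenge()
    chap_capture = chap_response(ident, SECRET, challenge)
    first_ok = server.verify(ident, chap_capture)
    # Periodic re-challenge: the recorded response no longer matches.
    ident2, challenge2 = server.new_challenge()
    replay_ok = server.verify(ident2, chap_capture)
    fresh_ok = server.verify(ident2, chap_response(ident2, SECRET, challenge2))
    return {"pap_leaks_password": SECRET in pap_capture,
            "chap_leaks_password": SECRET in chap_capture,
            "first_ok": first_ok, "replay_ok": replay_ok, "fresh_ok": fresh_ok}
```

CHAP's protection depends on a fresh challenge in every round and on a strong shared secret; a weak secret can still be guessed from a recorded exchange.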

Tunneling

Tunneling is the heart of a VPN. A "tunnel" refers to the process of
connection between a device and an endpoint. Once authenticated, a
connection is made and like a physical tunnel through a mountain pass, it
allows access to a destination. However, the VPN tunnel not only functions as
a pathway, but also as protection. When data is sent as a packet, it conforms to
a standard form that transmits data in layers. These layers contain routing
information as well as the data itself. Simply put, a VPN tunnel takes a data
packet that a device sends out and hides it within another medium, the
network itself.
There are two types of VPN tunnels: voluntary and compulsory.16
Voluntary tunneling consists of a connection that is managed by the client.
When a client connects to a network provider, like an ISP, the client will then
create the tunnel to the VPN server. In a compulsory tunnel, the connection is
managed by the network provider. For example, when a client makes a
connection to an ISP, the ISP automatically creates a tunnel. The difference
between these two configurations is that voluntary tunneling requires two
steps from the client (connecting and forging the tunnel) whereas the
compulsory tunneling only requires that the client connect to the ISP.17
VPNs allow users to connect remotely to a network outside the usual
bounds of a local network. Thus, when a VPN tunnel is implemented, prying
eyes will only be able to see that you are using a VPN. For example, an ISP
would be able to detect that there is network traffic being sent back and forth
with a VPN, but could not distinguish anything within the tunnel.
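
The encapsulation described above, as an added example that is not part of the original article: an inner packet is encrypted whole and carried inside an outer packet, and `observer_view` parses only what an on-path party such as an ISP can read. The addresses are constructed (RFC 5737 documentation ranges), protocol number 253 is the experimental value, and the SHA-256 keystream is a stand-in for a real VPN cipher, with no integrity protection.

```python
import hashlib
import ipaddress
import os
import struct

KEY = os.urandom(32)  # constructed tunnel key, agreed after authentication
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left at 0 for illustration) plus payload."""
    header = struct.pack(
        IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack("!Q", offset)).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encapsulate(inner: bytes, client: str, vpn_server: str) -> bytes:
    """Client side: encrypt the whole inner packet, wrap it in an outer one."""
    nonce = os.urandom(12)
    body = nonce + keystream_xor(KEY, nonce, inner)
    return ipv4_packet(client, vpn_server, 253, body)


def decapsulate(outer: bytes) -> bytes:
    """VPN server side: strip the outer header and recover the inner packet."""
    body = outer[20:]
    return keystream_xor(KEY, body[:12], body[12:])


def observer_view(packet: bytes) -> dict:
    """What an on-path party can parse: the outermost header only."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "length": total}


# Constructed sample: a web request from the client's tunnel address.
INNER = ipv4_packet("10.8.0.2", "203.0.113.80", 6, b"GET /account HTTP/1.1\r\n")
OUTER = encapsulate(INNER, "192.0.2.10", "198.51.100.1")
```

The observer still learns the two tunnel endpoints, the packet sizes and the timing, which is why the ISP can tell that a VPN is in use.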

Encryption

While tunneling is the heart of a VPN, encryption is the method by
which tunneling is created and secured. The simplest and most popular way of
encrypting a tunnel involves the use of Secure Sockets Layer (SSL) protocol.
SSL refers to a security standard for encryption between a web server and
browser.18 While there are different processes to perform encryption, the main
advantage of an SSL VPN is that it only requires a traditional web browser
such as Firefox or Chrome.19 Thus, SSL VPNs are easy to use and implement
when compared to other types of VPNs that use specialized software that must
be separately downloaded and installed.

SSL VPNs use the SSL protocol and its successor, Transport Layer
Security (TLS), to create the secure connection between a client and network,
and by extension the server. SSL is a common protocol that is adaptable with
most web browsers and does not require any specific user expertise or effort.

In SSL, when a client reaches out to a server, the client sends
cryptographic preferences which include a list of algorithms (or keys) that the
client supports and can understand.20 The server then responds with a
combination of algorithms from the list provided, along with other
communications information and digital certificates. Next, after verifying the
server certificate, the client sends a random byte string, also known as a data
request, that enables both devices to compute a secret key. The secret key is a
unique algorithm that is used to encrypt and decrypt data while it travels
between devices. Finally, both devices will use the secret key to send each
other a message indicating that the encryption process has commenced and
will allow data transfers.21

16 Bradley Mitchell, VPN Tunnels Tutorial, LIFEWIRE (July 21, 2017), https://www.lifewire.com/vpn-tunneling-explained-818174 [https://perma.cc/9QF9-F6JS].
17 Id.
18 What Is Secure Sockets Layer?, WEBOPEDIA, https://www.webopedia.com/TERM/S/SSL.html [https://perma.cc/4PJ8-V7V6].

RISKS

While a VPN can protect data and a client's privacy, there are some
drawbacks and risks involved. VPNs facilitate anonymity and privacy on the
Internet, but connections to VPNs remain limited by the quality of connection
provided by an ISP.22 Thus, using a VPN to access the Internet will not
change the reliability or performance of an Internet connection. Practically,
because VPNs add another layer of computing, speed and reliability may
actually be less efficient.23

As mentioned before, a VPN is only as strong as its authentication.
Authentication processes can be subject to social engineering, viruses, and
keylogging. Even if there are complex authentication processes, VPNs can be
vulnerable when users are careless with their device security.24

19 Margaret Rouse, SSL VPN, TECHTARGET, http://searchsecurity.techtarget.com/definition/SSL-VPN [https://perma.cc/89HE-A37Q].
20 An Overview of the SSL or TLS Handshake, IBM KNOWLEDGE CTR. (Oct. 14, 2017, 12:44 PM), https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm [https://perma.cc/3U3T-NN97].
21 Id.
22 Bradley Mitchell, What Are the Advantages and Benefits of a VPN, LIFEWIRE (July 17, 2017), https://www.lifewire.com/advantages-and-benefits-of-a-vpn-818178 [https://perma.cc/WY7N-MBJW].

LEGAL IMPLICATIONS

VPNs are widely used today in workplaces to secure their networks
and by individuals to maintain their privacy online. While VPNs are legal in
most countries, they can be used to facilitate illegal acts. Because of the
potential of VPNs to aid criminals, unauthorized VPNs are illegal in China,
Iraq, and Russia, among other countries. Criminals and hackers will still be
liable for acts committed using a VPN.
Although privacy and anonymity are strengthened, VPNs are not a
full-service solution. Most VPN providers' terms of service state that they will
comply with authorities if lawful requests are made of them.26 Although they
tout the value of privacy, their services do collect information about users.27
The future of VPNs remains unclear as the struggle for balancing enforcement
with individual privacy continues.

CONCLUSION

VPNs are increasingly being employed to help protect and maintain
user privacy online. The three steps of authentication, tunneling, and
encryption allow users to make secure connections. VPN technology will
continue to evolve as encryption grows more sophisticated in response to user
needs. Because of the novelty of the Internet and the way people are
increasingly sharing data, an understanding of security tools like virtual
private networking will be fundamental towards developing balanced legal
policy.

23 N. Madisen, What Are the Disadvantages of a VPN?, WISEGEEK (Oct. 24, 2017), http://www.wisegeek.org/what-are-the-disadvantages-of-a-vpn.htm [https://perma.cc/LHS2-GD93].
24 Steven Song, SSL VPN Security, CISCO, https://www.cisco.com/c/en/us/about/security-center/ssl-vpn-security.html [https://perma.cc/YY89-GD7Y].
25 Harsh Maurya, Are VPNs Legal?, VPN MENTOR, https://www.vpnmentor.com/blog/are-vpns-legal/ [https://perma.cc/72QW-BDSD].
26 See id.
27 See id.