Two US senators have called for an urgent investigation into whether foreign-owned Virtual Private Networks (VPNs) represent a risk to national security.
Ron Wyden and Marco Rubio signed a joint letter to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.
It points to the popularity of mobile data-saving and VPN apps, many of which have been downloaded millions of times by Americans despite being made by companies “in countries that do not share American interests or values.”
“Because these foreign apps transmit users’ web browsing data to servers located in or controlled by countries that have an interest in targeting US government employees, their use raises the risk that user data will be surveilled by those foreign governments,” the letter continued.
In fact, they claimed, the US has already recognized these risks, by banning federal use of Kaspersky Lab products for fear of the influence of the Kremlin, and urging that Chinese telecommunications companies be locked out of competing for major infrastructure projects in the US.
“In light of these concerns we urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs, mobile data proxies and other similar apps that are vulnerable to foreign government surveillance,” the letter concluded.
“If you determine that these services pose a threat to US national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers.”
A study of the 30 most downloaded apps in the UK and US last year by Top10VPN found over half (59%) had links to mainland China.
“We found a few apps that explicitly stated that users’ internet activity was logged, which we have never seen anywhere else with VPNs. VPN policies usually state that they never ever log data,” explained head of research, Simon Migliano, at the time.
“We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy.”