With the kind-of-launch of the Australian government's telecommunications data retention regime, there's been a plethora of advice everywhere – from “lad mags” to the tech press to political parties – with one theme: “get a virtual private network” (VPN).
Which moves Vulture South to idly wonder: do people know that a VPN on Android might only protect data emanating from the phone, and not (for example) a laptop tethered to its WiFi?
This isn't news, it's just an observation that consumer-level advice about information security is not to be trusted. To make recommendations about security you have to be the kind of obsessive that assumes nothing, takes nothing at face value and checks everything.
Vulture South can't claim that kind of attention to detail: the issue was pointed out to us by someone else. We do, however, like to test things for ourselves, so we downloaded two copies of OpenVPN (one on the MacBook Pro, one on the Samsung S5) and set to work.
TLDR: OpenVPN on Android only protects communications originating on the phone, but not a tethered PC, as we show below.
Since OpenVPN sensibly bars Traceroute, we had to infer routing with pings. Being in Australia has a distinct advantage here: the Pacific Ocean imposes big penalties on ping times.
For all the tests in the table blow, the target was www.bigpond.com, the home of Telstra's consumer-grade internet service provider.
|Device||Connection Type||VPN active?||Average of 5 pings|
|MacBook Pro||Ethernet||No||19.8 ms|
|Tethered 4G||No||54.22 ms|
|Tethered 4G||Yes||35.05 ms|
The test clearly isn't perfect, but the salient point is that the ping time over the tethered 4G connection should not be lower with the VPN on than off. At an informed guess, the shorter ping times for a tethered connection show the VPN isn't protecting the tethered MacBook Pro. Shorter ping times almost certainly mean fewer hops, which means the VPN's taken out of the picture (we'd love to know why latency was lower with OpenVPN active, but lack the tools).
This isn't the fault of OpenVPN. It happens to be the one we tested to assess the suggestion that tethering and passing traffic through a VPN on a smartphone could be a metadata dodge.
Those in the know realise that such things have limitations.
Vulture South has asked an expert to tell us whether our suspicion is accurate: that to force a VPN client to re-route what's tethered probably needs a rooted phone.
While we wait for that response, we think we have illustrated the danger of giving careless and glib advice to ordinary consumers, who don't know enough to go beyond "a VPN will make me safe" and therefore don't ask questions. ®