Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

'Get a VPN to defeat metadata retention' is good advice. Sometimes

Test shows tethering to VPN-on-smartphone is no magic data-erasing rainbow

With the kind-of-launch of the Australian government's telecommunications data retention regime, there's been a plethora of advice everywhere – from “lad mags” to the tech press to political parties – with one theme: “get a virtual private network” (VPN).

Which moves Vulture South to idly wonder: do people know that a VPN on Android might only protect data emanating from the phone, and not (for example) a laptop tethered to its WiFi?

This isn't news, it's just an observation that consumer-level advice about information security is not to be trusted. To make recommendations about security you have to be the kind of obsessive that assumes nothing, takes nothing at face value and checks everything.

Vulture South can't claim that kind of attention to detail: the issue was pointed out to us by someone else. We do, however, like to test things for ourselves, so we downloaded two copies of OpenVPN (one on the MacBook Pro, one on the Samsung S5) and set to work.

TLDR: OpenVPN on Android only protects communications originating on the phone, but not a tethered PC, as we show below.

The Test

Since OpenVPN sensibly bars Traceroute, we had to infer routing with pings. Being in Australia has a distinct advantage here: the Pacific Ocean imposes big penalties on ping times.

For all the tests in the table blow, the target was www.bigpond.com, the home of Telstra's consumer-grade internet service provider.

Device Connection Type VPN active? Average of 5 pings
MacBook Pro Ethernet No 19.8 ms
Ethernet Yes 378.70 ms
WiFi No 17.84 ms
WiFi Yes 395.14 ms
Tethered 4G No 54.22 ms
Tethered 4G Yes 35.05 ms
Phone WiFi No 20 ms
WiFi Yes 523 ms
4G No 30 ms
4G Yes 557 ms

The test clearly isn't perfect, but the salient point is that the ping time over the tethered 4G connection should not be lower with the VPN on than off. At an informed guess, the shorter ping times for a tethered connection show the VPN isn't protecting the tethered MacBook Pro. Shorter ping times almost certainly mean fewer hops, which means the VPN's taken out of the picture (we'd love to know why latency was lower with OpenVPN active, but lack the tools).

This isn't the fault of OpenVPN. It happens to be the one we tested to assess the suggestion that tethering and passing traffic through a VPN on a smartphone could be a metadata dodge.

Those in the know realise that such things have limitations.

Vulture South has asked an expert to tell us whether our suspicion is accurate: that to force a VPN client to re-route what's tethered probably needs a rooted phone.

While we wait for that response, we think we have illustrated the danger of giving careless and glib advice to ordinary consumers, who don't know enough to go beyond "a VPN will make me safe" and therefore don't ask questions. ®

 

Similar topics

Similar topics

Similar topics

TIP US OFF

Send us news


Other stories you might like