Does using encryption and VPN make anyone suspicious?
By Ellen Timmer
Encryption and VPNs are useful tools to protect you from online woes. But the European banking regulator (EBA) and the French government thereby declare you a suspect. This is malicious and worrying. How does this all fit together? Privacy First explains.
Currently, you have few options to protect yourself from the boundless data greed of ad companies like Google and Meta (Facebook) with their 'free' products. One of the few options that do exist is to use a VPN (virtual private network), which replaces your own IP address with the IP address of the VPN server. So a VPN is useful for anyone who has concerns about tracking: tracking your browsing behaviour (by advertising companies) based on your IP address.
In addition, a VPN encrypts your internet connection, allowing you to use public Wi-Fi more securely, for example.
Another source of trouble are e-mail and messaging. Ordinary e-mail (e.g. via Outlook, Gmail or Thunderbird) is a notoriously insecure form of communication, which you can make more secure by encrypting your mail. Not surprisingly, the Dutch judiciary has chosen to only secure mail through one of the verified providers.
With a messaging application like WhatsApp, such encryption is already the case, but there is again the problem that it is a product of an advertising company (Meta/Facebook), with all its privacy risks. A good alternative to WhatsApp is the independent Signal (which also uses encryption).
Finally, it is recommended for everyone to also encrypt and secure data carriers (such as hard drives and USB sticks) against unauthorised access.
European banking regulator: VPN is suspect
The European banking regulator European Banking Authority (EBA) lives in a different world, as in a consultation paper on crime fighting by financial institutions, it assumes that the use of encrypted e-mail (such as the services recommended by the Judiciary) and the use of VPN can be indicative of criminal activity.
The EBA thinks that a customer's IP address belongs 'permanently' to a customer, which is not the case with VPN. After all, you can use a VPN service with several people, so everyone gets the IP address of the corresponding VPN server. However, the regulator says it is suspicious if the customer uses an IP address linked to multiple customers (which is precisely what is the case with VPN) or if the IP address is "inconsistent" with other information about the customer. Equally curious is that for high-risk customers, the EBA recommends checking the IP address more often to see if that IP address is also in use by other customers.
The consultation paper further shows that financial products with privacy-enhancing features may be indicative of criminality. It is a mistake for the EBA to assume that privacy-enhancing features would be wrong by definition. On the contrary, features like that are highly desirable and should definitely be promoted. After all, privacy does not mean that the customer is unknown, but that there are measures in place to prevent the unnecessary lying around of data. Something that is highly desirable given the very high number of data breaches, including in government.
French citizens suspected for encrypting their computers
The above fits well with the alarm raised by the French privacy organisation La Quadrature du Net (LQDN) recently read, in an article about French citizens suspected of terrorism by French authorities. Because they communicated via Signal, and had encrypted their hardware.
Communicating via Signal and encrypting your hardware is actually quite sensible, given the risks everyone faces from the data-grabbing practices of ad companies and criminals. LQDN is thus very angry with the French government, concluding that it demands full transparency from every citizen, under penalty of suspicion of crime or terrorism, violating citizens' data protection rights.
Data protection is needed
The above indicates the importance of reminding governments that data protection is needed to protect people.