Can VPN truly protect privacy? IBM cybersecurity executive analyzes the underlying trust risks

As virtual private networks (VPN) become widely promoted “privacy tools” in the online world, related advertisements can be seen everywhere—from websites and apps to YouTube ads—highlighting anonymous browsing and protection of personal data. In response, IBM security technology executive Jeff Crume analyzes a video, starting from actual network transmission scenarios, to break down how VPNs work, their trust models, and privacy limitations, explaining that VPNs are not a cure-all but rather a “trust redistribution” tool.

Sensitive Data Going onto Public Networks, Malicious Wi-Fi as a Common Attack Method

Crume points out that when users transmit credit card numbers, ID information, or commercially valuable data over the internet, these contents are actually transmitted via “public networks,” similar to speaking loudly in public, and may be intercepted by unspecified parties.

He specifically highlights a common attack method: in public places like cafes or hotels, attackers may set up hotspots with names nearly identical to legitimate Wi-Fi networks, tricking users into connecting. Once connected, the attacker can fully intercept and view the data even before it reaches the actual internet.

Basic Principle of VPN: Establishing an Encrypted Tunnel

To address these risks, Crume explains that the core function of a VPN is to establish an encrypted transmission channel between the user’s device and the VPN service provider.

Under this architecture, all outbound data is first encrypted, sent to the VPN provider, decrypted by the provider, and then the destination is determined. The data is then re-encrypted and forwarded to the actual website. The return data follows the same process.

Therefore, external eavesdroppers, public Wi-Fi attackers, and even the user’s internet service provider (ISP) can only see that there is a connection between the user and the VPN provider, but cannot know the actual content or final destination.

The Essence of VPN: Not Eliminating Trust, but Shifting It

Crume emphasizes that whether or not a VPN is used, “trust” cannot be eliminated—only transferred. He distinguishes trust objects in different scenarios as follows:

No VPN: Users must trust their ISP and all unknown entities that might access the packets during transmission.

Enterprise VPN: Employees remotely connect to the company’s internal network, effectively placing trust in the employer, focusing on corporate security rather than personal privacy.

Third-party VPN: Users consolidate the trust originally distributed across the internet and ISP into the VPN service provider.

He straightforwardly states that the true role of VPN is to turn “trusting many people” into “completely trusting one person or organization.”

Real Risks of Third-party VPNs

Jeff Crume points out that because VPN providers must decrypt traffic midway, they can see users’ connection destinations, IP addresses, usage frequency, and even actual data content. This leads to several significant risks:

Data monetization in free VPNs: If users do not pay, providers may profit by collecting and selling data.

Security incident risks: Even if the provider has no malicious intent, a hack could lead to user data leaks.

Legal and judicial requirements: In some countries, VPN providers may be legally compelled to hand over user records.

He reminds that the key to using third-party VPNs is not whether they are “used” but whether users truly understand who they are trusting.

Self-hosted VPNs Cannot Fully Avoid Trust Issues

For users who prioritize privacy highly, Crume mentions that “setting up your own VPN” allows all infrastructure to be under personal control. However, he also points out that even then, users must trust the VPN software itself—whether open-source or commercial—since it involves trust in the code and update mechanisms, and is not risk-free.

(Tech News: Cross-strait Peace Ambassadors Say China Doesn’t Block VPNs, Just Use One and You Can Access Everything)

This article, “Can VPN Truly Protect Privacy? IBM Security Executive Analyzes Underlying Trust Risks,” originally appeared on Chain News ABMedia.