There’s an old saying: Sometimes the cure is worse than the disease. That seems to be the case for virtual private networks (VPNs), which are suddenly very popular following the U.S. government’s recent decision to let internet service providers (ISPs) keep collecting and selling data about their customers' internet usage.
While some paid VPN services do indeed route your data anonymously through countries with stricter privacy laws, others may just be scammers trying to make a quick buck. Consider the case of MySafeVPN as a cautionary tale.
Nicholas Deleon first wrote about MySafeVPN at Motherboard after he received a suspicious email message from the "Plex VPN team." The email claimed that Plex, a popular media server app, had added a VPN arm to its business, and the VPN was known as MySafeVPN. This Plex-developed program, the message continued, would keep Anglophone users safe from their countries’ increasingly intrusive laws.
This didn't seem like something Plex would do, and indeed Scott Olechowski, Plex's co-founder, was horrified to find out about MySafeVPN’s claims and denied that his company had anything to do with MySafeVPN. Nor was Plex the only media server cited in MySafeVPN’s emails; others claimed that Boxee, a former Plex rival, was now coming back as a VPN service.
How did MySafeVPN get the email addresses of Plex and Boxee users? Both Plex and Boxee suffered data breaches a few years back, and someone with a little money to spend on the black market could easily have bought copies of those databases to acquire vast lists of email addresses.
Furthermore, MySafeVPN may not have any idea how to run a virtual private network. Troy Hunt is a well-known Australian security expert who blogs about online security and runs the invaluable HaveIBeenPwned website, which lets you check to see if your email has been part of a data breach. He, too, received the "Plex VPN team" email.
Hilariously, Hunt found that MySafeVPN's website was itself not secured with HTTPS, a free and easy method of encrypting web traffic. (Every site that requires you to log in with a password ought to be secured with HTTPS.) Furthermore, the certificate for MySafeVPN's website led to an empty, and also unsecured, page.
Rather than simply slinking off in shame, MySafeVPN has doubled down on its claims, lashing out at users on Twitter. The company claims that it has every right to claim support from such well-known companies as Microsoft, Symantec, AVG and Trend Micro, because its employees either used to work at those companies, or still do and moonlight for MySafeVPN.
Never mind the fact that Hunt looked up the company's stated address on Google Maps and learned that it seems to be headquartered in a storefront Vietnamese restaurant in Toronto. (Although in all fairness, the restaurant has a respectable 3.5 stars on Yelp.)
Unlike Hunt, Motherboard's Deleon succeeded in getting through to a human on MySafeVPN’s phone line. The results were not encouraging. The man on the other end lied to him about being affiliated with Plex. When Deleon tried to correct him, the man accused Deleon of receiving sexual favors from Plex chief Olechowski and called Deleon a "nerd in front of a computer."
The company’s bizarre behavior was not confined to phone conversations. On Twitter, a MySafeVPN employee (perhaps the same man as in the phone conversation) hurled a racial slur against Kelvin Zhang, a high school software engineering enthusiast, then accused Zhang of Photoshopping the whole exchange. A MySafeVPN employee (again, maybe the same guy) has even tried his luck on an ill-conceived Reddit thread about the service.
The point of this article isn't just to point out that you might want to think twice about using MySafeVPN. Rather, it’s to illustrate that for every boneheaded security decision the government makes, there will always be scammers, cybercriminals, and malicious hackers waiting in the wings to profit off it.
Using a VPN has pros and cons; don't buy the first one you hear about just because you're worried about corporations mining your data. (You should also be worried about shady VPN services mining your data.) Truth be told, corporations have been doing that sort of thing for a while, and while there are big political and moral issues at stake, it doesn’t pose an immediate, critical threat to your personal privacy or well-being.
Also, you probably shouldn’t give your business to companies that deal primarily in lies and verbal abuse, but it’s not as though a similar situation has never happened before.