Rep. Eshoo and Senator Wyden Urge FTC to Address Deceptive Data Practices by VPN Providers

July 14, 2022
Press Release
Letter Comes as VPNs are Being Recommended to Protect Data of Those Seeking Abortions

WASHINGTON, D.C.U.S. Rep. Anna G. Eshoo (D-CA) and Senator Ron Wyden (D-OR) urged the Chair of the Federal Trade Commission (FTC) Lina Khan to address abusive and deceptive data practices by hundreds of companies providing Virtual Private Network (VPN) services for individuals. A VPN is an online service that purports to give users more security when connecting to the internet. However, the consumer VPN industry is rife with deceptive advertising and abusive data practices.

In their letter, the lawmakers describe several abusive practices in the consumer VPN industry, including promoting false and misleading claims about their services, selling user data and providing user activity logs to law enforcement, despite promises of ‘total anonymity,’ and a lack of oversight of the industry in general. As states criminalize abortion and women are increasingly told that installing VPNs will protect them when seeking information on abortion, this breach of privacy poses a real and immediate risk to women seeking reproductive care.

The lawmakers wrote:

“In December 2021, Consumer Reports (CR) found that 75 percent of leading VPN providers misrepresented their products and technology or made hyperbolic claims about the protection they provide users on their websites, such as advertising a ‘military-grade encryption’ which doesn’t exist. Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users. We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information, putting them at a higher risk of prosecution.”

A PDF of the letter can be found HERE and the full text is below:

Dear Chair Khan,

We write to urge you to use your authority to take enforcement actions against the problematic actors in the consumer Virtual Private Network (VPN) industry, focusing particularly on those that engage in deceptive advertising and data collection practices. The VPN industry is extremely opaque, and many VPN providers exploit, mislead, and take advantage of unwitting consumers.

As the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization has amplified concerns about digital reproductive privacy, people seeking abortion are increasingly told that installing a VPN is an important step for protecting themselves when seeking information on abortion in states that have outlawed and criminalized abortion.  This advice has also been applied to general privacy-related concerns and has brought VPNs into the mainstream among American internet users and resulted in a significant market boom. 

It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations. There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims.  Interested consumers refer to online recommendations to select which VPN provider to trust, and many of the most frequently visited third-party review sites and blogs  profit from partnerships with specific providers. Even more troubling, some VPN review websites are owned by companies that also offer VPN services. 

Many popular VPN services also spread inaccurate information on their websites. In December 2021, Consumer Reports (CR) found that 75 percent of leading VPN providers misrepresented their products and technology or made hyperbolic claims about the protection they provide users on their websites, such as advertising a ‘military-grade encryption’ which doesn’t exist.  Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users.  We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information, putting them at a higher risk of prosecution.

Leading groups advise women seeking abortions that VPN with ‘no-log’ policies can be trusted to protect their data.  While many popular VPN providers aggressively market their ‘no-log’ policies which allow users to anonymously surf the web, it’s nearly impossible to verify their claims.  In various cases, VPN providers that advertise a strict ‘no-log’ policy have provided user activity logs to law enforcement.  In 2020, a report uncovered that seven VPN providers which claimed not to keep any logs of their users’ online activities left 1.2 terabytes of private user data exposed, including users’ email, home addresses, clear text passwords, IP addresses, and internet activity logs.  This is extremely harmful, especially for internet users who are now relying on VPNs to keep their reproductive health information confidential.

VPN services have also been exposed for collecting, and, in some cases, abusing, user data. In 2020 it was revealed that a leading analytics firm used personal data from over 35 million people who had downloaded one of their 20 VPN and ad-blocking apps to power their analytics platform without consent.  Notably, the apps didn’t reveal their connection to the analytics firm. Another study found that 75 percent of Android VPN apps report personal user data to third-party tracking companies and 82 percent request permissions to access sensitive resources, including user accounts and text messages. 

With abortion illegal or soon to be illegal in 13 states and severely restricted in many more, these abusive and exploitative data practices are simply unacceptable. We urge the Federal Trade Commission (FTC) to take immediate action under Section 5 of the FTC Act to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions. We also urge the FTC to develop a brochure for abortion-seekers on how best to protect their data, including a clear outline of the risks and benefits of VPN usage.

Thank you for your attention to this important matter.

Sincerely,

###