Foreign VPN apps need a close look from DHS, senators say

The Department of Homeland Security should assess the security threat posed by foreign VPN applications to U.S. government employees, a bipartisan pair of senators says.

Some popular VPN apps send a phone’s web-browsing data to servers in countries interested in targeting federal personnel, raising “the risk that user data will be surveilled by those foreign governments,” Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore., wrote in a letter to DHS Thursday. VPN providers promise to obfuscate the physical location of a web browser, but users are generally at the mercy of those companies’ decisions to collect and log data.

The senators cite government warnings about products made by Chinese telecommunications companies and Russian antivirus vendor Kaspersky Lab as examples of the surveillance that certain foreign technology can enable. (Kaspersky and Chinese companies Huawei and ZTE have denied those allegations.)

“If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia,” states the letter to Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency.

If a DHS assessment finds foreign VPN apps to be a threat to U.S. national security, the department should issue a Binding Operational Directive (BOD) barring their use on government smartphones and computers, the senators advised. In September 2017, DHS issued a BOD banning Kaspersky products on federal civilian networks.

You can read the full letter below.

[documentcloud url=”https://www.documentcloud.org/documents/5731855-020719-Wyden-Rubio-VPN-Letter-to-DHS.html” responsive=true]