54 comments

[ 2.5 ms ] story [ 112 ms ] thread
So to hide your traffic from CoffeeShopSSIDThatMightBeLoggingEverything, route it through a Google-VPN-that's-guaranteed-to-log-everything? Nice try, Google!
The pitch is presumably "to hide your traffic from CoffeeShopSSIDThatMightBeMITMingYou, route it through a Google-VPN-that's-logging-everything-but-at-least-not-injecting-malware".

Technical users like you and I can already set up our own VPN-server-that-logs-nothing. This would serve the needs of others, who currently have the options of (a) be MITM'ed or (b) get scammed by some shady offshore company because it was the first search result for "vpn service".

That pitch is too obscure to work legitimately with most users. Hence, they will cajole users that don't understand the privacy tradeoffs through the VPNs in some other way (very much in line with their current behavior).
(comment deleted)
There may be some good here.

My vpn is often blocked at airports and the like. I doubt the would dare block a google server.

Use SSH as a SOCKS proxy on port 80 / 443.

If you want a Google Server, use Google Compute Engine :)

Everything is blocked for me at airports... Unless I pay a stupid amount of money per hour. Of course they would dare blocking Google (and anyone else) servers.
Hey look, it's yet another way to route all of your data through Google's servers. I'm certain there's no hidden agenda there.
better them, who already have most of my info, than some random coffee house with who-knows-what for security.
There are thousands of VPN providers, some better some worse, but if you pick well your data can be safe from US government. By picking Google VPN, you are essentially giving away all your privacy to inspect to NSA. Kind of funny when you think about it :)
From the screenshots, this seems more like something built into a future version of Android that might automatically engage when joining unsecured networks.

It's hard not to see an offer of at least some form of security to be a net positive in that case.

>automatically

If they don't provide an easy and apparent way to turn that off, this is the word that always sets off alarm bells in my head.

Think of it this way: this is worse than any other option, but still better than nothing. As such, it's great as an opt-out default: it steps in exactly where the users would otherwise be using "nothing", thus actually eliminating the "nothing" level as an option.
What if using google's service for your vpn would actually make it easier for them to get the data _you are trying to hide_ than compared to not involving GOOGLE as your _vpn service_ at all.

Honestly, how are everyone's alarms not going off right now? Google fiber, alright, at least I get fucking 1 gbps. Google VPN?? A VPN?? Keep Google/<substitute-3-letter-agency-of-the-day> in charge of what you use to hide your illegal torrents?? Genius.

I think it's because you're coming from a position of insufficient cynicism.

Are you torrenting, or planning terrorist acts, or whatever else, on your mobile connection? You're crazy. I would never do anything I'd want to hide from the government on my phone; it's already got that mysterious baseband coprocessor running god-knows-what with direct DMA access to main memory. Adding a VPN pipe directly to the manufacturer doesn't make me any more potentially-spied-on than I already was, since the ISP already, effectively, had arbitrary code execution and their own backchannel.

Security professionals don't avoid smartphones altogether, of course; they just use them only as conveniences for "unclassified" day-to-day operations.

(comment deleted)
VPN is a better tool for mass-surveillance, DMA access is better for targeted attacks., no ?
>doesn't make me any more potentially-spied-on than I already was

That's the logic that brought us ads plastered all across the web, with nothing sanctified, including the _content_ of the web page. 'I mean, we _already_ see them anyway, what's the difference if they're blinking/videos/popups? I mean, we don't have to look.'

And yes, I pretty much use my mobile as less as I can, just for these reasons. I'd never use it willingly as long as there's even a trace of google in android. However, can you elaborate more on the coprocessor? Maybe some additional reading? I'm very interested in what possible surveillance do they have in the hardware itself.

P.S - At this point, I'd rather use apple than google. At least apple can't tie my activities to my search results, which is an insanity that the world will come to terms with several years down the road, and then repent.

Likelihood Google is collecting your info: High to Certain.

Likelihood Bob the Tomato's Coffee Shop is collecting your info: Low.

It's not Bob I'm worried about, it's the NSA prompting Bob's ISP to watch for my MAC to connect to any of their customer's routers.
And you think the NSA is having a particular difficult time monitoring what routes through Google servers?
Okay, let me be more clear: I don't expect the NSA to care much about me. I'm a Canadian citizen. I would rather my phone automatically suggest to me a VPN that ends up piping all my data to a country that doesn't have specific reason to be interested in me, than that I route my data in-the-clear over networks that are operated by governments who do have reason to care about me (because I'm one of their citizens and their laws apply to me, and they might want to figure out if I'm breaking them, etc.)

Android phones are sold globally, remember. There are much worse places to "moor your ship", data-wise, than the US. If this VPN circumvents Chinese Internet censorship, for example, then it's a win by sheer numbers, whatever it does to US domestic citizens.

In by that you're thinking Google could legally ship that in China without China having backdoor access to it?
(comment deleted)
Hell of a lot more difficult time than they are having monitoring the coffee shop's servers
The Coffee Shop itself? Low. Other people in the coffee shop? High

Airport itself? Low Other people in the airport? High

It's not necessarily the place itself, but anywhere there's open (or easy to get) WiFi, the chance of nefarious users increases dramatically.

> Other people in the coffee shop? High

Citation needed. I get that it's trivial to actually do, but do you have any studies that show that a lot/any WiFi is being sniffed and/or MiTM'd? The most I've seen is airports and so on tracking people via MAC addresses or the WiFi AP names they request.

Google isn't holding a gun to anyone's head and making them use their services. If you feel that Google potentially having access to your data is worse than some other potential threat that can exist then by all means use that open wifi.
OR, you can use any other VPN service.

That is, if you believe the company that is operating behind it.

Like If you can really & absolutely trust any other VPN provider. The better thing to do is to have 10 VPN servers and re-route traffic among them :P
Hey look, it's an informationless comment in response to what may be an interesting find!

If you're worried about a Google VPN provided by the Google Operating System you run, I think you may have your knee-jerk circuits prioritizing incorrectly.

Arguably, that operating system is open source, and at the least, decently vetted. If you disable spyware like Google Play Services, it's likely to be reasonably safe. On the other hand, routing data through Google's servers is a distinctly different proposition.
And arguably logging everything that goes over a VPN doesn't increase the value of ads for someone that's already using you for search and email. What gain would there be there?

> Arguably, that operating system is open source, and at the least, decently vetted

The one provided pre-installed by Samsung and Verizon. Right.

> If you disable spyware like Google Play Services, it's likely to be reasonably safe.

Ah, so we're going with the "well it feels safer" school of computer security.

Do you work for Google? I don't know how you can actually argue that sending all of your traffic through Google's servers won't give them more chances to look at the traffic you are sending them.

"The one provided pre-installed by Samsung and Verizon. Right."

For the average user, yes. Developers can go deeper and install a version that's not just binary blob installed on your phone.

Don't question the Google Surveillence Machine. You'll rile up the Google Apologists.
I know. :( I make a comment, and it gets a bunch of upvotes, and then the Google fans roll in, and downvote it back into oblivion.
It's quite sad actually into what future we're running into, so many people just don't care.
If you really care, just buy a VPN connection of your own. I did, for around $50 a year - and I can connect to it on port 80, so no firewalls even get in the way. Easy.
Seems like a good place to plug one of my favorite osx apps, https://www.getcloak.com. Blocks your Wi-Fi connection on open networks until it's able to secure a vpn connection to one of the many services they use (aws, rackspace, etc)
How does Google benefit from being a VPN server? Obviously they get to track web usage patterns for analytics and reinforcing their search algorithm. But what the other thing a VPN does is hide that same information from the tunneled through networks. And who else is pushing for the use of public wifi? AT&T and Comcast. But neither of them are in the advertising business so don't have a reason to be collecting the same information that Google makes their money off of. But what Comcast and AT&T do make their money off of is providing telecommunication service. How would AT&T feel about their public wifi being used for, say, handling VOIP calls to T-Mobile telephone customers? Or Google telephone customers.

Net neutrality promises that AT&T won't be able to discriminate VOIP but Google doesn't trust them. This VPN is a hedge so they won't have their traffic interfered with when they compete directly with the traditional telecom providers.

To freeze out the likes of Verizon's X-UIDH
Some ISPs are in the advertising business to some degree, with DNS redirection and even sometimes direct ad injection. One of the other things the VPN will do, semi-ironically, is prevent this.

I suppose Google's philosophy on advertising is similar to how they feel about operating systems: if they can't make money on something, they want to ensure that no one else can, either.

If they're going to discontinue their service after a couple of years (like they did on countless occasion, last one being Google Code), then no thank you.
That's probably their next attack target. VPNs. Put out this awesome new 'secure' service for free, suddenly make everyone aware of VPNs and what they are, and how they are suddenly the most important thing for security, through subtle ads and 'techcrunch-y' articles. BAM, people start switching in droves, other reliable and cheap VPN service providers start losing business, google reader (but the service actually stays up this time, just logging like hell, and eventually becomes _necessary_ to use google services, because SECURITY!) yada yada

How is google allowed to repeat this again and again is beyond me

That's probably their next attack target. VPNs. Put out this awesome new 'secure' service for free, suddenly make everyone aware of VPNs and what they are, and how they are suddenly the most important thing for security, through subtle ads and 'techcrunch-y' articles. BAM, people start switching in droves, other reliable and cheap VPN service providers start losing business, google reader (but the service actually stays up this time, just logging like hell, and eventually becomes _necessary_ to use google services, because SECURITY!) yada yada

How is google allowed to repeat this again and again is beyond me

Based on openvpn? or what technology are they using?
I usually have a hard time connecting to VPN over public wifi, even when I use servers that are designed to be connectable even if there's a firewall in the way. This is true of servers I've set up myself and it's true of servers from commercial VPN providers like HideMyAss. Even if there isn't active manipulation or blocking from the firewall, it just seems that the connection is rarely strong or consistent enough to keep the tunnel from breaking all the time.

I have had better luck with a SOCKS proxy hosted at my home, but it's still not as good as VPN.