A VPN is an online service that purports to give users more security when connecting to the Internet.
However, said the lawmakers, the consumer VPN industry is rife with deceptive advertising and abusive data practices.
The letter by Anna G. Eshoo (D-CA) and Ron Wyden (D-OR) describes several abusive practices in the consumer VPN industry, including promoting false and misleading claims about their services, and selling user data and providing user activity logs to law enforcement despite promises of ‘total anonymity,’ as well as a lack of oversight of the industry in general.
“We urge you to use your authority to take enforcement actions against the problematic actors in the consumer VPN industry, focusing particularly on those that engage in deceptive advertising and data collection practices,” they said.
The VPN industry is extremely opaque, and many VPN providers exploit, mislead, and take advantage of unwitting consumers, the lawmakers added.
In India, a directive from the Indian Computer Emergency Response Team (CERT-In) has also sought additional compliance requirements for all VPN providers whose users are in the country.
The new rules, to be effective from September 25, require VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
Leading VPN service providers NordVPN, Surfshark and ExpressVPN have removed their servers from India over the new directions.
The US lawmakers said it is extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations.
“There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims,” the letter read.
Many popular VPN services also spread inaccurate information on their websites.
In December 2021, Consumer Reports (CR) found that 75 per cent of leading VPN providers misrepresented their products and technology or made hyperbolic claims on their websites about the protection they provide users, such as advertising ‘military-grade encryption,’ which doesn’t exist.
Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users.
“VPN services have also been exposed for collecting, and, in some cases, abusing, user data. In 2020 it was revealed that a leading analytics firm used personal data from over 35 million people who had downloaded one of their 20 VPN and ad-blocking apps to power their analytics platform without consent,” the letter said.