VPNs are intended to guard your privacy online, but are they also a spying threat?

That's what two US senators are worried about. On Thursday, Senators Ron Wyden (D-Oregon) and Marco Rubio (R-Florida) called on the Department of Homeland Security to investigate foreign-based VPN apps for possible national security risks.

"Millions of consumers have downloaded these apps, some of which are made by foreign companies in countries that do not share American interests or values," they wrote in a letter.

To protect your privacy, VPNs encrypts your internet connection. All the traffic from your computer is instead routed through a private server run by the VPN provider.

The approach can prevent an ISP from snooping on what websites you like to visit. But on the flip side, you're effectively pushing your internet traffic to a server under someone else's control. That has Wyden and Rubio concerned. Foreign govenments that want to spy on US government employees could compel local VPN providers to hand over their servers, the two warned in their letter.

"We urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs," reads the letter.

The two senators did not provide evidence of any VPN-based cyberespionage. But they point to recent US efforts to stop technology sales from Chinese vendor Huawei and Russian security firm Kaspersky Lab over similar spying fears.

"If US intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," the letter adds.

It isn't clear if a specific vendor or incident provoked the senators to bring up the VPN issue today. But one past study carried out by review site 10TopVPN found that many free VPN apps are based in China or have some Chinese ownership.

In response to the senators' letter, the Department of Homeland Security told PCMag: "As a matter of policy, we don't comment on congressional correspondence and will respond as appropriate."

But if DHS does conclude there's a risk, the two senators want the federal government to issue an order banning foreign-based VPN use on government computers and devices.

PCMag has reviewed many VPN services—some are based in the US, while others are based in places such as Panama, Canada, or Seychelles, meaning they operate outside of US legal jurisdiction. But knowing this information can give you a good idea about whether your VPN provider will ever need to hand over data to a local government.

Further Reading

Security Reviews