Security Experts:

Google Announces New VPN for Google One Customers

Google announced on Thursday that Google One customers can now use a new virtual private network (VPN) service that will provide them an extra layer of protection when they go online.

Google One is a subscription-based cloud storage and backup service. The new VPN by Google One is available to customers who have subscribed to a 2 TB plan or higher. The 2 TB plan costs $9.99 per month or $99.99 per year.VPN by Google One

The VPN service will initially only be available in the United States on Android — it will be rolled out over the next weeks and it can be enabled from the Google One app.

However, Google says it plans on expanding it to more countries and operating systems — including Windows, macOS and iOS — in the coming months.

“We already build advanced security into all our products, and the VPN extends that security to encrypt all of your phone’s online traffic, no matter what app or browser you’re using,” said Larissa Fontaine, director of Google One. “The VPN is built into the Google One app, so with just one tap, you can rest assured knowing your connection is safe from hackers.”

Google has also released a whitepaper with some technical details on its new VPN, as well as the source code for the client library to allow users and experts to check how it handles data.

The company says the VPN does not log user activity or data that could reveal personally identifiable information. This includes network traffic, IP address, connection timestamp, or the bandwidth used.

“We will have external security experts audit VPN by Google One end to end, including the server-side implementation, and publish a report on our VPN privacy protections,” Google said in its whitepaper.

While the VPN offer might seem attractive to some users, security experts are not convinced that Google will not use any data for its own benefit.

“A VPN by one of the largest data collection companies in the world is a scary thought,” Joseph Carson, chief security scientist and Advisory CISO at PAM solutions provider Thycotic, told SecurityWeek. “This initially makes me think that it is not exactly a VPN product which is meant to be a virtual private network which typically means that no one can see your data requests. This might be more of a No One Else But Us (NOEBU) will get your data. When products advertise themselves as a VPN, it must be absolutely clear about who it protects against and also whom it is giving access to your entire data communications history to. I hope that this is truly a security motive to make people safe from cybercrime and not one to try and get more data under the disguise of a security solution.”

Dirk Schrader, global VP at New Net Technologies (NNT), a provider of IT security and compliance software, commented, “The Google VPN service is nothing more than a bloated ‘security feature’. It encrypts the last mile, however, that doesn’t solve the issue with these apps that are using weak encryption or no encryption at all. It simply moves the point where the data will be unprotected to a different place, the tunnel end of Google’s side.

“This VPN feature might make it more difficult to conduct Wi-Fi attacks, but not much more. When Google states that the VPN will hide the user’s location to prevent third parties from tracking them, what is the use of this protection if Google sells the collected data to the exact same third party? Google should use its powers and knowledge to help these app developers apply stronger encryption, instead of deviating from the real problem.”

*updated with comments from security experts

Related: No Patch for VPN Bypass Flaw Discovered in iOS

Related: Industrial Systems Can Be Hacked Remotely via VPN Vulnerabilities

Related: Juniper Launches Adaptive Threat Profiling, New VPN Features

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.