- Google will roll out a VPN service for Android users in the US through the Google One app.
- The service will cover the entire activity of an Android device, so it won’t be app-specific.
- There are some concerns about user privacy, but Google is looking to clear them off with independent audits.
The Google One app on Android is about to get a VPN layer that will help users encrypt their online activity with a single tap. Google says this will work universally no matter what app or browser is used, so whatever the Android device streams, downloads, or sends as data packets over the internet will be encrypted. As it’s typical for a VPN (virtual private network) service, the user’s real IP address will be masked, and there will be no tracking from third-parties.
Google promises amazing performance, which is always an element to watch out for in VPN services. The tech giant operates a network infrastructure of a size and technical sophistication that can support any claim they make on that part, so this is not something that we wouldn’t expect from them.
The main issue with a VPN service by Google is the user’s privacy. Google is the largest and most powerful advertising company in the world, operating a massive network of data collection and exchange, so trusting them isn’t exactly easy. Google specifically says they will never track, log, or sell people’s browsing activity and that the VPN servers will feature in-built security that will prevent correlations between online activity and identity.
Additionally, Google has open-sourced the libraries used for the VPN client and promised to pass its end-to-end systems through independent auditing in 2021. This will lift any fog of doubt about the privacy and security of the VPN by Google One.
It is important to point out that the whitepaper of the product does mention some “minimal” data logging action, which can be summed up in the following items:
- Use of the service in the last 28 days. This metric collects how often the service was used in the last 28 days, but it does not track the specific times they used the service nor the duration of the usage, nor the amount of data used.
- The number of recent attempts by a user to set up a VPN session to ensure that the user does not exceed the maximum number of allowed concurrent sessions. User IDs are encrypted and therefore cannot be personally identified by the concurrent session check.
- Server error logs without request or response data.
- Aggregate throughput
- Aggregate VPN tunnel uptime
- Aggregate VPN tunnel setup latency
- Aggregate Total bandwidth rate
- Aggregate Packet loss rate
- Aggregate VPN tunnel failure rates
- Aggregate VPN tunnel retries
- Aggregate Service/Server CPU and memory load
- Aggregate VPN tunnel setup error rates
When Google offered a VPN service through Project Fi, they did clarify that while the service wasn’t storing any user data or traffic, they would actively monitor for abuse against the local regulations and applicable laws. Also, if any courts or the government ordered user data, they would comply with the requests, sharing whatever they had. The VPN by Google One looks like it’s based on the same service, so it would be safe to assume that the same user data handling approach would be followed here too.
Dirk Schrader, Global Vice President at New Net Technologies (NNT), has provided us with the following comment on Google’s VPN service:
The Google VPN service is nothing more than a bloated ‘security feature’. It encrypts the last mile, however, that doesn’t solve the issue with these apps that are using weak encryption or no encryption at all. It simply moves the point where the data will be unprotected to a different place, the tunnel end of Google’s side. This VPN feature might make it more difficult to conduct WiFi attacks, but not much more. When Google states that the VPN will hide the user’s location to prevent third parties from tracking them, what is the use of this protection if Google sells the collected data to the exact same third party? Google should use its powers and knowledge to help these app developers apply stronger encryption, instead of deviating from the real problem.
VPN by Google One will become available on the Android platform and for US-based users only in the coming weeks. By 2021, Google will expand the service to more countries and more platforms like iOS, Windows, and macOS.
The cost for a Google One plan that includes the VPN for Android was set to $9.99 per month or $99.99 / year. This tier also includes 2 TB of storage across Gmail, Drive, and Photos, and an option to add your family.