A long list of well known VPN brands have been called out very recently for automatically installing root CA certs on the devices of their clientele, as per Appesteem.
VPNs have gained a mass appeal over the past few years, with much of that success having barrelled over because of raised awareness regarding online data selling practices. It seems that quite literally no online platform, mainstream or otherwise, is safe from taking private user data and selling it to advertisers or other corporations. Social media platforms such as Facebook, Instagram, and TikTok might yet be the worst offenders, but there's plenty of blame to go around. No website lets users fully disable cookies; there's always something "necessary" needed by the websites.
In light of such rampant data stealing, much of which occurs entirely without user consent, safe alternatives are a rare lifeline. Apple's iOS 14 Tracking/Transparency features were lauded at launch, and were staunchly opposed by social media conglomerate Meta as well. VPNs climbed in popularity since they not only make user data anonymous online, but they also allow access to websites and content that's found overseas. Netflix and HBO Go certainly became a lot more useful after VPNs swung by.
With all of this in mind, for VPNs to conduct any sort of business on a user's device without their permission seems like a betrayal of the exact same core audience that the services invite. However, let's dig deeper: what is a root CA cert? Well, root Certificate Authority certs are essentially a form of digital authentication. The installation of one is essentially used by the software at hand to confirm whether or not the user is who they say they are. Think of root CA certs as digital IDs attached to new software.
However, unlike your average ID, they run the risk of exposing much more than just a singular account. If any third party were to gain control of a device's root CA cert, the end result would be nothing short of catastrophic. This party would then have access to virtually everything in that relevant device: contacts, passwords, ID, you name it. It's why states such as Russia are actively attempting to have all citizens download state issued versions of root CA certs. It's a new age of digital surveillance.
For VPNs to go through with such practices without asking for informed consent or making the process optional is to more or less betray their own core audience.
Vector created by gstudioimagen1 / freepik
Read next: Hello Passkeys, Goodbye Passwords: Android Is Introducing Password- Replacing Keys That Will Be In Sync With Your Google Account
VPNs have gained a mass appeal over the past few years, with much of that success having barrelled over because of raised awareness regarding online data selling practices. It seems that quite literally no online platform, mainstream or otherwise, is safe from taking private user data and selling it to advertisers or other corporations. Social media platforms such as Facebook, Instagram, and TikTok might yet be the worst offenders, but there's plenty of blame to go around. No website lets users fully disable cookies; there's always something "necessary" needed by the websites.
In light of such rampant data stealing, much of which occurs entirely without user consent, safe alternatives are a rare lifeline. Apple's iOS 14 Tracking/Transparency features were lauded at launch, and were staunchly opposed by social media conglomerate Meta as well. VPNs climbed in popularity since they not only make user data anonymous online, but they also allow access to websites and content that's found overseas. Netflix and HBO Go certainly became a lot more useful after VPNs swung by.
With all of this in mind, for VPNs to conduct any sort of business on a user's device without their permission seems like a betrayal of the exact same core audience that the services invite. However, let's dig deeper: what is a root CA cert? Well, root Certificate Authority certs are essentially a form of digital authentication. The installation of one is essentially used by the software at hand to confirm whether or not the user is who they say they are. Think of root CA certs as digital IDs attached to new software.
However, unlike your average ID, they run the risk of exposing much more than just a singular account. If any third party were to gain control of a device's root CA cert, the end result would be nothing short of catastrophic. This party would then have access to virtually everything in that relevant device: contacts, passwords, ID, you name it. It's why states such as Russia are actively attempting to have all citizens download state issued versions of root CA certs. It's a new age of digital surveillance.
For VPNs to go through with such practices without asking for informed consent or making the process optional is to more or less betray their own core audience.
Read next: Hello Passkeys, Goodbye Passwords: Android Is Introducing Password- Replacing Keys That Will Be In Sync With Your Google Account
