Fee-fi-fo-fum, do I want Google to sniff my network traffic, all of it?

library
crime | hacking | security

Google is getting a lot of publicity for a business venture called Project Fi.

Dubbed rather grandly as “a new way to say hello,” the service seems to be a joint project with US mobile providers Sprint and T-Mobile.

You’ll need a Nexus 6 phone and an invitation to get on board at the moment, but fi, ah, if you do, your mobile data experience will leap automatically between cellular and Wi-Fi networks, depending on what’s available.

The idea is that you’ll save money, because when you’re not using 3G or 4G, you’ll be on an unmetered wireless connection that’s part of your $20/month flagfall fee.

When you do wander onto 3G or LTE (4G), you’ll pay the low, low price of just $10/GB for your data.

To a non-American like me, in a part of the world where internet access is readily available, but at a price, and who looks at US fixed-line data speeds and costs with some envy…

…that doesn’t seem super-cheap.

I can pay $4/GB for 3G/LTE data access, no contract or flagfall, pay-as-you-go, with free Wi-Fi whenever I’m in range of the provider’s wireless networks.

Actually, it’s as low as $2/GB if I do half of my work in the small hours of the morning.

Where Google’s plan differs in an added-value way is this:

There are two providers in the game, meaning more LTE and more Wi-Fi access points to choose from.
Handover between Wi-Fi and the cellular network is automatic, just as it is on the cellular network alone.
The service runs through a Google VPN, at least when you are on the Wi-Fi network.

VPN to the rescue

The VPN, short for virtual private network, is a good idea to cushion the problem of using open Wi-Fi access points.

If the access point has been hacked, or there are wireless sniffers (eavesdroppers) in the vicinity – and you may as well assume both – then an open access point means your data can be recorded, and your network traffic easily diverted or modified along the way.

Indeed, that’s the reason we recommend using your own VPN when you are on the road and connecting via it’s-safer-to-assume-they’re-dodgy networks.

VPNs encrypt all your network traffic, even innocent-looking packets like pings, between your device and your home, head office or service provider.

Only once the traffic has made it safely home is it decrypted it for transmission onto the open internet.

Sure, it can be sniffed from then on, but at least you are no less secure than if you were sitting at home, or in the office.

You’ve removed the uncertainty of the eavesdroppable and possibly-tainted path through the free-for-all of open Wi-Fi.

But, as numerous Naked Security readers have pointed out in comments and tips, setting up a VPN is as easy on your mobile device as it is difficult on your own server at home.

True, a VPN server is not terribly hard if you use the free Sophos UTM Home Edition, but you do have to configure and connect a spare computer (or virtual machine), and then install and configure the UTM firmware first.

It’s fairly easy, and excellent value at $0, but it isn’t just a simple button-click.

If you haven’t done anything like it before, you will probably need to ask an IT-savvy friend to help.

Google, by providing the VPN in the cloud, will bypass the need to ask your chums for favours.

For many people, that alone, and the simple (if surprisingly uninexpensive, at least to me) pricing plan, will probably be very attractive.

The real cost of free $20/month+$10/GB

The real question is, “Do you want your VPN to terminate inside Google’s infrastructure?”

As we mentioned above, once your mobile traffic exits the other end of your VPN, it’s back to normal, and subject to the same sniffability, hackability and monitoring for targeted advertising as usual.

And if you run a VPN via your home ISP, there’s certainly a risk of trouble, whether it’s hackers inside your ISP, dud security on your home router, or lawful interception deeper in the network.

Google has a pretty good record of not getting hacked, even if it rather dodged a bullet with some of its Android vulnerabilities. (The crooks seem to have ignored them so far because they’re still finding they can simply invite users to install malware, instead of using subterfuge and exploits.)

Google will bypass your home router for your mobile device VPN, because the VPN terminates in Google’s network, not yours.

And lawful interception regulations apply to all ISPs, not just Google.

Yes or no?

Even with all of the above plus points, however, some people will have a short answer to, “Do you want your VPN to terminate inside Google’s infrastructure?”

Project Fi will give Google access to yet more information and metadata about your online habits, in addition to what it gets from search, ads, YouTube, Gmail and more.

So those people will answer, “No.”

At $20/month plus $10/GB, will you really gain on the roundabout what you’ll lose on the swings?

Follow @duckblog

Sophos UTM Home Edition

Prefer to run your own VPN at home for your laptops and mobile devices?

Try our award winning UTM.

The Home Edition includes all the Sophos UTM features: a VPN, email scanning, web filtering, web application security, and everything you need to keep up to 50 devices on your home network secure, 100% free for home use.

In you live in a shared house, or you have children to look out for online, this could be just the product you need.

Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.