Full disclosure: I run a cybersecurity company. This post contains no affiliate links and is meant to be purely informative. I wanted to nuance the discussion about VPNs in Hong Kong and digital privacy, because it’s a topic I care a lot about, so I wanted to make sure people in Hong Kong who want VPNs have as much information as they can on how to evaluate them, with a few examples. This post is tailored for the Hong Kong situation, but can be read more broadly. Happy to accept translations into Mandarin/Cantonese if needed.
With Beijing’s recent resolution to enact a national security law that the Hong Kong legislature could not, there has been a surge of demand for VPNs in Hong Kong, with providers like Surfshark reporting sales spikes of “over 700%”, representing a “week’s worth of sales in just 1 hour”, and surges of demand also reported by providers like NordVPN. There is a genuine fear that Mainland China is collapsing the civil liberties of Hong Kongers and bringing more mainland rules into all elements of life, from banning certain expressions of dissent to defining them as an element of “state subversion”, an infamously broad statute the Chinese state has previously used to detain dissidents.
In Mainland China, the Internet is placed behind the Great Firewall, and users have to use VPNs to access the open Internet. This article serves as a basic guide to the technology and other privacy-enhancing methods Hong Kongers and others around the world might want to look at.
What is a VPN?
A virtual private network (VPN) lets you connect your device to a private network and then reach the Internet as if you were on that network. VPN providers commonly build their networks on top of open source protocols, some of which encrypt by default so that your communications with that network are protected. They can be used to circumvent regional restrictions on content, such as those imposed by the Great Firewall, by connecting to networks located in regions of the world that don’t have those restrictions.
Paired with a packet analyser such as Wireshark, you can check that the traffic leaving your device is actually encrypted, and you should keep control over what data you send through, and receive from, the private network you choose.
In practice, you’ll likely use a VPN provider that has networks already set up around the world and that you can have access to. Most of these providers will have different custom configurations.
What are some considerations for VPNs?
You’ll want to consider whether your connection is encrypted/protected, what technology your VPN runs on, where your VPN provider is based, and who owns your VPN. One important thing to note is that while a properly implemented VPN stops your ISP (Internet Service Provider) from recording your traffic, the traffic can still leak to attackers, and the VPN provider itself can record your browsing.
VPNs are good for circumventing geography-based restrictions such as the ones China imposes with the Great Firewall, or other content restrictions that work country by country. However, there are ways of detecting that you are using a VPN, and your DNS queries can leak outside the tunnel, revealing your real location, if the client isn’t configured correctly. Also, a VPN doesn’t add any security to the web browsing itself: you should still make sure you use encrypted DNS and connect to websites over HTTPS (there should be a lock in the browser URL bar if so).
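Added example (not from the post): an offline check for the DNS and IPv6 leaks described above, run over constructed `tcpdump -n -i any`-style capture lines. It assumes a WireGuard tunnel interface named wg0 and a hypothetical VPN endpoint 203.0.113.10:51820; the line format only approximates tcpdump output and may need adjusting for your version.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    iface: str
    out: bool   # leaving the host
    ipv6: bool
    dst: str    # destination address without port
    dport: int  # destination port, 0 when absent

# Approximates one `tcpdump -n -i any` line; check the exact format your tcpdump prints:
#   <time> <iface> <In|Out> <IP|IP6> <src>.<sport> > <dst>.<dport>: ...
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+(?P<proto>IP6?)\s+\S+\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3}|[0-9A-Fa-f:]+)(?:\.(?P<dport>\d+))?:(?:\s|$)")

def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["iface"], m["dir"] == "Out", m["proto"] == "IP6", m["dst"], int(m["dport"] or 0))

def find_leaks(lines: List[str], tunnel_iface: str = "wg0",
               vpn_endpoint: Tuple[str, int] = ("203.0.113.10", 51820)) -> List[Tuple[str, str]]:
    """Flag outbound DNS and global IPv6 packets that leave on a physical interface
    instead of the tunnel; the only expected physical-side traffic is the tunnel itself."""
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt.out or pkt.iface in (tunnel_iface, "lo"):
            continue
        if (pkt.dst, pkt.dport) == vpn_endpoint:
            continue  # encrypted tunnel packets to the (assumed) VPN server are expected here
        if pkt.dport == 53:
            findings.append(("DNS leak: resolver query outside tunnel", line))
        elif pkt.ipv6 and not pkt.dst.lower().startswith(("fe80", "ff")):  # skip link-local/multicast
            findings.append(("IPv6 leak: global IPv6 traffic outside tunnel", line))
    return findings

# Constructed sample capture (not a real trace): query via tunnel, the tunnel itself,
# a leaked query to the home router, a leaked IPv6 flow, local mDNS, an inbound reply.
SAMPLE = """\
12:00:00.000001 wg0   Out IP 10.8.0.2.40001 > 10.8.0.1.53: 1+ A? example.org. (29)
12:00:00.000002 eth0  Out IP 192.168.1.5.51820 > 203.0.113.10.51820: UDP, length 148
12:00:00.000003 eth0  Out IP 192.168.1.5.40002 > 192.168.1.1.53: 2+ A? example.org. (29)
12:00:00.000004 eth0  Out IP6 2001:db8:1::5.40003 > 2001:db8:ffff::1.443: Flags [S]
12:00:00.000005 eth0  Out IP6 fe80::1.5353 > ff02::fb.5353: UDP, length 40
12:00:00.000006 eth0  In  IP 192.168.1.1.53 > 192.168.1.5.40002: 2 1/0/0 A 203.0.113.7 (45)
"""
```

Running `find_leaks(SAMPLE.splitlines())` reports the query to the home router and the direct IPv6 connection, while the tunnel traffic, local mDNS and the inbound reply are left alone.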
You should ensure that any VPN you use has a no-log policy and that its ownership group has no commercial or government-backed incentive to track you. Ideally, the client software is open source and published somewhere like GitHub so anybody can read the code, and the provider should have independent third parties perform security audits. Most will announce those audits on their blog, and the results should be searchable.
If you want anonymity and privacy for your Internet use, consider using Tor, and Tor bridges to disguise the fact that you are using Tor. While this is quite technical, it is an anonymous system that works even within mainland China. Many of the commercial VPN providers in mainland China may be monitored by the government, so they’re not good choices for a VPN in Hong Kong.
What are some VPNs that might fit the bill?
NordVPN: Has a no-log policy that has been verified by PwC. Good international network of servers, so many geographies to pick from. Based in Panama, so technically out of the reach of both Chinese authorities and the Fourteen Eyes network of Western intelligence agencies. Panama has recently enacted a privacy law covering personal privacy. In terms of encryption, NordVPN claims to use IKEv2/IPsec to form VPN tunnels, OpenVPN (which is open source and routinely audited by free/open source developers), and its own variation of WireGuard called NordLynx. Be aware that this information comes from a marketing page where they are incentivized to exaggerate as much as possible, though the technologies cited are generally regarded as robust VPN software.
However, you should be aware that NordVPN was affected by a security breach that could have left it vulnerable to a difficult but possible “man-in-the-middle” attack, where connections from VPN users to the wider Internet could have been intercepted by a remote attacker; there were confirmed instances of unauthenticated access.
An analysis from an affiliate of NordVPN gives some technical detail on the usage of exit nodes and the collection of user data, and concludes that NordVPN is likely not collecting user data, as it claims, at least not in a trivially obvious way.
Pricing-wise, it’s $11.95/month, or $6.99/month if you sign up for a year ($83.88 USD billed every year), $4.99/month if you sign up for two years ($119.76 billed every two years), or $3.49 per month for three years with a one-month refund policy ($125.64 billed every three years). There’s a strong incentive for them to hook you onto the longest plan possible, and the cost savings come with that. In practice, you’ll want to try out the software and see if it works for your needs before you commit to anything. The three-year plan comes out to about 974.16 HKD billed every three years.
ProtonVPN: Around since 2016 and based in Switzerland. It has servers in 50 countries including Japan, Singapore, Australia, South Korea and Canada, and has been audited by SEC Consult. They also publish their code on GitHub, which allows others to audit it and report any bugs or vulnerabilities. This is the sibling of ProtonMail, an established brand for private email. There are clients on the Android and iOS app stores.
The no-logging policy derives from ProtonMail’s no-logging record, which has a longer track record with email; both are under the umbrella of their Swiss parent company, Proton Technologies AG. This means that in theory, in most cases, there is no data to track down.
In criminal cases, however, ProtonVPN, like ProtonMail, will cooperate with the Swiss authorities, as it is required to do under Swiss law, and enable logging. There were 1,484 such orders complied with in 2019, including 129 that were foreign requests approved by Swiss authorities. In effect, this is a legal backdoor of sorts: while the default is no tracking, governments can require tracking. ProtonVPN will contest some legal orders, including those from governments it considers human rights violators: “We rejected the request on account of the Turkish government’s human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.”
ProtonVPN will only comply with legally binding orders that have been approved by Swiss authorities, and at least for ProtonMail it has said that the contents of encrypted communications are not revealed; however, it will reveal IP addresses and metadata about who accesses the service. Under Article 271 of the Swiss Criminal Code, it is an offence to comply with foreign requests that do not go through Swiss authorities. There are no cited cases involving the Chinese government or state in the warrant canary, though people should be aware that Switzerland is increasingly looking to integrate economically with China. That said, Switzerland was one of the 22 states that signed a joint letter to the UN Human Rights Council in July 2019 condemning China’s treatment of Uyghurs. Of the requests from foreign jurisdictions, seven came from Asia as a whole.
ProtonVPN has a free plan with limitations if you want to start trying it. There’s a paid Basic plan at about 48 Euros per year and a Plus plan at 96 Euros per year. With a two-year plan you can save up to 34%, compared to 20% with the annual plan. The Basic plan would run you about 405.52 HKD a year, making it slightly less expensive than other options for VPNs in Hong Kong.
Mullvad: Mullvad is based in Sweden and does not have a free trial. It has servers in 36 countries around the world including Canada, Australia, Japan and Singapore, several of them running the WireGuard protocol, which takes a security-first approach. They’ve been audited by Cure53 and Assured AB in a publicly reported penetration test. Their code is published on GitHub and is open source for people to verify. It also offers IPv6 support, allowing a fuller connection to different web services, a good option if you want to reach as much of the Internet as you can with a VPN in Hong Kong.
Mullvad is probably the best option for technical security, though it should be noted that its Swedish base means it is technically hosted in a Fourteen Eyes country, in deep intelligence cooperation with other European states as well as the US and UK. It’s also harder to set up, doesn’t offer yearly discounts, and doesn’t have an Android client yet. But if you’re really big on privacy, to the point of paying in cash, Mullvad might be the best solution for you; just don’t expect a smooth onboarding.
PrivacyTools.io is a great listing of privacy tools that has more examples and stricter criteria, including the number of marketing tools a VPN uses, which can be indicative of its cultural stance on tracking and logging user data. Being careful about VPN selection is important here: understanding the incentives and structure behind a VPN provider, along with its current practices, is probably the most critical part.
For example, a host of VPNs including Private Internet Access are, despite the name, owned by Kape Technologies, who previously developed advertising apps until they changed their name. Their original apps were treated as malware by companies like Malwarebytes and Symantec. It is important to be critical about who owns and manages a VPN, since when you connect to a VPN in Hong Kong or anywhere else, you are essentially trusting the person or organization who manages it with all of your web traffic.
What other digital-privacy enhancing tools should I look at?
There’s a selection of other tools you might want to look at when it comes to digital privacy and security that go beyond VPNs, which plug only a small hole in the personal security ecosystem. This website lists a few examples. You might want to consider using privacy-preserving web browsers and search engines such as Firefox and DuckDuckGo, browser extensions that automatically upgrade connections to be secure (HTTPS Everywhere), and others that help you keep your privacy from ads and content distribution networks.
You’ll want to consider your management of passwords, and two-factor authentication methods in order to protect against more baseline attacks from potential digital attackers.
In short, a VPN is a good way to get ahead of geography-based restrictions and content restrictions, and it might be a good way to hide your traffic patterns from your Internet Service Provider — but it isn’t a cure-all.