Why the war on VPNs is one Netflix can't win

Security is more important than licensing deals.

Illustration by D. Thomas Magee

Netflix has started blocking users who try to bypass country-based content restrictions by using a VPN, beginning its enforcement last week with Australian subscribers. The problem is, by forcing customers to turn off their VPN, Netflix is putting them at risk of being maliciously hacked.

Netflix is trying to protect copyright, local distribution rights and contracts. It would be a totally reasonable idea if the only people who used VPNs were a minority of duplicitous streaming thieves, trying to sneak a peek at Doctor Who in Malaysia. And that's how Netflix is trying to sell it -- except its VPN user base is hardly a minority, and most people who use VPNs, like enterprise businesspeople, use them for security and privacy protection.

Netflix's solution to its problem is about to create a huge new one -- for millions of people who aren't trying to trick the service out of a Canadian show in the US. One year ago, UK-based GlobalWebIndex estimated that 54 million people use VPNs to watch Netflix every month (Netflix declined to comment to Variety on GWI's numbers).

What Netflix is asking (er, forcing) its customers to do is, well, insane from a privacy and security perspective. That a company might insist you use 123456 as your password because it solves an internal problem for them sounds ... ludicrous. Except that's pretty much what Netflix is doing by disallowing widespread use of a security tool as critical as a VPN.

I'm guessing that the very real security issues are why Netflix decided to make all US military bases exempt from VPN blocking. Not military personnel, mind you, just the bases. Soldiers and military personnel stationed and living off bases abroad will still have to give up the security of a VPN to watch Daredevil when they miss life back at home.

If there were a show on Netflix about stealing candy from babies, it would look a lot like using public WiFi without a VPN. Turns out there are some scary-good reasons that all advice about attending (or getting anywhere near) a hacker conference begins with "Get a good VPN for all your devices and use it at all times."

When you use a VPN, the only thing an attacker on the same network sees is your computer talking to the VPN server -- they can't see the connections to the sites you're visiting. The attacker's ability to spy, intercept, attack or steal information stops at the VPN.

When you use public WiFi in a café, plane or airport without turning on a VPN first, you can be hacked by anyone who's downloaded any of the many excellent, free, open-source network traffic analysis tools (like Wireshark or tcpdump). The risk of being sniffed like this is typically low on private networks, and extremely high on public ones.

Without a VPN, someone with one of these tools who is on the same network as you can see the URLs you're looking at, metadata, and any information transmitted between you and the sites you're visiting. They can also inject traffic, so that a trusted web page you visit arrives spiked with code that infects you with malware, which typically steals your banking and identity credentials.

Even if the connection is encrypted but you have no VPN, the attacker is limited to the URL you're visiting and any leaking metadata. But if it's not an "https" site, they'll be able to see and capture plain-text passwords.

If you turn off your VPN to watch Netflix, and leave browser tabs or online apps with active sessions running in the background, you're handing over to malicious hackers anything that's being transmitted while you're watching Netflix.

As hacks and attacks increase, not using a VPN is increasingly going to look dumb. Using a VPN might feel like insider InfoSec knowledge at this point, but so was making complex passwords not too long ago.

Netflix seriously needs to catch up with real-world security practices, as do other streaming sites that conflate VPN use with thievery -- Netflix isn't the only service prohibiting VPN security in the name of preserving content distribution deals. The company leaned on exactly that when Netflix's David Fullagar, VP of content delivery architecture, announced in a blog post that the move was intended to "employ the same or similar measures other firms do" to solve its licensing headaches.

That Netflix is trying to paper over VPN blocking with an "everyone's doing it" approach is worrying. Netflix is widely considered the game-changer for streaming content. If it leads the way in reducing user security industrywide by discouraging VPN use among ordinary people, things are going to get a lot worse for stalking, identity theft, ransomware, credential harvesting and much more.

Annoyingly, Fullagar's post characterized the situation as though Netflix were being tricked by people who had something to hide. Nothing was mentioned about the legitimate use of VPNs by millions of people worldwide, much as we heard very little about non-criminal use of file-sharing services during the MPAA and RIAA's decade-plus of campaigning against the evils of torrenting. Hollywood is, in fact, pleased as punch with Netflix's VPN purge. This week the studios even called on Netflix to maintain its VPN crackdown.

Dear Hollywood: The security risks are real. Maybe ask your friends at Sony about that.