GDPR has revolutionized security. That’s not hyperbole. The massive pivot in emphasis at the basis of GDPR makes it a genuinely radical piece of legislation with profound implications.
Yeah, so I’m not running for Congress, so I’ll ease up on the twenty-dollar words now. Thing is, GDPR really has changed how privacy law works.
GDPR is a sea change in privacy law
Before, the law applied to organizations. Now it applies to data. Anywhere your data goes, GDPR goes. This came as a terrible shock to many American companies that realized that if you do any kind of business with anyone in any European country – if they subscribe to your newsletter, even – you’re on the hook for GDPR.
Cue a paradoxical spasm of spam, as everyone you ever forgot you gave your email address to emailed you the day after GDPR went into force, asking you if it was OK to keep emailing you.
And that’s the other really new part of GDPR: if you never wanted to hear from any of these bums again, all you had to do was… nothing.
GDPR makes everything opt-in (‘yes, contact me’) not opt-out (‘check this box if you do not wish to receive marketing communications from everyone we sold your email address to’).
So far, so awesome. But does GDPR make you so secure that you don’t need a VPN anymore?
Not so much, in fact.
So does it make VPNs obsolete?
The noises about how obsolete VPNs are and how GDPR is the final nail in their coffins are mostly coming from the business world.
For instance: Desire Athow, writing in TechRadar.pro, told readers in April this year that ‘VPNs are so last year,’ asking: ‘is it time for them to bite the dust?’
Dig a little deeper, though, and her point becomes clear: businesses with remote workers aren’t getting enough security from a VPN alone.
‘For many companies,’ says Desire, ‘working from home just isn’t the same as working from the office, and it’s mostly down to the ease with which employees can access corporate applications remotely. The concept of Virtual Private Network (VPN) was created to resolve this issue and provide a secure link between an employee at home or on the road and the corporate network.’
OK, so how true is this? Desire’s point that businesses are better protected by a mix of tough legislation and well-designed Identity and Access Management systems is valid.
VPNs were invented because it wasn’t possible to encrypt the internet
VPNs weren’t created to make it safe to access corporate systems remotely.
In fact, Stan Hanks, who invented IP VPNs, says:
‘Faced with a problem where I had to move packets from a variety of customer networks running a variety of network protocols, and not being able to get them to expose routing (in the case of the routable protocols, and not all were), I had to come up with something… So, I took a hack I’d used before, based on a concept from another telecom platform, and turned it into Generic Routing Encapsulation (GRE).’
In other words, VPNs exist because it wasn’t possible at the time to encrypt all internet traffic. They don’t exist to solve a business problem, but to address an issue that’s inherent to the network: encrypted > unencrypted.
GDPR won’t keep you safe
GDPR is a law. It only affects people who obey the law. Stealing your data and using it to rob you, threaten you or build shadowy, dystopian advertising-meets-psyops tools to subvert your democracy are the kinds of things people do when they don’t care about the law. (As is using it to spy on you.)
So does GDPR mean you don’t need a VPN anymore?
Depends on your motivation. Business VPN use in Europe might tail off some, but not because of the direct effect of GDPR – businesses can be robbed too.
And for personal use? The only time you don’t need a VPN is when you’re using a network that’s totally encrypted and permissioned. The internet isn’t that – Stan Hanks couldn’t find a processor fast enough back in the day. So if you value your privacy, yes, you still need a VPN.