Few areas of the technology world have grown as quickly as the Virtual Private Network (VPN) industry in recent years, despite the fact the concept has now been around for a quarter of a century.
Designed to preserve online privacy and help bypass internet restrictions, services like ExpressVPN and NordVPN rode the zeitgeist following incidents such as the Cambridge Analytica scandal, which opened the public’s eyes to the extent of modern-day data collection.
In territories with stringent internet laws, VPNs have also played a central role in unlocking online resources and fighting misinformation. And these qualities have gained newfound importance during the pandemic, which some regimes have used to smuggle through surveillance initiatives and censorious new web regulations.
As a result of these factors, according to data from Statista, the VPN market is set to be worth upwards of $75 billion by 2027, which would represent a three-fold increase in less than a decade.
However, while consumer VPN platforms have snatched the limelight in recent years, the first applications of the technology had little to do with online privacy and the fight against censorship; in fact, the roots of the VPN are found in the enterprise world.
The VPN is born
The first ever instance of VPN technology can be traced back to a Microsoft engineer named Gurdeep Pall, now one of the company’s Corporate Vice Presidents.
In the mid 1990s, Pall and his team were working on a mechanism for accessing business data from outside the office in a secure fashion. The solution they devised eventually came to be known as the Point-to-Point Tunnelling Protocol (PPTP), which is still in use today, albeit in a deprecated manner.
“We were working on remote access solutions so that users could dial in over modems and connect into their corporate networks,” he told TechRadar Pro. “The first form of what became VPNs was created to test emulated modem connections between the client (calling in machine) and server (gateway to corporate network) by using circuits/tunnels over IP/ethernet.”
“When TCP/IP stack shipped in Windows NT and Windows 95 and all corporations were now directly connected to the internet, and users had broadband at home, we adapted this approach to become PPTP.”
Around this time, says Pall, the business VPN industry took off “like a hockey stick” and PPTP became the default protocol by virtue of the fact it shipped with every Windows device.
To this day, PPTP remains one of the fastest VPN protocols to ever have been developed. Despite the fact that its 128-bit encryption is considered highly insecure by modern standards, the protocol is still applied in cases where speed takes precedence over security, much to Pall’s own surprise.
The underlying technology
Since the arrival of PPTP, however, multiple new VPN protocols have been developed, all of which offer a slightly different set of attributes.
The OpenVPN protocol, for example, rose to prominence in the early 2000s as a versatile and highly secure alternative, with 256-bit encryption via OpenSSL. Unlike many other VPN protocols, it’s also open source, which means its code is available for anyone to use and scrutinize.
“Modern VPNs really came out of the open source movement by creating a public forum where open source developers could mingle with cryptography experts and create security software with the same transparency and peer review that exists in the academic sphere,” explained James Yonan, OpenVPN founder and CTO.
“By making the source code open, we invited security researchers, hackers, cryptographers, etc. to examine the code for flaws and weaknesses, and the resulting product was strengthened by that critical feedback.”
This philosophy allowed OpenVPN to establish itself as a dominant force in the VPN market, but another up-and-coming open source protocol, called WireGuard, is starting to knock on the door.
The goal of any encryption protocol is to provide the maximum levels of speed and encryption, while consuming as few computing resources as possible. WireGuard has been developed with this principle front of mind, offering greater throughput speeds and lower ping times than OpenVPN and running on just 4,000 lines of code.
However, while VPN providers such as CyberGhost and PIA have introduced WireGuard support, many others are taking a wait-and-see approach. Broadly speaking, greater encryption speeds translate to lower security and some providers are concerned WireGuard may not be as stable as more mature projects.
Other VPN vendors, like ExpressVPN, have developed whole new protocols specifically for their respective services. Perhaps predictably, ExpressVPN claims its Lightway protocol is faster and more reliable than other alternatives. Unencumbered by legacy features, Lightway is made up of only 1,000 lines of code, which means it should take just fractions of a second to establish a VPN connection.
The origins of the first VPN protocol might be in enterprise, but in recent years this kind of innovation at the protocol layer has been driven in large part by the explosion of the consumer market.
Catalysts for change
It’s difficult to place a finger on any single trigger for the rise of the consumer VPN, in part because reliable vendors don’t collect the kinds of data that could be used to analyze these trends.
However, the consensus among the experts we consulted is that a general awakening to problems surrounding online privacy and data collection has created significant demand where before there was very little.
The Edward Snowden leaks (2014) and Cambridge Analytica scandal (2018) are thought to have played a major role, alerting the public to the kinds of data both private companies and government agencies are in the business of collecting.
For the first time, people also came to understand that there is no such thing as a free lunch; that online services come with an invisible cost that they might be unwilling to pay.
“With daily headlines reminding us that companies and governments are collecting our personal data without our informed consent and then either misusing or failing to safeguard it, it’s no wonder that consumers all around the world are becoming more protective of their data in recent years,” said Harold Li, Vice President at ExpressVPN.
Another factor in the growth of the consumer VPN market, says Li, is the expansion of internet censorship, particularly in Asia and the Middle East.
“VPN has always been a critical tool for digital freedom, and for as long as internet censorship has existed, people have used VPNs to access information, conduct work and connect with family and friends,” he told us.
“More internet users are feeling the effects of various governments tightening their grip on the digital world. People are really waking up to the need to take their online privacy and security into their own hands.”
In recent months, for example, traffic to VPN websites has surged in response to discussions of a potential TikTok ban in the US and the eruption of the military coup in Myanmar.
According to Dominykas Dimavicius, Head of Communication at VPN provider Surfshark, the correlation between breaches of privacy and growth in the VPN industry has also created something of a snowball effect.
“The general trend is that any news related to surveillance, tracking, censorship and anything else concerning unsolicited exploitation of people’s right to privacy pushes the industry upwards,” he said.
With a greater number of vendors coming to the space in an effort to combat these kinds of problems, Dimavicius explained, competition in the market has become more fierce. In turn, greater competition has sparked massive investment into marketing, public relations and education initiatives, propelling the cycle forwards.
Staying true to its roots
While consumer VPN services have enjoyed the most dramatic growth in recent years, the technology also remains relevant in its original context, in enterprise. Some have prophesied the death of the business VPN, but the pandemic has served to consolidate its place in the technology stack.
Organizations operating in the space are cognizant of the technology’s weaknesses in an enterprise context – namely around security and scalability – but are equally convinced that technological solutions are capable of ironing out the kinks.
“We are actually seeing a lot of growth in business VPN, and at OpenVPN we are spearheading a major R&D effort to modernize VPN for the cloud,” said Yonan. “That means moving the OpenVPN data plane to the kernel for performance and adding additional security layers such as SAML-based authentication and malware blocking.”
“It’s about a complete virtualization of the internet itself, where you can still run the same apps and services, but now the virtualization aspect gives you total control of the security and management, including encryption, authentication, access control, routing, DNS, malware blocking, geolocation etc.”
This concept is echoed in part by Perimeter 81, a business-focused VPN provider that believes the integration of Secure Access Service Edge (SASE) will help deliver the necessary levels of security.
“There is no denying that VPN-related security breaches highlight the fact that, yes, the traditional hardware-based VPN needs to evolve to a cloud-friendly model that can effectively scale, support the security of cloud-based resources and provide better visibility into network activity,” said Sagi Gidali, CPO.
“SASE enables the delivery of integrated secure network security services that supports digital business transformation, edge computing, workforce mobility, identity and access management. In addition to improved security and network performance, SASE delivers increased user and IT staff productivity, operational efficiency, and cost reduction.”
While consumer VPN services proved useful in a pinch last year, with employees forced outside the traditional security perimeter with little notice, businesses understand they need a sustainable solution to the remote access problem.
The next generation of business VPNs, says Gidali, will need to support a zero trust approach, characterized by the “never trust, always verify” principle. And with hybrid working expected to become the norm, businesses will need a way to segregate their network and establish encrypted tunnels between employees and resources in a way that current solutions do not always allow.
What’s next for VPN?
On its current trajectory, the VPN industry looks set to achieve massive growth in the years to come, but change is also inevitable. In a market as lucrative as this one, with the underlying technology developing all the time, it’s only ever a matter of time before a new innovation sparks fresh debate.
OpenVPN believes the industry will soon enter a period of consolidation, during which consumer VPN services will blend into web browsers, which Yonan describes as “the real arbiters of privacy on the internet”.
“I think it’s often not fully understood that a VPN, by itself, will not protect you from tracking via web cookies. So I see the evolution of privacy on the internet as leading towards a merger of consumer VPN with a privacy-hardened browser. This could be as simple as running a VPN while your browser is in incognito mode,” he told us.
It’s possible a similar process of consolidation has already begun with the arrival of Google’s new VPN service, available with Google One cloud storage subscriptions. Fellow tech giants Apple and Amazon are also rumored to be preparing VPN offerings of their own, which could plausibly come packaged with Apple One and Prime memberships respectively.
While the arrival of Big Tech in the VPN space makes plenty of sense – after all, each company already possesses the necessary infrastructure – whether the move will repair damage to the reputation of these companies where privacy is concerned remains to be seen. It certainly didn’t work out particularly well for Facebook.
Others, meanwhile, believe next generation VPNs will integrate emerging technologies to take user privacy to the next level, concealing browsing activity from the provider itself, as well as the ISP.
OrchidVPN, for example, is a peer-to-peer VPN service that uses blockchain technology to settle payments, protect anonymity and cut out market middle men. Instead of paying a monthly subscription fee, users are charged based on usage and transact using the network’s native cryptocurrency.
“Orchid’s blockchain-based solution lets people combine VPN providers and configure multiple ‘hops’, so no single provider can see the whole picture” wrote Dr. Steven Waterhouse, Orchid CEO, in a written Q&A with TechRadar Pro last month. “In the event a given VPN server is hacked, only a trace amount of data would be exposed.”
According to NordVPN, meanwhile, the maturation of quantum computing will play a major role in the development of the VPN. With computers able to crack increasingly complex problems, encryption techniques used by VPN providers will need to become more advanced by the same magnitude.
“Instead of a current bit-based binary system, where end values can only be expressed as 0 and 1, next generation computing will introduce qubits,” said Marijus Briedis, NordVPN CTO. “In theory, qubits can store states in superposition, allowing a dramatic increase in the efficiency of calculations.”
“Quantum computing will make people rethink the very nature of cryptography and rely on completely different mathematical problems in order to invent new cypher-suites.”
With the potential for so many different technologies to bring about improvements or necessitate change, the future shape of the VPN industry is difficult to sketch out. What’s clear is that the core use cases are going nowhere any time soon.
Businesses will need a way to give employees remote access to corporate assets, especially now, in the aftermath of the pandemic. And, unfortunately, consumers will need a way to protect their online privacy and climb out from underneath the thumb of oppressive regimes.