Jigsaw, the Alphabet-owned firm formerly known as Google Ideas, has announced a new free VPN (virtual private network) software package called Outline. The new open source VPN serves as a way to protect journalists, activists, and others who need a secure service to protect sensitive data or vulnerable individuals, though there’s no reason why other organizations or individuals can’t take advantage of it.
Outline was designed as VPN software rather than a VPN service, to avoid the problem of having to find a trustworthy company. Jigsaw explains:
Outline makes it easy for news organizations to set up a corporate virtual private network (VPN) on their own server to more safely connect to the internet and keep their communications private. Millions of people around the world already use VPNs to get access to important information, but VPNs aren’t always reliable or safe. Most VPNs require you to trust a third-party organization with your data, which means you’re not always sure who’s running the servers and providing your access to the internet. Some VPNs don’t even use encryption.
Outline gives you control over your privacy by letting you operate your own server. And Outline never logs your web traffic. We made it possible to set up Outline on any cloud provider or on your own infrastructure so you can fully own and operate your own VPN and don’t have to trust a VPN operator with your data.
The company claims Outline uses 256-bit AEAD (Authenticated Encryption with Associated Data) and is meant to resist both probing and protocol fingerprinting. Jigsaw claims that the software is easy to use, cheap, and can be configured either on a local server or as a cloud service if you don’t have your own infrastructure.
Digging in further, Outline is an open source software kit that’s been independently audited by Radically Open Security. Jigsaw then worked with the latter firm to remedy various issues. Readers should know, however, that security audits are extremely complex and typically take months to thoroughly evaluate a piece of software. This audit, for example, notes that “we did not explicitly test for general flaws in Shadowsocks or the effectiveness as resilient tool to circumvent network filters.” (Shadowsocks is an open source encrypted proxy that can also proxy UDP traffic and is widely used in China to circumvent the Great Firewall.) Our point here is not to imply that Jigsaw or ROS conducted the audit in bad faith, but that the words “security audit” are no guarantee against a security flaw or bug in code that was not audited.
With that aside, this type of hybrid cloud service gives organizations more power over their own data while simultaneously providing hosting options much more cheaply than what we might have expected to pay years ago. It’s an example of how the cloud can be used to help people protect their own data, rather than exposing it as a frickin’ feature of an online service.
Jigsaw might not have intended the debut to drop alongside Zuck’s frantic, failed defense of Facebook’s data policies and Cambridge Analytica’s exploitation of the same, but it’s a noteworthy parallel. If you want to protect your data, protect it yourself. It’s a woefully inadequate prescription for our times, but it’s also the only thing you’ve got.