College students may think VPN’s are safe…but they’re wrong

Illustration by Kelsey Mason

The Journal of Behavioral Addictions in 2014 found college students in the United States average 8-10 hours a day on a smartphone. Just a smartphone. 

Reading that statistic made me curious to check my own screen time in my phone settings, and  I found my usage average to be 1 hour and 50 minutes a day. I pick up my phone on average 108 times a day and receive around 117 daily notifications. For my laptop, I averaged around 7 hours of screen time per day. 

Combining my laptop and phone usage, I average 8 hours and 50 minutes a day of screen time. Then I remembered if I watch Grey’s Anatomy or Friends after a long day of school work, I have to add those hours too. Turns out, that statistic describes my daily life. 

A fact is a fact: our modern lives are deeply wired into our technology, and I know I’m not the only one. 

For the amount of time we spend staring at screens, we don’t think often enough about the negative sides of technology. Maybe you’ve read about the impacts on your mental health once or twice, or how screen time takes away from friends and keeps us from exercising. We know a lot about how our personal lives can be affected by technology, but what about our personal data and information? 

Brandon Bowlin, Chief Information Security Officer at Boise State, is responsible for all cybersecurity information and activities on campus. Bowlin is also the Executive Director of IT Governance Risk and Compliance. Bowlin works with departments around campus to secure employee data, student IDs, social security numbers and other sensitive information. Bowlin monitors Boise State’s network and blocks malicious websites, phishing attempts and malware with the security team.  

Bowlin discussed how he has been in the cybersecurity industry for 30 years and was scammed recently. 

“I would also say anyone is susceptible,” Bowlin said, referring to malware. “It’s getting much harder to detect scams as well, especially with a lot of AI-generated content. A lot of the traditional kind of flags with bad grammar misspellings … you’re not seeing that anymore, because they’re using AI to actually kind of perfect this and make it much harder to realize that this isn’t legit.” 

College students are more vulnerable to online scams than the average Joe. 

This year, a 15% increase in cyberattacks against educational institutions was discovered according to Check Point Software’s Threat Intelligence Report. The report stated that 2,507 attacks were recorded in the first months of 2023 per college institution per week. 

“College students in particular are heavy targets,” Bowlin said. 

While there are installations and apps that can hide malicious software in its systems, such as TikTok when it was banned nationally in 2022 via  the No TikTok on Government Devices Act, there are other less obvious installations that can attack users. 

One VPN in particular has caused trouble for Boise State’s network and its users: Hola VPN. 

“VPN is a virtual private network … by connecting to a VPN, it essentially puts you on to another network. So for example, for most of the staff members there’s a VPN provided by Boise State that if we are working from home, we can connect to the VPN and then be able to access internal resources on the Boise network,” Bowlin said. “The flip side is that it provides a secure mechanism so that if you are on a VPN, only that VPN provider can actually assess your network traffic.” 

Hola VPN was developed by a company named Hola Networks Ltd, headquartered in Netanya, Israel.  

Eric Kollmann, Deputy Chief Information Security Officer at Boise State, knows how bad actors can target students as scapegoats for their malicious data.  

“One of the big things we’ve seen over time has been peer-to-peer VPN software,” Kollmann said. “It sounds great. Everyone wants to protect their traffic with VPN. A lot of times they download Hola VPN, it’s a peer-to-peer one but what happens is it puts you in the end of a bigger, larger network that lets people route their traffic through you.” 

A peer-to-peer network (P2P) is when two or more devices share a connection of files, data and information. 

“Students have been primarily using this all the time,” Kollmann said. “What they didn’t realize is now their machine became a node for bad actors to route traffic. So everything that was happening on that machine whether that was attacking third-party websites, sending spam stuff was all tracking back to their machines. We put blocks on that product specifically and a few other peer-to-peer VPN products.” 

Boise State has been on email blacklists before due to email spam sent from the Boise State network traffic according to Kollmann. “Bad actors” or digital criminals attack software that their device and their target’s device share such as 

For example, if a student has Gmail and a bad actor has Gmail, that bad actor will attack the Gmail they share on the peer-to-peer network like a VPN. Any traffic a bad actor creates on his or her device is hidden in the peer-to-peer network he or she shares with the student. 

“Because you’re one of those nodes on that network, the traffic now goes out your IP address,” Kollmann said. “It attacks whoever that third party is, the response comes back to you because you would have initiated it from the VPN perspective and then it routes back to whoever the original person is.” 

Any shady activity a digital criminal would want to hide, he or she can hide in your computer via sharing a VPN like Hola. 

“Any investigation by police … they’re gonna track back to you the node that was there, the IP address was actually attacking and they won’t be able to tell any difference,” Kollmann said.

Online savviness is critical to every digital consumer, especially in days where even cybersecurity officers can fall prey to a scam. 

Leave a Reply