WARP is not a VPN for privacy
You may have heard earlier this year that Cloudflare was planning a mobile VPN called WARP. Today, 9/5/19, Cloudflare has officially opened its WARP “VPN” feature on its popular 1.1.1.1. DNS encrypting app to the public – and it’s important to note that WARP is NOT private. What most people don’t notice is that the app passes along your IP address to the destination. Cloudflare first announced their WARP VPN on April 1st of 2019 when they also started a public waitlist. WARP was built on technology which Cloudflare first got its hands on when they acquired Neumob in 2017. More specifically, WARP is a Wireguard VPN. That doesn’t mean that the Wireguard technology, which is powerful and promising, can’t still be intentionally misconfigured to pass along the user’s IP address – or other “random” user-specific identifier – to the destination.
1.1.1.1. WARP mobile VPN is not for privacy
While the original 1.1.1.1. Mobile app sans VPN technology provides a crucial, free service to encrypt DNS queries for otherwise unprotected mobile internet users leaking their DNS queries to public WiFi networks or private mobile data providers, the addition of this VPN widens the amount of trust considerably. While Cloudflare does have an extensive privacy policy for WARP, that doesn’t change the unique potential for privacy disaster. As Lily Hay Newman surmises in her article on the Cloudflare WARP announcement for Wired:
[…] Cloudflare already provides foundational services as a content delivery network for 20 million internet properties around the world. So whether you realize it or not, a fair portion of your web browsing traffic likely flows over Cloudflare’s servers every day anyway.
Perhaps that means that also using the company’s VPN doesn’t expose you to significantly more potential privacy risk if the company were to go rogue. But offering a consumer VPN may only further entrench Cloudflare’s influence and power on the internet. […]
Privacy needs to be built into Virtual Private Networks
The number one most obvious symptom of using a VPN (Virtual Private Network) is to give a different IP address to your destination. That IP address can be a shared IP address, it can be a fixed IP address – whatever it is it should be different than the originating IP address if it is to be private. While there arguably are uses for a VPN that doesn’t provide this key feature, they aren’t anywhere near as numerous. One might also argue that this is a must-have feature that is expected of any one click solution mobile VPN that offers VPN service with zero user configuration necessary.