Open a magazine, newspaper, your local nightly news or almost internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere.
Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):
- KeepSolid VPN Unlimited Review
- Review of Private Internet Access (PIA)
- Honest review of the ProtonVPN service
- Honest review of the Tunnelbear VPN service
- VyprVPN Review
- Review of HideMyAss VPN (HMA)
The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?
A new player in the hardware category is LTE WIFI Hotspot service provider Karma.
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc.
It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control.
In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan).
Is it worth it?
I have not had a chance to test the device so everything written here is based on the documentation.
I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".
A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and its track users [here is an article that talks about TOR deanonymization].
As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.
There is an easy to implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here.
Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP but they can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. Tunnelbear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised.
Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection.
Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken why careless users.
My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.