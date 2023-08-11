The VPN client directs you to Google’s Privacy Policy and Google One’s Terms of Service, neither of which mentions the VPN. This lack of information encapsulates the issue of trusting Google to protect your privacy with a VPN. To trust the VPN, you must trust all Google services because you cannot access the VPN without a Google account. Your Google account is extremely personal, especially if you use Gmail or Google Search. Although Google One VPN encrypts your traffic between your devices and its servers, you likely leave your browser logged into your Google account while you do it.

Therefore, Google knows what you search for online, which emails you receive and where you navigate with Google Maps.

Google’s headquarters are also in the United States, which means it is within the jurisdiction of the Five Eyes and the expanded Nine and 14 Eyes cybersecurity alliances. This means data requested by law enforcement agencies in that country can be shared with other member countries.

Of the 22 countries where Google One VPN is available to users, over half are members of the 14 Eyes alliance. The only member of the alliance where Google One VPN is not available is New Zealand. The app can be downloaded by users in Austria, Finland, Iceland, Ireland, Japan, Mexico, South Korea, Switzerland and Taiwan without being concerned because those countries are not members of the alliance.

Our researchers found it difficult to determine which encryption standard the VPN uses because there is no information on the Google One website, and without being able to select a VPN protocol it’s impossible to know how user data is being encrypted. However, Google does say it uses Advanced Encryption Standard with 256-bit keys (AES-256) – which is a virtually unhackable encryption method used by government agencies to protect sensitive documents – for any data stored in Google Cloud.