Private Internet Access VPN Open Source Repository (github.com/pia-foss)
58 points by rasengan on Feb 16, 2020 | hide | past | favorite | 18 comments



Even with this open source repo, it is still hard to trust PIA after the Kape acquisition [1].

1. https://news.ycombinator.com/item?id=21612488


Here's a thread where PIA's co-founder actively engaged in discussion to clarify similar concerns raised (at the time): https://news.ycombinator.com/item?id=21679682


> PIA's business is built on trust and rasengan decided to hire Mark Karpeles as their CTO. I honestly can't think of anyone who I would trust less as a CTO than Mark Karpeles. I'm not being sarcastic, I genuinely can't think of someone as bad as Mark for a role like CTO. There's not a chance in hell that I'm going to give PIA another cent based on that alone, even ignoring the most recent Kape debacle.

That thread fails to explain why PIA hired the former CEO of Bitcoin exchange Mt. Gox as their CTO.

By comparison, that's like hiring Rudy Giuliani as your Chief Legal Counsel, Elizabeth Holmes as your CEO, Madoff as your CFO, or Rush Limbaugh as your Chief Diversity Officer.


There is no reason to trust them just because their CEO actively answers people's concerns by saying "Please don't worry, please trust us!", but I also wonder: if they were trying to be evil, why make it so obvious by putting known bad people in C-positions? Why not just have these people work as anonymous "consultants", doing all the evil under the radar?


I don’t want anyone to trust us. I want people to verify [1]. If you rely on trust in any system, be it VPN or other, you’re going to have a bad time.

Secondly, Mark was not hired to PIA. He was hired to LTM and I posted a blog post about it [2] to fully explain the world I am a part of. I stand behind my decisions, and no matter how many times people try to make up some conspiracy around it, I will make the same decision every time, because I want a world that gives second chances, even if I have to build it myself.

[1] https://www.privateinternetaccess.com/blog/2019/12/dont-trus...

[2] https://www.privateinternetaccess.com/blog/2018/04/why-i-hir...


I read your blog, but how does one actually verify PIA logs or not for example? It seems there is always going to have to be some level of trust involved.


PIA never hired Mark as the CTO, and he never worked at PIA.


Correct, I was wrong. Mark is the CTO of the parent company, which in its own copy describes itself as: "LONDON TRUST MEDIA, Inc. is the world's first privacy and security focused accelerator and owners/operators of Private Internet Access, the world's leader in privacy online."

Who doesn't trust a name like London Trust Media.


This is exactly why we have become the most transparent VPN and are continuing to become even more so.

1. No other VPN provides its financials and management/ownership info publicly. We do.

2. All of our apps are open source.

3. We are introducing a random audit program.

We want verification, not trust [1].

[1] https://www.privateinternetaccess.com/blog/2019/12/dont-trus...


So they've open sourced all their clients? The clients weren't the issue. I'm glad to know there is less likely to be a problem with getting data from my computer to their servers ... but what happens on their servers is the issue. How do I know they don't save logs, snoop on data, log DNS requests, etc.? No amount of Open Source software they release will be able to prove that, since we will never know with 100% certainty what software is running on their servers.


Pretty much by definition you have no idea what happens on someone else's server; it is always a trust issue. The fact that there haven't been any cases involving leaked data is as good as it is going to get.

I don't really understand this line of questioning, though, because the use case of a VPN isn't you hiding Iranian nuclear secrets from the NSA; it's mostly just useful for circumventing region locks or sending DMCA requests to /dev/null.


> the fact that there haven't been any cases involving leaked data is as good as it is going to get.

No. No proof of leaked data is a basic requirement for trust, but at the end of the day, PIA is now associated with known criminals. Unless they can continuously provide impartial audits of their server operations (they can't), then they have lower trustworthiness than any other VPN I know of.


Good luck with other VPNs. Let me know how that works out for you.

Meanwhile, we will continue to stand true to our principles at PIA as the only proven no log VPN provider.

I’m biased because I know PIA doesn’t log, but given all the VPNs caught logging and/or overall operating with remedial practices (IPvanish and PureVPN caught logging, NordVPN using default passwords, etc.), even if I wasn’t biased, I would choose the VPN who has a proven no log policy and proven technical know-how.

And that’s Private Internet Access - that won’t be changing while I’m here.


This whole situation makes me feel weird and is giving me trust issues and confusion towards VPN providers. Still, being able to compile the client from source is better than not being able to do so.


Thank you for following up on your comment from November.

https://news.ycombinator.com/item?id=21613267

Some of the repositories are a couple versions behind, but this is a nice effort, and I appreciate it. Now that PIA, Mullvad, and ProtonVPN all offer open source clients, this should eventually become a baseline expectation for all VPN services.


You’re welcome!

Next up is transparency to our servers and the random audits!


On closer inspection, it doesn't look like PIA's Android client is open source. This repository does not appear to be the Android app, despite the name and description:

https://github.com/pia-foss/android-openvpn


Can it bypass VPN if it has the IP address of the device?



