
How Long Before VPNs Become Illegal? - nthitz
http://torrentfreak.com/how-long-before-vpns-become-illegal-120615/
======
ChuckMcM
Never of course. To make them illegal would force the question of a
constitutional right to privacy. So in the US at least it won't happen.

That being said, I expect various people to continue to obfuscate and make it
confusing. At some point I expect a 'VaaS' type service to be announced with
pretty compelling economics, and it will be impossible to tell that the
service provides access to certain third parties.

Phil Zimmerman is doing his part with Silent Circle. That too is looking to
force the question.

~~~
aqme28
Privacy as a Service sounds like a very plausible business model for the
future (or even today).

edit: I forgot about this[1], so apparently it already exists!

[1]: [http://news.cnet.com/8301-31921_3-57412225-281/this-
internet...](http://news.cnet.com/8301-31921_3-57412225-281/this-internet-
provider-pledges-to-put-your-privacy-first-always/)

~~~
AncientPC
Tor has its own issues (difficult set up, high latency), as well as VPNs
(single point failure / tracking, US-based companies must obey warrants).

Perhaps there's an opportunity for a company based in Switzerland to run a
private TOR network for obfuscation with guaranteed bandwidth. Private TOR
network has its own problems though. You need a large number of users to
anonymize each other's data, and the block of assigned IPs can be treated as a
single entity and blocked / rerouted as a result.

~~~
lambada
I'd argue Tor has removed the difficult set-up recently. Now it's as simple as
downloading the recommended Browser Bundle, run it and you get a standalone
(branded?) Firefox completely set up and ready for Tor surfing.

Admittedly, it is still complicated to set-up your existing web-browser to use
it, and latency is still a huge issue - not helped by the limited number of
exit nodes.

------
fleitz
They'll never become illegal, it will just become like guns in crime, use a
VPN, get an extra 5 years for whatever your thoughtcrime might be. Paid with
bitcoins? Here's 10.

------
jfoutz
The day after there are no legal requirements for handling health care data or
financial data on the internet.

------
grecy
Maybe they won't be outright illegal, but I could see laws being passed so
VPNs must keep extremely detailed logs of users and their activity, thus
making them useless as a way to mask online activity.

~~~
AncientPC
What happens when you use an off-shore VPN that doesn't keep logs?
TorrentFreak listed a bunch of them with their respective privacy policies:
[https://torrentfreak.com/which-vpn-providers-really-take-
ano...](https://torrentfreak.com/which-vpn-providers-really-take-anonymity-
seriously-111007/)

~~~
grecy
Sure, that's a good way around it right now.

But I can also see America forcing their will on other countries and forcing
them to keep detailed logs too (let's face it, the UK is right there with
America)

Countries like the one that hosts TPB may hold out as long as possible, but
eventually the rest of the "internet world" could just ban those IPs or
whatever. (just like they are banning the TPB IP now).

What I'm saying is, I can see the day where it's illegal or extremely
difficult to use a VPN anonymously, from any country.

------
jkap
It seems unlikely that VPNs will ever become completely illegal, at least not
in the US. Too many very large companies use them for Congress to consider it.
They may make them illegal for non-corporate uses, but that would be difficult
to enforce and overall useless.

~~~
noarchy
I can easily see governments forcing ISPs to blacklist the IP addresses of
known VPN servers. I'm only slightly surprised that this hasn't happened yet
in the UK and other such places. The first step is to try to ban direct access
to websites. Then they'll likely try to ban the workarounds. Yes, power users
will always find a way around these things, but it will work to stop many, I
suspect.

And as for corporate/government VPN users, maybe this will be an excuse to
introduce a VPN "license" for those who will be allowed to use them.

~~~
wtracy
The big tech companies I've worked for use VPN heavily for remote workers, so
my first reaction was, "This could never happen."

But now that you mention it, I could see a situation where domestic VPN
providers are forced to log user data (or be on the hook for copyright
violations when the VPN is used by employees) and ISPs are strong-armed into
blacklisting overseas VPN providers. That's actually kind of scary.

------
res0nat0r
Perfect time for another episode of:

Betteridge's Law of Headlines: "Any headline which ends in a question mark can
be answered by the word 'no'".

~~~
Karunamon

        Q: How Long Before VPNs Become Illegal?
        A: No.
    

Doesn't flow too well here ;)

~~~
chc
Eh, it very well might be the best answer. It's a "Have you stopped beating
your grandmother?" kind of question. Perhaps the famous Zen non-answer "Mu"
would be better, but "No" is about as close an English equivalent as you'll
get.

Q: How long until they ban VPNs?

A: No. Just no.

------
jcr
Never. The article is mostly fear mongering on a slow news day. The reason why
it would be impossible to make a "VPN" illegal is simple; Internet commerce
transactions are done over an encrypted tunnel (httpS via SSL/TLS), and there
is really no simple technical differences between one kind of secure tunnel
and another.

For those that don't know, SSL/TLS based VPN's do exist, and the most common
implementation is OpenVPN. It's based on the same OpenSSL (library) code that
your web browser is (most likely) using.

<http://openvpn.net/>

The SSL/TLS based VPN's use " _only_ " 128 to 160 bit encryption, and if your
tin foil hat is on tight enough to cut off your circulation, then this fact
makes you nervous. You can run OpenVPN via UDP over a "tun" interface (OSI
Layer 3) or even a "tap" interface (OSI Layer 2), and compared to many VPN-ish
alternatives, it's pretty fast in my tests.

The other common light-weight approach to VPN's is using PPTP (Point to Point
Tunneling Protocol). I have _NOT_ (recently) studied the crypto employed in
PPTP implementations, but I'd guess it's nearly on par with SSL/TLS. It's been
eons since I've messed with PPTP, so I'm going to keep my (outdated) opinions
mostly to myself. The most fair thing to say is there is (can be) some crypto
involved, and it can be pretty fast.

Though I'm currently working on some OpenVPN stuff for firends, I personally
prefer the more (ahem) sophisticated (read: difficult and complicated) VPN
solutions based on SSH, or better, IPSec. They are a lot more work, but they
tend to be more robust and more resistant (when done properly --and any VPN
done wrong is just a false sense of security). The down-side with SSH based
tunnels is there is a greater performance overhead with TCP based connections,
and hence, you get reduced throughput. IPSec is better, but it's even more
difficult to get right.

For a lot of testing I use Tunnelr.com. They offer both OpenVPN and SSH
(SOCKS) based VPN's for a cheap price.

<https://tunnelr.com/>

It's kind of sad that privacy is being equated with piracy, but the "lump it
altogether" folks are idiots. There are actually _lots_ of extremely good (and
legal) reasons to use both VPN's and other types of secure connections...
--Every time you buy something from Amazon or similar, you're most likely
using a secure connection.

The original article has a link to:

[https://torrentfreak.com/which-vpn-providers-really-take-
ano...](https://torrentfreak.com/which-vpn-providers-really-take-anonymity-
seriously-111007/)

Sadly, the above listing of data retention policies of various VPN providers
is already out of date. For example, iPredator (from the folks at
ThePirateBay) are now logging IP address in accordance with the EU data
retention laws going into effect in Sweden.

[https://blog.ipredator.se/2012/03/the-question-of-data-
reten...](https://blog.ipredator.se/2012/03/the-question-of-data-
retention.html)

The iPredator/TPB blog post is intentionally distracting and painfully vague
on details about the logging they've implemented to comply with the law.
(NOTE: I stumbled on the poorly named iPredator service of TPB because they
offer PPTP based VPN's.)

The same may or may not be true of other EU based services listed in the
TorrentFreak link above. See the following for reasonably updated info:

<https://wiki.vorratsdatenspeicherung.de/Transposition>

If you do any work on Computer Vision (CV) or other types of image/video
analysis (Machine Learning) based on data downloaded from the Internet, you
need to be extremely careful. When you have scripts/programs/spiders
downloading (image/video) data for you, your never know what "kind" of data is
on the other end of any link, and that data may very well be illegal! --It
sucks, but this is the reality everyone lives with. If you take a step back,
you'll realize how normal browsing of the Internet is really no different than
running your own spider to collect data. Every link you click is a potential
violation of some law.

~~~
kfreds
OpenVPN supports all ciphers supported by the OpenSSL library, so you can for
instance get 256 bit AES-CBC if you want. I´ve seen benchmarks with one tunnel
running >400 Mbit, so you can certainly get some nice performance.

PPTP* is broken, and should only be used for anonymisation, never to ensure
confidentiality or integrity of the data in the tunnel. PPTPs encryption
scheme is MPPE which is based on RC4, and tunnel traffic can be decrypted in a
matter of minutes unless the key is sufficiently strong. This is almost never
the case since the password is the only thing used for key material. IMHO this
is pretty much irrelevant anyway since you can do a MITM attack to hijack the
connection or downgrade the session to not use encryption. So basically the
encryption doesn´t matter.

* I´m told the exception would be to use PPTP with EAP-TLS which is certificate-based. However I don´t have any experience setting that up, so I´m staying quiet on that one.

As for data retention, I don´t see how VPN providers have any obligation to
log. And even if they did perhaps a little bit of collective civil
disobedience might be in order?

Full disclosure: I run a VPN service.

~~~
jwr
I don't know which VPN service you run, but I looked at tunnelr and the
showstopper for me is that it _only_ supports OpenVPN.

In order to use VPNs on my Mac and on my mobile devices, I have to pay for two
separate VPN services, which is a deal breaker.

I would much rather use a service that supports both OpenVPN and PPTP, with a
bunch of disclaimers. I understand the tradeoff and I am willing to make it.

~~~
jcr
You might want to take a closer look at tunnelr.com. They _do_ support both
OpenVPN and OpenSSH based tunnels, and both of these work fine on MacOS. I
don't own a "normal" Mac, but I did see MacOS tutorials on their site, in
fact, there are two tutorials, with each using a different method.

You were a bit vague when simply stating "mobile device" but if memory serves
me, Both OpenVPN and OpenSSH will work on some "mobile" platforms (Android,
iOS, etc.). I've never tried it personally, and I don't know what kind of
"mobile device" you use, so for your specific case, I could very well be
wrong.

Using OpenSSH via SOCKS support in applications or by using a SOCKS-Wrapper
like "DSOCKS" by Dug Song or similar ("Sockify for windiws, etc), take more
effort than running OpenVPN. It might take more effort, but if you don't mind
the hassle, it's most likely more secure than the common alternatives
(OpenVPN, PPTP, etc.). The only thing better than OpenSSH (in my opinion)
would be using a correctly configured IPSec implementation. But getting IPSec
right makes OpenSSH look very easy.

You might want to note how in this discussion both Fredrik Strömberg (kfreds
-runs the Mullvad VPN service) and myself have intentionally tried to avoid
disparaging PPTP. Whether good or bad, a lot of people like PPTP for various
reasons, and a lot of VPN services offer it as an option. Other than for the
sake of curiosity, learning, and experimentation, I would never use PPTP. When
it comes to both security and privacy, PPTP has many known problems and some
VPN service providers refuse to support it due to these issues.

Trying to be fair to those who like PPTP is being a bit too generous since the
security and privacy of people is at stake. None the less, development work is
still being done on PPTP, and it has supposedly made some improvements over
the years.

EDIT: I misspelt Fredrik Strömberg's name. Sorry. (sigh).

~~~
jwr
iOS devices do not support OpenVPN nor OpenSSH. You can use L2TP, PPTP or
IPSec for VPNs.

So, I can either pay for tunnelr.com and have zero VPN support on my iOS
devices, pay for two separate services, or switch to a provider that supports
both. I suggested that while it's fine to tell people not to use PPTP, some of
us will _still_ want to use it, because it is better than nothing at all
(please don't make me argue that it really is better than no VPN at all).

Here's a statement of fact: at present, the only reason tunnelr.com does not
get my money is because it does not support PPTP alongside OpenVPN.

~~~
jcr
> please don't make me argue that it really is better than no VPN at all

No argument at all from me. ;)

What you've said seems blatantly pragmatic to me. --It's sad how so much of HN
these days is pointless arguments. Sure, it's good that we're accurate in what
we say, and fair about it, but every word we utter should not lead to an
argument. Oh well...

Anyhow, I did find one SSH app for iOS (iPad) when I last looked, but I still
agree; Whether or not it's possible to get other apps to play well with SOCKS
would be a real headache.

I'm not a real iOS user, but I have helped my parents with their iPad a bit.
I'm curious how much of a pain it is on iOS to get IPSec set up properly?

IPSec can be really tricky to set up properly, but once you've got it right,
it's the very best VPN solution. A lot of companies have tried to make IPSec
more "usable" and "user-friendly" on desktops, but it's still an unwanted pain
for users. For admins, testing it for leaks is often a convoluted nightmare.
The thought of attempting both the setup and testing on a mobile device
(iOS/Android) makes me shudder.

------
eli
_...it’s by no means unthinkable. In Iran, where a quarter of all Internet
subscribers use VPNs, the government has already announced a crackdown on
privacy-enhancing tools that bypass local law._

Err, yeah. That's not a very convincing argument.

~~~
ajross
You took that quote out of context. It was speaking to feasibility, not
policy.

~~~
eli
I don't think that's out of context at all, so I guess I'm reading it
differently than you are. Seems clear to me that they are saying it happened
there so therefore it could happen here.

------
7952
I find it hard to believe that governments can ever do anything to stop file
sharing in the long term. The more things are forced underground the harder
they are to stop. The DMCA was intended to stop piracy but ultimately gave
legal cover to numerous sites that would otherwise have been sued out of
existence.

------
guard-of-terra
You should notice this is orchestrated by countries with consistently high
scores on various internet freedom ratings. They turn blind eye on any
violation if it's reasoned with IP protection, and they crack down on other
countries for rumors or vague plans on blocking some sites or just "because".

------
pasbesoin
IIRC, prohibition of VPN-type "circumvention" was already part of one or more
draft legislation initiatives in the U.S. -- serious initiatives. I'm not
sure, but was it part of the early SOPA/PIPA drafts -- a portion that was
moderated or removed as part of the "appeasement" efforts of the legislation's
proponents?

In summary, it's my recollection that this is already being pushed for, in and
by the U.S. government and/or its lobbyist "masters". And they don't have to
outlaw all VPN connections -- just establish either legal justification or
extra-judicial powers to harass and/or arrest you if you can't qualify and
justify your use of a VPN to their satisfaction.

Keep in mind: They don't have to apply such powers universally. Just enough to
provide the desired effect.

------
altrego99
Kind of a side point, as many people join and use the tor network, will the
speed of tor increase - or atleast move towards the average Internet speed in
the world?

Edit: Only reason why I don't use tor yet is that everytime I tried, speed was
slow. Thanks for the opinions on the question.

~~~
hack_edu
It should definitely get better over time, but the latency issue is pretty
tough to get around. Bouncing between a half dozen nodes, surely back and
forth across an ocean once or twice between each request and piecing
everything back together, is a pretty tough problem to solve. Especially when
a disproportionate number of nodes seem to be located in Central Europe.

Its also an issue that most exit nodes restrict their outbound speed and ports
they route outward. Without restricting the speed in my tor configuration my
exit node holds a constant 10/MBs all day even with only common ports open.
Once you stop restricting ports you'll be getting multiple cease-and-desist
notices within a matter of days since all your traffic will be absorbed by
torrents.

Someone will likely come up with an equally/more secure option before Tor gets
all that close to your average user's connection speed.

~~~
coolnow
People torrenting over Tor make my blood boil.

------
Malic
Assuming Google's SPDY protocol catches on wide-scale (which is likely, I
believe), then SSL will be pervasive; SSL is a requirement of SPDY. At that
point, most web traffic will be encrypted.

------
rsanchez1
They'll become illegal when Obama wills it. SOPA/PIPA/CISPA don't matter now
that Congress is irrelevant.

