
VPN Services That Take Your Anonymity Seriously - chaostheory
http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/
======
confluence
If I were a governmental entity - I'd go ahead and set up my very own honeypot
VPN provider. I'd then log everything - whilst providing exceptional service -
and play the long game - collect as much data from people who self-select
themselves as requiring large amounts of anonymity (the paranoid/people who
can't access Hulu overseas/criminals/terrorists).

I'd wait a few years and then use said data to slowly infiltrate various
groups - looking to grab the big fish that are hopefully well separated from
the VPN service and then take them down quietly.

Hell - I might even turn a nice little profit on the side.

Reality check: if your credit card details are visible to a third party -
you're not anonymous.

Note: I don't actually believe the above to actually be the case in reality -
but one must remember that stuff like Room 641A wasn't that long ago
(<http://en.wikipedia.org/wiki/Room_641A>).

This is an example of where worst case thinking, despite its negative
reputation, can help protect oneself from falling prey to the faulty
assumptions that bring down complex systems (Will the generators kick in on
time? What if the VPN provider is already compromised? Did we double check
that after cleaning the safety valves - we didn't block any of them?).

~~~
Zirro
"If I were a governmental entity..."

In that case, you would be a governmental entity which does not care much for
the rights of your citizens. Instead, pick a service in a country with a
transparent, low corruption-government. I suggest the Scandinavian countries.

~~~
ptaipale
As a resident of said countries, I'd propose that you should not trust
Scandinavian governments either. The officials are not that corrupt but the
politicians are politicians. Moreover, in these countries there's a widespread
belief that the state can do no wrong, that restricting freedom of speech is
okay if done for a good cause, that censoring the net is a good thing for the
government to do. Even the rule of law can simply be dismissed (it started
with preventing child pornography, of course).

~~~
fulafel
I think the point was that Scandinavian countries are less bad than the
alternatives.

There are restrictions on freedom of speech in just about every country btw.

~~~
ptaipale
Sure there are. But we could apply Dilbert's management theory to this and
split governments to types on axis good/evil (G/E) and on axis
competent/incompetent (C/E). The worst thing you can have is an evil competent
(EC) government.

Therefore I'd say it's more important to have an I government than a G
government, because it is easier for a government to go from G to E than it is
to go from I to C.

~~~
fulafel
So which government(s) have a more favourable equation of agenda+capabilities
towards net freedom? Taken literally, the most "I" countries would be bad
bets: <https://en.wikipedia.org/wiki/Failed_state#2012>

Remember that it was US pressure that drove the recent unpleasantness in .se
and TPB were able to successfully defend themselves there for many years - and
most countries currently willing to stare down threats of US trade sanctions
aren't exactly havens of privacy and net freedom.

The pro net freedom countries currently correlate with G&C governments, it
seems.

~~~
ptaipale
Yes, extreme incompetence is not good. BTW I haven't seen much evidence about
US pressure regarding unpleasantness in .se (I assume you mean Assange).

Anyway, I sort of like the incompetence level in Greece. They haven't been
able to set up a land registry, so that the government could collect property
taxes. That sounds promising from the point of view of setting up a privacy-
respecting net service. There is a mostly reliable supply of electricity and
communications, and it's not a very bad place to live.

------
cmpctyd
VPNs are constantly being mentioned as a solution to companies, governments,
etc attacking privacy but it's extremely easy to make a bad choice and end up
with more than you bargained for (a VPN run by someone you were trying to
escape, for example).

It is still possible to do the following:

1) Wiretap the VPN.

2) Correlate with bandwidth/time.

3) Keep logs as a VPN provider.

4) Hack the VPN and do something evil (log, change content)

5) Block access to/from the VPN.

6) Correlate access logs with the VPN IP address (not always applicable, not
all providers give unique IP addresses)

The VPN provider doesn't have to _want_ to betray you to do so.

I could create "ProTurboVPN" and promise "anonymity", privacy and no logging,
"nobody's touching your data!" but it won't stop the above problems.

Even if I want to save the world as a VPN provider, I might not be able and
it's safer to remember that than pretend I can and in the process, get someone
into trouble.

------
acabal
I'm starting to feel like anonymity on the internet is going to be one of the
most important challenges in the next decade. Especially with stuff like 6
strikes starting the ball rolling (today it's warning messages, in ten years it
might be disconnection for breaking any of modern society's myriad and
unfathomable laws).

The internet wasn't built with anonymity in mind; eventually an IP address has
to be tied to a paying customer. Is there any way we can build on today's
technology to ensure anonymity on a grand scale? I.e., so that your grandma is
surfing anonymously, even though she doesn't know it, using the iPad she just
bought?

~~~
robinh
The answer might be something like Tor.

~~~
nikster
Not something like, the answer is TOR. That's exactly what it is for.
Anonymity.

~~~
plg
but with Tor you are only anonymous at the exit node, right? Sure, your ISP
(or anyone else listening in) doesn't know WHERE you are connecting to, when
you use Tor, but if the connection isn't encrypted (for example using SSL or
ssh) then they sure can listen in to WHAT you are sending and receiving. In
other words if the traffic between your computer and the Tor entrance node is
not encrypted (and it wouldn't be unless you are using SSL or ssh), your ISP
(or any third party listening in on that traffic) can read everything you are
doing. Or am I mistaken?

~~~
samdk
You're mistaken. With Tor you are (in theory) anonymous at every leg of the
journey. The only connection Tor doesn't encrypt is the connection between the
exit node and the server you're connecting to, which is unavoidable. Your ISP
can probably tell you're using Tor, but they won't know what you're sending or
what its ultimate destination is.

In a little more detail, when connecting through a circuit of Tor routers R1
-> R2 -> R3, the encryption looks something like this.

    client <- E1(E2(E3(msg))) -> R1 <- E2(E3(msg)) -> R2 <- E3(msg) -> R3 <- msg -> server

It's not perfect, though. If you can see the traffic between the client and R1
and between R3 and the server and you're being reasonably clever you can
probably break Tor's anonymity. (This is what's called an 'end-to-end
correlation attack'.)
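
The layering samdk describes, as an added example that is not part of the original comment and is not Tor's own code: a toy three-hop onion showing which relay learns the sender, the next hop and the message. The SHA-256 keystream, the pre-shared per-relay keys and the names `wrap`, `peel` and `run_circuit` are assumptions for illustration; Tor negotiates keys per circuit and uses different primitives.

```python
import hashlib
import hmac
import os

ROUTE = ["R1", "R2", "R3"]  # constructed relay names, matching the comment

def make_keys(route):
    # Assumption: the client already shares one secret with each relay.
    return {relay: os.urandom(32) for relay in route}

def subkey(key, label):
    return hashlib.sha256(label + key).digest()

def keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream (illustrative, not Tor's cipher).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def seal(key, plain):
    # Encrypt-then-MAC one layer: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plain))
    ct = bytes(a ^ b for a, b in zip(plain, ks))
    return nonce + ct + hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_layer(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered layer")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def wrap(route, keys, destination, msg):
    # Client builds E1(E2(E3(msg))); each layer names only the next hop.
    blob = msg
    for relay, nxt in reversed(list(zip(route, route[1:] + [destination]))):
        hop = nxt.encode()
        blob = seal(keys[relay], bytes([len(hop)]) + hop + blob)
    return blob

def peel(key, blob):
    # Relay removes its own layer and learns where to forward the rest.
    plain = open_layer(key, blob)
    return plain[1:1 + plain[0]].decode(), plain[1 + plain[0]:]

def run_circuit(route, keys, destination, msg):
    blob, sender, views = wrap(route, keys, destination, msg), "client", []
    for relay in route:
        nxt, blob = peel(keys[relay], blob)
        views.append({"relay": relay, "from": sender, "to": nxt, "sees_msg": msg in blob})
        sender = relay
    return blob, views

if __name__ == "__main__":
    for view in run_circuit(ROUTE, make_keys(ROUTE), "server", b"GET /index.html")[1]:
        print(view)
```

Only R1 sees the client and only R3 sees the destination and the message; that last leg is in the clear unless the application adds its own encryption such as TLS.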

~~~
plg
Hey thank you for the clarification!! I didn't realize there was any
encryption at all with Tor. RTFM I guess ;)

------
davepeck
I built GetCloak.com. I draw a hard distinction between privacy and anonymity
and feel that it's disingenuous for VPN services to claim that they offer
anonymity. Here's our take on it:
<https://www.getcloak.com/blog/2011/11/30/word-anonymity/>

~~~
SomeCallMeTim
Too bad you aren't protecting anyone but Mac/iOS users, though. :(

~~~
davepeck
Soon, my friend. Soon. :)

------
rdl
I'd be wary of any service specifically marketing to high-risk activities
unless there are strong technical controls to make it trustworthy.

There are no existing mainstream VPN providers who have strong technical
controls to protect user privacy OR anonymity.

There's Tor, and some other systems like that, which make a stronger technical
case for anonymity.

There's still a place for VPNs, but it's not as an anonymity service.

On the other hand, I'd want all services to have high security built in --
your mainstream mail provider, mainstream note-taking service, etc. Some of
that is technical (a "hostproof" architecture if possible, good internal audit
on administrative interfaces, personnel security, etc.). But then, you're one
of a mainstream company's customers, vs. a subscriber of the "illegal activity
hiding service".

There are "mainstream" uses of VPNs (business, local-privacy, desire to defeat
geolocation, firewall-busting, etc.), for which they're great. There are some
purposes (anonymity) for which they're horrible. There are things like file
sharing in contravention of your ISP's policies or national law where they may
work but might not be the best solution -- I'd really go with a seedbox
instead of running peer to peer traffic over a VPN.

~~~
nachteilig
This is what I'd be really interested in seeing--a list of good seedbox
providers.

~~~
rdl
What I'd really like is a file sharing network more in keeping with the
original "mojo nation" concept vs. what we have with bittorrent.

Tahoe-LAFS might be the best project right now.

------
nonpme
I know that using VPN I "trust" the VPN owner, because he has all the data I
send/receive. I was thinking about such setup: buy VPS (for example: linode;
it would be good to buy one anonymously), setup my own VPN (openvpn) and then
use some external (for example: mullvad) VPN provider. I'm not sure if it's
right or more secure than a regular VPN, without additional steps. Can someone
comment?

I have a couple more questions:

1. How can I use Tor with VPN the most efficient/anonymous way? Should I
connect VPN -> Tor or Tor -> VPN?

2. Can you point me to good resources about privacy/anonymity online and Linux
configuration for privacy?

Thanks for help.

------
vilgax
Quoting from the article it says "We are in compliance with DMCA as all
companies, world-wide, must be." I didn't know that it's applicable worldwide.
Wikipedia article states that it's an American law. Is there some kind of
International treaty or that assumption is false?

~~~
kintamanimatt
You only have to be DMCA compliant if you're in some way based in the US.
Complying with US laws when you're a non-US company is like complying with
Australia's laws if you're a Canadian company.

~~~
robinh
But wasn't there something a while back about how people had to comply with US
law if they owned a .com/.net/.org domain, since these were managed in the US?

~~~
tomp
I think it depends on the definition of "had to comply". If you mean, are
legally obliged to, then no. If you mean, don't want to risk their domains being
seized by the US, then yes.

------
VikingCoder
If I counted right, there were 13 providers listed.

If I had a ton of money, and wanted to be really, really anonymous, could I
pay all of them, tunnel through all of them somehow, and then get 13 layers of
privacy? (And very high latency!)

How about two - are there two of them that I could somehow run one inside the
other? Maybe I'd have to surf from a VM using one of them, running on a
machine using another of them?

~~~
seunosewa
The first one you connect to will have all your data.

~~~
HoochTHX
It's actually the last one that has ALL the data. I am currently using a
chained VPN setup using 3 routers with DD-WRT OpenVPN installed,

PC->Router1(VPN3)->Router2(VPN2)->Router3(VPN1)->Modem

All three encrypted. I am also using Tor on top of this because as someone
else said this is a static version of the onion system. I've pretty much
accepted the fact that if someone chooses to find out what I am doing they
will find a way, but I am going to make it as difficult as possible.

------
ksec
Why would someone sign up for VPN when they could have set up the same thing
with a much cheaper VPS?

Anyway I am currently looking for something similar to Amazon Silk and Opera
Turbo, where the server downloads the page, compresses it and sends it back to
you. Extremely useful for low bandwidth connection, as well as providing half
of the VPN function.

Does anyone know of software / scripts / services that are available?

~~~
Hates_
I would have thought that being the named owner of the VPS exposes you legally
somehow, also that performing something like "illegal file-sharing" would be
against your VPS's TOS.

~~~
icelancer
Yes, this will be an issue - encryption or not.

------
fuzzbang
While there are definitely benefits to using a VPN, they do not provide
anonymity. They provide privacy, and it is not the same thing.

"No one is going to go to jail for you". If a VPN provider is legally required
to log your activity or face jail time, guess what? you're getting logged! To
assume otherwise is just asking for trouble.

All of this is better addressed in this slidedeck.

<http://www.slideshare.net/grugq/opsec-for-hackers>

------
nwh
A VPN provides privacy not anonymity.

~~~
Zirro
Behind an IP-address shared by many, I'd say you're pretty anonymous unless
you give out your personal details. Would you like to explain why you think
otherwise?

~~~
nwh
You are giving your real identity to a company that _claims_ not to keep a log
of your actions. As far as I'm aware, some of these providers give out unique
IP addresses, or at least ones that aren't used by more than a handful of
people. At any rate, determined law enforcement can pressure a provider into
logging incoming connections. I wager that happens quite often.

As another commenter suggested, they could all be honeypots.

If I was going to trust my life to the anonymity of my data transfer, the last
service I would want to be using is a VPN.

~~~
Zirro
If you assume the things you listed are going on at all VPN-services, I don't
see how they supply "privacy" either.

When it comes to law enforcement, I suppose there are differences in which
approach they take depending on where the VPN-service is located. If law
enforcement did what you suggest frequently in the country where I live, it
would be presented as a scandal and would be the death of the VPN-service in
question.

Of course, you must choose a service you trust to not actually keep logs, and
give out non-unique IP-addresses. However, if I lived in a country where I
could not trust my government, I agree with you, I would avoid VPN-services
located there.

~~~
nwh
They protect data in transit. If I use someone else's network my data is
visible to them, not so much if I use a VPN.

------
fiendsan
the only problem with this is trust, you have to trust that these companies
will do what they say, there is no way to confirm it, maybe all of them are
logging and they just say otherwise, and when we are talking about privacy and
anonymity that's a bigggg deal breaker!

also just because they do it now, doesn't mean that tomorrow they won't just
turn on the logging... if you want anonymity and privacy you can only trust
yourself and your own setup, leaving it at the hands of others is a huge
exposure, as a sidenote since you are also using the services of a company
that might attract the wrong sort of people that also might expose you to
potential problems (they give you up wrongfully, bad logs, payments to that
company, the list goes on...)

------
mef
Couldn't a wiretap order compel a VPN company (even one with a reputation for
anonymity) to transparently begin logging any data having to do with the
target of the wiretap? The VPN company does have the capability to log, after
all. Could they just refuse?

~~~
pyre
Depends on what you're trying to do. If you're just trying to escape from the
copyright groups, then it might be enough to just get a VPN in another
country, especially one with weak copyright support. Then you just look like
someone in that country, for the most part. The low-hanging fruit right now
far out-numbers people hiding behind VPN / proxies / Tor.

------
johnpowell
I have a seedbox on OVH. I use sFTP to download from it. And I use a SSH
tunnel to browse through that server. It is about 15 bucks a month. OVH could
give me up but I am one of thousands. There is lower hanging fruit so I don't
worry.

------
tomp
> We are in compliance with DMCA as all companies, world-wide, must be.

Really? Why would a company that has no presence in the US have to comply with
the DMCA? I see that one danger might be having its domain seized, but AFAIK
only if it's one of the domains controlled by US companies (.org, .com, .net,
...).

~~~
rmc
I'm also not aware of what the "European equivalent" of a DMCA the article
talks about is.

Seems like a lot of "didn't do the homework" in this article

------
donniezazen
Will your ISP or government get interested in you if you anonymize your
connection through VPN or Tor?

~~~
noarchy
They might, but as many HNers can no doubt testify, many of us use VPNs for
remote work, and I know a fair number of government workers who do this, too.
It isn't optional; it is a requirement.

~~~
donniezazen
Can one say more number of people use VPN/Tor for legal purposes than illegal?

~~~
noarchy
VPNs, possibly. I don't know, for sure, how many use them for work, versus
those who use them to evade governments. In the latter category it could
encompass things as varied as pirating tv shows, to circumventing the Great
Firewall of China. But Chinese workers use VPNs for remote work, too.

As for Tor, I doubt that anyone is using that for work, but I also doubt that
many are really using it for anything illegal. To be sure, there are the Silk
Road-type sites, but Tor speeds are not conducive to piracy (and Bit Torrent
is highly discouraged on the Tor network).

------
lowglow
<http://valleyanon.com/> - I'm building an anonymous blogging platform to
help people tell their story without fear. I think anonymity online should be
available to everyone and I'd love any feedback you might have.

------
canttestthis
How do these services monitor abusive customers if they don't even log user
sessions?

~~~
RKearney
Did you read the post? Here's just one example:

    Through packet level filtering at the firewall it’s possible to
    apply rules to an entire shared server, blocking the abuse
    immediately. For example, let’s say someone decides to use
    TorGuard to unlawfully promote their Ugg boots business (spam).
    In order for us to block this one individual, we simply implement
    new firewall rules, effectively blocking the abused protocol for
    everyone on that VPN server. Since there are no user logs to go
    by, we handle abuse per server, not per user.

Seems like a silly way to handle it since eventually none of their servers
will be able to access the internet.

------
venomsnake
I hope that some of them will allow P2P inside their networks. That could
solve a lot of problems.

Anyway - does some of the services allow for independent audit of their
systems to confirm that the policies they claim are real and enforced?

