
Center for Democracy and Technology Launches VPN Trustworthiness Initiative - infodocket
https://cdt.org/issue/privacy-data/vpns/
======
danShumway
Mainstream IP/identity anonymization should be something we're striving for
online, both for site visitors and site operators.

Tor is the only project I know of (please comment if you know about others)
that removes needing to trust someone from the equation. But Tor is slow and
doesn't have many secondary benefits that make it worthwhile to recommend to
someone who doesn't care about privacy.

VPNs require trusting a third party, so obviously they aren't great for
someone like Snowden. But at least I'm trusting someone I chose instead of
being forced to trust Verizon or Comcast. And at least the speeds are good
enough to use it for _everything_, even normal browsing, without feeling
guilty that I'm stealing bandwidth from journalists. And at least there are
enough benefits that I can recommend VPNs to non-privacy conscious friends and
family members.

I dunno. I view this as an unsolved problem. I have no idea how to solve it.
But I'm very interested in seeing it solved. I'm glad that Tor exists, but I
still don't feel like I could stick it on a router and send literally all of
my traffic through it without significant downsides. Certainly I don't think I
could install it on my parent's router.

Am I being overly critical? Have things improved, or are there any promising
efforts to improve them? I can't even imagine what a technical solution would
be that wouldn't rely on bouncing traffic around a bunch of nodes (which
doesn't seem to scale well) or aggregating everyone's traffic under a central
authority (which is admittedly fragile).

In the meantime I'm using a VPN because it's better than trusting Verizon.

~~~
timbit42
> Tor is the only project I know of (please comment if you know about others)
> that removes needing to trust someone from the equation.

I2P

------
borgdr
Came for a recommendation ... left disappointed.

In the past I found a relatively sane comparison site for most of these
vectors on reddit (that I can now ... not find due to an OS reinstall
literally yesterday).

Ended up going with iVPN for reasons that are currently unknown.

~~~
jen729w
I'm with Freedome purely based on Troy Hunt's recommendation. Pick someone you
trust and listen to them, I reckon.

Every "VPN review" website just seems shady as all hell.

~~~
forapurpose
The people I trust say not to use VPN services; look in past HN discussions of
the subject.

~~~
jen729w
At all, or "roll your own"?

I'm not going to roll my own. I'm using it for basic security and obfuscation;
I'm not a high-risk target. Therefore, a recommendation for a service is still
required.

~~~
forapurpose
I was talking about commercial, third party services. Roll your own can work
better. Tor might be the best option, depending on your adversary: As I
understand these things, it works well against corporate tracking and against
getting swept up in government mass surveillance; but if you have something in
particular to hide from an oppressive government, it may attract attention.

Using commercial VPN services, all you do is shift your Internet gateway from
your ISP to your VPN service provider; it's not clear which one is better.
They also are honeypots: All someone needs to do is compromise the VPN
provider and they have everyone's confidential data. Many VPN providers
(almost all of whom, I'd guess) have poor security practices - security is
expensive; consider how much security your monthly fee buys. It's just a
juicy, high-ROI target.

The creator of Algo, an automated roll-your-own VPN, knows much more than
I do; this is worth reading IMHO:

[https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

All that said, I think you do have a point. I'd try Tor, though.

------
fmajid
It’s a Sisyphean task.

Given how easy Algo or Streisand are to set up, why would you bother with VPN
providers, most of which have questionable practices and would probably not
hesitate to lie on such a questionnaire?

~~~
zigzaggy
I use Streisand and I love it. Easy setup, lots of options, and most
importantly, I don’t have to trust a VPN provider. I do have to trust my cloud
provider. But it’s encrypted and, to my knowledge, pretty much opaque to them.

Either way my primary motivation is to obscure my traffic from unscrupulous
data traffickers.

And Tor is also an option, although I won’t use it.

~~~
fmajid
I'm conflicted about Tor. On the one hand, it (or something equivalent) is
necessary to fight traffic analysis, but it also slows you down dramatically,
and a significant proportion of its users in the US at least are involved in
serious crimes like pedophilia, which is why I would never consider hosting an
exit node:

[https://www.wired.com/2014/12/80-percent-dark-web-visits-relate-pedophilia-study-finds/](https://www.wired.com/2014/12/80-percent-dark-web-visits-relate-pedophilia-study-finds/)

------
duxup
So is this just going to be a list of Q and A that VPNs fill out?

~~~
bigiain
So we're going to identify untrustworthy VPN providers - by trusting they'll
answer these questions honestly. Right. <closes tab>

~~~
danShumway
I guess this allows you to at least hold them accountable if they mess up?

Although the nature of a VPN is that it's going to be very hard to tell if
they mess up. I agree that this feels a bit like trusting trust. I'd be a
little more interested if part of this process outright required an
independent security audit or something with the results made public.

They go right up to recommending that some kind of independent auditing board
be made, and then just say, "but we don't have the resources to do that."

