
PIA VPN to be acquired by malware company founded by former Israeli spy - ArcVRArthur
https://telegra.ph/Private-Internet-Access-VPN-acquired-by-malware-business-founded-by-former-Israeli-spies-12-01
======
rasengan
This article and articles like this miscast Kape in an incorrect light. To be
clear, in the past the company was known as CrossRider and provided a
developer SDK that could be used to integrate with browsers. Unfortunately,
CrossRider didn't do enough to prevent malware (like platforms these days and
their fake news) and the platform was used by some bad people for bad
purposes.

When the new management team of CrossRider took over, they immediately ceased
to engage in the previous business and focused on the opposite due to the
insights they gained watching nefarious developers abuse their platform. With
the focus on security and privacy, they changed their name to Kape and further
the new company will be called Private Internet as it will be purely focused
on privacy.

The merger between Kape and PIA affords PIA the resources needed to bring
privacy to the mainstream. The company can now be decentrally owned by the
people, and public reporting requirements are much stronger than those for
private companies. Couple this with a new random audit program we are going to
launch and it's as transparent as it gets, and it's exactly the direction we at
PIA want to go, where our users no longer need to just trust us, instead our
actions are and will continue to be verified.

Ultimately, the choice of VPN is yours, but transparency is verification and
with most VPN companies being incredibly secretive about their operations, who
is behind it, and where they are located, what they do with their funds, etc.
I stand behind the move to bring more transparency to privacy.

The company has always practiced sustainable karma - wherein we do what's best
for the people/what people want, and that allows us to make a living doing
what we love; that's not going to change.

Sincerely, Andrew - Co Founder PIA

~~~
Tenoke
> The merger between Kape and PIA affords PIA the resources needed to bring
> privacy to the mainstream.

You were one of the most, if not the most successful VPN provider for years.
Did you really need more resources? For what?

The main benefit of PIA is the expectation for extra privacy. No matter how
you look at it, selling to Kape is a strong signal that's not a priority.
Similar, for hiring Karpeles to do your security (like he hasn't lost us enough
already).

~~~
rasengan
> Did you really need more resources? For what?

Yes, to bring freedom thru privacy to people. The coming battle against
privacy and free speech is by far the strongest and worst yet; the narrative
and our voices are quickly getting quashed.

Without the ability to communicate privately and speak freely, at best
democracy is at risk; and at worst, humanity, or what it has meant to be human
until now, itself may be at risk.

Divided we are not stronger.

> Similar, for hiring Karpeles to do your security (like he hasn't lost us
> enough already).

Cryptocurrency has come a long way, and without MtGox and Mark at the
beginning, it may not have been able to make such strides.

I prefer a battle hardened individual over a clean track record of no
experience. Failure is the fastest and strongest way to learn and grow
stronger.

Overall, I appreciate your words and concerns, but I believe we are
strategically moving in the right direction to the world's benefit.

Time will tell.

~~~
sumedh
So what exactly is the gameplan, how are you going to change the world by
selling your stake?

~~~
rasengan
The company is now no longer controlled by one man alone, but instead many.
I’m still a major shareholder.

We are changing the world by fighting in the front lines with our PR as we
always did [1], donating to organizations without pause or hesitation [2], and
sticking to our decisions even when the world may not understand as they
aren’t deep in the battle like us.

Time will prove everything, and we will help the people (and freedom of speech
and privacy) achieve victory.

[1] [https://www.reddit.com/r/pics/comments/61ns2w/private_intern...](https://www.reddit.com/r/pics/comments/61ns2w/private_internet_access_a_vpn_provider_takes_out/)
[2] [https://www.privateinternetaccess.com/pages/companies-we-spo...](https://www.privateinternetaccess.com/pages/companies-we-sponsor)

Edit: Unable to reply below so I wanted to clarify - our ad spend often times
goes toward the benefit of people as opposed to being direct ads about our
company.

~~~
Tenoke
> We are changing the world by fighting in the front lines with our PR as we
> always did [1]

You are telling me you did it for PR reasons?? That's not even remotely
believable - look at the 'PR' you are getting. This was the goal??

> donating to organizations without pause or hesitation [2]

Surely, you have even less of a voice where donations go than before.

> and sticking to our decisions even when the world may not understand as they
> aren’t deep in the battle like us.

How are they helping you stick to your decisions? You are making entirely new
decisions now, and corroding your previous. Are you saying they are 'deep in
the battle' like you? What?

~~~
ta999999171
Even as a user that for now will not be trusting PIA, I do applaud the
advertising I've seen in many corners of the mainstream net trying to educate
users about issues they otherwise would have no exposure at all to, unlike us.

~~~
Tenoke
I completely agree, I just don't see in what possible way does Kape help with
that.

Even if they start doing more outreach (doubt Kape helps much there but say
they do) now the messages are just going to be tainted with 'yeah, don't trust
those guys' comments when a user looks into it.

------
chippy
Seems to me that the "spy" was doing mandatory military service when he was 18
in the Intelligence part of the army? It seems common for many Israeli
technically minded teens to go into that or similar wings rather than the more
on the ground units.

It was from 1995 to 1998 (that's 20 years ago now) before he was at University
and is the first item in his work experience. And the length of the position
is about the same as military service. I do not know his current age.

~~~
inglor
Yes, and CrossRider mostly did an SDK for cross-browser extensions. I used
their product before they did ads and it worked pretty well.

I stopped using them because I could stop supporting IE but they had a real
product back then.

Teddy Sagi is bad for other (gambling related) reasons - but he is just an
investor...

~~~
dlgtho
Teddy has sold most if not all of his shares in Playtech and other gambling
related businesses[1].

Also calling every one who ever served in 8200 an Israeli spy is ridiculous.
Military service is mandatory in Israel. Lots of kids serve in 8200 because
they get assigned there for their affinity for math and computers. Most of
them do menial Ops tasks, I interview them occasionally for junior positions.

Here are some Israel startups founded by "spies": ICQ, CheckPoint, Wix ...

[1] [https://en.globes.co.il/en/article-sagi-bows-out-of-playtech...](https://en.globes.co.il/en/article-sagi-bows-out-of-playtech-sells-remaining-shares-1001261885)

------
beilabs
Disappointed. I've been with PIA for a few years now and I always recommended
them and loved their support. I just cancelled my annual subscription which
was due to expire in 100 days. Vote with your wallet. Any recommendations for
a new VPN provider?

~~~
NickHoff
Me too. I cancelled my subscription about a week ago when I first heard of it
(and I explained why on their cancellation form).

I'm looking at Mullvad and NordVPN. I know Nord had a MITM attack on a Finnish
datacenter a few months ago and didn't immediately notify affected users. I'm
having trouble understanding what it says about Nord's culture and likely
behavior in the future. On a technical level, it's pretty bad when users of a
VPN like this can be MITM'd. Blaming the datacenter's remote admin tools
doesn't help me as a user because the same thing could happen again. I know
they have a bug bounty program and audits now, but still I'm concerned that
they didn't notify people which might indicate a cultural problem.

How would Nord handle a problem like this in the future, and can we still
trust them?

~~~
mirimir
NordVPN apparently using residential proxies is pretty iffy.

~~~
badrabbit
Makes blocking harder, cloud/hosting IP can't access some content.

~~~
mirimir
I know that it makes blocking harder.

It's just that one wonders whether the people whose devices are being used as
proxies are aware of the situation.

------
v64
Former PIA user who recently just moved to Mullvad [1]. Very transparent about
their operations and they don't require any information from you to open an
account. You can even mail them cash or pay with cryptocurrency to avoid
having your real identity financially linked to your subscription.

[1] [https://mullvad.net/en/](https://mullvad.net/en/)

~~~
godzillabrennus
Their iOS support isn’t great.

I’m using ExpressVPN and while they cost more (as much as 3 times as these
budget services) they so far seem to offer a fast product.

You can also sign up with crypto currency if you want.

~~~
mirimir
> You can also sign up with crypto currency if you want.

But can you _renew_ with Bitcoin etc?

~~~
extesy
There is no difference between signing up and renewing. It's just a balance on
some anonymous account number.

~~~
mirimir
Have you tried it recently?

------
Tenoke
I've been trying to cancel/shorten my year subscription since this came out.
This + hiring Mark Karpeles as CTO are a solid guarantee that my data isn't
safe.

Sadly, they just have a stock response to everyone emailing which is grating.

~~~
deckar01
This is the first I have heard about Mark Karpeles being their CTO... I had to
look it up, because it seemed too ridiculous to be real, but it is. Their
judgment is compromised. I can't trust them with my network traffic anymore.

------
dvduval
Just a general question about VPN services in general. When they advertise
that they have hundreds of servers in a dozen or so countries, is it even
possible to think that they are able to secure all of that themselves? Surely
some State actor with enough know-how is going to be able to hack into some of
the servers, right?

~~~
duskwuff
> When they advertise that they have hundreds of servers in a dozen or so
> countries...

... they're often lying. In particular, servers in exotic locations are almost
always the result of "creative" routing, and are physically located in a more
standard country.

[https://restoreprivacy.com/vpn-server-locations/](https://restoreprivacy.com/vpn-server-locations/)

~~~
codethief
Could anyone who's more familiar with routing than me explain how these
"virtual locations" work at a technical level? As far as I understand the VPN
companies in question don't maintain boxes at those locations and an
Azerbaijani IP address for instance literally gets routed to a machine in the
UK. How is this possible? I always thought that IP addresses were tied to the
location assigned to them by ICANN / regional internet registries.

~~~
kuschku
You register as ISP with e.g. RIPE, buy some IP blocks from an ISP in the
country you want to pretend to be in, and then announce them via BGP from your
actual location.

Due to IPv4 shortage, we're actually seeing a lot of Chinese and European
companies buying IP addresses in AFRINIC space, from African ISPs, and using
them in their own countries.
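
Added example, not part of the thread: a latency plausibility check for the "virtual location" setup described above. Registry and GeoIP data follow the address block, but round-trip time cannot beat the speed of light in fibre, so a low RTT from a known vantage point bounds where the server can physically be. The RTT values and all function names are constructed for illustration.

```python
"""Latency sanity check for a VPN exit's advertised location (added example)."""
from math import asin, cos, radians, sin, sqrt

# Light in optical fibre covers roughly 200 km per millisecond (about 2/3 c).
FIBRE_KM_PER_MS = 200.0
EARTH_RADIUS_KM = 6371.0

# Approximate city coordinates (latitude, longitude in degrees).
CITIES = {
    "London": (51.5074, -0.1278),
    "Frankfurt": (50.1109, 8.6821),
    "Istanbul": (41.0082, 28.9784),
    "Baku": (40.4093, 49.8671),
}

# Constructed sample, not real measurements: minimum RTT in milliseconds to
# one VPN exit IP that is advertised as being in Baku, seen from three
# vantage points whose own locations are known.
SAMPLE_RTT_MS = {"London": 4.0, "Frankfurt": 14.0, "Istanbul": 45.0}


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def max_distance_km(rtt_ms):
    """Upper bound on the distance to the host implied by a round trip.

    The packet travels out and back, so only half the RTT is available for
    one direction. Real paths are slower (queuing, indirect routes), which
    is why this is a bound: a low RTT proves the host is near, while a high
    RTT proves nothing.
    """
    return rtt_ms / 2.0 * FIBRE_KM_PER_MS


def violations(claimed_city, rtt_by_vantage):
    """Vantage points whose RTT is too low for the claimed city to be true."""
    impossible = []
    for vantage, rtt_ms in rtt_by_vantage.items():
        needed = great_circle_km(CITIES[vantage], CITIES[claimed_city])
        if needed > max_distance_km(rtt_ms):
            impossible.append(vantage)
    return impossible


def consistent_cities(rtt_by_vantage, candidates=CITIES):
    """Candidate cities that no measurement rules out."""
    return [c for c in candidates if not violations(c, rtt_by_vantage)]


if __name__ == "__main__":
    bad = violations("Baku", SAMPLE_RTT_MS)
    print("Claimed Baku contradicted by vantage points:", bad)
    print("Cities still consistent with the RTTs:",
          consistent_cities(SAMPLE_RTT_MS))
```

Use the minimum of several probes per vantage point, since only the fastest round trip is informative for the bound.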

------
zigzaggy
Whether this is true or not isn’t really the point. The fact that it’s even
possible is a huge red flag for my use case / threat model.

It’s relatively easy, not to mention cheap (less than $10 per month) to spin
up a streisand (0) instance and protect myself that way. As long as I keep my
traffic encrypted, I can keep most / all of the vultures away that I’m
concerned about.

Happy to walk anyone through it. Takes less than 30 minutes and it just works.

Edited to add link. Second edit to change reference # typo.

0\. [https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
tgsovlerkhgsel
VPNs have three purposes:

1\. Encapsulate traffic on the way from your machine through the first few
hops of your Internet connection.

2\. Shield your identity from third parties trying to discover it, through
technical or legal means.

3\. Provide a bottomless pit for disposal of DMCA complaints and other
nastygrams.

Your solution covers only purpose 1, which is becoming increasingly irrelevant
as almost everything uses HTTPS, and DNS-over-HTTPS and Encrypted SNI is
coming.

~~~
zigzaggy
I disagree with a couple of things.

First of all, you missed one thing that is really one of my primary concerns.
I hate the idea of my ISP working with other ad surveillance companies to
track and sell MY data about mine and my family’s and friends’ online
activities.

Having a VPN stops that part of the surveillance machinery from working as
intended. Combining that with pihole and other tools allows me to disrupt (at
least a little bit) the business of the internet that I hate so much.

Also, Tor and other tools (all part of the same solution above) address #2 to
the degree I need it addressed. And I am currently not worried about #3, but
with the decentralization of streaming services, it won’t be long now.

------
bransonf
For anyone displaced from their VPN by this... Not mine, but another HN user
made a tool to automatically create a VPN instance on your choice of cloud
provider.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
codethief
And what good does setting up your own VPN instance do? Now people will be
able to trace every single bit of your traffic back to your cloud instance and
thus to you. The idea of signing up for a VPN provider like PIA or Mullvad is
precisely that it's _not_ a personal VPN and you get to hide among the masses
/ their other customers.

~~~
SahAssar
There are many different reasons to use a VPN. Some are legal, some are
privacy-related and some are just getting access to sites that are otherwise
blocked.

I think your most common reason for using a VPN would be very different based
on living in Russia, Sweden, USA and China.

------
RealStickman
I'd suggest anyone looking for a new VPN to have a look at this site:
[https://thatoneprivacysite.net/#detailed-vpn-comparison](https://thatoneprivacysite.net/#detailed-vpn-comparison)

It was recommended by privacytools.io in an article a few weeks ago as being
one of the few sites that don't take money from vpn providers to list them.

------
IceWreck
It's not just PIA. Nord VPN, ProtonVPN, etc all have ties to or are owned by shady
companies.

If you want real anonymity, use tor. If you want to change your internet
access location, lease a VPS, and set up OpenVPN/Wireguard on it.

~~~
afroboy
ProtonVPN? I thought they are privately owned.

~~~
protonmail
That's correct, ProtonVPN is not affiliated or related to any other company.
ProtonVPN AG (Switzerland) is a 100% wholly owned subsidiary of Proton
Technologies AG (Switzerland), which also develops ProtonMail. All of this is
in public record at the Swiss commercial register:
[http://ge.ch/hrcintapp/externalCompanyReport.action?companyO...](http://ge.ch/hrcintapp/externalCompanyReport.action?companyOfrcId13=CH-660-1995014-1&ofrcLanguage=4)

------
carty76ers
Geez... This is a worse outcome than even the cynics predicted.

------
hellofunk
This is the most disappointing news that affects me personally that I've
received this week. It's getting harder and harder to find tech companies you
can trust, it seems. Just when things seem good, there's always a surprise
waiting eventually.

------
milofeynman
This kind of seems like a national security concern, which the US government
would want to block the acquisition. Given it's a US company that has access to
a ton of US traffic it's certainly reasonable that a state actor would want
all that data.

------
dx87
This could do without the clickbait title. "former Israeli spy" is obviously
trying to make you think of something nefarious, even though there are no
details besides where they worked. I was in an intel unit when I was in the
military, and there's a lot of general IT people, managers, etc. It's
deliberately deceptive to label anyone who has ever worked at an intel agency
as a "spy".

~~~
mikeyouse
His LinkedIn indicates that he was a developer in the unit that created the
Student Virus... Spy has a broad definition but it probably fits for a SigInt
developer in the Israeli military..

[https://en.wikipedia.org/wiki/Unit_8200](https://en.wikipedia.org/wiki/Unit_8200)

~~~
ronreiter
Stuxnet was created by the NSA in a joint operation with 8200. And yes there
are 50,000 ex-8200 alumni, so calling all of them spies is kind of absurd

~~~
kuschku
Calling them spy may be wrong, but I certainly won't ever work with, or use
technology made by people who worked for an intelligence agency. That's
something over which I'd also terminate friendships.

And many people have a similar mindset, so it's understandable to report this
information, and make consumer choices based on it.

That said, Israel should probably consider solutions like other countries with
mandatory military service have, e.g. in Germany (until it stopped being
mandatory) it was possible to avoid military service by spending the exact
same time instead working in social services, e.g. hospitals, daycares,
retirement homes, etc.

~~~
pron
Israel does allow it in some cases, but the security conditions in Israel and
Germany are _very_ different, as is the size of their population. But I have
some bad news for you: you are most likely using technology made by people
who've worked for intelligence agencies. For example, if you're using Intel
chips, many dozens of their designers served in Israel's military
intelligence. Same goes for Google, Apple and Microsoft products. It's just
that a very high percentage of engineers in Israel served in military
intelligence, and a _lot_ of technology companies do R&D in Israel. But if you
use Wikipedia, it's OK: its PHP engine was made by someone who served in the
Israeli airforce, not military intelligence. Although, your packets are
probably routed through Cisco routers, so maybe not so OK. Oh, Akamai servers,
too. Also, there could be an issue with your Qualcomm Wifi chip.

~~~
kuschku
In the end, it still makes sense to realize this, and to be cautious. The NSA,
Israeli Intelligence, BKA, FSB, etc are all not much better than the StaSi,
and one should treat them, and their (ex-)employees with as much trust and
respect.

Of course using SELinux or TOR, or Intel products is something that’s hard to
avoid, but one shouldn’t trust blindly.

~~~
pron
> The NSA, Israeli Intelligence, BKA, FSB, etc are all not much better than
> the StaSi

I guess it depends on your definition of "much better", but for roughly the
same definition you'd need to use to make that statement, you could also make
it about Google and Facebook. And note that we're not talking about Israeli
intelligence; we're talking about people who, when they were in their late
teens and early twenties served, like a big portion of tech workers in Israel,
did their mandatory service in a military intelligence unit. I know it's hard
for people not familiar with it to understand, but most of these people don't
have contacts in intelligence, as the personnel circulation in those units is
very high -- almost everyone is just serving a few years for their mandatory
service.

~~~
kuschku
> you could also make it about Google and Facebook

Would you trust Google or Facebook to run a VPN? No, I don't trust them at
all. I only use them in the most limited amount necessary, and only entrust
them with data which is already public.

I self-host everything else, because I don't trust them at all.

~~~
pron
That's fine, but you should know that VPN implementors often particularly seek
out former intelligence agency people to design their security, and that's
pretty much where VPNs started. Feel free to trust whomever you like, but the
assumption that people who've served in an intelligence agency can be trusted
less than those who haven't isn't very logical. Those are often the people who
understand security best, and as far as allegiances go, how can you trust
anyone? When intelligence agencies want to insert backdoors etc., they can and
do cover up their tracks. I.e., you won't know that the people involved are
doing their bidding, nor would you have some special reason to suspect them.
Your point of view might well lead to a _less_ secure system.

------
dd36
Does a spy ever really become a former spy? From the outside, this reads as
destroying PIA by providing user data to intelligence community, at a minimum.
Perhaps even a play to get historical data.

------
iddan
It is worth mentioning a large portion of Israel's talented IT youth is enlisted
to intelligence technological units in IDF. So, every cyber company founded /
hiring in Israel will almost always have people from those units. But, this is
not such a big deal and definitely doesn't make them spies.

~~~
rchaud
Correct. It just makes them people that happen to have contacts with an
especially competent spy agency.

------
sytelus
It occurs to me that you can buy out major top 20 productivity apps, browser
plugins with just a couple billion dollars, silently change the EULA and have a field
day with personal data of a large chunk of the population. This is not a huge amount
for governments.

------
golergka
> If that wasn’t enough, Crossrider’s Founder and first CEO Koby Menachemi,
> was part of Unit 8200 – something that can be called Israel’s NSA.

About half of my coworkers in Israeli game development companies have served
there. Some wrote custom linux kernel modules, most did very low-level QA
work, and in general had more or less the same skillset and level as any other
coworker. Of course, they probably worked close to Stuxnet developers, but
calling a typical kid, just out of his mandatory military service, a "spy"
paints this in a completely different light.

------
iongoatb
I've relied on PIA for years and I'm 100% dropping them for good. They promise
to never log, but that's clearly an empty promise. Their TOS says that they
can change the terms at any time without notifying anyone. This new
partnership with Kape is an intelligence operation with the 14 eyes. A spy
never becomes a "former" spy. I love my country, but I love my rights as well,
and I refuse to be surveilled illegally.

------
isuckatcoding
Thank you for posting this. I just cancelled my subscription (didn’t really
use it that often anyway tbh)

------
Akababa
Previous thread:
[https://news.ycombinator.com/item?id=21612488](https://news.ycombinator.com/item?id=21612488)

Edit: Sorry, I meant prequel thread as they're related but not the same.

~~~
ArcVRArthur
A quick ctrl-f returns 0 results for "8200", "Israel" while it returns 1
result for "adware".

This article centres around the details pertaining to the company's operations
in and around 2016 when it launched the Crossrider malware as well as the
founder's former employment with Unit 8200 (Israel's IDF Signal Intelligence
operations unit).

------
mygo
I’ve been using PIA for years. Chose them over others because they were more
well known and larger, which to me meant they’d be less susceptible to having
to enter into shady activity. I’m trusting them with my traffic, after all.
This one doesn’t sit well with me, it feels like a betrayal of trust. They
have to know that people who signed up to use their service wouldn’t be okay
with something like this if it’s as shady as it sounds. Good thing it’s still
cyber Monday, I think there might be a few VPN deals going around. Maybe it
won’t hurt to try my luck with one of those.

------
voltagex_
How does this affect Freenode?

~~~
joecool1029
Looks like they issued a statement: [https://freenode.net/news/freenode-pia-changes](https://freenode.net/news/freenode-pia-changes)

------
guelo
What do people use these VPN services for? Is it mostly for pirating, or
public wifi users, or people that don't want their ISPs to know what they're
doing? It all seems like niche use cases.

~~~
SXX
This might be not the case in the US, but outside VPN is very often used for
opposite. Half of legal video / music / etc streaming companies have content
locked behind per-country limitations and licensing. So if you want to pay for
content you'll often need to pretend that you're from US.

For piracy it's cheaper to setup seedbox.

~~~
tgsovlerkhgsel
I believe that that is still technically piracy.

~~~
chupasaurus
Tough question. Depends on EULA of a service and laws (both US/the target
country and VPN's user) regulating the particular content type (for example
the mandatory age rating for a film) and copyright.

A close counterexample: the Japanese guitar manufacturer ESP was forced to
stop selling worldwide and producing MX-250/MX-2 models which exactly copied
the shape of Gibson's Explorers (court decision and an agreement IIRC), but
anyone can still order one in their Custom Shop with the restrictions of
making an order by sending a letter with order form and paying from inside of
Japan as well as picking it up from the factory (no delivery services). All of
that because they can still sell them in Japan and by client's specification.

------
yodono
As a general rule I have trusted PIA for years and I now trust your judgement
in choosing a partner. Seriously I've considered all alternatives, other
companies don't say anything about themselves; who owns the other VPN
companies? couldn't find any info. Service has been great, price has been
right. and I appreciate the honesty. The fact that you are here responding
means a lot; and more than I can say for other companies.

------
Krasnol
Is there some sticky mechanism going on here or how is that rasengan comment so
far on top even with all those comments disagreeing with the content of it?

~~~
dorkinspace
I'm just a casual HN reader, but my understanding is that the up vote button is
not to be used as an "I agree" button but rather as a "This is relevant to the
conversation" button. That being said, as the comment is by a cofounder of
PIA, it is extremely relevant regardless of opinion about this situation.

------
daenz
FWIW, if you want a VPN for protecting your traffic while you're out in the
world, get a nice home router that provides VPN and dynamic dns support.

------
bluejay2387
Uninstalled. Sub cancelled. They had to know there would be a massive backlash
from this? I can see why the PIA execs wouldn't care -- they would get their
payout from the sale regardless. But Kape either is oblivious or doesn't care
if a non-trivial percentage of their customer base drops them. I am not sure
which option worries me more?

Now I have to spend the next week researching VPN providers.

------
harel
As a side note, calling someone who served in 8200 a "Spy" is a bit of a
stretch... Story might be legit, but the title is a bit baity.

------
akayoshi1
So it's pretty much the story of the first Iron Man movie, but with malware
instead of weapons.

------
czechdeveloper
I recently extended my subscription by 2 years, now I guess I can just toss
it.

------
api
The name of this VPN is now very appropriate... see Urban Dictionary.

------
tcd
PIA also claimed they were going to release the code of their new Windows
desktop client.

They did not. They have not.

They lied.

They cannot be trusted.

------
rootw0rm
[https://riseup.net](https://riseup.net)

please donate if you use it

------
Triiglav
[https://www.privacytools.io/providers/vpn/](https://www.privacytools.io/providers/vpn/)
Looks like I'll be switching to Mullvad.

------
sudoaza
It was time to change VPNs anyway...

------
rb666
Just stick with AirVPN, they rock!

------
LaSombra
I've been very happy with Azire VPN.

------
jokowueu
300

------
sub7
[https://www.reddit.com/r/PrivateInternetAccess/comments/dhha...](https://www.reddit.com/r/PrivateInternetAccess/comments/dhha6o/piaservice/f8oabnl?utm_source=share&utm_medium=web2x)

Ha! After discovering that PIA runs a background process I posted that they
were one evil change of ownership transaction away from fucking everyone.

Looks like they were way ahead of me.

