
PIA: Our Merger with Kape Technologies – Addressing Your Concerns - rahuldottech
https://old.reddit.com/r/PrivateInternetAccess/comments/dz2w53/our_merger_with_kape_technologies_addressing_your/
======
danShumway
It might be that PIA is not going to start doing anything shady, and they'll
still be a (relatively) well-respected VPN company after the merger. But if
you're currently a PIA user, it would be foolish to keep using them while
you're waiting for them to prove that. Cancel PIA for now, and if a year from
now they're still on the level, you can make a more informed decision about
whether or not to go back.

There's no reason for you personally to be the canary in the coal mine, just
use someone else while you're waiting to see what happens.

I advocate somewhat strongly for paid 3rd-party VPNs, not because I think
they're great, but because I think they are sometimes the least-bad option --
3rd party VPNs address privacy problems that self-hosted VPNs can't, and
unlike Tor, VPNs actually scale well for regular Internet browsing.

I do however fully acknowledge that shifting trust can be dangerous, so I
recommend people be willing to quickly jump ship between VPNs, and possibly
use different VPNs for different services. You should be a little nervous
around your VPN provider, and you should hold them to really high standards.

In PIA's case, I notice looking at their pricing page that they offer 1-2 year
plans in addition to monthly plans. Not everyone has the money to ignore
deals, but if you do have the money, paying an extra $35-40 a year just so
you can easily switch VPNs on a whim is probably worth it. In general, for
services that can pivot in quality quickly (like a VPN) it is usually worth
paying monthly rather than yearly (again, assuming you have the extra money to
do so).

~~~
arkades
So what’re the recommendations for alternatives? It seems like quite a lot of
VPNs play their cards close to the vest - and at the end of the day, all I
want is a modicum of privacy and to safely torrent a movie for my PLEX server
instead of having to dig up my Blu-ray reader and rip it myself once in a
while.

~~~
danShumway
I can't give you a checklist for how you should determine who you trust --
that's one of the reasons why I don't advocate for or endorse any particular
VPN, and one of the reasons why I don't disclose which VPN providers I use.
The difficulty of determining which VPNs to trust is why I call them a "least-
bad solution" rather than a "good solution."

There are a few other people on this post who are recommending specific VPNs,
and you can (and should) look through some of their justifications for why
they like their providers. A couple of things you can look into if you want to
know where to start:

- What technologies are they using, contributing to, etc? Do they have a good
rapport with Open Source communities?

- Do they support OpenVPN/WireGuard? I advocate against using a custom VPN
client, I don't want my provider to ever touch my computer, only my traffic.

- What's their privacy policy look like? Do they make public commitments to
destroy logs? Are their claims on-their-face absurd? There's no such thing as
a VPN that does zero logging at all, so if someone is claiming perfect
anonymity, I distrust them from the get-go.

- Have they had data breaches in the past (for example, NordVPN)?

- Are there any high-profile cases of them refusing to provide logs to
someone?

- What country are they located in? Depending on the country, a foreign VPN
can complicate collusion efforts.

- Do they pay for ads, and how do they advertise? Do they make inaccurate
guarantees about what a VPN can and can't do? A VPN isn't going to protect you
from the police, and a VPN on its own will not make you private, so I distrust
companies that make those claims.

- Do they seem competent? Do they have instructions on how to deal with
things like DNS leaks, or how to set up killswitches?

That's not an exhaustive list. It is absolutely a pain to determine trust --
this is the biggest problem with 3rd-party VPNs. Don't go crazy with it; a VPN
is just one layer in your privacy setup, so it's OK to have something
imperfect. Don't aim for perfect privacy, aim for "better than what I
currently have."
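Several items on that list can be checked mechanically against the `.ovpn` profile a provider hands out, which is the one artifact you can inspect before trusting anything else: is the CA pinned in the profile, is `remote-cert-tls server` set so another customer's certificate cannot pose as the server, does the profile contain any directive that runs provider-supplied commands on the client (`up`, `script-security` and friends), is the control channel wrapped with `tls-auth`/`tls-crypt`, and is the crypto current. The following auditor is an added example, not code from the thread or from any VPN provider; the two sample profiles are constructed, with placeholder key material, and the `vpn.example.net` hostname and `/etc/openvpn/vendor-helper.sh` path are made up.

```python
"""Audit an OpenVPN client profile (.ovpn) for the properties a provider
should get right: pinned CA, server-certificate verification, no hooks
that execute provider-supplied commands on the client, a control-channel
key, and no legacy crypto. The sample profiles below are constructed."""
import re

# Directives that make OpenVPN execute a command or script on the client.
# A provider's stock profile should not need any of them; if it ships one,
# the provider is touching your computer, not just your traffic.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "auth-user-pass-verify", "learn-address",
    "script-security",
}
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "none"}
WEAK_AUTHS = {"md5", "sha1", "none"}
CONTROL_KEYS = {"tls-auth", "tls-crypt", "tls-crypt-v2"}


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives: list of (name, [args]) in file order, comments removed.
    inline_blocks: names of <tag>...</tag> blocks such as 'ca' or 'tls-crypt'.
    """
    directives, blocks, in_block = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            in_block = None if tag.group(1) else tag.group(2)
            if in_block:
                blocks.add(in_block)
            continue
        if in_block:
            continue                       # PEM / key material, not a directive
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]   # trailing comment
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def audit_profile(text):
    """Return a list of findings; an empty list means the profile is clean."""
    directives, blocks = parse_profile(text)
    names = {n for n, _ in directives}
    args_of = {}
    for name, args in directives:
        args_of.setdefault(name, []).append(args)
    findings = []

    # 1. Server identity must come from a CA pinned in the profile, not from
    #    an OS trust store that a client installer could have modified.
    if "ca" not in blocks and "ca" not in names:
        findings.append("no CA pinned in the profile")

    # 2. Without 'remote-cert-tls server' any certificate issued by that CA,
    #    including another customer's client certificate, can pose as the server.
    if not any(a[:1] == ["server"] for a in args_of.get("remote-cert-tls", [])):
        findings.append("missing 'remote-cert-tls server'")

    # 3. Directives that hand the provider command execution on the client.
    for d in sorted(names & EXEC_DIRECTIVES):
        findings.append(f"profile can run commands on the client via '{d}'")

    # 4. The control channel should be wrapped with a pre-shared key so that
    #    unauthenticated peers cannot even start a TLS handshake.
    if not (CONTROL_KEYS & (blocks | names)):
        findings.append("no tls-auth/tls-crypt key for the control channel")

    # 5. Legacy data-channel crypto.
    for args in args_of.get("cipher", []):
        if args and args[0].lower() in WEAK_CIPHERS:
            findings.append(f"weak cipher '{args[0]}'")
    for args in args_of.get("auth", []):
        if args and args[0].lower() in WEAK_AUTHS:
            findings.append(f"weak HMAC digest '{args[0]}'")
    return findings


# Constructed sample profiles (placeholder key material, not real certificates).
SAFE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
block-outside-dns   # Windows-only DNS-leak mitigation, warned about and ignored elsewhere
verb 3
<ca>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

RISKY_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
script-security 2
up /etc/openvpn/vendor-helper.sh   # provider-supplied script runs as root
"""

if __name__ == "__main__":
    for label, profile in (("safe", SAFE_PROFILE), ("risky", RISKY_PROFILE)):
        print(label, audit_profile(profile) or ["clean"])
```

The script only reads the profile; run it on the `.ovpn` you downloaded before importing it into stock OpenVPN. Note the trade-off in check 3: on Linux the usual DNS-leak fix is an `up`/`down` hook such as update-resolv-conf, which is exactly the kind of script this flags, so a flagged hook is something to read rather than automatically reject.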

~~~
dvosar34
You come off rather imperious in your comments here. Between the number of "I"
self-references in your first post, to this saccharine checklist that is more
show-off than informative.

As usual, I think the reaction of PIA's corporate restructuring is a lot of
hot air over nothing. Typical of most hot air, it is released to draw
attention to the source and not convey any real concern.

------
commoner
This is an interesting turn after PIA committed to "open sourcing our
software" in March 2018:

[https://www.privateinternetaccess.com/blog/2018/03/private-internet-access-goes-open-source/](https://www.privateinternetaccess.com/blog/2018/03/private-internet-access-goes-open-source/)

20 months later, PIA open sourced its iOS app, older versions of its browser
extensions, and 2 Swift libraries. Everything else is still closed source.

[https://pia-foss.github.io/](https://pia-foss.github.io/)

~~~
rasengan
Thanks for bringing this up commoner and really appreciate your patience. You
are absolutely right that we are open sourcing our software - there were some
delays as we completely rewrote our desktop application from scratch.

This was a major concern from our new partners as well, as they have been
asking us to release the code as well - we are all on the same page here.

While I can’t give an exact date, I’m confident that the rest of the code will
be released in 2 weeks or less. Along with our QT/CPP cross platform
application, we will also be open sourcing our search engine, private.sh!

Hope this helps and sorry again for the delay, Andrew

~~~
Zombieball
Two years of patience?

You can still open source in-progress software.

------
vincengomes
Usually, Subreddits are created by fans of the service. This is the first time
I'm noticing a complete corporate subreddit. All the moderators are the staff
of PIA. [1]

It will be interesting to see how much they accept criticisms on the subreddit
about PIA.

1. [https://old.reddit.com/r/PrivateInternetAccess/about/moderators](https://old.reddit.com/r/PrivateInternetAccess/about/moderators)

~~~
bla3
It's not that uncommon. The stadia subreddit mods are all Google employees as
well, for example. I agree it's not an ideal setup.

~~~
slenk
It's technically against the Reddiquette:

    Please Don't

    ...

    Take moderation positions in a community where your profession, employment, or biases
    could pose a direct conflict of interest to the neutral and user driven nature of reddit.

[https://www.reddit.com/wiki/reddiquette](https://www.reddit.com/wiki/reddiquette)

~~~
tinodotim
Something to add though, it's informal.

> Reddiquette is an informal expression of the values of many redditors, as
> written by redditors themselves

But I guess it makes sense for Reddit to move away from that rule. That's how
you get big campaigns with companies like Adobe. Not by taking away their sub-
reddits.

Personally I think I even prefer that though. Better than having heavily
biased "community moderators", which is the case in way too many sub-reddits.

------
eng_monkey
I lost faith in PIA caring about privacy of its customers when I noticed how
they use unique tracking codes in their newsletter emails. I never received a
response when I asked about it.

~~~
system2
Care to explain in detail, please?

~~~
tjbiddle
Just about every single one of the email newsletters you receive from anyone
does this. It's for tracking clicks to links in an email, opens of an email,
etc.

Not apologizing for PIA - They definitely shouldn't be doing it if they're
trying to advocate for privacy. But just stating it's extremely common
practice and the default for most email services. I use it on my e-commerce
websites so that I can send specific emails to people who have viewed a
certain page, abandoned checkouts, opened a certain email but didn't convert,
etc.

------
mehhh
We had an issue with PIA's Android VPN breaking our app, they never responded
to our PGP'ed ticket and the email address embedded in their PGP keyblock
bounces.

I wonder what will happen to Freenode now: [https://freenode.net/news/pia-fn](https://freenode.net/news/pia-fn)

~~~
prawnsalad
Freenode and PIA have different parent companies, freenode hasn’t changed
owners so nothing will happen to it.

~~~
mprev
You’ve written this twice in this thread but how do you square it with this:
[https://freenode.net/news/pia-fn](https://freenode.net/news/pia-fn)

~~~
prawnsalad
Sure, that was back in 2017 as per the date in the blog post itself. Then this
month from Kape themselves I've described here
[https://news.ycombinator.com/item?id=21614447](https://news.ycombinator.com/item?id=21614447)

~~~
mynameisvlad
You are just plain wrong. They’re both owned by the newly formed “Imperial
Family Companies” and they both show up under the portfolio, along with the
rest of the brands that used to be part of LTM.

[https://imperialfamily.com/](https://imperialfamily.com/)

To be clear, this is a brand new site that was created in the last few days,
they bought up the domain for 15k a few days ago
([https://domainnamewire.com/2019/11/12/21-end-user-domain-name-sales-at-uniregistry/](https://domainnamewire.com/2019/11/12/21-end-user-domain-name-sales-at-uniregistry/))

~~~
JmpMovCmp
FYI, OP is associated with them.

[https://irc.com/](https://irc.com/)

[https://kiwiirc.com/blog/Kiwi_IRC_gets_sponsored_by_PrivateInternetAccess](https://kiwiirc.com/blog/Kiwi_IRC_gets_sponsored_by_PrivateInternetAccess)

[https://web.archive.org/web/20191022202131/https://gist.github.com/prawnsalad/7b3f5929dadc81c39228e373fa0ca569](https://web.archive.org/web/20191022202131/https://gist.github.com/prawnsalad/7b3f5929dadc81c39228e373fa0ca569)

[https://www.privateinternetaccess.com/blog/2016/12/private-internet-access-partners-reddit-irc-hub-snoonet/](https://www.privateinternetaccess.com/blog/2016/12/private-internet-access-partners-reddit-irc-hub-snoonet/)

[https://snoonet.org/posts/2016/12/15/introducing-our-newest-partner-private-internet-access/](https://snoonet.org/posts/2016/12/15/introducing-our-newest-partner-private-internet-access/)

[https://web.archive.org/web/20181109070719/https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family](https://web.archive.org/web/20181109070719/https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family)

------
throwawaypiawhy
Any recommendations? This looks bad, really bad. CyberGhost, a previous VPN
bought by Kape, went to shit.

For the PIA engineer who ends up reading this: I have been a PIA user for 5+
years. I have recommended it to friends and family. Now I have to tell them
all to cancel.

~~~
starbugs
Just cancelled my subscription.

Looking for alternatives now. Is NordVPN any good?

~~~
cosmojg
NordVPN is a security nightmare. I usually recommend either Mullvad or
TunnelBear depending on whether you care more about quality of service or ease
of use.

~~~
newswasboring
I use NordVPN, didn't know it had a bad reputation (purchased it because of a
promotional offer). Care to elaborate?

~~~
Eremotherium
The problem with NordVPN isn't that they had a breach and their keys were
leaked (ok, well that is huge fucking problem) due to a forgotten KVM but that
they didn't fess up till 18 months later when some independent researcher
brought that to light.

~~~
ILikeOwls
Also they spend huge amounts of money on advertisement and their promotions
contain lots of misinformation.

------
dmclamb
I've been on the fence about cancelling my subscription to PIA after being a
user more than five years. This prompted me to finally do it.

I'm not sure there are any companies left to trust.

~~~
rasengan
This is the problem with several privacy companies and one that we don’t take
lightly. At Private Internet, we are heavily focused on research and,
specifically, have been focused on creating service architectures that limit
or remove the need for trust altogether. That is what Zero Trust and Zero
Access are about, and it’s the only direction we are heading. That’s why, for
example, we launched private.sh, a search engine that you don’t need to trust.

That being said I do want to mention, most VPN companies won’t sign a binding
agreement not to log - whereas our partners at KAPE signed an entire binding
mission statement which you can find here:

[http://investors.kape.com/about-us](http://investors.kape.com/about-us)

~~~
dx87
It doesn't seem very trustworthy when the whole page talks about how much they
value privacy, then the video at the bottom of the page requires you to enter
an email address to watch it.

~~~
entropea
Also no [https://](https://)

~~~
ecf
This is the kicker here. Nothing else matters.

A business dedicated to privacy is completely incompetent if they can’t even
use HTTPS.

I cancelled my sub minutes after learning about the news. I would hope the PIA
engineer can see through what buyout propaganda they are being fed and see the
writing on the wall.

~~~
joshmn
The user seemed to only omit HTTPS. It certainly is configured for SSL.

[https://investors.kape.com/about-us](https://investors.kape.com/about-us)

~~~
lightedman
The company is still incompetent if they're not forcing that HTTP request to
HTTPS.

~~~
system2
Server-side redirection mistake. Most likely crappy developers were hired, or
they don't care about their website in general.
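The redirect (or its absence) and the HSTS header behind it are easy to check from the outside. Below is an added example, not code from the thread or from Kape: a small checker that classifies what a plain-HTTP GET returns and, when the site does upgrade, whether the HTTPS response carries a `Strict-Transport-Security` header with a sensible `max-age`. The sample responses are constructed, the `example.com` hostname is a placeholder, the 18-week `HSTS_MIN_AGE` threshold is a policy chosen for this example, and `check_host()` needs network access.

```python
"""Check whether a site upgrades plain HTTP to HTTPS and sets HSTS.
Added example, not from the thread; sample responses are constructed and
check_host() performs live requests."""
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
HSTS_MIN_AGE = 15552000   # 18 weeks, a threshold chosen for this check


def evaluate_http(status, headers):
    """Classify the response to a plain-HTTP GET.

    headers: mapping with lower-case header names. Returns 'upgraded' when
    the response redirects to an https:// URL, 'redirect-not-https' for any
    other redirect, and 'served-over-http' when content came back in clear.
    """
    if status in REDIRECTS:
        target = urlsplit(headers.get("location", ""))
        return "upgraded" if target.scheme == "https" else "redirect-not-https"
    return "served-over-http"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns (None, False) when the header is absent or has no usable max-age.
    """
    if not value:
        return None, False
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def hsts_ok(headers):
    """True when HSTS is present with max-age at or above HSTS_MIN_AGE."""
    max_age, _ = parse_hsts(headers.get("strict-transport-security"))
    return max_age is not None and max_age >= HSTS_MIN_AGE


def check_host(host, timeout=10):
    """Live check: GET http://host/ and, if upgraded, GET https://host/ for HSTS."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"User-Agent": "redirect-check"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    result = {"http": evaluate_http(resp.status, headers), "hsts": None}
    if result["http"] == "upgraded":
        # HTTPSConnection verifies the server certificate by default.
        sconn = http.client.HTTPSConnection(host, 443, timeout=timeout)
        sconn.request("GET", "/", headers={"User-Agent": "redirect-check"})
        sresp = sconn.getresponse()
        result["hsts"] = hsts_ok({k.lower(): v for k, v in sresp.getheaders()})
    return result


# Constructed responses a plain-HTTP GET might return.
GOOD_RESPONSE = (301, {"location": "https://www.example.com/", "content-length": "0"})
BAD_RESPONSE = (200, {"content-type": "text/html; charset=utf-8"})
SECURE_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))          # e.g. python3 check.py example.com
    else:
        print(evaluate_http(*GOOD_RESPONSE), evaluate_http(*BAD_RESPONSE),
              hsts_ok(SECURE_HEADERS))
```

A `served-over-http` verdict is the case the thread is describing: the HTTPS listener exists, but nothing sends a plain-HTTP visitor there, and without HSTS even a visitor who typed `https://` once is not protected on the next visit.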

------
ohthehugemanate
Friendly reminder: Azure and AWS both offer a free tier of VM which are
perfectly sufficient for a personal OpenVPN server. Azure even has a
preconfigured option in their marketplace that's easy to set up in a legal
jurisdiction of your choice.

Probably so does AWS and even DigitalOcean, but I'm most familiar with Azure
because of my own preference for open source (Azure's orchestrator is
[https://github.com/microsoft/service-fabric/](https://github.com/microsoft/service-fabric/)). After the free year,
a minimal always-on VM costs about $13/mo.

~~~
badrabbit
First that costs too much for many.

Second, you don't just want to prevent MITM, you (hopefully) also care about
sites tracking you. For example, you have a Linux/Firefox user-agent and you
are browsing HN in private mode, you close the window and start over. No
cookies or other artifacts of the previous session remain but your user-agent
and IP combination is unique enough to identify your device. Now if you are
using a VPN service there might be at least a handful of Linux/Firefox users
out of millions that share the same IP.

Third, most VPN users like the geoip flexibility it allows them (bypass
filtering or access different content).

Fourth, a VPS dedicated to this one service means you are now the admin of one
more server that needs to be patched and supported by you (admin overhead)

Fifth, some sites block you if you use cloud provider IPs

Sixth, some VPN providers specifically host their infra in privacy friendly
jurisdictions and take precautions cloud/vps providers might not (legally and
technically).

Seventh, reputation. No one will bat an eye if Microsoft let some country's
law enforcement have logs of your traffic in Azure. But by design, outbound
VPN traffic can only be logged on the VPN server and it would ruin their
reputation if they disclosed logs or tampered with traffic which translates to
monetary loss.

VPN services are far from perfect but they hardly have any replacement. Just
pick one with a good reputation.

For example with PIA, they are incorporated in the great surveillance kingdom
of the UK, which is why I avoided them. They did not take the necessary legal
precautions and their freenode acquisition made little sense from a profit
perspective which all in all suggests a grand scheme/vision not obvious to
customers.
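The second point above, that a cookieless (IP, User-Agent) pair is only as anonymous as the number of other people presenting the same pair, can be made concrete. The following is an added example, not data or code from the thread: a constructed population of seven visitors, six behind one shared VPN exit and one on a self-hosted VPS, plus a few constructed cookieless sessions as a site would log them. The IP addresses are documentation ranges and the user names are placeholders. It also shows a case the comment does not spell out: a visitor behind the shared exit whose browser is unique among that exit's users is still re-identifiable.

```python
"""Anonymity-set size of an (exit IP, User-Agent) fingerprint for users of a
shared VPN exit versus a self-hosted VPS. Added example over a constructed
population; not data from the thread."""
from collections import Counter

FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36")
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/13.0.3 Safari/605.1.15")

SHARED_EXIT = "203.0.113.10"   # one VPN exit address shared by many customers
OWN_VPS = "198.51.100.7"       # a VPS address nobody else sends traffic from

# Constructed population: what a site sees per visitor once cookies are gone.
USERS = {
    "alice": (SHARED_EXIT, FIREFOX_LINUX),
    "bob":   (SHARED_EXIT, FIREFOX_LINUX),
    "carol": (SHARED_EXIT, FIREFOX_LINUX),
    "dave":  (SHARED_EXIT, CHROME_WIN),
    "erin":  (SHARED_EXIT, CHROME_WIN),
    "frank": (SHARED_EXIT, SAFARI_MAC),
    "grace": (OWN_VPS, FIREFOX_LINUX),
}


def anonymity_sets(users):
    """Map user -> k, the number of users presenting the same (ip, user_agent).

    A site seeing this fingerprint can narrow the visitor down to k devices;
    with k == 1 it can link every cookieless session of that device together.
    """
    population = Counter(users.values())
    return {uid: population[fp] for uid, fp in users.items()}


def re_identifiable(users):
    """Users whose fingerprint is unique in the population (k == 1)."""
    return sorted(u for u, k in anonymity_sets(users).items() if k == 1)


def link_sessions(sessions, users):
    """Attribute cookieless sessions to a user where the fingerprint is unique.

    sessions: iterable of (session_id, ip, user_agent) as a site would log them.
    Returns {session_id: user or None}; None means the observer can only say
    'one of k users'.
    """
    owner = {}
    for uid, fp in users.items():
        owner.setdefault(fp, []).append(uid)
    result = {}
    for sid, ip, ua in sessions:
        candidates = owner.get((ip, ua), [])
        result[sid] = candidates[0] if len(candidates) == 1 else None
    return result


# Constructed log: three separate private-browsing sessions, no cookies.
SESSIONS = [
    ("s1", SHARED_EXIT, FIREFOX_LINUX),   # alice, bob or carol: unlinkable
    ("s2", OWN_VPS, FIREFOX_LINUX),       # only grace uses this address
    ("s3", SHARED_EXIT, SAFARI_MAC),      # frank: shared exit, but unique UA there
]

if __name__ == "__main__":
    for uid, k in anonymity_sets(USERS).items():
        print(f"{uid:6} k={k}")
    print("re-identifiable:", re_identifiable(USERS))
    print(link_sessions(SESSIONS, USERS))
```

The VPS user (`grace`) has k = 1 no matter what browser she runs; the shared exit gives `alice`, `bob` and `carol` k = 3, but `frank` gets no benefit from it because nobody else behind that exit presents his User-Agent. Real fingerprints include far more than the User-Agent (Accept-Language, screen size, fonts, TLS ClientHello), which shrinks k further and is why a VPN on its own does not make you private.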

~~~
iudqnolq
It depends on your threat model. If you're worried about threats below the
level of major nation-states a big company could make more sense. If for
example a VPN company was caught bundling malware with their VPN client they
would be over, but their owners would lose much less than Google would under
the same circumstances.

Google will cooperate with big governments, but you can be confident they
aren't owned by the Russian mafia.

~~~
badrabbit
If you're dealing with nation states, all the big cloud providers have NSA
presence in their network. Even without that, secret warrants are a thing and
VPS providers rent datacenters from someone else, that someone else
(azure, hetzner, ovh, etc...) also rents out infra to VPN providers. The only
difference is VPN providers sell VPN while VPS providers let you access the
whole vm.

The only difference is how a VPN provider can be incompetent or malicious. It
is less likely for MS to be incompetent but so long as the nation state is a
western nation, they are more likely to be malicious.

I guess it does depend on your threat model but I would say for most people
who don't have a specific threat in mind they should exclude highly
sophisticated attackers much like how you don't secure your house against
sophisticated bank robbers that might pull a heist on you.

~~~
iudqnolq
> The only differnce is how a VPN provider can be incompetent or malicious.

Agree completely

> It is less likely for MS to be incompetent but so long as the nation state
> is a western nation,they are more likely to be malicious.

Yes, but as I argued in the comment you replied to the difference in
maliciousness is effectively infinitesimal because the govt can get access to
any VPN provider.

~~~
badrabbit
There are different factors to consider, even if Microsoft intentionally
infected people with ruddiam malware, at worst they get a fine and bad PR with
tech circles -- their cash cows windows and azure remain unaffected. With a
VPN provider like say Freedome, any sign of malice will cost them not only
their VPN business but F-Secure's ability to provide infosec services. Same
with ProtonVPN and ProtonMail, and unlike Microsoft the CEOs are much more
likely to be held accountable since they reside in countries like Finland and
Switzerland where privacy laws are very strict. Those countries may not like
it if Microsoft did the same thing but they can't extradite Microsoft's CEO
and even if they do the company is not incorporated in those countries. You
want a VPN provider to be run by well known people that are not too powerful
or too connected and reside in countries that will hold them accountable.
Their main revenue stream needs to also depend on the reputation of the VPN
service.

~~~
iudqnolq
> Their main revenue stream needs to also depend on the reputation of the VPN
> service.

I disagree with your last statement completely. A company dependent on VPN
revenue will be incentivized to do whatever they can to get and monetize VPN
customers. A company that offers VPN services as a side operation that isn't
financially key to their operations won't be incentivized to lie to gain
users, cut costs to compete with other VPN operators, or use malware to
monetize their user base.

Microsoft could not care less if you pay them a few dollars a month for a VPN.
They're certainly not writing software to target people running VPNs on Azure
and inject tracking and ads to make a minuscule profit. But - if news broke
that they were abusing any Azure users - Microsoft would lose a significant
amount of corporate and government business.

Can you name a single example of Microsoft exploiting anyone with malware? No,
because the resulting reputational crisis would devastate their ability to
sell their "cash cows".

F-Secure's infosec business is worth a minuscule fraction of Microsoft's
businesses, and thus the potential losses from being exposed as a scam are
much less.

In contrast, 57% of the top 150 free VPN apps on the Google Play Store contain
code to get the user's last location, and a small number request permission to
read SMS messages and take pictures
[https://www.bleepingcomputer.com/news/security/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/](https://www.bleepingcomputer.com/news/security/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/)

Your comment on extradition isn't particularly relevant. Users abused by
Microsoft could sue Microsoft in US court, and Microsoft would face
significant legal and reputational penalties if they broke the law.

In contrast, while Finland and Switzerland do have strong privacy laws, that
doesn't mean it's impossible for a "Finnish" or "Swiss" VPN provider to get
away with violating user privacy. A criminal VPN provider could for example
claim to operate in a country they didn't, or incorporate in a country while
residing in a country less likely to prosecute them. Not saying I have
evidence this happened, I am however saying that the fact that European
countries in general care more about privacy doesn't make it impossible for a
European company to get away with violating user privacy.

------
imafish
> Subscribed since: November 23, 2014 12:10 (Yearly payment)

I could simply not have asked for a better day for this to surface on HN :D

------
nullc
PIA also very strangely bought freenode and has since engaged in a number of
suspect activities.

~~~
LeoPanthera
Could you elaborate on this?

~~~
zaggynl
Announcement:
[https://web.archive.org/web/20181109070719/https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family](https://web.archive.org/web/20181109070719/https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family)

Original link appears to 404 for some reason:
[https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family](https://snoonet.org/updates/56-snoonet-joins-the-privateinternetaccess-com-family)

ycombinator article:
[https://news.ycombinator.com/item?id=14101538](https://news.ycombinator.com/item?id=14101538)

~~~
ryanlol
Also

Announcement: [https://freenode.net/news/pia-fn](https://freenode.net/news/pia-fn)

Weird ad for PIA guys cryptocurrency scheme: [https://freenode.net/news/spam-shake](https://freenode.net/news/spam-shake)

------
Phylter
This is the same PR blabbering that occurs with any acquisition. It means
nothing just like any other. I’m cancelling and changing providers. Does
anybody have recommendations?

~~~
Fnoord
I'll be going from ProtonVPN to Mullvad because Mullvad does not offer any
deals (which, in a way, I like as besides it being honest for a low price it
allows me to unsub for a month). ProtonVPN with Secure Core is just too
expensive IMO but the primary reason is Mullvad offer WireGuard, and when I
looked them up I saw no red flags whatsoever. You could argue "Sweden" but not
all ProtonVPN employees are residing in Switzerland either, so they could be
coerced.

~~~
Phylter
Thankfully, I don't have to worry that much about it. My only concern is that
they don't keep logs and that they're not automatically updating and loading
my PC with malware.

Though, if PIA ever put malware in their installer it would be like hitting
the self-destruct button.

~~~
Fnoord
Neither do I. I don't tunnel 0/0 through VPN; only some BitTorrent traffic.
This is civil court work; not criminal court. That the NSA (and EU
counterparts) can figure out what I use BitTorrent for, that I take for
granted. They're [in this use-case] not my adversary.

------
MatthiasP
Can anyone give some substantiated information about Kape? Why is so bad? All
I found was FUD.

~~~
tmikaeld
[https://news.ycombinator.com/item?id=21584958](https://news.ycombinator.com/item?id=21584958)

With sources

------
anonymousse1234
What will happen with Freenode now?

------
dang
The submitted title was "PIA bought by company known for distributing
malware". We changed it to the article title in accordance with the site
guidelines:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html),
which ask "_Please use the original title, unless it is misleading or
linkbait; don't editorialize._" One reason we have that rule is that we're
not in any position to decide the truth or falsehood of contentious claims.

------
eyeball
Time to go. Any suggested alternatives?

~~~
bdibs
I went to Mullvad personally.

------
pkaye
I've never used these VPN services before. Is it possible for them to MITM a
connection?

~~~
mirimir
Yes, they can install certificates that enable MitM.

That's one reason why I never use custom clients for VPN services. That is, no
binaries.

I just get the OpenVPN PKI stuff, and use stock OpenVPN.

~~~
SahAssar
> Yes, they can install certificates that enable MitM.

Well, only if you give them permission to. Just use a non-provider specific
client and you're okay.

~~~
mirimir
I don't use them, so I don't know whether they'd ask specifically about the
TLS cert. It might just be something about "web security" or whatever.

And about using stock clients, that's what I said :)

From openvpn.net or in Linux distros or in pfSense, for example.
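The MITM scenario in this exchange depends on a vendor client adding a root certificate to the machine's trust store, which a stock OpenVPN client never needs to do because the provider's CA is pinned inside the profile. Whether anything has been added can be checked by comparing the trust bundle against a snapshot taken before the client was installed. The following is an added example, not code from the thread or from any vendor: it fingerprints every certificate in a PEM bundle by the SHA-256 of its DER bytes and diffs two bundles. The bundles in the block are constructed placeholders, not real certificates; the Debian path in `load_bundle()` is the one real-world location mentioned.

```python
"""Spot root certificates added to a PEM trust bundle since a known-good
snapshot, the change a vendor client would have to make to intercept TLS.
Added example; the bundles below are constructed placeholders."""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """SHA-256 fingerprints (hex) of the DER form of every certificate in a bundle.

    Hashing the decoded DER means re-wrapping or re-ordering the PEM text does
    not show up as a spurious 'new' certificate.
    """
    fps = set()
    for body in PEM_CERT.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def added_since(baseline_bundle, current_bundle):
    """Fingerprints present now but absent from the baseline snapshot."""
    return fingerprints(current_bundle) - fingerprints(baseline_bundle)


def removed_since(baseline_bundle, current_bundle):
    """Fingerprints that disappeared; a removed root also deserves a look."""
    return fingerprints(baseline_bundle) - fingerprints(current_bundle)


def load_bundle(path):
    """Read a PEM bundle, e.g. /etc/ssl/certs/ca-certificates.crt on Debian."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


def _pem(der_bytes):
    """Wrap bytes as a PEM CERTIFICATE block (constructed placeholder content)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed bundles: these bytes stand in for DER-encoded certificates.
ROOT_A = _pem(b"placeholder DER for a public root that was in the baseline")
ROOT_B = _pem(b"placeholder DER for another public root in the baseline")
VENDOR_ROOT = _pem(b"placeholder DER for a root quietly added by a client installer")

BASELINE_BUNDLE = ROOT_A + ROOT_B
CURRENT_BUNDLE = ROOT_B + ROOT_A + VENDOR_ROOT   # reordered, plus one new root

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # python3 diff.py baseline.pem current.pem
        base, cur = load_bundle(sys.argv[1]), load_bundle(sys.argv[2])
    else:
        base, cur = BASELINE_BUNDLE, CURRENT_BUNDLE
    for fp in sorted(added_since(base, cur)):
        print("NEW root:", fp)
    for fp in sorted(removed_since(base, cur)):
        print("REMOVED root:", fp)
```

Take the baseline copy before installing anything from the vendor and keep it off the machine. The check covers only the OS PEM bundle: Firefox keeps its own NSS store, and Windows and macOS keep theirs in system databases, so those have to be exported to PEM first; a client could also intercept traffic without touching the store at all, for example by pushing a proxy setting, which is a separate thing to watch.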

------
sizzle
Can anyone vouch for mullvad VPN?

[https://mullvad.net/](https://mullvad.net/)

~~~
dublinben
They're recommended by PrivacyTools.io¹ You can read more about their
methodology² and what's wrong with most other "VPN review" sites.³ They're
also a top pick from wirecutter.⁴

¹[https://www.privacytools.io/providers/vpn/](https://www.privacytools.io/providers/vpn/)

²[https://blog.privacytools.io/choosing-a-vpn/](https://blog.privacytools.io/choosing-a-vpn/)

³[https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/](https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/)

⁴[https://thewirecutter.com/reviews/best-vpn-service/](https://thewirecutter.com/reviews/best-vpn-service/)

------
Kurd
Your plan will expire on October XX, 2020. Well... shit!

------
darlingparade
I believe that the title should be changed because: "In late 2012 Sagi
acquired the start-up company Crossrider for $US 37M." [1]

That alone tells you that Kape's (or rather, Crossrider's current owner) had
nothing to do with their past actions, and could be therefore considered
libel.

Moreover, post that someone linked with all the proof is pretty much a lot of
FUD, and while I'm not happy with the sale, I fail to see any actual proof
being brought up.

[1] [https://en.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies_plc](https://en.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies_plc)

~~~
jfk13
> current owner had nothing to do with their past actions, and could be
> therefore considered libel.

I'm not sure that follows. When you buy a company, one of the things you're
acquiring is that company's reputation -- for better or worse.

~~~
darlingparade
But the title of the thread insinuates that Kape is known for distributing
malware, not the company it had acquired. I personally believe that there's a
big difference between saying: "PIA bought by company that also acquired a
company known for distributing malware" and straight out claiming that PIA's
acquirer distributes or has distributed malware at some point in time.

~~~
brentonator
Kape _is_ Crossrider. Crossrider was renamed Kape and a new CEO was put in
place to "exit the advertising market" transitioning to cyber security.

------
billfruit
What PIA is this about? Pakistan International Airlines? Which also owns the
Roosevelt Hotel in New York? Famous for the livery with the green tail marked
PIA.

~~~
dewey
How about clicking on the link? It's in the path, the subreddit name and the
post.

~~~
billfruit
On a second look the sub Reddit is named privateinternetaccess, but nowhere on
the page can I see PIA expanded as such.

~~~
somehnguy
You have to employ basic reading comprehension skills sometimes

~~~
billfruit
It is common copy editing practice to expand an acronym the first time it
appears in a text, that is all.

