
VPNs are not the solution to a policy problem - staticsafe
https://asininetech.com/2017/03/28/vpns-are-not-the-solution-to-a-policy-problem/
======
nikcub
There are a few schools of thought on where responsibility should lie in
protecting user privacy. The first that it is a role of government and policy
- in the same way the government sets standards for automobile and road safety
they can set and enforce policies for user privacy.

The second school of thought is individual responsibility. Users should take
steps to protect their own privacy on a case-by-case basis, in the same way
they look after their own home security or personal safety.

The third would be a hybrid approach - that there is a role for the government
to play in setting up a universal minimum level of privacy protection while
users also have a role to play in their own protection. This is most akin to
how healthcare works - I'm guaranteed treatment in an emergency room but I
also might choose to keep myself healthy with diet, exercise etc.

I personally believe in user responsibility for personal privacy and security,
where you can't and shouldn't depend on policy to protect you and that all
users should be aware of the issues and actively educated on how to protect
themselves. For a few reasons:

1. Policy is not universal. Some countries may have extensive and rigorous
user privacy protections but that doesn't apply to users everywhere. While
user privacy protections are strong in Europe, and consumers have access to
recourse if their privacy rights have been violated, that same advice
doesn't apply to the majority of internet users, most of whom are residents of
a nation or jurisdiction where there is no strong protection or user recourse.

2. Governments are a major party in privacy violations and are conflicted, so
they can't be expected to behave in the interest of users. The most recent
campaigns to roll out encrypted communications and connections in apps was
prompted by the US government intercepting internal Google data. The
government will almost always be incentivized to lower barriers to ease
intelligence gathering and in most of the world government surveillance trumps
individual rights.

3. Similarly, government can't be trusted. This is the point Ed Snowden made
when he argued for individual and tech solutions to privacy over government
policy[0]. Snowden cites the difference in Obama's campaign promises and what
he delivered[1], and this isn't unique to Obama - the FCC ISP privacy rules
being blocked this week is yet another example of how easily and quickly
policy can be undone, while the mass surveillance Snowden disclosed is an
example of how public policy and private actions can be different.

4. Tech solutions to privacy don't imply individual responsibility. We can,
and do have, tech solutions that are universal - such as the campaign to roll
out encrypted communications and connections with Whisper and LetsEncrypt.

5. Policing government policy is labour intensive and difficult. It relies on
privacy researchers - usually individuals - to track what companies are doing
with user data. With more data being shared between companies it is even more
difficult to apply individual oversight to how policies are being enforced.
See Natasha Singer's reporting in the NYTimes on data brokers[2].

6. There are usually very minor enforcement penalties for companies that
violate user privacy policy. The FCC tracking opt-in rules were prompted by
some ISPs adding tracking headers or cookies to user traffic. AT&T and Verizon
were adding tracking cookies to user traffic and it took two years to notice,
and there were zero implications for both companies[3] other than the new FCC
rules which are now dead.

7. Even in the perfect world of good policy, good application of policy and
good enforcement you still have more data than ever being stolen and leaked
online. You only have to look yourself up on haveibeenpwned or a similar
database to find that for a lot of people, all of their PII has already
leaked[4].

It is very clear to me that technology solutions have the primary role in
protecting user privacy. Policy isn't a waste of time but it can't be relied
upon. The question is how user privacy protection is packaged for a mass
audience. User privacy requires an equivalent of what 'use WhatsApp, use
Signal' is for user security, what 'install antivirus, don't click on
attachments' used to be for user security and the growing popularity and
awareness of ad blockers.

I'm not sure what that will be or what it will look like, but warning people
away from VPNs probably isn't going to help. Chances are that some form of
VPN connection will become part of the standard solution (along with
HTTPS/encrypted comms everywhere) now that the reality of ISPs and users not
sharing privacy interests is here and many are aware of it.

There's a great market opportunity here - perhaps not for VPNs as a product but
VPN as a technology.

[0] https://www.wired.com/2016/11/despite-trump-fears-snowden-sees-hopeful-future/

[1] https://www.forbes.com/sites/thomasbrewster/2016/11/10/edward-snowden-pardon-president-donald-trump-pardon/#a6ea4b21357f

[2] http://www.nytimes.com/2013/09/01/business/a-data-broker-offers-a-peek-behind-the-curtain.html

[3] https://www.techdirt.com/articles/20150115/07074929705/remember-that-undeletable-super-cookie-verizon-claimed-wouldnt-be-abused-yeah-well-funny-story.shtml

[4] https://haveibeenpwned.com/

~~~
igk
> The second school of thought is individual responsibility. Users should take
> steps to protect their own privacy on a case-by-case basis, in the same way
> they look after their own home security or personal safety.

I think this is a bullshit argument. Nobody looks after their home security or
personal security the way we expect users to be careful of their privacy, nor
do we accept the amount of intrusions into our house or personal space as we
are told is reasonable in information.

Imagine you could get a free pizza every week, you just need to let the driver
go through your house and correspondence. Imagine if you had to sign over the
risk that your house might be burgled if you signed up for a bank
account...And the police didn't act on it.

These examples seem ludicrous, but that is not because I'm making them like
this, it's because the premise that we all do "personal responsibility" is a
myth.

We have police, laws, community rules, all of these things to protect our
houses and personal security. If you leave the door unlocked, robbing it is
still a crime. Likewise, if you walk around in an unsafe neighbourhood and get
robbed, it would be ludicrous to hear "well, the city warned you that part is
unsafe, so the police aren't going to investigate".

~~~
arca_vorago
> We have police, laws, community rules, all of these things to protect our
> houses and personal security. If you leave the door unlocked, robbing it is
> still a crime. Likewise, if you walk around on an unsafe neighbourhood and
> get robbed, it would be ludicrous to hear "well, the city warned you that
> part is unsafe, so the police isn't going to investigate"

The irony of this statement is that this actually happens quite often in
certain east of the track neighborhoods, especially when the victim is a
minority. It goes to show that this attitude, while I don't agree with it,
isn't so far from the reality as you might think.

Coming from out west, this is one of the cultural reasons I am pro-gun. The
police are just there to draw the chalk line around your body, it _is_ your
responsibility to defend yourself, your loved ones, and your home.

Always remember that the constitution was created to protect, _not establish_
rights, rights that you have independent of the constitution itself, and of
these rights, the right to self defense is one. The second amendment is simply
about defense against tyranny. Even if you got rid of the second amendment I
still have the right to bear arms.

Which makes me wonder, how well could the right to self defense argument be
applied to encryption?

It's almost like everyone forgot about the 90's crypto wars, but it makes me
think of something Eben Moglen said about the 90's crypto wars being just a
temporary setback to TPTB:

[https://youtu.be/sKOk4Y4inVY?t=580](https://youtu.be/sKOk4Y4inVY?t=580)

~~~
igk
This might be a very cultural thing (I'm from Europe). But unless you want to
live in a society dominated by warlords and gangs, laws and society are the
better way imo. Again my opinion, but for me the gun defense is a myth
perpetuated in the US for ideological reasons. Keep your guns, but they won't
keep you safe against a gang which will just shiv you at night, or simply
outgun you. The reason all civilisations of a certain density have centralised
law enforcement is it's simply inefficient for everyone to defend themselves
(think narco states: sure, you can hire a guard, but your neighbour also has
to hire one. If you try to start a neighbourhood guard cooperation then you
are one step towards government and police)

And coming from Europe, we create new rights all the time.

------
jfoutz
Lots of people seem to think the right answer is selling improved security. I
disagree. It would be much more exciting to get the data coming from
politicians homes, and the homes of their staff. It would be a fantastic way
to generate news. Why is senator X's household researching cancer treatment?
Will they step down this year? I can't help but think military bases would
google their next deployment, that's another set of huge news articles.

If you're more into the finance side of things, CXO's home clickstreams would
probably be enlightening. Or hedge fund managers. Some will be fully encrypted
and secure, but just the dns would be a strong signal about what companies
they're researching.

 _That_ is the kind of business that will drive privacy legislation.

~~~
confounded
Those people will have VPNs and other security measures. This is about
exploiting ordinary people to widen the power differential between the two.

~~~
jfoutz
I think you overestimate the average politician. They may not _bother_ with
the internet. I'm confident Senator Lamar does not.

But really, I don't think it would take very long to figure out where he and
his staff in DC and in Tennessee live. I don't know what the data purchase
rates are, so that could be expensive. But buy the data for a bunch of
neighborhoods. Perhaps 50,000 people. Watch the data for a while, query
strings with Lamar would be good indicators.

Heck, make some really finely targeted ads on Facebook.

I think the reality is most news sourced this way would be super tabloidish. I
mean, you're going to figure out what porn they look at faster than what
policy they're developing.

~~~
ianai
I think you're onto something. I also think this falls into investigative
journalism - which used to be able to drum up funds for that sort of cost.

There are all sorts of problems like this. What could you learn from the
browsing history of people that work in sensitive areas? i.e. nuclear
facilities, national labs, financial/industry regulators, etc. City and state
representatives probably give away a lot through browsing. There's plenty of
low-hanging fruit ripe for exploiting in huge ways.

Another avenue: merely knowing when someone is likely to browse the internet
tells you:

- they're awake

- they're at home/indications of their location

- their level of awareness (think security workers or even prison guards)

Imagine being able to figure out the best time of day to hit a bank by
browsing history? In an aggregate way you could probably figure out staffing
(corporate level) or whether someone's home (residential level).

~~~
j_s
[https://www.gofundme.com/BuyCongressData](https://www.gofundme.com/BuyCongressData)

[https://searchinternethistory.com/](https://searchinternethistory.com/)
(currently 500 errors)

source:
[https://news.ycombinator.com/item?id=13985684](https://news.ycombinator.com/item?id=13985684)

------
Goopplesoft
A heads up: there's a really nice project called Streisand[1] which provides a
multi-protocol VPN with very little effort. You can launch one on a cheap
cloud provider (like DO, if their policy allows).

[1] [https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
bdarnell
I've used streisand on DO (while traveling in China) and it worked well.
There's also a similar project called algo[1] which provides a single protocol
with maximum security, in contrast to streisand's multi-protocol flexibility
(and increased surface area).

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
andreyf
Why does he refer to OpenVPN as a "risky server"? Does it have a history of
embarrassing security vulns?

~~~
analogist
I think a recurrent concern is OpenVPN's reliance on TLS, and its codebase
complexity as a result of being built on OpenSSL--but with far less attention
and resources and vuln hunting compared to say, actual browsers. Complexity +
lack of auditing person-hours is never a good combo. (See
[https://twitter.com/tqbf/status/806646188158152705](https://twitter.com/tqbf/status/806646188158152705))

Matt Green's audit of OpenVPN, when completed, may lead to more light on the
matter. Otherwise, we're just relying on informed intuitions.

~~~
bitexploder
Except all the shenanigans with IPSEC.

https://en.m.wikipedia.org/wiki/IPsec#Alleged_NSA_interference

As a "security people" I think me and tptacek could split a great number of
hairs and get not too far on this one, but I am open to new info. I know a lot
can hide in the complexity of OpenSSL. Maybe the whole thing with IPSEC was to
sway us toward OpenVPN likes. Regardless, I still lean slightly towards
OpenVPN.

But honestly I am out to defeat ad networks. I only aspire to give nation
states indigestion (at a mass scale). Individually if a well funded adversary
wants any one of us I think they have us.

------
FridgeSeal
No, they're not.

The solution is getting strong, enforced laws that protect our privacy and
punish those who break them.

But for the moment, with advertisers viewing themselves as God's gift to the
internet who think that all your information belongs to them simply by virtue
of existing, and who will go to great lengths to acquire and store it all (for
perpetuity), a solution is needed, and part of that is VPNs.

~~~
surement
In general, you can still identify users for advertising purposes without
knowing their IP address.

~~~
confounded
3rd party cookies and fingerprinting js is _hugely_ different from "full take"
at source.

------
dfc
It's strange to see the evolution of the technology versus policy debate. We
started out with "the Internet views censorship as damage and routes around
it." A little later we had Lessig saying "code is law." And now the refrain is
"VPNs are not the solution to a policy problem."

I miss the idealism and optimism of the past. The only hopeful thing I can
find in the new "quote" is that it seems that the tech world is finally aware
of the need to work with policy makers and the public in addition to building
new systems.

~~~
chatmasta
So true and I could not agree more. When did technical problems start
requiring political solutions?

I think it's a Trojan horse from politicians to start legislating where nobody
needs legislation. The net will still route around censorship, but it's
becoming increasingly harder in a world where a high percentage of global
bandwidth transits through a small number of large deployments by centralized
corporations.

The pessimist in me sees this as a sure sign that the "Balkanization of the
internet" train has long since left the station. However I remain optimistic
that "information wants to be free." As long as information exists somewhere
(and people know to look for it), decentralized tools like torrents, ipfs,
Tor, etc will continue to enable access to it.

What I worry most about is the public's increasing dependency on sandboxed
devices. We celebrate sandboxing as a win for security, which it certainly is,
but the more we depend on it, the more we are subject to the whims of its
corporate gatekeepers. How long before laptops are as sandboxed as phones?

Software can only solve the technical problems so long as it can run on the
hardware in your possession.

~~~
Bartweiss
> When did technical problems start requiring political solutions?

When the technical solutions became criminalized. End-to-end encryption is
only now becoming common, and English MPs are already talking eagerly about
outlawing it. The need for political fights isn't exactly new - think of the
Clipper chip in the 90s - but it hasn't abated either.

I see lots of suggestions that we can solve this with keeping tech ahead of
law, but I don't think that's a realistic answer. People have tried that in
banking and finance and a lot of other domains, and the result is that you
eventually get stuck with whitelists (only access the internet these 3 ways)
or intent criminalization (banning access the government can't see). You have
to win _some_ political fights, if only to carve out space for the technical
solutions.

~~~
dfc
When in the modern era has there been technology that was not illegal? Guns,
radios, printing presses...

------
byuu
Another thing often overlooked with VPNs is that they're just not that fast. I
have a 600/40 connection, and I've tried at least six for-pay VPN providers.
The fastest one I found (won't mention as my goal isn't to advertise for them)
hits, at best, 100/30. And even then, only over L2TP. For whatever reason,
OpenVPN is _always_ slower on every PC I've tried this with.

And obviously, you gain a good deal of latency, especially if you use an
overseas exit point.

And now we get to deal with shitty services like Netflix punishing
privacy-conscious users and blocking access to paid accounts while your VPN is up.

~~~
st553
I've been using PIA for a few years and have been disappointed to see an
increasing number of websites blocking VPN access.

~~~
byuu
That and CloudFlare ... more and more frequently I've been asked to solve
those really annoying "pick seven of these sixteen pictures that have X in
them" captchas. Those take way too long and I'll often just leave the site
instead of answering it.

------
sjwright
Perhaps one solution might be to poison the data and have your router/device
make spurious random DNS lookups and HTTPS connections. Ensure the list of
random websites includes the top few hundred companies likely to be in the
market for usage data. If enough people did this it would make the data
useless.

~~~
wizardforhire
How would one go about doing this? More importantly... Is there a simple cross
platform application I could have my friends and family install that takes
little to no effort on their part?

~~~
walterbell
[https://adnauseam.io](https://adnauseam.io) on Firefox.

------
jdoliner
Why aren't VPNs, and more broadly encryption, a solution to this problem?
"Waving the wand of a technical solution," as the post pejoratively calls it,
isn't such an unreasonable thing to do with an inherently technical problem.
This problem only exists because of other technical wands we waved. Why solve
this problem with policy? Policy is hard to get passed, hard to keep passed
and even when it is passed oftentimes it means nothing. Remember this is the
same government that contains multiple organizations surveilling your every
move, not because they legally can, because they illegally can. The point is,
it's foolish to count on USG to give you a right to privacy, just look at the
history on this, it's not going to happen. But it's especially foolish when
this is a right that you can enforce for yourself. If you actually care about
your privacy use a VPN, or Tor, don't sit around waiting for the government to
do it for you.

~~~
false-mirror
Then the question is: are technical experts the only ones who deserve privacy?
Are the strong the only ones who deserve safety? etc etc.

While I also prefer a system which assumes no trust in government policy, it
is still preferable to provide legal protections for the little guys whenever
possible. In this case, the little guy is the vast majority of people who
don't understand how the internet works.

~~~
brokenmachine
I agree completely. Taking an interest in the laws is important because if the
technical solutions are made illegal then there is no real solution.

We can't assume VPNs will always be legal for individuals with the horrible
direction things are going.

I would like to add however that it would be really nice if the
super-intelligent programmers on HN could come up with an open solution that is
super easy to use that actually preserves the little guy's privacy. Like just
a tickbox in Firefox that makes your whole PC untrackable.

Something so easy that anyone can use it, yet as secure as all the complicated
technical solutions that are being presented in these comments.

------
guelo
One thing I was wondering, beyond your own personal ISP, does this mean that
the backbone providers, the Level 3's of the world, are going to get into
selling data to advertisers? I was feeling personally ok because I use an ISP
with a strong privacy pledge, but I wonder if their uplink is going to be
selling my data. Though I guess it's less of a concern since the backbones
don't have the complete personally identifying info that the customer ISPs
have.

~~~
staticsafe
If I was a betting man - backbone providers don't do this (sell to
advertisers).

It would be costly to maintain the interception/analysis infrastructure
required for such data collection.

I daresay it would cost more than what they would make off the data.

~~~
Goopplesoft
That's an interesting bet. If they isolated to the subnets they sell off to
ISPs (i.e. exclude datacenters and such) what do you think would contribute to
the cost/benefit difference of the two?

~~~
staticsafe
That is still a significant amount of traffic to analyze and store data for.

I don't want to speculate further as I don't know what margins for transit
providers in NA look like.

------
libeclipse
I understand the viewpoint of the article, but it assumes that the person
waving the wand particularly cares about everyone else.

Personally, with the Investigatory Powers Bill in the UK, I will "wave the
wand of a technology solution" to conserve and protect my own privacy.

Sure, if the policy was changed upstream then a lot more people would benefit
than the technically inclined folks, but if there's a bug upstream we don't
all sit with it and wait, we fix it locally and vendor.

~~~
Bartweiss
It also assumes the person waving the wand has any faith that they _can_ help
anyone else.

The last paragraph, about holding the House accountable in 2018? That deserved
the preface about "not understanding US politics". The privacy voting bloc is
small, and the vast majority of it lives in places that already elect
pro-privacy reps - Boston and SF are incredibly limited in what they can achieve.

I'd like to see internet privacy enshrined in US law. I'll fight to make that
happen. But it's an "empty the ocean with a teacup" situation, and in the
meantime it makes total sense for people to help themselves and those around
them.

------
WhitneyLand
What would be wrong with selling preconfigured routers to solve the problem?

The router could talk to a standard web api to get information to configure
itself. The web service behind the scenes could set up and tear down digital
ocean droplets as necessary running streisand. The web service IPs wouldn't
be blocked because they'd only be used to periodically get configuration.

So then you buy a non technical person this router, they create an account on
the configuration website and as Ron Popeil would say, set it and forget it.

------
philip1209
I think the bigger hole is DNS. Full-tunnel VPNs to primarily TLS-encrypted
sites seem like overkill. Encrypted DNS plus an "HTTPS Everywhere" plugin
should obfuscate enough info for most people without significantly affecting
latency.

~~~
eli
Wouldn't it be fairly trivial to guess most of the domains you're visiting by
looking at what IP addresses you connect to?

~~~
philip1209
Yes. To be fair though, many sites are on shared hosts, and lots of traffic
goes through a handful of CDN networks.

I think that the SNI note below is probably the bigger hole.
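To make the SNI hole concrete: this is an added example, not code from the thread or from any project mentioned in it. It builds a minimal TLS ClientHello with a Server Name Indication extension and then parses that name back out, which is exactly what a passive observer on the ISP path can do without ever seeing a DNS query. All hostnames and IP addresses are constructed sample values.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello record.

Even with encrypted DNS, the hostname travels in the clear in the first TLS
handshake message of every connection, so an on-path observer learns the
site name directly rather than having to guess it from the destination IP.
"""
import struct

RECORD_HANDSHAKE = 0x16   # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a real client)."""
    name = hostname.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext if with_sni else b""
    body = (b"\x03\x03"                    # client_version: TLS 1.2
            + bytes(32)                    # client random (zeros in this sample)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02" + b"\xc0\x2f"    # one cipher suite offered
            + b"\x01\x00"                  # one compression method: null
            + extensions)                  # old clients may send no extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the SNI hostname in a TLS handshake record, or None if there is none.

    Every length field is bounds-checked so a truncated or non-TLS capture
    returns None instead of raising.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                   # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))

    while pos + 4 <= end:                          # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= min(list_end, len(data)):  # walk the server_name list
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("idna")
            lp += 3 + name_len
    return None


# Constructed sample flows: (destination IP, first TLS record of the connection).
SAMPLE_FLOWS = [
    ("203.0.113.10", build_client_hello("mail.example.org")),
    ("203.0.113.10", build_client_hello("news.example.net")),   # same IP: shared host / CDN
    ("198.51.100.7", build_client_hello("legacy.example.com", with_sni=False)),
]


def observed_names(flows):
    """What an on-path observer learns per flow from TLS alone, with no DNS data."""
    return [(ip, extract_sni(record)) for ip, record in flows]


if __name__ == "__main__":
    for ip, name in observed_names(SAMPLE_FLOWS):
        print(f"{ip:>14}  sni={name}")
```

The two flows to the shared IP are told apart by SNI alone, which is why encrypted DNS by itself does not hide the site; closing this gap at the protocol level is what TLS Encrypted Client Hello (ECH) was later designed for.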

------
joveian
One nice although limited alternative to openvpn is sshuttle:
[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)

The limitations are: no ipv6 support :(, sometimes leaks dns, and always
crashes shortly after it is first started (then works fine when you start it
again). There seems to be little active development.

To work around the limitations, I mostly use SOCKS (curl also supports SOCKS),
plus run sshuttle to try to catch any additional traffic. For that matter,
SOCKS alone would at least catch the most sensitive traffic for most people
(and would make it easy to have another browser profile for watching netflix).

I get a $15/year OpenVZ account from ramnode.com, which supports VPN usage. I
haven't had an issue with bandwidth (it seems to undercount quite a lot) but
don't watch netflix or otherwise use that much bandwidth.

The main issue I've had is that some websites (google, amazon, gog) will
default to various other languages that I assume other people who are doing
the same thing speak. Fixed by logging in to the site and they then seem to
remember for a while even if you don't log in, but eventually they switch
again.

The nice thing is that the remote server can be configured to just have an SSH
server on port 80 (in case you ever want to use it from restrictive public
wifi; I first started to do this after seeing SSL downgrade errors on public
wifi) with public key authentication, so there is much less to worry about in
terms of being responsible for a system open to the internet all the time. In
SSH, I set:

    # ssh_config: pin modern key exchange, host key, cipher and MAC choices
    KexAlgorithms=curve25519-sha256@libssh.org
    HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    Ciphers=chacha20-poly1305@openssh.com
    MACs=hmac-sha2-256,hmac-sha2-512

So still not a super easy option but a somewhat easier option than OpenVPN. It
would be quite easy with an automated way to set up the remote ssh server
correctly.

Edit: Speed is quite good with this setup and while I haven't done extensive
comparisons, it does not seem to lower the connection speed by much.

~~~
tgayton
To be clear: sshuttle is more comparable to redirecting system traffic through
a proxy than a VPN.

UDP is not tunneled at all.

------
andrenotgiant
Until a better solution is found, I think the way the recent IOT botnet stuff
+ this ISP privacy deregulation is portrayed in the media opens the
opportunity for a startup that sells a secure, smart home router + VPN
subscription plan.

~~~
wfunction
And you would trust the startup with your traffic because...?

~~~
brokenmachine
You have to trust someone at some point if you want to use the internet at
all.

Do you trust any VPN providers? Or your ISP? Or the programmers of the browser
that you're using? Or your CPU manufacturer? It's turtles all the way down.

Perfect is the enemy of good. If that protocol was open, it might foster a way
to fold VPNs into the everyday person's internet connection, with the
possibility to easily change VPN providers down the track.

~~~
dredmorbius
And the point of this article, that VPNs are not the solution to a policy
problem, _is to change policy such that that trust may be far better founded._

Adding more players to a game that perverts and corrupts virtually every
player on the field doesn't strike me as a particularly wise and enlightened
approach.

------
nine_k
Technology used to trump policy, in an unstable but stubborn way. Napsters and
piratebays die, but file sharing lives. It's less intense now not because of
policies, but because legal ways to buy most music and videos became
reasonably convenient for the mass user.

How well might connectivity limitation work? It took China immense
centralization and a lot of technical effort to build the great firewall,
which is not exactly impenetrable, though.

------
quantumfoam
I'll just leave this here:
[https://github.com/trailofbits/algo/blob/master/README.md](https://github.com/trailofbits/algo/blob/master/README.md)

I used a droplet on DigitalOcean to configure an Algo server. Very seamless
setup, highly recommend. There's a $10 promo floating around: DROPLET10. You
can self host too.

~~~
skynode
Stated _anti-features_ leave a lot to be desired.

------
siculars
Ya, this sucks... a lot. VPNs are a start with existing tech. I firmly believe
new technology will solve this problem. Encryption everywhere. Overlay
networks. New fully encrypted and anonymized DNS systems. Digital currency
incentivizations. Policy helps but in the absence of policy technology will
find a solution.

------
frebord
This whole damn thing spawns from the lack of competition with ISPs. If
consumers had more than 1 or 2 options, we could choose with our money. I
don't think the solution is to regulate the industry, but our privacy should
certainly be protected by our fucking useless government.

------
pryelluw
Ok, so which vpn providers are good?

~~~
alex_lod
I just did a bunch of research at
[https://www.reddit.com/r/VPN](https://www.reddit.com/r/VPN) -- looks like
Mullvad is the most recommended / highest rated.

~~~
JumpCrisscross
Sweden is a member of the EU [1]. It has a 6-month data retention law [2].
Much safer to route through Norway, Switzerland or even the United States. (I
use PIA [3].)

[1] https://europa.eu/european-union/about-eu/countries_en

[2] https://www.purevpn.com/blog/data-retention-laws-by-countries/

[3] https://www.privateinternetaccess.com

~~~
brokenmachine
Personally I would never use a US-based VPN.

~~~
uabstraction
Everyone has different needs. If you are a journalist building up a story
against powerful adversaries, then you absolutely find a VPN provider in an
impartial jurisdiction. If you are just trying to hide your browsing habits
from your nosey ISP, torrent a couple movies, and latency matters at all to
you, a local VPN is not a terrible choice.

~~~
brokenmachine
Fair point.

I'm not in the US, so the local advantages don't apply, only the three-letter
agency illegal snooping disadvantages.

~~~
mirimir
Well, the NSA has intercepts virtually everywhere. They're drowning in data.

------
vxxzy
At the end of the day, it is obvious that policy is the right direction to
stop this bleed of infringement. However, be it noted: those who have the
capability to circumvent, or ethically "get around" such encroachment, have a
responsibility to free those who may be entangled by that which is "freedom
limiting". The argument could be had, however: is it really freedom limiting
for others to know your web history? Obviously, there are second, and third
abilities to be held when a dominant party knows of the lesser's behavior.
Still a great bit to parse. As for me and my house, we will tunnel safely
through VPN.

~~~
staticsafe
Some food for thought: Such data can include say, the fact that a certain
person enjoys some fetishes or maybe some other similarly compromising data.

The possibility for blackmail exists and therefore the possibility of your
freedom being curtailed.

------
BatFastard
Does anyone sell a router for the home that has a VPN built in?

So that I don't have to have every computer in my home hook into the VPN when I
start it up. Just one account for my whole house?

I imagine you could set up a linux box to do that for you, but I am lazy...

~~~
Icedcool
Get an asus rt-n16, and throw advanced tomato on it. Then plug in vpn settings
into the vpn client, and you're all set.

~~~
BatFastard
Thx for the suggestion, advanced tomato looks great. Some of the reports on
the rt-n16's capacitor issues concern me. But then again I am getting in the
habit of replacing the capacitors in my electronics.

------
cottsak
VPN providers can totally scale. They will cease to be semi-dark-web services
and turn first class. Services that test them will emerge verifying the
security and encryption of tunnels.

Additionally there will be some who take an extreme view to this "zero
knowledge" approach offering all forms of payment and workarounds to
preventing down-stream ISPs/backhaul from tracking/identifying/classifying
user traffic.

Maybe VPNs "are not the solution" but they still can do a lot of good in the
mean time yet.

------
bayouborne
Look to Comcast and TW to buy a few of the mid-tier established VPN providers,
and then play both sides of the table.

------
herbst
After reading digital ocean the 10th time on here. What makes people think
that using an American company that complies with American laws and regularly
gives out data is a much better option than renting a VPN in a country that
still has privacy in place?

~~~
pythonaut_16
In this case people are talking about avoiding ISP tracking, not evading law
enforcement and government entities.

------
godzillabrennus
The solution to all of this is educating the population.

VPN tech is cheaper and more likely to succeed.

~~~
chrisper
Especially if the VPN Provider is a shell company of the NSA or CIA!

~~~
nosuchthing
On the contrary, Hanlon's razor could just assume good intentioned VPN hosts
failing to secure their design by negligence or ignorance of broken protocols.

~~~
brokenmachine
To the contrary, Ockham's razor means shell VPN companies set up by the
_multi-billion dollar_ three-letter agencies whose entire job seems to be to
gather as much data as possible by any means. :-)

~~~
ktta
Gillette's razor means I can get the best a man can get

------
chx
I had all sorts of VPN problems over the years with various Linux desktop OSes.
What I do instead is that I have a proxy server with just an OpenSSH daemon on
port 443 -- if there's web traffic, add sslh to taste -- and then use the
SOCKS v5 proxy built into the OpenSSH client and then
[http://darkk.net.ru/redsocks/](http://darkk.net.ru/redsocks/). I might be the
weird case here but I found this infinitely easier to set up than any VPN.
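
The setup above chains `ssh -D` (which exposes a local SOCKS5 listener) with redsocks (which redirects TCP connections into such a listener). The following is an added example, not code from this thread, from OpenSSH or from redsocks: it implements the SOCKS5 CONNECT negotiation (RFC 1928) that flows across that local listener, on both the client and the proxy side, and runs it over an in-memory socket pair so nothing touches the network. Hostnames are sent as domain-name addresses, which is what keeps name resolution on the proxy end rather than on the local machine; the parser rejects length mismatches so a malformed request can never be interpreted as some other destination. All addresses and names in it are constructed.

```python
"""Minimal SOCKS5 (RFC 1928) CONNECT negotiation, client and proxy side.

Added example: not from the thread, OpenSSH or redsocks. `ssh -D` exposes a
local SOCKS5 listener and redsocks forwards redirected TCP connections into
one; this shows the bytes that negotiation consists of.
"""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_greeting(methods=(NO_AUTH,)):
    """Client hello: VER, NMETHODS, METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    """Return the list of auth methods offered, or raise on a malformed hello."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def build_connect_request(host, port):
    """Client request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.
    Literal IPs go as binary addresses; anything else as a domain name, so the
    proxy (not the local resolver) does the DNS lookup."""
    try:
        atyp, addr = ATYP_IPV4, socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            atyp, addr = ATYP_IPV6, socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("domain name too long for SOCKS5")
            atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Return (host, port) from a CONNECT request, rejecting truncated or
    trailing bytes so the proxy never guesses at the destination."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end, family = 8, socket.AF_INET
    elif atyp == ATYP_IPV6:
        end, family = 20, socket.AF_INET6
    elif atyp == ATYP_DOMAIN:
        end, family = 5 + data[4], None
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    host = data[5:end].decode("idna") if family is None else socket.inet_ntop(family, data[4:end])
    return host, struct.unpack("!H", data[end:end + 2])[0]


def build_reply(rep=REP_SUCCEEDED):
    """Proxy reply: VER, REP, RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def demo_exchange(host="example.com", port=443):
    """Run one negotiation over an in-memory socket pair (constructed; no
    network). Returns the destination the proxy decoded and the reply code."""
    client, proxy = socket.socketpair()
    decoded = {}

    def proxy_side():
        try:
            offered = parse_greeting(proxy.recv(257))
            proxy.sendall(bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in offered else NO_ACCEPTABLE]))
            decoded["target"] = parse_connect_request(proxy.recv(262))
            proxy.sendall(build_reply())
        finally:
            proxy.close()  # on any failure the client sees EOF instead of hanging

    worker = threading.Thread(target=proxy_side)
    worker.start()
    client.sendall(build_greeting())
    if client.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise RuntimeError("proxy refused all authentication methods")
    client.sendall(build_connect_request(host, port))
    reply = client.recv(10)
    worker.join()
    client.close()
    if len(reply) < 2:
        raise RuntimeError("proxy closed the connection without a reply")
    return decoded["target"], reply[1]


if __name__ == "__main__":
    print(demo_exchange())
```

Run as a script it prints the decoded destination and reply code for the constructed `example.com:443` request. The same framing is what a transparent redirector has to emit for each intercepted connection, which is why a proxy that mishandles the domain-name address type silently turns into a DNS leak.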

~~~
staticsafe
SSH tunnels work in a pinch (OpenSSH is <3). However for coverage across
devices such as smartphones OpenVPN works better long-term.

~~~
dingaling
Unfortunately even recent versions of Android have some incompatibilities with
OpenVPN.

When I tried again with Lollipop last month, the VPN's preferred DNS was not
being set on the phone despite being sent from the VPN server, hence DNS
lookups were leaking to whatever DNS server had been set before establishing
the VPN. Quite a nasty gotcha. Workaround is to run a script to set the DNS,
but that requires root privs which 'normal' users won't have.
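
The failure described above, a pushed DNS server that never becomes the active resolver, is easy to detect by comparing what the server pushed with what the client is actually using. The following is an added example, not code from the thread or from OpenVPN: it reads the `PUSH_REPLY` line that the OpenVPN client logs, extracts the pushed `dhcp-option DNS`, `route` and `ifconfig` options, and compares them against a Linux-style `resolv.conf`. Both inputs are constructed samples. On Android the resolver state is exposed differently, so the resolv.conf parsing step would have to change, but the comparison is the same.

```python
"""Check whether the resolvers in use match the ones the VPN pushed.

Added example for the DNS-leak situation described in the thread; not code
from OpenVPN or from the thread. Assumes an OpenVPN client log (its PUSH_REPLY
line lists what the server pushed) and a Linux-style resolv.conf; both sample
inputs below are constructed.
"""
import ipaddress
import re

PUSH_REPLY_RE = re.compile(r"PUSH_REPLY,([^']*)'")


def parse_push_reply(log_text):
    """Return (pushed_dns, tunnel_networks) from PUSH_REPLY options such as
    'dhcp-option DNS a.b.c.d', 'route net mask' and 'ifconfig local peer'."""
    pushed_dns, tunnel_nets = [], []
    for match in PUSH_REPLY_RE.finditer(log_text):
        for option in match.group(1).split(","):
            parts = option.split()
            if not parts:
                continue
            if parts[:2] == ["dhcp-option", "DNS"] and len(parts) == 3:
                pushed_dns.append(ipaddress.ip_address(parts[2]))
            elif parts[0] == "route" and len(parts) >= 3:
                tunnel_nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
            elif parts[0] == "ifconfig" and len(parts) == 3:
                # net30 topology: second argument is the peer address;
                # subnet topology: it is the netmask of the local address
                if parts[2].startswith("255."):
                    tunnel_nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
                else:
                    tunnel_nets.append(ipaddress.ip_network(f"{parts[2]}/32"))
    return pushed_dns, tunnel_nets


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def classify_resolvers(active, pushed_dns, tunnel_nets):
    """Map each active resolver to 'pushed' (one the VPN designated), 'tunnel'
    (another address the VPN routes) or 'outside' (neither)."""
    result = {}
    for server in active:
        if server in pushed_dns:
            result[str(server)] = "pushed"
        elif any(server in net for net in tunnel_nets):
            result[str(server)] = "tunnel"
        else:
            result[str(server)] = "outside"
    return result


def dns_leaks(log_text, resolv_text):
    """Resolvers in use that the VPN neither pushed nor routes. Queries to them
    are answered by a resolver the VPN did not choose; without redirect-gateway
    the packets also leave through the ordinary uplink."""
    pushed_dns, tunnel_nets = parse_push_reply(log_text)
    classes = classify_resolvers(parse_resolv_conf(resolv_text), pushed_dns, tunnel_nets)
    return [server for server, cls in classes.items() if cls == "outside"]


# Constructed sample inputs (not captured from a real client)
SAMPLE_LOG = """\
Tue Mar 28 10:02:11 2017 SENT CONTROL [vpn-server]: 'PUSH_REQUEST' (status=1)
Tue Mar 28 10:02:11 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5'
"""
LEAKY_RESOLV = "# Generated by dhcpcd\nnameserver 192.168.1.1\nnameserver 8.8.8.8\n"
FIXED_RESOLV = "nameserver 10.8.0.1\n"

if __name__ == "__main__":
    print("leaking to:", dns_leaks(SAMPLE_LOG, LEAKY_RESOLV))
    print("after fix:", dns_leaks(SAMPLE_LOG, FIXED_RESOLV))
```

With the constructed inputs the first call reports both `192.168.1.1` and `8.8.8.8`, the second reports nothing. A LAN resolver such as `192.168.1.1` is the worse of the two: even with `redirect-gateway` pushed, a directly connected subnet keeps its more specific route, so those queries never enter the tunnel at all.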

------
ollieco
PrivacyTools.io [1] has a great list of resources (not just VPNs but also
email clients, email providers, browsers, OSs) that can be used.

If you are using Firefox, be sure to follow everything mentioned in the
"about:config" hacks section.

[https://privacytoolsio.github.io/privacytools.io](https://privacytoolsio.github.io/privacytools.io)

------
chlordane
I'm sure you all remember this read from 6/1/2016:

The impossible task of creating a “Best VPNs” list today
[https://arstechnica.com/security/2016/06/aiming-for-anonymit...](https://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/)

------
7HNajAH
So which VPSs are good for privacy? We all know DigitalOcean, AWS and Linode
as simple to set up and use VPSs, but does anyone have any recommendations of
VPSs based on their terms? I currently use DO for my VPS/VPN, but I've seen
people voice concerns about them in the past. Is there a list of 'most free'
providers?

------
jmclnx
Well a quick google came up with this:

[http://www.pcmag.com/article2/0,2817,2495932,00.asp](http://www.pcmag.com/article2/0,2817,2495932,00.asp)

[https://www.bestvpn.com/best-linux-vpn/](https://www.bestvpn.com/best-linux-vpn/)

~~~
ballenf
The PCMag survey felt _very_ heavily weighted to who they get referral fees
from. Every top rated VPN had a special link and referral offer.

That being said I used it and ended up choosing one that they recommended
basically due to lack of info from other sources that is timely. Was a couple
months ago.

------
pnutjam
I run x2go on a linux server that I connect to remotely for browsing. It's at
my house currently and configured to use a vpn, but I used to have one in the
cloud.

I wonder if people would be interested in dedicated browsing VM. Unfortunately
there is no good mobile client.

------
Proof
I swear 98 percent of this article was from the Policy Change HN read
yesterday.

I think the market for VPNs that have a policy for not keeping logs and easy-
to-use will grow exponentially in the common days or weeks. For the more
technically inclined, VPS providers.

------
johanneskanybal
Not the solution perhaps but the next natural move of a cat and mouse game
that predates the current policy change. It boils down to: Keep the internet
lawless because there's no global entity that has my best interests at heart.

------
logicallee
Although it would not be a solution, see my request for Google to do this
posted a few hours ago:

[https://news.ycombinator.com/item?id=13983468](https://news.ycombinator.com/item?id=13983468)

------
awqrre
if I can buy your browsing history, I should also be able to buy your tax
returns...

------
gshakir
How about Apple provide a VPN as part of the device? Remember Apple was the
one that broke the telecom's dominance on the mobile market. I wouldn't mind
paying Apple for the privacy.

------
dredmorbius
The (presently) top-rated comment on this thread by nikcub is not only wrong,
but fractally wrong in every particular. I'm offering this as a possible
counterpoint.

[https://news.ycombinator.com/item?id=13982966](https://news.ycombinator.com/item?id=13982966)

* False dichotomy: that the solution lies in only one sphere. (Lessig, _Code_ ). This is lightly moderated, but resurfaces at several later points in the argument.

* Personal responsibility. Check. Never mind that the source article states concisely and specifically why this doesn't work or scale.

* Hybrid system. Or as I prefer, _the worst of both worlds_. In the healthcare example, a _guarantee of emergency room services_ is posited as a sufficient mitigation for mandating individual responsibility _in all other areas_. Disregarding the fact that beneficial health outcomes come from public or preventive measures, not acute (read: late, expensive, heroic measures) interventions:

"In all, 86 per cent of the increased life expectancy was due to decreases in
infectious diseases. And the bulk of the decline in infectious disease deaths
occurred prior to the age of antibiotics. Less than 4 per cent of the total
improvement in life expectancy since 1700s can be credited to twentieth-
century advances in medical care."

― Laurie Garrett, _Betrayal of Trust: The Collapse of Global Public Health_

* As with all good Techno-Libertarians, nikcub "personally believe[s] in user responsibility". Despite some 50+ years of experience that _user responsibility for security simply does not work or scale_.

Nikcub continues with specifics:

* Universality of policy. Which seems to boil down to "since _every_ jurisdiction cannot offer the same high levels of protection, _no_ jurisdiction should". What ever happened to the concept of a competitive marketplace for ideas, including legal and moral frameworks? Isn't the very idea of liberal democracy that its principles, premises, and protections _are so manifestly self evident_ that _all_ people everywhere would want them? (And hence: why it's such a major pain in the ass of tinpot despots everywhere.)

* Some governments are bad ... so _no_ governments can be trusted. Again: a slope so slippery nikcub loses his footing instantly. We can apply the same argument to ... anything. Including his proposed technological solutions: _Software is a major party in privacy violations and is conflicted (and buggy), so it cannot be expected to behave in the interest of users._ In government as with software, _the proper response to buggy implementations is to fix the bugs, not burn the house down and abandon the domain completely._

* Government trust. Where do I even start (the concept and questions of trust are ... a whole 'nother essay). _If liberal democratic government, the agent and agency of The People, cannot be trusted, then what can?_ Private, _self-interested_ business? Which, I'll hasten to add, _has landed us in the present kettle of fish_? If you're finding that your government (or parts of it) aren't trustworthy, _then you have two problems_. But the one doesn't invalidate proper approaches to the other, _and fixing the problem of government trust gives you an exceptionally powerful tool to apply in remedying privacy and other policy failures_. Say, such as single-payer, universal, socialised medicine.

* Tech solutions that are universal ... are called _policy_. And, to add to that, _a primary reason for approaching such policies through government is that governments have the clout and scale to make policies stick._ Keep in mind that this need not be at national or international scales. Policies at the sub-national scale -- say, Northern Ireland or Scotland within the UK, or California or New York within the United States, could have major impacts. Given the option of adopting _multiple and conflicting regulatory standards_ , or _a unified and coordinated_ standard, companies will often prefer the latter. The case of US EPA and California EPA emissions standards would be an excellent study in same.

* Good policy is hard work. Yes, well, hard problems are hard. This doesn't make them not worth pursuing. And remedying the specific problems highlighted would be a key goal of any privacy regulatory overhaul.

* Penalties are small. Well, duh: _embiggen them._ I thought _yuuuuge!!!_ was in now, anyways....

* On information disclosure: yes, _it's very hard to un-leak data_. On the other hand, comprehensive and pervasive regulations _against_ the storing _or_ transmission of personal data, _stiff penalties_ for doing so, and _sufficient rewards_ for reporting on such violations, will tremendously decrease the incentives for doing so. Given that the value of vast troves of personal information to firms such as Facebook is ... roughly $12/year per person, those penalties need not be tremendous, though they do need to be sufficient _given scales of detection_. This isn't dissimilar to present approaches against counterfeiting of money or goods: the fundamental capability to violate norms exists, but with appropriate penalties, and incentives, against transacting in such money or goods, it can generally be tamped down to an acceptable level. The more so _if technology and other means are applied in concert with policy_.

The argument continues spewing the additional canards of _perfect worlds_ (no
policy world is perfect, at best it is _sufficient_), _sole reliance_, and
of mis-casting the argument as _warning people away_ from VPNs (it doesn't, it
merely points out that _VPNs alone are grossly insufficient_).

And for the capper, we have _free-market it harder_. As if it wasn't free-
market interests, and failures, which haven't landed us precisely in the
present situation.