
Russian Government Seize Private Internet Access' Servers - neurostimulant
https://torrentfreak.com/vpn-provider-pia-exits-russia-server-seizures-160712/
======
dopamean
This is a copy of the email I received from them last night:

To Our Beloved Users,

The Russian Government has passed a new law that mandates that every provider
must log all Russian internet traffic for up to a year. We believe that due to
the enforcement regime surrounding this new law, some of our Russian Servers
(RU) were recently seized by Russian Authorities, without notice or any type
of due process. We think it’s because we are the most outspoken and only
verified no-log VPN provider.

Luckily, since we do not log any traffic or session data, period, no data has
been compromised. Our users are, and will always be, private and secure.

Upon learning of the above, we immediately discontinued our Russian gateways
and will no longer be doing business in the region.

To make it clear, the privacy and security of our users is our number one
priority. For preventative reasons, we are rotating all of our certificates.
Furthermore, we’re updating our client applications with improved security
measures to mitigate circumstances like this in the future, on top of what is
already in place. In addition, our manual configurations now support the
strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.

All Private Internet Access users must update their desktop clients at
[https://www.privateinternetaccess.com/pages/client-support/](https://www.privateinternetaccess.com/pages/client-support/) and our
Android App at Google Play. Manual openvpn configurations users must also
download the new config files from the client download page.

We have decided not to do business within the Russian territory. We’re going
to be further evaluating other countries and their policies.

In any event, we are aware that there may be times that notice and due process
are forgone. However, we do not log and are default secure against seizure.

If you have any questions, please contact us at
helpdesk@privateinternetaccess.com.

Thank you for your continued support and helping us fight the good fight.

Sincerely, Private Internet Access Team

~~~
Vexs
I really like that they were not only upfront about this, but appear to have
gotten ahead of it. Good on them.

Also, RSA-4069? That's pretty damn hefty, is there even a point to using that?

~~~
goodplay
> RSA-4069? That's pretty damn hefty

This surprised me for a different reason: I was under the impression that
effective security bit size does not scale linearly with bit lengths in RSA,
and that key size would need to be 16,000-bits long for a comfortable safety
margin (a size not practical and not supported by RSA).

Are there any practical reasons why one shouldn't use epileptic-curve based
crypto?
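
The two questions above (whether RSA-4096 buys much over RSA-2048, and why a modulus matching 256-bit security would be far larger than 4096 bits) can be made concrete with the textbook GNFS cost estimate. This is an added example, not code from the thread or from Private Internet Access; it uses the L[1/3, (64/9)^(1/3)] asymptotic with its o(1) term dropped, so its figures land a few bits above NIST's published equivalence table, and the ECC half assumes only generic (Pollard rho) attacks on the curve group.

```python
import math

LN2 = math.log(2)


def gnfs_security_bits(modulus_bits: int) -> float:
    """Rough effective strength, in bits, of an RSA modulus of the given size.

    Uses the asymptotic running time of the General Number Field Sieve,
    L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),
    with the o(1) term dropped, so it overestimates the tabulated NIST
    strengths (112 for 2048, 128 for 3072, 256 for 15360) by a few bits.
    """
    c = (64 / 9) ** (1 / 3)
    ln_n = modulus_bits * LN2  # ln(n) for a modulus n of modulus_bits bits
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / LN2  # exp(work) expressed as a power of two


def rsa_bits_for(security_bits: int, step: int = 64) -> int:
    """Smallest modulus size (a multiple of `step`) reaching the target strength."""
    bits = step
    while gnfs_security_bits(bits) < security_bits:
        bits += step
    return bits


def ecc_bits_for(security_bits: int) -> int:
    """Generic attacks on an n-bit elliptic-curve group cost about 2^(n/2)."""
    return 2 * security_bits


def comparison_table(moduli=(1024, 2048, 3072, 4096, 8192, 15360)) -> list:
    """(RSA modulus bits, estimated security bits, ECC curve bits for the same)."""
    rows = []
    for m in moduli:
        sec = round(gnfs_security_bits(m))
        rows.append((m, sec, ecc_bits_for(sec)))
    return rows


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'~security':>10} {'ECC bits for same':>18}")
    for modulus, sec, ecc in comparison_table():
        print(f"{modulus:>9} {sec:>10} {ecc:>18}")
```

Doubling the modulus from 2048 to 4096 bits adds only about 40 bits of estimated strength, while 256-bit security needs a modulus well past 12000 bits, which is the non-linear scaling the comment describes.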

~~~
theandrewbailey
> Are there any practical reasons why one shouldn't use epileptic-curve based
> crypto?

Because it doesn't exist yet? Sounds like it would be all over the place and
secure. \s

Isn't RSA more widely used? It could also be that the NSA is discouraging
EC-based crypto[0]; though whether this is due to "We can't crack this" or to
"As a guideline to other agencies OMG THIS SHIT IS SO BROKEN" is anyone's guess.

[0] by alleged concerns over quantum computing [https://threatpost.com/nsas-divorce-from-ecc-causing-crypto-hand-wringing/115150/](https://threatpost.com/nsas-divorce-from-ecc-causing-crypto-hand-wringing/115150/)

------
jswny
This is truly disheartening. I hope that other providers follow suit and
choose the privacy of their customers over profits. This move is unacceptable
by the Russian government. To save logs as required by this radical new
Russian legislation is to compromise the entire concept of a VPN. I hope that
the US government takes note of how direct of an impact this has on the tech
industry in Russia, and how it can happen here in the US if the government
keeps encroaching on privacy as they have been doing in the past few years.
It's going to kill our tech industry if we don't stop.

~~~
csydas
While I understand the sentiment and frustration, a few corrections and
comments:

1. This is not radical new law, but has been in place for a year; it's only
now that Roskomnadzor has elected to address this particular VPN service. This
doesn't change the shock of server seizure, but it also has been clear that
this was a long time coming, or should have been for the VPN provider.

2. In regards to the comment on the US, I'm sure they'll pay attention, but
not in the way you're thinking. Remember, even though the US has no blanket
policy for ISPs and other service providers, they do frequently issue warrants
for the data already stored by ISPs and service providers. [1,2,3] Compliance
for these usually isn't an option, nor do many businesses have the resources
to fight the government successfully.

3. Even before government snoop acts and projects, ISPs and companies based
in the US (and outside) have been willingly handing over customer data as a
matter of business.

Government snooping likely won't "kill tech", rather, it will kill very
specific privacy oriented tech. This is indeed bad, and I am not sure how to
ensure that my plainness of statement does not understate the severity, but
provisions such as what Russia and the EU have will not be the deathknell for
technology in the United States, or even across the globe, any more than what
the US has already done with its snooping and spying.

In short, if tech can still pull money after the NSA revelations, it's likely
able to survive more foreign regulations.

[1] [https://ilt.eff.org/index.php/Privacy:_Stored_Communications_Act](https://ilt.eff.org/index.php/Privacy:_Stored_Communications_Act)

[2] [http://digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163](http://digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163)

[3] [http://www.cnet.com/news/house-panel-approves-broadened-isp-snooping-bill/](http://www.cnet.com/news/house-panel-approves-broadened-isp-snooping-bill/)

~~~
simbalion
I think we should also remember that Putin is believed to be a mass murderer,
and there is no reason to think that Russia can get better with regards to
ethical standards with Putin in charge.

~~~
csydas
I didn't suggest any such thing, nor am I excusing Russia's actions in the
least bit.

The original comment seemed to think that the US wasn't already involved in
this type of snooping and aggressive actions towards people's privacy, and
that such actions would be a poison to tech - if anything, tech and government
have happily crawled into bed with one another in the US, with only a few
important cases where there has been resistance.

So I responded to point out that the US has very little to learn from Russia -
if the lesson is supposed to be trampling privacy and freedom via technology
is going to hamper tech-businesses, then I really don't think the US learned
it during any of the times it did exactly that. I don't think it learned it
when the EU did it, and I don't think they're going to learn it from a VPN
provider's servers being seized in Russia. The US heard the lesson long ago,
and just didn't care.

Putin having skeletons in his closet doesn't really change any of that.

------
mtgx
It's going to take many decades to repair the damage Putin has done to
whatever form of democracy Russia had before him.

But Russians are just as much for blame for wanting a "strong leader" (as in
ruling with an iron fist). This is the type of thing such strong leaders do.

~~~
jdimov10
Russia has NEVER had any kind of democracy, so Putin can not really have
damaged anything that wasn't there. Russian people have, for many centuries,
accepted only authoritarian rule.

On a tangent.. I am yet to find anyone who can actually give me an example of
a working democracy. I believe the concept is flawed and either mis-used or
abused by everyone who has ever used the term in a political (as opposed to
academic) setting.

~~~
varjag
I'm going to spare you the mundane instances of working democracy throughout
pretty much all of the West. But you can undeniably see democracy in action
whenever a change feverishly opposed by an establishment happens anyway
through a due process. E.g. exiting EU or nominating a raving populist as a
presidential candidate.

~~~
supergirl
yeah, working democracies, except if something is national safety issue, then
anything goes

~~~
varjag
The knee-jerk reactions are propelled by fear and cowardice of voters, first
and foremost. It's convenient to blame politicians, but they just do what
brings them easy votes.

------
wrong_variable
Got the message yesterday.

I really liked using Russian Servers, things that are banned in the EU would
load fast.

~~~
kbart
_"things that are banned in the EU"_

I'm not aware of any EU-wide Internet censorship mechanism, can you please
expand on this?

~~~
Retr0spectrum
I assume they mean things like Pokemon GO, which are not censored, but simply
not available due to policies or release dates.

~~~
varjag
Not available in Russia either.

------
woodandsteel
Putin thinks that his country will be stronger if he suppresses all dissent.
But history has shown that, in the long-term, better decisions are usually
made if issues are debated out in public.

------
kenbaylor
Quick comment on two Russian laws that often get mixed up:

242-FZ: It requires data on Russian citizens be kept in databases within the
borders of Russia, and that first-write and first-update happen in Russia.

The other laws involved required retention of internet access logs for 6
months.

------
googletazer
Feels bad for Snowden.

------
ogurechny
Without any additional information, the story, as presented, is fishy.

1. The “counter-terrorism” package to which they seem to point was only
enacted last month. The details and dates for its impossible requirements for
ISPs, hosting providers, services, etc. (to save up to three years of
connection metadata and up to half a year of content of all — vaguely defined
— “transmissions”) haven't yet been set.

2. Current law also states that ISPs have to save metadata for 6 months and
all traffic for 12 hours (numbers and details can probably be optimized by
one-on-one deals with local authorities). This has been in effect since 2014,
and the VPN providers didn't seem to have problems with that.

3. I highly doubt they were registered as an ISP and got a license.
Compliance with these laws was mostly their hosting provider's headache.

4. Failure to comply is punished by enormous fines, not property seizure.

5. Russian law enforcement can seize your servers “without notice or any type
of due process” if they think they have a reason with or without those laws.
ISPs do have formal and informal contacts with various agencies to prevent
collateral damage and assist in evidence gathering. Maybe they didn't care in
this case or it was too important.

6. Haphazard reactions like revoking all their certificates (if they didn't
actually have their master server with all the keys in Russia) and boasting a
snake oil solution of pushing key widths to their limits without a valid
cryptographic cause are actually a reason to seriously reconsider whether your
own cloud VPN instance would have a more competent administrator. (Offtopic rant
follows further down.)

So, while it is not impossible that the Russian government sent them off with
noticeable brazenness in order to scare other companies providing tunneling
services (that have been seen as uncooperative and allowing access to content
censored by the government), there is still no official statement of any kind
for what happened. AFAIK, the censorship agency, which has always been pretty
vocal about its noble citizen-protecting activities, didn't comment on that
incident at all.

Offtopic rant: Let me remind you that all these VPN services are made by
people greedy for a quick buck who don't even understand how to set up NAT
without side effects for outbound traffic that should return inbound to the
same network, and that “anonymity” and “not keeping logs” claims are
unenforceable. Traditional ISPs are limited by strict laws in most countries,
and they still spy on traffic and sell “depersonalized” (yeah, yeah) data on
the ad market. A VPN server is an even tastier way to spy on the browsing habits
of each of the clients; the temptation is too high to resist if you are not
ideologically solid (which, despite all the website speeches, they are not).

