
How one small American VPN company is trying to stand up for privacy - trauco
http://arstechnica.com/tech-policy/2013/10/how-one-small-american-vpn-company-is-trying-to-stand-up-for-privacy/
======
duaneb
Any american-based VPN company should be assumed to be a honeypot—use it to
dodge your ISP, not governments.

~~~
randywaterhouse
While I don't wholeheartedly agree with the honeypot allegation, I do agree
that you should take most VPN providers with a grain of salt, be it that they
are in fact a honeypot, occasionally leak data, or do shady things like
actually inspect traffic.

An additional use, and the one I use VPNs for from time to time, is to throw
off ad-network information and avoid over-disclosing information about myself.

~~~
duaneb
I'm quite sorry, I didn't intend to imply that PIA is a honeypot. I use PIA
every day (I'm using it now!). My point was to say that at the end of the day,
we must assume the government has access to all servers and services
potentially subject to National Security Letters until proven otherwise.

If the government wants to snoop on you, a VPN is one NSL away from having
full access to all future use unless you hide your identity and money trail
very carefully.

------
fencepost
I seem to recall seeing information recently about one company that has taken
steps to ensure that their technical people are outside the US and that the
staff (& founder?) remaining within the US no longer had any access to network
management, software, etc. so there could be no question of them being forced
to backdoor anything. Is that PIA?

~~~
fencepost
Replying to myself now that I've had a chance to research, here's the relevant
link: [http://torrentfreak.com/how-nsa-proof-are-vpn-
providers-1310...](http://torrentfreak.com/how-nsa-proof-are-vpn-
providers-131023/) partway down the page, in the section on National Security
Letters and Private Internet Access.

Quoting Andrew Lee: “However, to remain in the US, meant, as well, the
relinquishing of my access to the PIA systems/network. Administrators,
developers and co-founders everywhere can relate to the difficulty of doing
so, but the reality is that it was a requirement if I was to remain here. This
policy is in place, and relinquished access I have.”

There's significantly more information in the original article.

------
DigitalSea
Don't assume just because X service says they're not logging data that someone
else isn't. In this case PIA might not be logging user activity, but as the
NSA have proven in the past, it's all too easy for them to get a secret court
order and install hardware into a data centre server rack that monitors
network activities for a particular service. They've done it before and if
they wanted too, they could do it again.

The scary part is if it's a secret court order, the service provider is gagged
and threatened with legal action if they publicly disclose the fact they're
complying with a Government request. Being an American based company all the
more makes it too easy for the NSA to get the information if they need it.
This article does not make me feel any less insecure about my privacy.

~~~
Wingman4l7
Cory Doctorow wrote a piece for _The Guardian_ [1] theorizing a sort of "dead-
man's switch" for this that might allow you to circumvent a gag order.
Basically, you regularly post a signed message saying "we have not yet been
compromised" \-- and then when you are, you just STOP posting that.

As Doctorow mentions in his article, the basic idea is not new -- it
originated in 2004 with Jessamyn West, a librarian trying to fight back
against the FBI trying to look at patron's reading habits, and the
accompanying gag order. In that case, it was:

> a sign on the wall of her library reading "THE FBI HAS NOT BEEN HERE (watch
> very closely for the removal of this sign)."

[1]: [http://www.theguardian.com/technology/2013/sep/09/nsa-
sabota...](http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-
dead-mans-switch)

~~~
hdevalence
I think that one of the claims in the parent was that the feds can just hand
the NSL to the data centre provider or whatever and monitor all the traffic
that way -- they don't necessarily need compliance from the person running the
service.

~~~
Wingman4l7
True -- but then there's nothing stopping the datacenters from having a
"warrant canary" either.

------
rdl
For a privacy protecting VPN where you can't trust governments: There is
really no policy-only way to trust a provider of a security-specific service
where turning on logging is just flipping a single bit. There has to be some
kind of technical measure to protect users, and no one has built that (yet).

It also will take a pretty clear Chinese wall between builders and operators
of a service, or even an arms length multi entity relationship (eg a meta VPN
provider sells sells fairly turnkey VPN nodes to operators, who then run them;
maybe a third entity which does billing for end users and rev shares
everything out). Much more like Tor than the commercial VPN services of today.

The corporate VPN world is different, and the simple "torrent shit on comcast"
or "watch Netflix on vacation" market is way easier.

IFF lavabit is resolved successfully, you may be able to trust a US provider
for general privacy stuff, but that is months or years off.

~~~
bradleyjg
> IFF lavabit is resolved successfully, you may be able to trust a US provider
> for general privacy stuff, but that is months or years off.

I've read through lavabit's filing and I'm not sure the factual predicates are
as strong as they possibly could be. So they could lose on narrow grounds and
still leave the door open for other companies to argue that it is possible to
create a reasonable expectation of privacy for its customers in their
metadata.

However if lavabit loses and the decision is written broadly, you are right
that it is probably game over for any system that requires you to trust the
subject to US jurisdiction operator in any way.

------
jlgaddis
I'm the "head guy" at the ISP I work for. I'm also the "owner" (single member
manager) of two LLCs that I've formed but that are mostly inactive at this
point.

Unfortunately, I've been delayed (due to a fairly major motorcycle versus Jeep
accident that has me laid up) but I've been considering offering a similar
service (as well as Tor relays, including an exit node or two).

For those of you who (might) use such services, what would it take for you to
trust a provider? An AUP/ToS stating "we don't log", a so-called "transparency
report", a warrant canary, payment via Bitcoin?

~~~
rdl
There needs to be some separation between configuring the system and auditing
it. If you could only push configs through something like rancid, made it read
only to auditors or users, and could ensure configs only could get pushed
through that, it would be reasonably to trust it. It is hard when anyone can
either bypass config management to add logging, or where the audit doesn't
include all systems in scope, or is only done yearly (so bad stuff can happen
in between).

------
pzce
Whether a website is ranking VPN services or just discussing them, PIA is
almost always mentioned before any other provider. I wonder how much they are
paying for these types of advertisements...

~~~
rdl
Don't hate them for good marketing!

I think the lifetime value of a VPN customer is >$50 (accounts tend to churn
but it is be same people getting new ones, in my experience with VPNs from
before; users either fall into the long term customer bucket or use then for
single purposes).

I've only seen their ads or promo stuff in very targeted places, as well as
bitcoin (which is more them sponsoring it due to early involvement with
bitcoin), so even high cpm would make sense. People go to " top VPN provider"
lists with intent.

I see anchor free and hidemyass much more in general ads and forums. AF is
free and ad supported, and mega capitalized, so that is probably why they go
for random high volume stuff

------
maaaats
Too bad it doesn't matter. As long as the US government can do what it does
with forced silence, I'm not trusting any provider within the border.

~~~
iends
Can you really trust other countries any more? If so, why do you think so?

~~~
infocollector
I think we should ask Angela Merkel ? ;-)

------
mariuolo
Unfortunately I don't think it's the right country to run a VPN service from,
these days.

------
Learn2win
Did Google say the paid advertisements should have disclaimers?

