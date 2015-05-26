
VPNs Are Absolutely a Solution to a Policy Problem (standardnotes.org)
Well allow me to retort.

This article is saying, basically, that the tendency of ISPs to try to monetize user data is a natural consequence of capitalism, and trying to curb that tendency with legislation is ineffectual compared to the real solutions (fight monopolies, and everyone use a VPN).

I don't buy it. Roughly the same argument could be made about virtually any regulation. "Corporations are incentivized to pollute, so there's no point trying to stop them. Buy a water filter." "People will always try to get heroin, so there's no point in restricting it. Get some naloxone." Damn near every regulation is an attempt to counteract some profit-motivated tendency which is the unfortunate consequence of capitalism. And as regulations go, user data is a lot easier to regulate than drugs or pollution.

"Just get a VPN" might be good advice for individuals, but it is emphatically not the society-wide solution to data privacy. We can and should continue to fight for good legislation that protects us.

Your comparison is nonsensical. Pollution is a violation of a shared resource, and can even be an aggression to someone's property. Even the most libertarian-minded individual will make a case against it, see for instance Rothbard[1]. Selling user supplied data to advertisers is exactly what Google and Facebook do. The problem is that there is a monopoly in the ISP business. You can use Searx, Startpage, DDG, or other privacy-focused solutions instead of Google directly, and Facebook is really superfluous; if you don't want it, don't use it, or just create a fake profile. When it comes to ISPs you don't really have a choice if they all decide to turtle up and do the same (the freer the market the greater the incentive to one of them to turn or for another to start in business by answering to the demand for a more private browsing experience, even if locally at a certain city at first).

[1] "The eruption of Mt. St. Helens should have alerted everyone to the ever-present processes of natural pollution (...) In sum, no one has a right to clean air, but one does have a right to not have his air invaded by pollutants generated by an aggressor (...) such aggression may take the form of pollution of someone else's air, including his owned effective airspace, injury against his person, or a nuisance interfering with his possession or use of his land (...) this is the case, provided that (...) while visible pollutants or noxious odors are per se aggression, in the case of invisible and insensible pollutants the plaintiff must prove actual harm; the burden of proof of such aggression rests upon the plaintiff; the plaintiff must prove strict causality from the actions of the defendant to the victimization of the plaintiff; the plaintiff must prove such causality and aggression beyond a reasonable doubt; and there is no vicarious liability, but only liability for those who actually commit the deed." https://mises.org/library/law-property-rights-and-air-pollut...

I think you missed the author's real point. The selling of data isn't the policy you need to fight. The monopoly power of ISPs is the problem you must push back on. The author has rightly pointed out that regulating your way to your goal is not a solution. He is advocating for a free market solution which is much more robust than one that hinges on the right people being in power for all eternity.

There won't be a free market solution to land-based ISPs. After the government broke the telcos up, they just consolidated again. Now we have fewer than a half-dozen large ISPs, and states are trying to ban local governments from creating co-ops! Maybe one or two entrants will come in (Google Fiber, who stopped expanding), and only then, it will be from GOVERNMENT enforcing free use of easements.

Certain industries have a tendency to be monopolistic, or else have incredibly high barriers to entry. ISPs should be regulated to protect customer privacy. This is the equivalent of USPS, the public library, and the phone company selling your data to whoever wants it, and it's wrong.

Quoting the article:

> [...] stop relying on governments for self-protection that you can handle yourself. If it’s not the current administration that will repeal our protections, it will be the next one. And what then?

The whole point of a democratic government is to protect the interest of the majority of their citizens, and the selling of personal data is clearly against the interest of most Americans. In a democracy the tool we have to protect our interests is the law. Unfortunately this tool sometimes is also used by small but powerful actors for their own purposes, colliding with the will of the majority. That's exactly when we have to fight back to keep the government democratic.

VPNs can be used as a temporary workaround by some people, but it's definitively not a good permanent fix for this constant invasion of privacy that many corporations in the US are so willing to attain. Even if you think you have a perfect technical solution (GNUnet? Tor? I2P?) the next administration can simply say that solution is unlawful, and what then? The fact is, sometimes we have to demand our government to do the right thing, and this now is one of those times.

It's evident from previous examples that it's a significant increment from legalizing a bad practice, that is anyway going to be done by law enforcement and other government organs, and by stealth even if it was illegal, to making software or protocols contraband.

Completely agree. Monopolies are the problem. Capitalism is a delicate system and, unregulated, it leads to monopolies. That's why capitalism needs regulation -- not to pick winners, but to ensure healthy competition. This is something Republicans seem to be willfully obtuse about. Capitalism without regulation is like a football game without referees.

This is I think where the voting public gets played by both sides. On the "free market" side people are told all regulation is bad, just let the market operate. Which ignores that some regulation is needed to keep a level playing field. Then on the other side we are told we need to strictly regulate to control for safety and shared resources, but both sides just impose regulation that benefit established firms and sell out consumers.

> ... but both sides just impose regulation that benefit established firms and sell out consumers.

Can't agree more. Corporatist rent-seeking is the fundamental problem with our political economy and/or society. But both sides keep talking past each other (as they are incentivized to do).

> rent-seeking

Tangent, thanks. This is the phrase I was trying to conjure to mind earlier today in a discussion about the very topic of this thread. Ended up taking a long, exhaustive and context-laden road to get to my point; after which I had already lost an audience but so it goes.

For the interested: https://www.wikiwand.com/en/Rent-seeking


The counterpoint is, if the monopoly power of ISPs is the real problem, VPNs don't do anything to stop the monopoly power of ISPs.

VPNs are a strategy for mitigating an individual's exposure—leaving the monopoly of the ISP intact.

Yes, ISP monopolies are still a problem w.r.t. price and quality of service. But VPNs stop the ability of ISPs to snoop on and sell your data, which -- in a perfect world with ISP competition -- market forces would prevent. So VPNs can take the place of market forces for one of the bad things that arise with ISP monopolies, namely the one that the House just enabled yesterday.

VPNs do that so long as ISPs don't inhibit, block, deprioritize, or charge extra for traffic that isn't over known protocols that they can mine for salable data; which, given that the same political actors that oppose the FCC's Privacy Report and Order also oppose the Open Internet Report and Order that prohibits that action, means that VPNs may not long be an effective mitigation of the policy problem, because of an intimately linked policy problem.

There are a lot of factors leading to the current lack of competition in most markets, but I'm not convinced that a monopoly is an entirely natural market condition in this instance. If it were, providers wouldn't demand franchise agreements before entering markets.

https://arstechnica.com/business/2014/04/one-big-reason-we-l...

https://motherboard.vice.com/en_us/article/the-fcc-cant-help...

https://consumerist.com/2015/05/26/why-your-cable-company-do...

Government regulation contributes much to the cost of investing in infrastructure and starting an ISP business in most areas. I think it would be interesting to see what would happen if that cost could be brought down.

That's a double-edged sword. Regulations create monopolies as well.

Regulations destroy competition. Sometimes that's a sacrifice you want to make - do you want an unregulated drug market or would you reduce the number of participants with burdensome regulations? - but I don't think you can regulate your way to competition. Or to lower prices.

That depends on whether said regulation actually increases barriers to entry or decreases them.

Anti-cartel ones do the latter. Many properly made regulations are not easier to adhere to by big vs small agents.

US history is rife with examples that contradict you. (anti-trust regulation)

Regulation is a tool, and it does more or less what the tool user intends it to.

I depend on many things that hinge on the right people being in power for all eternity, and so do you.

We've seen what the wrong people in power do. Mussolini, Stalin and his gulags, Pol Pot and his genocides, Kim Jong-il, Slobodan Milošević. This isn't a statement about the current US President, but we depend on having right (enough) people in power in a lot more ways than this one policy decision.

So, on the one hand we can have effective legislation right now over reasonably well-defined privacy concerns.

On the other hand, we can work for a decade to introduce regulation over the hard-to-define concept of an ISP monopoly, and then spend more decades going through the inevitable break-up and re-conglomeration of these entities under different forms, like we had with the telcos through the last half of the 20th century. In 50 years we may have a landscape that resembles that of the current cellular carriers: three or four large players in most metro areas, fewer rural options, and little real choice among them in terms of QoS or T&C. I suppose this would represent a slight improvement over the status quo?

This is the problem with so many free-market proposals, they would have you off tilting at windmills instead of directly addressing a fairly straightforward problem.

That was most certainly not the author's main point; he only mentioned it briefly, and he didn't mention a way to fight monopolies. To be sure, when the "Make Network Monopolies Not Exist Somehow Act of 20xx" is up for a vote, I'll probably be for it. But that's not what this article is about.

I think what the author is saying is incredibly valid and the pollution example doesn't exactly equate.

Ideally, you wouldn't rely on trust, i.e. Policy, you would rely on math. As far as we know, judging from the Wikileaks releases, encryption still works.

With pollution, it is a policy issue, because there's no mathematical way to prevent polluters. So we have to negotiate amongst lawmakers, regular people, and corporations.

I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections. I think this is especially the case when there is a mathematical solution to the problem, that doesn't require trust. Obviously, having math and policy would be an added bonus.

Pollution and privacy are just two examples of cases where we use regulatory laws to curb the natural tendency of for-profit corporations successfully. That the regulations are implemented differently isn't very relevant; they're both regulations that a) shouldn't be relied on according to the article's rationale, but b) have proven effective in the real world.

> I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections.

Yes, and what I'm saying is that the same is true of every other regulation, which is why it's not a compelling argument against this one. You may have noticed that the same Congress currently gutting privacy protections is also gutting air quality protections...

Sorry, I'm not sure I totally follow your thesis. I think what you're trying to say is that the right thing to do is for privacy to be protected by the legal system, right? Then I think your analogy to support that is how we have regulations around pollution.

So, on this point I agree. We should live in a world where lawmakers protect privacy and the environment, and the fact that they don't is disappointing and a short term (hopefully not long term) failure of government.

So far we are in agreement. In addition to that, I think what I'm trying to add is that VPNs are absolutely a way to mitigate the need for lawmakers to do the right thing, a concept in the abstract we all agree on but in reality proves to be very difficult. I'm not sure you're disagreeing with that point or if you think they're mutually exclusive, maybe you can clarify.

To go with your analogy about water filters being a substitution for having protection for keeping water clean. No, of course I don't think it's an effective substitute, but I'm still going to filter my water in addition to demanding that adequate protection is put in place.

So hopefully we are in agreement on that point as well, as they're not mutually exclusive.

But the overall, larger point to be made is we should just always do what we can. So voting is one thing, among other avenues within the process of government, however I'm also going to use a VPN, because, damn it, it works.

One last thing I'd like to say from another comment that I wrote somewhere else in here is that hopefully this will be an impetus for fully decentralizing the internet further, because an ideal solution would be to make it logistically intractable to snoop. A distributed internet, similar to how it was originally envisioned.

Came here to say exactly this.

We are all engineers and can understand the concept of a patch versus a refactor. Yes, a refactor may be harder, but there is never an excuse to rely indefinitely on a patch; that's how you get burned with technical debt.

The government needs to change to be more responsive to the people and not constantly sell them out at the flick of a pen. Yes, use a VPN! But don't buy the message that there isn't more that can be done. There is, and many people are working tirelessly to see it through. Don't ignore or devalue their efforts to make a better system for people.

I think the key difference is selling one person's internet history mostly only affects that person's privacy. The environment on the other hand is a common good, and any damage to it hurts everyone. Similarly, someone taking heroin doesn't only hurt themselves, they are likely to hurt people around them as well.

You can't see a downside to living in a world in which you personally have protected your privacy, but society generally has given up on it?

I find the outrage rather interesting. Google and Facebook are basically everywhere sniffing as much data as they can. I actually don't mind if another party starts collecting the data as well. Go nuts.

Google is already toying with the idea of creating VPNs for consumers. In the case of the Pixel it's legit because they allow you to opt-in to VPNing to Google servers on untrusted Wi-Fi connections. The irony is that now Google has even more data on you. Once your VPN exits, you can still get MitMed/injected on non-TLS resources, so what is the VPN really doing for you? The only thing the VPN does is control which party will spy on you.

The blind lead the blind I guess.

You can easily avoid Facebook by not registering there and blocking requests to their servers from other sites. Similarly with Google, though you can't use Chrome and Android in that case. There is no easy and free way to avoid your ISP spying on you.

Maybe I don't understand DNS well enough, but I assume all the tech sites that recommend everyone change their DNS servers to Google's 8.8.8.8 or 8.8.4.4 understand that Google is heavily data mining and monetizing every lookup.

And the FCC has never attempted to regulate that level of privacy.

If you're curious, Google is quite open about what and how they log from their DNS services:

https://developers.google.com/speed/public-dns/privacy

So they don't track personally-identifiable information directly; it's certainly possible you could de-anonymize someone from their dataset, but most of what they do track is on their end (what machine handled the request, how quickly, etc.)

You're absolutely right that a broad regulatory solution would be a good thing - but we shouldn't ignore a technical solution when it's available. By analogy, we have pretty good regulations about the contents of your home not being stolen. But you should still lock your doors when you leave.

It's a lot easier to see many pollution problems and the harm often is more direct and quantifiable - with a privacy issue the harm is often abstract and harder to see.

I think privacy and pollution regulations can be good, but they need to be carefully tracked and aren't always effective.

The best solution for you is always to be a vigilant consumer. Something like this can be protected entirely by doing so. Pollution is harder to defend against. Using a VPN is a great strategy to mitigate these issues before they're allowed to happen to you.

Your analogies don't hold up.

Buying water filters doesn't do anything to the polluting party. They can just keep polluting.

On the other hand, using a VPN makes your data worthless. It allows you to directly hit back at the companies trying to monetize your data. It's entirely different than just avoiding the problem.

Only techies will be setting up VPNs. What about the vast majority of everyone else who doesn't understand what is happening when they connect to the internet?

The article didn't use the term, but it's basically arguing there are such things as natural monopolies, and that ISPs are examples of them.

Fighting monopolies is an argument for more aggressive application of competition law, to break up monopolies, and disallow anti-competitive conglomeration. But again the article doesn't bring up anti-trust.

The article also doesn't account for the fact that an ISP, without net neutrality regulation, can block or throttle or charge extra, for VPN usage.

So I was a call-in on NPR today (http://www.wbur.org/onpoint/2017/03/29/internet-privacy-cong...) that discussed the ISP privacy issue. I brought up the crowd funding initiatives to buy Republicans' info as well as the Democrats' unwillingness to make use of this issue. The call-ins were unanimously against what Congress did.

edit: Here's the GoFundMe trying to raise money to buy their Internet history. Something tells me this dude is going to run off with the money though

http://resistancereport.com/resistance/crowdfunding-lawmaker...

These "jokes" are already getting incredibly stale and silly. I don't get it at all. A provider is not just going to let you come in, even with say a billion USD, and buy X individual's data. That's not how it would work at all, this is not just like some sort of self-checkout to get someone's data.

And even if it was remotely like that, I can guarantee you that the providers will go to lengths to make sure they didn't just lobby millions (speculating, of course) to get this through and then throw the same congress members under the bus that they lobbied to and then hand out their data to get them in trouble with the public.

No, they can't buy X individual's personal data.

However, they can do what everyone else does; buy anonymized data for the area person X lives in. They can then use countless techniques (that have been demonstrated repeatedly) to de-anonymize the data and find out about person X.

What I'm getting at is even if they did try to use the method you described, I highly doubt they would even include that data of those Congress members. I bet they blacklist users in situations like this. They are not just going to give that sort of thing out via a sale. Even if the law ALLOWS them, doesn't mean they sell to anyone with money.

This is what UK members of parliament did with a very similar bill, where they exempted themselves from the law itself: https://www.independent.co.uk/life-style/gadgets-and-tech/ne...

All-in-all, I think if you donate any money towards these crowdfunding initiatives, you might as well burn that money because it's not going to get people the info they think they are going to get. ¯\_(ツ)_/¯

Now you are being over-optimistic about ISPs' sophistication. If I wanted data to target white renters, I can get it as long as I don't do it wearing a Klan hood. A data set encompassing legislators is for the most part a data set of lawyers with some special characteristics. It could be a subset of data you can buy, or it could be assembled as a mosaic.


I'm not sure how VPNs are a solution.

Politically, it means that people who should be getting angry about reduced privacy are "comfortable" with the fact they can work around it, while a new generation grows up with fewer and fewer expectations of what privacy means. It's short term protection in return for normalization of anti-private behaviours and long term damage.

But I also have a problem with it technically:

Issue: You don't trust ISPs to not sell browsing history.

Solution? Provision a virtual server, set-up a VPN and tunnel.

But your server still has a service provider. It might not be literally tied to your billing information but that was never going to be anyway.

You've shifted which ISP gets to sell the data from "home provider" to "virtual server provider", but there is still browsing data, isn't there, and it's just as valuable from a private single-use VPN as it is from your home connection.

> But your server still has a service provider. It might not be literally tied to your billing information but that was never going to be anyway.

The idea is to use a VPN provider that keeps no logs and runs many concurrent connections NAT'd behind the same public IP address. That way your traffic is mixed in with everyone else's who's using the service and provides you with an additional layer of anonymity.

There are no full-proof security solutions, only varying degrees of who you trust with what. There are many VPN providers who claim to keep no logs on user activity. If their claims are true, that is a better option than Comcast or AT&T since the VPN provider with no logs has no data to sell or share.

* fool-proof

I plan on automatically switching VPS provider for my VPN on a monthly basis. So even if they get one month of data, they won't get it all.

I think that actually increases your exposure, as a monthly snapshot will likely be as good as any other month's snapshot and just as damaging (or not) if it got out. If all providers sell your data, that means that purchasers of aggregated data will always have up-to-date info anyhow.

I would say the "better" solution would be to find a provider with a good reputation and stick with them, and leave them in a heartbeat if it appears that they've sold your data. It gives them an incentive to continue behaving well through referrals and recurring revenue.

The only thing is, I shouldn't have to pay for a VPN to continue enjoying some measure of privacy when I'm paying for the ISP's service. This is just some MBA's "great idea" to "leverage previously untapped revenue sources" rather than a real need by struggling firms grasping at any life-line.

It's disgusting, and I'm disgusted (_yet again_) by the mercenary Republican Party. They are declaring war on me and my loved ones and the vast majority of our fellow Americans and anyone else unfortunate to have to use an internet connection in the US (and live under the rest of their insane policies).

For the record, I signed up for a personal VPN two weeks ago because this anti-consumer outcome was assured with the current party in power in the US.

Just curious, what VPN provider did you go with? Are you happy with it so far? Any helpful links that compare/review VPN services?

I am very happy with F-Secure Freedome. Good speeds (mostly able to give me at least 30-40 megabit) and reputable company that provides decent support. I have been a customer for a few years.

> It's disgusting, and I'm disgusted (_yet again_) by the mercenary Republican Party

Stop this BS. The Democratic Party has done pretty much similar bad things that violate our privacy. Are you just good at selectively ignoring things? This is really the fact that every US govt is not for personal data privacy. You have to just accept it (if you are an American).

On this specific issue, it was the Obama FCC that made sure that ISPs couldn't sell this data, and it's the Republican Congress & president that rolled it back. So it's a pretty fair issue to point this difference out with.

It's also a good concrete issue to use in understanding that while arguments like "Democrats Do Bad Stuff Too So IDK Apathy" may be persuasive to some people in justifying not voting, it's ultimately not true. If this issue matters to you, there was a ballot box solution to preventing it. Not enough people used it.

While I'm usually all for bashing both sides, does it really apply in this case? The bill in question repeals rules set out by the FCC under the Obama administration. Those rules were a proactive measure that increased privacy from ISP monopoly overreach.

If this recent attack on privacy is something both sides support (as you seem to claim), why did the Obama administration set out those rules? And why did the Democrats in Congress not vote for this repeal?

No, you're absolutely wrong. Look at the vote.

Don't bring that weak Whataboutism here.

Exactly! While both parties do bad things and are undermining this country, it helps nobody to blame both parties for something specific that one party is doing without the support of the other. The vote was along party lines and in this case, one is right and one is wrong.

It's not a Republican/Democratic split. Both parties are working together to screw over you and your loved ones.

It's a "has power" vs "doesn't have power" split.

The Democrats are just as culpable as Republicans. Don't give either party a pass.

>The Democrats are just as culpable as Republicans

A Democratic president put these protections in place.

Ah, yes, President Obama, advocate of the privacy rights of individuals world-wide.

He expanded the powers of the NSA because he could, or had to, or whatever. I struggle to imagine that he then turned around and used the FCC to push meaningful reform along for his citizens.

I think the burden of proof is on you to show that his track record with government spying should be ignored when thinking about his track record with FCC/consumer protections.

Why not? For every other service you use online this measure of privacy doesn't exist and no one seemed to care about it. When services came along that advertised a measure of privacy they were not inundated with business turning them into titans of industry.

If when given the option you don't use services that keep your data private, why is this a big deal to you when yet another service you use sells your data? If you want privacy you either need to shop for services that provide it, or like this article states, take measures to ensure some level of privacy.

Everybody is right. It doesn't have to be either-or.

You can select a paid VPN service that helps protect you from specific adversaries. You can roll your own VPN on your own VPS that helps protect you in some use cases.

You can, and should, advocate for good privacy policy.

>Other articles have argued that VPNs are not a solution to a policy problem, because you can’t necessarily trust a VPN provider, or some VPN providers don’t encrypt your data properly. That may be the case, but that’s an easily solvable problem. And there are no monopolies on VPNs. This is something that a market economy can solve in a year.

It has been a few years since my Econ 101 class, but I suggest the author Google "market for lemons". Users have no way to verify the intentions of VPN providers as there is natural information asymmetry. Trust is not an issue that market economies have come up with a good solution to fix. The solution we often use ironically enough happens to be policy and regulation. So maybe this is a policy problem.

The market has come up with a great solution to some trust problems, like Underwriter's Laboratory. A group of experts certify any device that will have their stamp of approval.

https://en.wikipedia.org/wiki/UL_(safety_organization)

There could be an identical service for privacy/internet tech. There isn't, but I'd trust an "Internet Underwriter Laboratory" group way, WAY more than a group of politicians.

Which is a regulatory solution. I don't know the specific history of UL, but the most common way these types of agencies are created is by the government or from within the industry out of fear of government regulation.

Read over UL's history [0]. It was started by a private individual, and is a for-profit company with huge reach and sets safety standards for devices in many, many industries.

So, while I can't speak to how these things _normally_ come about, this is a compelling example of self-regulation entirely outside of the scope of the government.

[0] https://en.wikipedia.org/wiki/UL_(safety_organization)#Histo...

"That may be the case, but that’s an easily solvable problem."

So, how is that problem solved? I can't see what VPN companies are really doing inside their stack. They might very well be logging everything and I have no way to find out other than to "trust them" - so there's no real market mechanism to choose a VPN provider which doesn't log anything.

I suppose it could be in the contract... so do VPN contracts have a clause like that, and how is it enforced?

Someone could make a program that inspects the packets on your local network. If they're encrypted then the connection is safe. They could then start a register of VPNs and rate them.

This is just the start though, you'd also have to guard against common keys and other various gotchas.

Also, another idea is VPN providers might start seeing it as a business opportunity to provide robust, secure connections and advertise how they work. These claims could easily be verified.

Just a start, I'm not an expert in networking, but it seems fairly doable. Obviously MITM is always possible if you're not connecting via SSL.

Also, this could be the impetus for further decentralizing the internet, although who knows how far that's out. The centralization of the internet might have taken things too far and killed the golden goose by abusing their position, incentivizing an acceleration of full decentralization, like with IPFS and their ilk.

Furthermore, SNI will leak domains. Which is just as valuable to data miners. And also DNS.

>I can't see what VPN companies are really doing inside their stack.

You can always run your own VPN. Buy a cheap VPS, and set up OpenVPN to route traffic through it.

Couldn't your VPS provider sell information about what you're accessing?

I ask because, I use a cheap VPS for a VPN, but wonder if it actually accomplishes anything.

The counter-arguments:

A VPN that sells your information and eventually, inevitably is caught, will lose their entire business. Meanwhile they can make a perfectly good profit just... providing the desired service. There are also people who take the time to investigate these various services, and you can do some work to find one that meets standards you deem to be acceptable.

There isn't going to be a perfect solution here, but the issues with VPNs are really not the issues you raise. My concerns are: Google and other major sites endlessly pestering VPN users with CAPTCHA requests, or the government actually making them illegal. Your concerns are largely answered by researching which product you're willing to buy, not unlike all other similar decisions in life.

This argument, applied to any industry, is so tired by now.

Yes, a VPN company caught selling info would crash and burn. The invisible hand would ensure this, etc etc. But only if they got caught, and even then it's not like there would be any actual legal punishment (outside of a lawsuit if they were contractually obligated to not sell the info, I guess). And if selling that info meant double the profits, I doubt the owners who were willing to lie to their customers would feel all that bad or embarrassed. They'd probably also be shameless enough to re-brand.

And all that is ignoring the fact that with VPNs privacy becomes a privilege only to people who can a.) afford it and b.) understand how to use it. And finding a VPN that won't sell your info on the side requires the time and know-how to research it, not to mention even considering that a VPN might sell your info requires interacting with news orgs or people who might bring this concept up.

Chalk this up as another "HN readers don't realize most people don't read HN", color me surprised.

Except that those "most people" are the ones who are directly responsible for electing the current crop of leaders who have put us in this position, so I'm running a bit low on universal love and compassion, sue me. Moreover this is, as others have pointed out, not a new loss of privacy, just a new monetization of the existing loss of privacy.

So yes, there are better solutions involving the law, but unfortunately the innocent lambs you're defending are the ones calling us nerds and buying IoT junk!

Is there a reason that instead of using a VPN to hide our traffic we don't just have an app that surfs randomly around the net in the background ruining the usefulness of the data collected in the first place?

"Companies selling your data is nothing new—Facebook and Google have been doing it for decades."

Is there any evidence for this? I'm pretty sure that in the case of Google, at least, it's a flat-out lie. In fact, they state in massive letters: "We do not sell your personal information to anyone." (https://privacy.google.com/how-ads-work.html) Who would they even sell it to? They're at an advantage having that data themselves.

You're right: selling the data would be selling the golden goose. Instead the data is milked for all it's worth by pimping it out to advertisers.

VPNs are a way for you to choose which provider's or country's policies you want to be under. Obviously this can only happen as long as the powers that be allow it. It is trivial to forbid or block all non-backdoored VPNs for example.

A question which I find interesting is why we can't make these policy choices in the real world. For example, choose which country's social safety net you want and be taxed accordingly. It may be impractical, but are rivers and mountain slopes (aka borders) really the best way to draw a line between two different policies?

Instead of using a VPN I think I'm just going to create a script that randomly requests various websites 24/7. So don't cut off the signal to your ISP, just drown it in a lot of meaningless noise.

In my home, Comcast business uses IPv6. So far, no VPN supports this, and I haven't found proper answers on how to handle this?

I've heard I can just "disable IPv6" on my Mac, but I don't know the full implications of this. If anyone has any input I'd appreciate this, because then I would use a VPN all the time.

EDIT Sorry I meant to type VPN not VPS, stupid typo.

If you're on Comcast business, there's no real implication on turning off IPv6.

Any sites you use that are exclusively available only via IPv6 will stop working, but due to slow adoption of IPv6, that list of exceptions is quite small. IPv6 adoption is big in China, but even then the major services themselves are available over IPv4. (Weibo.com doesn't even advertise an IPv6 AAAA DNS record, so the things I read about IPv6 adoption in China may be overstated.)

There are, of course, exceptions. There are a number of intentionally IPv6-only test sites like https://ipv6.google.com that won't work. Things like Google.com which are available over both IPv4 and IPv6 will degrade gracefully if you turn off IPv6 on your Mac, and just connect over IPv4.

Google found this company offering ipv6 support.

https://www.perfect-privacy.com/vpn-with-ipv6-support/

What I'd really like is a vpn that gives me an ipv4 address and an ipv6/64 so I can have my router do the vpn and route my whole network through a vpn by only configuring one computer.

I'll provide you with a VPN that supports IPv6. Email address in my profile.

EDIT: And the full implications of disabling IPv6 are approximately nothing.

Why the secrecy? Many of us would like to know. It's fine if it's pitching a product that you are making. We would like to sign up.

There's no secrecy, there's no product yet. I just already operate a VPN for my own use, and could easily do so for others. Maybe a product would come out of it, maybe not.

Who are you? How do I know you're not logging my traffic and selling it?

It sounds like you're in the UK - I'm a US person, if I give you my traffic, what will courts say about my expectation of privacy?

I'm James Stanley. I blog at http://incoherency.co.uk/

I already operate https://smsprivacy.org/ which is essentially a VPN for SMS.

I don't have any way to prove I'm not logging your traffic, but I am a big believer in privacy and promise not to. If you don't trust me, you don't have to use it.

According to the Supreme Court you don't have any expectation of privacy in information given to a third party so whether the VPN is in the US or not does not matter.

No VPS supports IPv6?

I can think of a few off the top of my head that do:

* Linode

* Vultr

* Tilaa

* DigitalOcean.

DigitalOcean supports IPv6.

Classic libertarian fallacy: “every resource should be managed by markets and every problem solved by the marketplace”. Except, the Internet is not a commodity, it’s infrastructure: it’s not a car, it’s the road. For consumer fluff — sure, go the libertarian route (“shop around”), but for things that really matter, like infrastructure and healthcare, don’t look for trivial market-based solutions…

I like that they say "Don’t use sites that force you to disable your ad blocker" and then link to a Wired article.

I'm able to read the wired article with javascript disabled. I'm not sure what your adblocker is doing that prevents you from reading it.

Wired became infamous for their "Here's the thing with Ad Blockers" modal:

https://pbs.twimg.com/media/CeqLfB5WIAAPZZh.jpg

https://www.wired.com/how-wired-is-going-to-handle-ad-blocki...

However, either they've removed it or uBlock is currently winning the blocker blocker fight since I actually can read that article (I hadn't tried.)

Wired doesn't force you.

Not a solution, rather a workaround. VPNs reduce performance, and they aren't free either. The idea of privacy abusers is to tax those who value it.

Federal statute known as 18 USC Section 1702 makes it illegal to open correspondence addressed to someone else. I don't know that the mail services keep statistics of where mail comes from and to, although they likely do, but regardless, they don't get to know what the content is. They don't get to know what I buy from Amazon.. But they do know I shop at Amazon because they see the boxes. ISPs might be able to know you hit these servers but they shouldn't be profiling you based on all your browsing data.

If another person can't open your mail, then why is it so hard for lawmakers to understand that this adds up to the same? You route my mail/traffic, doesn't give you the right to spy into the contents of it, to know what I buy, what media I consume, what my hobbies are, how often I check my bank balances, whether or not I'm left or right leaning based on the news I consume, whether or not I'm shopping for internet at competing ISPs... List goes on. Imagine the depth of the information an ISP can build on you if they have all your browsing information.

The lack of respect shown towards the people who have made these companies possible by buying their services is appalling. And the fact that they keep competition away is even worse.

Provide your services and stop trying to suck in every penny from every potential revenue stream possible.

To make a comparison, just because my car has GPS, doesn't mean the manufacturer should track and sell my location and build a megacorp ads company to interrupt my radio and force me to listen to ads for businesses in my direct vicinity.

Just because you make shoes, and you could integrate piezoelectric energy capture devices, doesn't mean you should integrate tracking devices into people's shoes so you can sell the data to who ever wants it.

Just because you provide a service and because you've squashed competition by lobbying for everything which gives you monopoly, doesn't mean you should drop all sense of right and wrong.

There are countless business models which could abuse data collection and make a few extra bucks, but they don't. Because you don't always have to be a dick. Because at the end of the day, a business's image should still be important because it is USUALLY what decides if consumers will keep on buying from them or not... Unless there's no competition....

This by itself is big enough although some will argue it's not a big deal. But once you remove all protections, you have no clue how far they'll go and once they go there, it's harder to backtrack.

> If another person can't open your mail, then why is it so hard for lawmakers to understand that this adds up to the same?

They understand, they just are rewarded by those with a financial interest for treating the cases differently.

Just getting a VPN is like a teacher telling a bullied student to "just ignore and move away". Sounds great in theory, but really doesn't work for everyone in the real world. Some day, when wireless solutions get really good, or the cable monopolies are broken, pro-privacy will be a selling point.

Please, at least give credit to the artist who created the illustration, Josan Gonzalez.

http://f1x-2.deviantart.com/art/Robo-President-K3n3-DY-IV-62...

Correct me if I'm wrong, but aren't ISPs already monetizing on my data by the fact that I _literally pay them for their data services_? So no: an ISP going "I want a piece of that behavioural profiling ads money" is most absolutely not reasonable.

If you want to be in the ad business, stop being an ISP and go into the ad business, but if you're providing a service and that service is internet-for-pay, and we pay you the money you have said it costs to use your service, then it is not reasonable for you to complain that there is more money to be had, and you want all of it.

Couldn't disagree more with this article. VPN is a solution to a policy problem until policy makers forbid VPN to enforce their core idea in the first place. (e.g. see United Arab Emirates for some restrictions of VPN use)

Didn't you read the "Big Book of Internet Rules"? All you have to do is say the words "Virtual Private Network" 3-times-fast in the bathroom mirror of The Courthouse, with the lights off. The judge is then required to let you go and drop any pending charges. Those are the rules!

That's right folks: the overwhelming power of the state to enact actual policy that can impact millions of lives? It crumbles before the power of my 1GHz Atom router. It has AES-NI, after all. That's, like, impossible to beat.

It's not a solution for one simple reason: policymakers can create a "policy" that simply makes them illegal. They don't have to defeat them on technological grounds.

How do I know what VPN to trust? I guess getting my own server and provisioning everything myself is the answer? I'm sure that'll work fine for average Joe.

Completely agree. All we need now is for a major player to step up and say "here's our VPN cloud and it's free to use and we guarantee it's encrypted and won't keep logs. From now on, all our devices will use it by default unless you opt out." I imagine meetings are already being held at Apple to discuss this.

Any recommendations for a secure, fast and reliable VPN service? I'm in the US. Use would be for privacy, especially in the face of yesterday's vote.

My vpn doesn't prevent my cell provider from selling my location info.

This article is really bad. On the one hand it says government is unreliable and therefore it's hopeless to regulate. Then it immediately argues we need to break the ISP monopolies (which is true.) But why are there monopolies? It is because the ISPs collude not because there is regulation stopping new ISPs. Google and Verizon both dipped their toes in and gave up on providing wired access to the home.

The only way to break the monopolies is with government regulation forcing them to share the lines, because running the lines is the very costly part that stops new ISPs from competing.

I see this doublethink all the time. The government is both all-powerful and cunning, but also inefficient and inept.

At least until they overturn the net neutrality rules, too, and then the ISPs will be able to throttle VPN services to make them unusable. Or perhaps they'll ask them to pay more for the "fast line", and VPNs may get too expensive for most people.

How do you solve the problem without policy then?

Mesh networks? Really all these technical workarounds are just band-aids on the problem that is hostile, anticompetitive networks.

Technical solutions are the way to solve this sort of problem without policy. A protocol that obfuscates your traffic, along with an unpredictable IP for the provider, would make the DPI required to throttle VPN connections very difficult and expensive.

I advocated for Google to please do this here: https://news.ycombinator.com/item?id=13983468

I'll quote it in full:

>Hey Google, when all email providers sucked you fixed it with Gmail, you run a DNS at 8.8.8.8, and now -- now, I think you know what you need to do now :)

>(I personally recommend you also do a web-based proxy, because who is going to filter https://www.google.com now or in the future?)

>I believe in you. You can do it!

>Counter this chilling effect today - and show more adwords as a result. (There is no irony in this statement. I mean from web sites that opt into adwords, not from selling VPN traffic logs.)

----

Google, pay attention: step up to the plate. Please!


- The US government tries to restrict 'strong' crypto --> people print PGP source code on t-shirts and the government eventually has to accept SSL/TLS.

- The government starts capturing information directly off devices (using regular search warrants etc.) --> people start using encryption (e.g. truecrypt, veracrypt) and large device makers respond to consumer concerns by encrypting by default.

- The government starts MiTM'ing everyone's traffic at the ISP and online service provider (e.g. google, microsoft) level, using their newly created pseudo-court, secret warrant process (FISA) --> people start using VPNs.

- The government starts talking about key escrow, banning encryption.....

You can't eradicate a disease by just treating the symptoms as they pop up (in ever increasing severity). If you do this, you'll die. You have to attack the disease directly (and, in many cases, first convince people that they really are ill). So far, we've made one attempt at the direct approach by 'engaging in public discourse'. It's clear this is not effective in this case.

I doubt protesting in the streets would make much of a difference either, if the lead up to the Iraq war is anything to go by. Consider these two quotes from the previous thread (the second is mine), as just one example of the many possible actions that could be taken:

"The Video Privacy Protection Act was passed after Supreme Court nominee Robert Bork's rental history was leaked to a newspaper."

and

"I've always liked the idea of using the copious public video of these politicians to train voice and face recognition NNs, specifically targeting anti-privacy politicians. Maybe even sell pre-made raspberry pis with all of this stuff preloaded for journalists to scatter around places that politicians congregate.

I think it's only fair that these folks get to be the first ones to live in the kind of world they are creating. And none of them should have a problem with any of this, because I'm certain none of them ever do anything wrong and therefore have nothing to hide."

Although one always tends to like one's own ideas, I think this idea has merit, because:

- It's low effort compared to organising protests and then getting everyone to take to the streets

- It directly attacks the source and (assuming you aren't sent to a Federally funded leisure resort for your efforts), creates a 'heads I win, tails you lose' situation: they either pass laws to stop this kind of privacy invasion, or we end up with a long-term selective pressure against anti-privacy politicians. Everyone has secrets...

- It directly educates the public about their "illness" (through example). It shows them exactly how their life could be in the near future if they don't start paying serious attention to privacy issues. If a bunch of angry nerds can pull it off, imagine what the NSA and CIA are capable of...

The time for 'reasoned public discourse' and 'teching around the problem' is well and truly over. It doesn't hurt to do these things, but it does no good in the long-run either. More drastic measures are required.

Ok, can you route every connection (besides the VPN one) from an iPhone to a VPN gateway?

If it isn't possible, can anyone explain why?

Seems very easy: https://www.howtogeek.com/215730/how-to-connect-to-a-vpn-fro...

I don't have an iDevice so I don't know for sure, why do you think this'd be a problem? Or am I misunderstanding your question?

Yeah..thanks for the info. I got it wrong. There's no built-in support for openvpn in iOS.

The iPhone has a built-in VPN client. I've only used it (the IKEv1 client, specifically) to access stuff on my home network, but I have no reason to think that it doesn't respect the routes that the server offers.

I prefer to tunnel my traffic through an SSH tunnel. VPNs are OK too, but SSH does what I want, and I can control it.

Could you provide a few more details on how your setup works? You SSH tunnel to where? Your own cloud instance?

How do you do this on your phone?

You could probably do this with Termius (formerly ServerAuditor) https://termius.com/

