This is better than nothing, but the fact that it's only _client side applications_ means that this doesn't add much security for PIA users. The largest threat of PIA has never centred on their client app, but on their server-side business practices. Count me as one of the people concerned about PIA's trustworthiness.
I would be very interested to know what you think a VPN provider could do to assure users that the servers are safe.
I've yet to see an example verifiable safe server configuration, but some people have claimed that SGX might do. I'm pretty sure that wouldn't work with stock OpenVPN or StrongSWAN today.
Are there any other practices they could adopt that would ease your worries?
In 2018 there is no reason to use anything other than algo vpn. I don't understand why anyone reading this comment would trust PIA or any other 3rd party.
DMCA abuse emails being put into /dev/null; most VPS providers do not do that. Also a promise to insist on subpoenas or other expensive methods before they would comply with requests.
Also, why do you trust your VPS provider over a VPN provider? They can inspect your VM's memory and do whatever else they want to the machine. Same with whoever owns the real estate where you co-locate your own physical servers.
> why do you trust your VPS provider over a VPN provider?
They simply don't have the resources to log every single memory read/write and every network connection of all their hosts. Thus you would have to already be a known target for them to want to do that. Whereas a VPN provider has a limited scope of what they can log and thus needs a fraction of the resources to log everything.
I know nothing about their trustworthiness - they do have a good reputation.
In general, though, if a three letter agency wanted to spy on interesting web traffic, the traffic of people who "have something to hide", then targeting VPN servers would be more fruitful than the general Internet.
They have a good reputation, because they sponsor a whole bunch of open-source projects, which people like to see. I'm not aware of a good reputation for things that actually indicate how they run their service.
Things that have irked me so far about their service:
- That their applications were not open-source so far. Why even sponsor open-source when clearly you don't care for it too much yourself?
- Google Analytics on their webpage. Literally a service supposed to protect your IP address and the first thing they do when you dare to even look at their service, is tell the biggest data broker on the planet about it. (This is a problem with most VPN providers.)
- The company behind it, London Trust Media Inc., operates from the USA, putting it into one of the least privacy-friendly and least predictable jurisdictions on the planet.
- Their privacy policy isn't bad, aside from the aforementioned Google Analytics and that they use your e-mail address for promotional mails, but it's not good either. If you're so great on privacy anyway, then use your privacy policy to legally bind yourself to your standards and provide your customers with a service that has at least some kind of insurance of what it promises.
That they provide OpenVPN access does not change the discrepancy in their choice of sponsoring and their own doing.
And well, you should care for the US jurisdiction, whether you're from Europe or anywhere else on the globe. It means that the various three-letter agencies there probably have access to your internet traffic.
What I mean is that the regulations in the US are not relevant for my kind of activity (which is not criminal, which could warrant international operations via Interpol).
Privacy-wise, you are right. I have all my data in Google so the key parts are already there.