IPVanish “No-Logging” VPN Led Homeland Security to Comcast User (torrentfreak.com)
231 points by placatedmayhem on June 7, 2018 | hide | past | favorite | 157 comments



CEO's statement on Reddit : https://www.reddit.com/r/Piracy/comments/8ogup1/ipvanish_cla...

>We don't typically jump into Reddit or other forums but this topic is too important to me. I'm the CEO of StackPath and we acquired IPVanish in February, 2017 (more than a year after the lawsuit from 2016). With no exception IPVanish does not, has not, and will not log or store logs of our users as a StackPath company. Most important, StackPath will defend the privacy of our users regardless of who demands otherwise. I can't speak to what happened on someone else's watch but Technology is my life and I've spent my career helping customers build on and use the Internet on their terms. StackPath takes that even further—security and privacy is our core mission. I also happen to be a lawyer and I will spend my last breath protecting individuals' rights to privacy, especially our customers.


Too stupid for words. They know they are working with customers who barely understand the technology and they are outright lying to them. I'm not here to defend kiddie porn addicts or idiots on the internet, but it's definitely worth pointing out 1) that's an empty statement and 2) they know it guarantees nothing.


I would have to say that any company in the world can pretty much state whatever it is that they want regarding logging/not logging. Unfortunately if it ends up being a lie, they can be sued by people directly suffering damages (in this case probably when the kiddie porn person is out of jail - I am assuming he will go up against a lot of judges and may have to go to the supreme court which would likely end up siding with him - lucky for us, he's probably not that passionate about fighting his cause). And secondly the FTC could sue the company just the same for not being truthful in the advertising. But it sounds like IPVanish had previous owners, so who knows how that will go.


Whether a company promises not to keep logs or not they can and always will comply with legal requests (court order, warrant, national security letter, etc, etc) to monitor specific targets. Otherwise they will be out of business.

Bottom line: don't do illegal stuff. These services (if they are actually telling the truth about not logging) are good for protecting your privacy as a law abiding citizen but they don't really provide any shield for criminal activity.


The problem with that argument (just like "If you have nothing to hide...") is that the line for "illegal" moves over time. It's not entirely unreasonable to expect something that I do legally today will lead to prosecution (in certain countries) or heightened surveillance tomorrow. Them keeping any logs of what I do today is a risk, even if my conduct is legal.


So you're just going to ignore the fact that they explicitly promised their users that they don't keep logs, while keeping logs?

I wonder if it qualifies as unlawful false advertising.


If they didn't keep logs and aren't lying, they could still be asked or warranted to allow LEO to monitor their system live during a suspect's usage in order to identify them.


Indeed, they could be compelled to do that, but according to the article they were keeping logs in this case, despite explicitly advertising that they didn't.


This is exactly the issue that should be stressed repeatedly. When a firm advertises itself as one that values customers' privacy, etc. etc., there should not be any logs, especially if they make it their number one selling point.

Regarding illegal activities, if there is a will strong enough that warrants the Powers that be to track down something, one way or another, it will happen. No matter how much one deludes himself into a sense of security. The idiot in the article shouldn't have been posting shit in a fucking IRC channel to begin with.

Pardon my English, am very tired and not my mother language.


An important thing to note here is that they were served with a "Summons for Records," not a warrant. With a warrant the DHS has to provide probable cause, it has to be signed off on by a judge, and cannot be refused. A summons has none of those things; it can absolutely be refused, at which point they would have to get a warrant.

I'd also like to add that I don't have an ethical problem with a VPN company that keeps logs and turns them over to law enforcement with a valid warrant. Lying about keeping logs, though, I do find unethical, as well as not requiring a warrant for access.

I also think that explicitly not keeping logs to protect users from law enforcement is shady to say the least. If law enforcement has a valid warrant, I don't have an issue with providing them with the data they need to find and prosecute.


>>> I also think that explicitly not keeping logs to protect users from law enforcement is shady to say the least.

I guess that depends on which law enforcement you are talking about. An FBI agent going after someone distributing child pornography is a rather sympathetic police action. What about a Chinese officer going after someone for "treason"? What about a Russian cop looking for someone who tweeted pics taken at a protest rally? Or what about a Canadian cop asking questions about a teenager in Sweden, someone well outside Canadian jurisdiction? Or what about the FBI agent asking for some celeb's home address? Rather than pick sides, the best answer is to just not collect the data in the first place.

VPN companies operate at an international level. The cops from some countries cannot be trusted. Cops in all countries make mistakes. A few of them out there are corrupt. And often times the person claiming to be a cop is either well outside their authority, or just lying about being a cop. I tell my clients to not even respond to communications from any sort of law enforcement or intelligence agency. Pass it to your lawyers. Let them first verify who and what authority is making the request. Do not leave such determinations to engineers and support staff.


I agree that it depends on who the law enforcement is. I think operating a VPN service for Chinese citizens to evade censorship and not doing logging to protect those users would be ethical, for example. Like I said in another comment, you have to think about the odds of dealing with an LE request you consider unethical, and balance the consequences of providing logs or not providing logs. Personally, I trust the US justice system enough that I wouldn't have a problem with complying with a valid warrant (after legal due diligence, of course). But that's subjective and I understand others may not feel the same way.

> VPN companies operate at an international level. The cops from some countries cannot be trusted. Cops in all countries make mistakes. A few of them out there are corrupt. And often times the person claiming to be a cop is either well outside their authority, or just lying about being a cop. I tell my clients to not even respond to communications from any sort of law enforcement. Pass it to your lawyers. Let them first verify who and what authority is making the request. Do not leave such determinations to engineers and support staff.

Totally agree with everything here.


> I agree that it depends on who the law enforcement is.

All Law Enforcement is corrupt. The only unknown is the level of corruption. As a service provider in any country, we have no idea whether we will be dealing with a good cop or a bad cop, and the safest assumption to make is that they are all bad cops. Don't let the good cop set a precedent for interaction that the bad cop can abuse.

The system will work to abuse your trust. If the first warrant you get is to help catch a pedophile who has been kidnapping children, and you agree to provide logs for that, the Government will be upset when you don't comply with the next warrant which is a wife-beating cop trying to track down his estranged wife who is due to appear in court tomorrow.

You have shown that you have the required data, the purpose of the warrant doesn't have any impact on the legal requirement to comply.


Or Obama trying to uncover who in the White House is talking to journalists.


Agree with first half, but second half is an appeal to authority, which is a fallacy. By not keeping logs, a VPN would take themselves out of a situation where corrupt authorities could exploit their power.


Logical fallacies are mistakes in logic. The appeal to authority fallacy is when you say something of the form "X is true because authority Y says so". I don't see how supporting warrants falls into that. What statement do you think is being fallaciously supported here, and which authority is being used to support it?


>I also think that explicitly not keeping logs to protect users from law enforcement is shady to say the least. If law enforcement has a valid warrant, I don't have an issue with providing them with the data they need to find and prosecute.

That statement. That because it's an authority they will be just, law abiding, and acting in everyone's best interest. That op has no problem with it because surely no one would ever abuse that power! That's a logical failure if you don't have your head in the sand.

But, I'm sure it makes no sense if you've been raised to believe the "government is here to help".


I agree with everything you've said, but it's still not an "appeal to authority" argument.

For example: "You should vote Joe for Sheriff because my uncle--who is a private detective and knows these things--says to."

That said, logical fallacy discussions are irrelevant to your actual point: Keeping logs implies you trust the government entirely. Not keeping logs implies you trust your users entirely. Neither option is healthy for the other in and of themselves and requires "everyone else" (aka civilization) to be doing their jobs to stop bad guys and/or governments.

Tricky stuff.


His argument is literally "it's ok because they are an authority."

> Not keeping logs implies you trust your users entirely.

No. It means your business is to provide a proxy service, and not to monitor what users do with it. Trust has nothing to do with anything.

It's a special type of ignorance to say, "well, governments won't overreach, they're here to help" if you've been alive before and after 9/11.


I am inclined to agree, but this isn't an example of appeal to authority[1]; it's just a willingness to believe in the status quo ("police should always be able to catch the bad guys, shouldn't they?").

1: https://www.logicallyfallacious.com/tools/lp/Bo/LogicalFalla...


"I don't have an issue with obeying a valid warrant" does not imply that the government is always "just, law abiding, and acting in everyone's interest." I would strongly disagree with the latter while agreeing with the former.


It implies that either:

1) You're capable of discerning what is, or is not, a valid warrant, or

2) You trust the L.E. to do so for you.

Which?


These are not exhaustive options. The name of the logical fallacy you're committing here is a "false dilemma". See https://en.wikipedia.org/wiki/False_dilemma

I cannot discern what is or is not a valid warrant. That's why companies have lawyers. I don't trust law enforcement to do this either. That's why we have courts. There's a lot of room for nuanced opinions about our warrant system not being perfect but being better than nothing.


"You" implies your organization. You and your corporate attorneys are on the same team.

No logical fallacy, simply a strict reading of the words chosen.

Correction made, what's the third option, if those aren't exhaustive?


One other option is that I trust the courts. Another is that I don't trust law enforcement or the courts but I still think that an imperfect rule of law is better than not being able to have warrants at all. These things don't have to be absolute.


I said "valid warrant." If I found the warrant to be an over-reach, was on a flimsy pretext, or the request is not properly scoped I wouldn't consider that valid, and would appeal.


"Your appeal has been denied."

You're still considering a just and fair government/system, you've just moved the "just and fair" bit from "the police" to "the judge issuing the warrant". There are a fair number of people who have absolutely no trust in their (or any) government and consider the potential for government overreach. The best way to prevent government overreach is to make sure there is nothing they can reach for.

Some people have no issue with the government knowing their "harmless personal activities". While another group of some people believe the government has absolutely no right to know what's going on in their personal lives no matter how mundane.


But they'd also take themselves out of a situation where non-corrupt authorities could use their power appropriately. You have to do the ethical math on the likelihood of either possibility and the consequences, which is subjective.


>But they'd also take themselves out of a situation where non-corrupt authorities could use their power appropriately.

Oh, well, if we're limiting the conversation to hypotheticals...

How about the idea that your bad behavior doesn't forfeit my right to privacy? I don't care if every other VPN user starts laundering drug money by selling child porn - when it comes to my VPN logs, you can get lost, and I do nothing unusual or illegal. I have a very American attitude about personal freedoms and privacy.

I don't believe that every opportunity for data collection should be implemented just because an authority says it's for "the greater good".


> I don't care if every other VPN user starts laundering drug money by selling child porn ...

If I require a valid warrant for a carefully scoped query, law enforcement would have to have probable cause, demonstrate that in a court, and get approval from a judge. Note the "carefully scoped" part: they can ask "who was using this IP address at this time to visit this site" but they don't get unlimited access to the logs data. The only way they would be able to get data about you is with probable cause that you are doing something illegal. Even if everyone else using that service is using it for illegal things, that does not constitute probable cause for them to get your data.

> I don't believe that every opportunity for data collection should be implemented just because an authority says it's for "the greater good".

I agree.


Don't advertise with "no logs" then.


I completely agree, and said so in my original comment.


The parent explicitly said that would be unethical, so you agree with them.


What’s unethical about not keeping logs? I explicitly don’t have external security cameras at my apartment: is it unethical because I can’t provide law enforcement with video in case something happens on my block?


I didn't say not keeping logs is unethical, I said " explicitly not keeping logs to protect users from law enforcement" is unethical. The difference is subtle. If you just happen to not keep logs that's fine, or if you don't keep logs because you don't want to have to pay for storing them or something that's also fine. But explicitly saying, "I could have logging here, but I don't want to because I don't want to provide evidence to law enforcement serving a valid warrant" is, in my view, unethical. Not tremendously unethical, mind you, but unethical. The morality is about the intent rather than the result.


I could have cameras, but I legitimately don’t want to provide footage to law enforcement. Am I now acting unethically? And what’s the difference if I simply don’t have them because I don’t want to spend money on them (or any other reason)?

This is not entirely a rhetorical device. I really don’t want to provide the government with a video feed of my neighborhood.


I'll start by saying that intent can matter a lot in ethics. Intent is the difference between a tragic accident and cold-blooded murder. I'll also add that I think your scenario is ethical, you don't have any obligation to put cameras around your house.

What's the difference between your scenario of a house with cameras vs. a VPN service not logging things? I'll be honest here, I could list out a bunch of differences between those two scenarios (houses tend to have a reasonable expectation of privacy while internet services may not, the likelihood of catching criminals and the severity of their crimes, the potential for abuse, in the case of your house you could always serve as a witness to a crime so cameras might be overkill, etc.) but I honestly don't know which one of those differences is the reason why I find one scenario to be ethical and the other unethical, or if it's some difference I haven't thought of (or I might be wrong!).

I'll admit my opinion here isn't fully fleshed out. Another thing is that I consider Tor to be ethical, even though that's essentially a VPN that doesn't log anything (from the perspective of not being able to respond to law enforcement requests, I know there are significant technical differences). In that case, I think the distinction is that Tor is meant to help fight censorship in authoritarian countries, and the fact that it can be used for nefarious purposes is an unfortunate side effect that doesn't outweigh the benefits.

Anyway, I do think there is a line between valuing the privacy of users and shielding them from legitimate law enforcement requests, but I'm open to discussion on where exactly that line falls.


You say that houses tend to have a reasonable expectation of privacy, but not internet services, why is that? Possibly because they keep their logs? I don't understand why we should not have reasonable expectation of privacy for our internet activity. Seems like we could have a reasonable expectation of privacy if internet services don't keep their logs. So intent might be there, but one could view their lack of logs as upholding our privacy, not hiding criminal activities.


I think your reading of my comment is confused: I would not be installing cameras in my house (where I have a reasonable expectation of privacy), but outside my house (where anyone can get a clear view of the entire block and what's happening there).


Do you market your house / front yard as a good place to do illegal things (even implicitly) and then take payment from the people doing them while turning a blind eye to whatever conduct is happening?


> I could have cameras, but I legitimately don’t want to provide footage to law enforcement.

You could have or you would have?

The logs are there, we usually have them, they don't cost much and they are pretty useful. Like his previous comment said, if you had never intended to have logs there or have reasons not to have logs (replace logs by camera in your situation), then there's nothing unethical about it.

As he said, it's not the result but the intent that makes it unethical. In the same situation, it could actually be ethical to not have logs, let's say to allow people to communicate behind a corrupt government that wants to silence them.


This presumes that law enforcement always represent the enforcement of ethically correct directives. This is demonstrably not the case, and categorically deferring to them is likely ethically irresponsible.


> I also think that explicitly not keeping logs to protect users from law enforcement is shady to say the least.

"Law enforcement" covers a variety of entities, from Mr. Friendly offering fatherly advice to fresh-scrubbed teens in Neverwas, IN to the people who brought us COINTELPRO and other folks throwing journalists out of windows in Russia.

I think it is more accurate to talk about "not keeping logs to protect users from entities who routinely traffic in violence" (among other things).

Ethics is hard.


Many people in the U.S. see nothing wrong with "logless access" as a way of avoiding law enforcement, when it is practiced in other countries whose law enforcement can -- including within the scope of their laws -- be quite abusive.

What makes you think your law enforcement is different?

And, with data potentially held in perpetuity, any past action may become grounds for prosecution, depending upon how law at the time of prosecution is defined.

People in the U.S. -- mainstream, as opposed to "minorities" -- have spent the past couple of decades waking up to the fact that laws and law enforcement are tools, not paragons of virtue. And those tools can be and are used for evil and harm.

This may not mean turning your back on the system -- nor even having the opportunity to. But it can mean being proactive to limit your exposure to potential abuse.

Not to mention all the commercial interests, who would love to have those logs. And, if your VPN company gets sold, including if it goes bust, all those logs become "assets" that will be monetized, regardless of any "promise" that was made. If there's enough value in them, lawyers will spend time and energy breaking any contractual obligations to same. And it's not like the company itself is around anymore to take the other side in such a dispute.

--

P.S. A bit of personal perspective: I've taken to using a VPN all the time -- as opposed to just while on public WiFi, like I once did -- to a) Keep Comcast out of my browsing, both their monitoring and their JS injection; b) Keep Verizon out of my mobile data use, again both monitoring and injection (that header they keep wanting to inject for tracking/advertising, among other things).

HTTPS is finally becoming widespread enough to prevent some of this, but that change has come years after the above abuses started. And it still doesn't mask domains, nor inappropriate GETs.

Good security isn't just reactive. It's pro-active. Another precept is to always provide minimal information to get the job done.

Anyway...


Meanwhile it looks like PIA is still standing its ground (for now): https://torrentfreak.com/private-internet-access-no-logging-...


ProtonVPN (operated from Switzerland) claims[1]: "Our security team has also identified at least one VPN service which is working on behalf of a state surveillance agency."

If I had to guess, it would be PIA: the most popular, the most accessible, and the most affordable US-based VPN.

When a VPN is run by NSA, of course it will stand up in all courts. How would a state surveillance agency let its tool be so publicly destroyed? And it doesn't have to keep any logs at all. They can just be forwarded in real-time, based on a set of filters and rules ("URLs that are requested by <IP>", "IPs that are requesting <URL>").

[1] https://protonvpn.com/blog/threat-model/


Honest question: Is there any reason to believe that PIA is a US intel operation vs, say a Russian one? I ask because my main privacy concern is state sponsored industrial espionage. I have often thought that if I wanted to gather kompromat on high level professionals, I would probably start an "anonymous" VPN service to further that effort. Say what you will about the NSA, but I am not worried about them in that space.


>Say what you will about the NSA, but I am not worried about them in that space.

We know from leaks that they steal industry secrets.


> Honest question: Is there any reason to believe that PIA is a US intel operation vs, say a Russian one?

I would also like to know the motivation for a US intel agency to want to run a VPN. It seems to me like it wouldn't be worth the bother: VPNs aren't illegal in the US, so it would be too hard to convince everyone to use theirs. Spies, etc. could just use private ones they control. They'd just see a bunch of crap from unsophisticated people.

Seems to me like it would be more likely for US law enforcement to want to do something like that, but I'm skeptical they have the resources.


If you're a spy using it to hide your identity from websites when you visit, it would be good for your VPN to have a mix of normal activity and spy activity. If you run your own, it's going to have a weird pattern of traffic that might stand out to a website with decent analytics.


This is exactly why Tor is publicly available.


> ProtonVPN (operated from Switzerland) claims[1]: "Our security team has also identified at least one VPN service which is working on behalf of a state surveillance agency."

> If I had to guess, it would be PIA: the most popular, the most accessible, and the most affordable US-based VPN.

If I had to guess, the state surveillance agency-run VPN would be one that's still accessible from China. I understand (but I could be wrong) there are still a few that manage to evade the blocks and provide good service despite all the crackdowns. Chinese state security has many more reasons to want to watch domestic VPN traffic than the US does. Their motivation is proven by the fact that they've spent the effort to build and maintain the "Great Firewall," and crack down on VPNs that bypass it.

It would be reasonably clever for the Chinese to crack down on all the VPNs that they don't control, funneling all the "illicit" traffic to the few VPNs they do control. It would make spying, monitoring dissidents, etc. much easier for them.

The NSA and other US intelligence agencies probably don't care very much about anyone that's dumb enough to need to use public VPN. Seems like the only people who would care in the US are domestic law enforcement, like the FBI.


We're not ready to name names at this point, but you're actually correct. If one looks closely at what China lets through the Great Firewall in terms of the major VPN providers, there is something that stands out.


> We're not ready to name names at this point, but you're actually correct.

Where do you plan to announce when you're ready to name names? I may have some need in the future to use a VPN in China and would like to be aware.

Also props on your mail service, it's very impressive. If it had been released a bit earlier, I think I'd have been a customer.


[Comment retracted and removed by author's request.]


In addition to redacting the above comment, we deleted several comments below by request of their authors. My understanding is that the dispute has been resolved and that the allegations are retracted.


You aren't doing much in terms of brand ambassadorship for PIA by muck raking and bickering with a competitor. It's quite petty. The comment about PIA wasn't put forth by ProtonVPN. They clarified the discrepancy you raised and did so in a civil manner.

I wasn't that familiar with your company before today but I can tell you that I won't be a customer at any time in the future based on your comments.


I feel like the PIA guy is providing a lot of sources for his position. I feel like the counter arguments aren't providing anything, but words.


I checked out the provided links. It is weird. Even if it were a wrong conclusion, it seems fishy.


What the PIA co-founder proved in this thread so far:

- ProtonVPN UAB lists Tesonet's CEO as a director

- ProtonVPN UAB is operated from Tesonet HQ in Vilnius, Lithuania

- ProtonVPN UAB uses Tesonet's previous technical employees

- ProtonVPN uses IP address blocks that belong to Tesonet

- ProtonVPN mobile app is signed by Tesonet

It seems that ProtonVPN is a free VPN service by a data mining company from Lithuania.


ProtonMail team here. None of the above is correct. ProtonVPN is developed, operated and 100% owned by Proton Technologies AG, the Swiss company that also operates ProtonMail. This can be verified in the Swiss commercial registry, which also lists all our directors: http://ge.ch/hrcintapp/externalCompanyReport.action?companyO...

Proton has also been thoroughly audited/vetted by third parties, including Mozilla: https://blog.mozilla.org/futurereleases/2018/10/22/testing-n... and also the European Commission which partially funds Proton: https://protonmail.com/blog/eu-funding/

Any data mining claims are categorically false, and doing data mining would also subject us to fines of 20 million Euros as discussed here: https://protonvpn.com/blog/is-protonvpn-trustworthy/


That is what I mean. It looks like these things are facts and combined it doesn't look good.


I wasn't aware that ProtonVPN was not run by ProtonMail, even though I happen to be from Vilnius, Lithuania myself and even have a close friend working at Tesonet. If this is true, that makes me question how much anything branded Proton* can be trusted in general.


ProtonMail team here. The above is not correct. ProtonVPN is developed and operated by ProtonMail. However, it exists as a separate legal entity for security reasons. This is to avoid ProtonMail getting banned in jurisdictions where VPNs are illegal. An example is China where ProtonVPN is banned, but ProtonMail is permitted. Had they been the same company, both would have been banned together. So from the legal standpoint, we put as much separation as possible between ProtonMail and ProtonVPN.

Like ProtonMail, the ProtonVPN team is distributed, split between Geneva, Skopje, Vilnius, and San Francisco. Tesonet (one of the biggest IT firms in Vilnius) was previously used as outsourced HR before we incorporated our own entity in Vilnius. We have similar arrangements for our staff in San Francisco, Prague, and Skopje. The above poster's intentions are a bit suspect, given that he's the co-founder of PIA...


> Tesonet was previously used as outsourced HR before we incorporated our own entity in Vilnius

But your entity's business address in Lithuania is still Tesonet's HQ. And Tesonet runs the entire technical infrastructure needed for a VPN service. So, are you partners or competitors?


[deleted]


Yet, the fact is that the entire ProtonVPN mobile traffic passes through an app signed by a data mining company from Lithuania.


This is not true, we maintain sole custody and control of our application signing certificates.


How did their security team identify that?


Probably someone venting over beers at a convention?


Connect to VPNs, make illegal traffic, see which traffic triggered an investigation ... ?


Yes, and good for them!

The problem is that, without a publicized investigation, there is absolutely no way for users to verify no-logging claims by VPN providers. The same is so for Tor relays. And Tor deals with that by using three-relays circuits. In order to connect users with online activity, adversaries would need access to logs from multiple relays.

One can do the same, albeit more crudely, using nested VPN chains. It's quite easy, using pfSense VMs as VPN gateways.


> It's quite easy, using pfSense VMs as VPN gateways.

One privacy tool that I'd like to see is a program that takes a .ovpn file and user credentials and outputs a pfSense config file which the user just has to import.

Following a guide like yours is quite a bit of work and somewhat error prone. Few users will be able and willing to do that.


This is available within pfSense. There is a package called openvpn-client-export that exports the pfSense config to .ovpn and a number of other config/packages.


I agree that it's tedious and error-prone. Perhaps someone could automate it. But that's over my head.

There is the argument that, in doing the setup manually, users come to understand what they're doing. But yes, it seems that most are put off by it all.


>"using nested VPN chains. It's quite easy, using pfSense VMs as VPN gateways"

Can you elaborate on this? I am not familiar with the term "nested VPN chains", is this a specific configuration supported by pfSense?


1) You create a VPN. 2) Over that VPN connection, you connect to another VPN... Repeat until your tinfoil hat feels secure.



What a great resource, thanks for sharing. Might you have any feedback on IVPN as a provider as well?


I've freelanced with IVPN for five years. IVPN was "[f]ounded in 2009 by a group of security professionals at the prestigious Information Security Group at the University of London (Royal Holloway)".[0] In my experience, their CEO Nick Pestell is fundamentally a privacy activist.

0) https://www.ivpn.net/aboutus


.


Nothing has any defence against global traffic analysis.

Tor still does better than anything else. I don't think it's worth scaring people away from using Tor, because whatever else they'd be using instead is certainly worse.

EDIT: Parent comment originally said words to the effect of "Reminder that Tor has no defence against global traffic analysis".


> Nothing has any defence against global traffic analysis.

It's possible to guard against global traffic analysis by establishing permanent fixed-bandwidth links between each node and sending traffic along them even when they aren't assigned to a circuit (or the circuit is idle). Then there is nothing to passively analyze because the amount of traffic between each node is always the same.

The problem is that this consumes a very large amount of bandwidth.


This works against global passive adversaries.

If you instead ask yourself "how many Tor nodes are out there"[1], and then ask yourself "what is the NSA's annual budget"[2], the concept of a global active adversary makes me a bit nervous.

[1]: http://torstatus.blutmagie.de

[2]: https://www.theverge.com/2013/8/29/4672414/leaked-snowden-do...


The scary thing about a global passive adversary is that the attack is undetectable. Active attacks are harder to defend against but they're also harder to keep secret.


You may want to investigate i2p which is resistant to traffic analysis.

And does not run 100% bandwidth all day and all night.


I think you're referring to traffic analysis for protocol identification, which is something else entirely, and Tor handles that as well. Resisting protocol identification can be done very efficiently -- you basically get the same information theoretical efficiency as the protocol you're mimicking does, and the primary failure mode is to not be mimicking it completely accurately. It's theoretically possible to mimic the target protocol perfectly, and each time someone finds a way to distinguish them is one step closer to there not being any more ways left.

Resisting global traffic analysis for the purposes of deanonymization is not so easy. The issue is that if every time Alice sends ~476MB of traffic, Bob promptly receives ~476MB of traffic, it's not hard to deduce that Alice is talking to Bob. To fix that, the amount and timing of the traffic Bob receives needs to be independent of the traffic Alice is sending him. Which is possible but inherently comes at an efficiency cost.
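As an added illustration (not from the thread), the toy model below shows the volume-correlation attack described above, the fixed-bandwidth padding defence from the earlier comment, and the bandwidth cost it incurs. The per-slot byte counts, the names Alice/Bob/Carol and the link rate are all constructed for the example.

```python
"""Toy model of volume correlation against a low-latency anonymity network,
and of constant-rate padding as the defence.  Added example, not from the
thread.  Traffic is modelled as bytes per fixed time slot; every series is
constructed with a seeded PRNG so the example is deterministic and offline.
"""
import math
import random

SLOTS = 300          # time slots the observer watches
MAX_LAG = 3          # relay/network delay, in slots, the observer searches over
THRESHOLD = 0.9      # correlation above which the observer claims a match


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance
    (a constant-rate link gives the observer nothing to correlate)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def lagged_correlation(sent, received, max_lag=MAX_LAG):
    """Best correlation between Alice's outbound volume and a candidate's
    inbound volume, allowing the receiver to lag by 0..max_lag slots."""
    best = 0.0
    for lag in range(max_lag + 1):
        best = max(best, pearson(sent[:len(sent) - lag], received[lag:]))
    return best


def identify_receiver(sent, candidates, threshold=THRESHOLD):
    """Return (name, score) of the candidate whose inbound volume best
    tracks Alice's outbound volume, or (None, score) if nobody clears
    the threshold."""
    scores = {name: lagged_correlation(sent, rx) for name, rx in candidates.items()}
    name = max(scores, key=scores.get)
    if scores[name] < threshold:
        return None, scores[name]
    return name, scores[name]


def pad_constant_rate(series, rate):
    """Constant-rate padding: every slot carries exactly `rate` bytes whether
    or not there is real traffic.  `rate` must cover peak demand, otherwise
    real traffic would have to be delayed or dropped."""
    if rate < max(series):
        raise ValueError("link rate below peak demand")
    return [rate] * len(series)


def padding_overhead(series, rate):
    """Bytes put on the wire divided by bytes of real traffic: the
    bandwidth cost the comment refers to."""
    real = sum(series)
    return (rate * len(series)) / real if real else float("inf")


def make_scenario(seed=42):
    rng = random.Random(seed)
    # Alice's outbound volume per slot (constructed, 0..1000 units).
    alice_out = [rng.randint(0, 1000) for _ in range(SLOTS)]
    # Bob really is Alice's peer: he receives her traffic one slot later,
    # plus a little unrelated background traffic.
    bob_in = [0] + [v + rng.randint(0, 50) for v in alice_out[:-1]]
    # Carol is an unrelated user with independent traffic.
    carol_in = [rng.randint(0, 1000) for _ in range(SLOTS)]
    return alice_out, {"bob": bob_in, "carol": carol_in}


def run():
    alice_out, candidates = make_scenario()
    # Unpadded network: volumes alone leak who is talking to whom.
    plain = identify_receiver(alice_out, candidates)
    # Padded network: every link runs flat out, so the observer sees constants.
    rate = 1100
    padded_sent = pad_constant_rate(alice_out, rate)
    padded_candidates = {n: pad_constant_rate(rx, rate) for n, rx in candidates.items()}
    padded = identify_receiver(padded_sent, padded_candidates)
    return plain, padded, padding_overhead(alice_out, rate)


if __name__ == "__main__":
    plain, padded, overhead = run()
    print("unpadded:", plain)
    print("padded  :", padded)
    print(f"padding cost: {overhead:.2f}x the real traffic")
```

With the padded links the observer's best score is 0.0 for every candidate, but roughly twice the real traffic volume is spent to get there.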


Well, first thing, you don't send many MB directly to someone. You put it on a Tor onion file-share site, and PM the link via Tor. Unless your adversary is lucky enough to pwn the guard for that onion site, they can't even see the correlation.

I can imagine a global passive adversary that could log all Internet traffic, and make it searchable. The NSA can somewhat do that. But even the NSA can't retain everything for more than a few days, if even that. So even retaining necessary data for a match would be a stretch. Let alone having the processing power needed to do the matching.


> Unless your adversary is lucky enough to pwn the guard for that onion site, they can't even see the correlation.

We're talking about an attacker that can see every byte going over the wire, encrypted or not it's still able to measure the volume of data itself.

> Well, first thing, you don't send many MB directly to someone. You put it on a Tor onion file-share site, and PM the link via Tor.

In that example the attacker wants to determine the location/IP of the hidden service itself. It's pretty well known that high traffic / volume hidden services are some of the easiest targets for global traffic analysis.

> I can imagine a global passive adversary that could log all Internet traffic, and make it searchable. The NSA can somewhat do that.

They don't have to log the data itself simply the meta data and in specific the volume of data sent between vertices in the graph. Various agencies have openly admitted they keep this information and it's not considered "protected" in their view.

This is simply a graph analysis problem, similar to how Bitcoin is pseudo-anonymous unless you use specific methods that aren't built into the core protocol.


Sure, the NSA can arguably see every byte on every wire. But that wouldn't do them much good, unless they knew what to compare with what, over what time period. But OK, say that they had the processing power to compare every traffic stream with every other traffic stream, with time offset up to a week or so. That still wouldn't tell them whether Mirimir had shared something with someone else. Because we'd all be using Tor.

And about onion file-sharing sites. With OnionShare, you can create a site just for that transfer.


What you're describing is equivalent to a dead drop, which is an old school anonymity method. It's not that it doesn't work, it's that it's completely independent of Tor and it doesn't work in all the contexts where Tor is supposed to work.

If Alice uploads the file and Bob downloads it immediately then you haven't gained anything. Bob has to wait some time for it to work, which means you didn't actually need a low-latency anonymity network to begin with. You can't use it for things that actually need real-time communication, like for live streaming or anything interactive.


True. But Tor is the large anonymity network that we have. I2P is cool, but it's too small. For high latency, perhaps Mixmaster remailers via alt.anonymous.messages is still workable. Last I checked, there was a Tor onion news server.

I agree about unworkability for real-time communication. But there, you want to keep messages small. And use padding. Trying to make live streaming anonymous is nontrivial.


I'm not against Tor but I think it's an important fact if we're going to discuss how using multiple relays is a way to obfuscate traffic.


What about i2p?


I don't personally know anything about i2p but my spidey senses suggest that until it becomes about as widely-used as Tor, it's not going to have as good an anonymisation factor as Tor.

I mean, if only 100 people use I2P, and some traffic has gone over I2P, you can quite easily narrow it down to the set of 100 people.

I'd be delighted to be proved wrong.


Also problematic is that from my understanding i2p is not used by any honest actors, since it doesn't have clearnet access. Tor is used by lots of people for honest things or at least less-than-completely-shady things like getting around IP blocks or geo-fencing whereas i2p is used exclusively for people that require perfect privacy for their communications.


I've recently switched to Mullvad from PIA, mainly because it's not US based and they "sound" more privacy focused.

I quote sound because as another commenter mentioned, without trusted third party audits it's all marketing...


The US has some of the laxest data retention and filtering laws in the world. Especially compared to most European countries. Mullvad is based in Sweden which has much more strict data retention and filtering requirements for ISPs than in the US and the government has already expressed a desire to expand these to VPN providers.

And as the Snowden leaks have shown being located outside the US is not even a speed bump to the NSA being able to access your communications.


I understand your point, but I believe in this case it doesn't apply necessarily because Sweden/Europe are only concerned with privacy related data.

Mullvad gets around this by not storing customer information. As others have pointed out, your "account" is just a long number. You top it up any way you want (including sending cash in an envelope if you are truly paranoid).

So I do believe that it stands a better chance of being fully anonymous & private than a US counterpart.


Mullvad has gateways in the US. Does this help?


But Mullvad is not an ISP.


Mullvad allows for cash in mail payment. They also don't really have accounts in the traditional sense. Just a long account number that is associated with the payments. Really ticks all the boxes for me.


I know PIA likes to talk a big game here but I didn't see anything in your link that would instill overwhelming confidence in their marketing claims. Specifically:

If you click on the Almanac News source in your link, it states:

>"John Allan Arsenault, general counsel for London Trust Media, a VPN company, testified about how many VPN companies, including his, intentionally don’t retain logs of internet activity of their clients so that they cannot be produced in response to subpoenas from law enforcement or others."

Note it doesn't say they don't log only that they don't retain them. So it's quite possible that the subpoena process simply lagged behind the log retention window. Also the claim is only for "internet activity" and nowhere do we see that defined. Does that include client authentication?

The article then goes on to state:

>"Arsenault said he could not find any record of Ross Colby subscribing to the VPN service when he searched using Ross Colby’s two known email addresses, which he received from law enforcement."

Could not find is not the same thing as there was nothing to search.


It's all marketing claims when all is said and done. PIA is still the only VPN company that has proven its no log policy not once but twice.

[1] https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

[2] https://torrentfreak.com/ipvanish-no-logging-vpn-led-homelan...


I'm not sure why you are providing that second link as proof that they don't log. That is just a link to the same story being discussed here and the same one I am quoting in my comment.

Also the first link continues its insistence on using the phrase "user activity" logging. That's a rather nebulous term. Nowhere is "user activity" defined and it's certainly not a term that has meaning in the context of syslog/journald. Does "user activity" logging preclude RADIUS authentication?


Interesting analysis, but it's wrong.

We don't log, period. By stating that we don't retain logs, it means that we don't EVER retain them, not even for 0.001ms.

Hope this helps.


And nobody has any way of knowing if this is actually true do they? There is no independent third-party verification of your assertions is there? So why not commission such an audit then. Why not make actual verification your distinguishing characteristic then?

I am also very curious how support and operations troubleshoot client issues in the absence of any logging.


An audit only proves the claims were valid at the time the auditor was present. I see them as the health inspections at the local greasy spoon.


No, health inspections are instantaneous spot checks. Audits are far more extensive and look at historicals. This is how nearly all audits work - financial audits, tax audits, compliance audits etc. They are not the same at all.

Furthermore an independent audit is still far more credible than believing something is true simply "because the CEO said so."


What I also like about PIA is their continued support of Open Source projects. I have been a PIA customer for a while now and will remain for the time to come.


That doesn't make them more or less secure though. NSA and privacy activists both love open source.


While you’re right, this is a point to me which made me choose PIA over competitors. I like when companies give back to open source communities.


Agreed.

OTOH, I don't like the way (ie. tone) the co-founder is discussing in this thread. I find that unprofessional.

That said, I'm biased; I'm a ProtonVPN customer.

Here's the catch: I don't assume I'm anonymous with it. Just anonymous enough to use it for copyright infringement.

At this point though I am so impressed with WireGuard when my ProtonVPN sub expired I really just want a good VPN provider which supports that.


How many VPN services are run by the government three letter agencies through decoy companies? Seems like a match made in heaven.


There's no way to know that, either. One of the first VPN services, Anonymizer, morphed into a CIA operation. And Tor, after all, is still heavily funded by the US government. However, as cynical as I've become, I believe that the US freedom vibe is more than PR.

But anyway, there's no way to know. So your best bet is nested VPN chains. Including providers from jurisdictions where cooperation is less likely. Insorg is Russian, for example. Also, AirVPN, IVPN and Riseup have said that they'll shut down before they'll log.


> your best bet is nested VPN chains

It is possible to set up an anonymous DigitalOcean account funded by a Visa gift card and associated with an anonymous email provider.

Perhaps the best privacy-preserving tool would be a pool of anonymous, public accounts to public and private VPN services, and a client app that dynamically builds and connects via nested VPN chains.


But how do you buy the anonymous gift/prepaid whatever card?

Cash bills are marked with unique codes, and the trip from bank->(consumer->seller)*->bank tends to be relatively short, often 1 or 2. Systematic/sustained transfers are easily detected with graph theory & statistics... Especially if most other actors are carrying their cell phone with them all the time!


In this case, a little obscurity goes a long way. A $5/month droplet is more than enough for a single household’s internet use. If you make cash purchases with any frequency, it’s very possible to make your once-every-10-months $50 Visa gift card purchase nearly untraceable (at least by dragnet/mass methods). Your cover is far more likely to be blown by other things, like which IP address connects to the droplet most frequently.


Hi, I live in Europe, and am not familiar with Visa gift cards in specific. Would you mind describing exactly how they work, what form you buy them in, and how you use or enable them?

I.e. is the code printed at the time of buying? Or does it have a scratch-off code and packaged in plastic wrap? Is it scanned under a device while selling?

Even if there don't seem to be any unique codes, an IR fluorescent barcode could be used on the card, or its plastic wrap.

Even if there are no unique codes, the cards might come from a rack or pack in sequence, and the cashier instructed to scan a new pack of cards when opening a new pack!


It's just a prepaid credit card. Looks and behaves like any normal credit card, except that it has no name or address associated with it (and will validate against any).

Yes, they have unique numbers, and the time/date/location of purchase is known for each card's number. Like I said, this is not secure enough to defend against targeted attacks by well-resourced actors, but good enough to stay out of the dragnet, at least for now.


Question: wouldn't it just be more feasible for the American govt to request that all the numbers be handed to them prior to sale? That way they would know where it was bought and be able to track down by whom.

Sorry for my English. I hope my question is understandable.


They could do that, but I’ve never heard of it. And compelling companies to do it long-term would be illegal (AFAIK, IANAL).


When you pay cash for a drink from the convenience store do they log the serial numbers of the banknotes they give you as change?

Even if they did, how would they associate those serial numbers to your identity?

When you buy a prepaid card does the cashier link the serial numbers to the transaction?

If other actors have their cell phones with them, how does that allow graph theory to tie the prepaid card to you?


Alice withdraws bill number 17 from the ATM.

Bank knows: Alice-17.

Alice buys cell phone charger from cashier/seller Bob with bill 17.

Seller Bob deposits his cash (including bill 17) to the bank, and only the bank needs to scan the unique number, and associate with who brought it in:

Bank predicts: bill 17: Bank->Alice->Bob->Bank

For a lot of people even this simple automatable case is controversial, or supposedly too expensive to be true...

average joes and janes do not need to track and note down serial numbers for this to work...

====

Most convenience stores have a unified interface for printing the unlock codes for each type of product, and print the unlock code at time of buying. If you carry a cell phone, then the space-time event of cell phone position at the same location as the convenience store at the same time as printing the code identifies you. If other actors have their cell phones with them, the path of their bills is very much revealed. One is then trying to hide in among a very small set of unexplained connections...

Really we should have some kind of open source simulator of a market, and the surveillance state perspective of it, so we can prove in practice what is possible to deduce...


> Really we should have some kind of open source simulator of a market, and the surveillance state perspective of it, so we can prove in practice what is possible to deduce...

A variation of https://en.wikipedia.org/wiki/Random_forest might get the job done (the risk is an overfitted model).


The problem with tracking cash that way is it only works if the shop closes right after Alice leaves.

If another customer comes in and gets Alice's note in their change (which is fairly likely since it's sitting at the top of the stack) then that note becomes entirely disassociated from the original purchase.


Insert 'Alice walks to cashier and asks "can I get this in 10s and 5s?"' between withdrawing the money and spending the money and it throws a wrench into things.


Or uses that tracked 20 to buy a 1-dollar item from a vending machine that dispenses change in dollar coins, buys a transit ticket, and many other ways to get large amounts of change in a single transaction. Until cash becomes illegal?


That's a small wrench:

Random citizen Randy, who does not try to anonymize, carries a $10 bill (we will hence call it Randy's bill). Random citizen Rachel, who also doesn't try to anonymize, carries a $5 bill.

Both carry phones gossiping location history to surveillance state. If any of those bills are brought to a bank by some seller, neither Randy nor Rachel will have visited the sellers store recently, so the spooks know it switched hands.

Find any consumption place (bar/shop/...) which both Randy and Rachel have visited "shortly" after each other (location history), since they were last known to carry the bill.

They apparently both went to the same bar.

1) You better not carry your cellphone when anonymizing your $20 bill in the bar.

2) You better (in the bar) not be within the "light cones" of 2 events: going absent from your phone (forward speed cone), rejoining your phone (reverse speed cone). So locomote very fast!

1) and 2) frustrate each other, better just don't own a phone.

Your phone can detect from noise, motion (accelerometer/gyro), etc. if its owner has left it behind or returns, and you will be one of only few people in a large radius who is not carrying his phone like a good boy.

They are not directly interested in tracking Randy and Rachel, they track them to track those who anonymize. They are not directly interested in tracking you probably, they track you to track the hard targets. When most substantial (i.e. bills) money flows are fully explained, only a sparse amount of bill transmissions, and a sparse amount of suspicious behaviours need to be matched.

EDIT: 1) When you anonymize a large bill by splitting it, and you get multiple bills back, you must destroy the lower amount bills. (EDIT 2: CORRECTION better keep it and leave it on a train, different trains for each superfluous bill)

2) Let's pretend the introduction of smartphones was the start of the surveillance state, say 15 years ago. Individually we have potentially 15 man-years of experience with surveillance, on the other hand a 250 million population nation state has 15*250 million man-years of experience with surveillance!

3) Given a sequence of hypothetical events, it is easy for me to attack a known strategy, but how can the state collect anonymizing strategies? "Easy": for each flawless execution of anonymization, there will be hundreds of flawed executions: a person not realizing he shouldn't carry a smartphone but correctly splitting his bill after the ATM. If enough cases like this are found, you can try to find other patterns in their common behaviour, for example after using the anonymized $10 bill on whatever, he doesn't see harm in using the extra $5 bill (in conjunction with say his phone, or in conjunction with a fresh $20 bill from the ATM).

From all the known (but failed) attempts, we can try and look for alternative ways we could have anonymized them. Some will turn out to be aware of other side-channels and will have found original remedies for one problem, introducing a second side-channel, which can be taken into account in the future.


> Perhaps the best privacy-preserving tool would be a pool of anonymous, public accounts to public and private VPN services, and a client app that dynamically builds and connects via nested VPN chains.

I love that idea. Algo[0] creates IKEv2 servers using mainstream VPS. There are also scripts for creating clients for iOS and macOS devices. However, in my experience, it's hard to get IKEv2 with strong crypto working on Linux. There's also streisand,[1] which creates OpenVPN, WireGuard, etc servers.

Also, there is VPN-Chain,[2] which alters default routing pushed by OpenVPN servers, to create nested VPN chains, without using pfSense etc VMs. And it does create iptables rules to prevent leaks.

However, although compartmentalizing VPN clients in different VirtualBox VMs is far more resource-intensive, it's arguably more secure. Indeed, sometimes I compartmentalize VPN clients in different hardware. But anyway, perhaps there are lighter compartmentalization approaches with adequate security. And one could use vagrant etc to create and configure the compartments.

Even so, client apps for nested VPN chains would be nontrivial. They're far more complicated than simple VPN clients, and so far more error-prone. You'd clearly want them to fail closed overall.

You'd also want feedback to diagnose failures, but nothing that connected directly to "inner" VPNs, which would normally be reached through other VPNs. In my experience, you optimize at each stage of building the nested chain. You may have a general plan. Which VPN services to use, in which order. But to minimize latency and maximize bandwidth, you need to experiment with various combinations of servers. It's likely a BGP-routing thing.

But sure, that could be automated. Most VPN clients have an automatic mode, where they identify servers with lowest latency and maximum bandwidth, within some constraint for exit location. So your app would just need to do that recursively, in building the nested VPN chain.

> It is possible to set up an anonymous DigitalOcean account funded by a Visa gift card and associated with an anonymous email provider.

I'd rather pay with Bitcoin. You can arbitrarily anonymize by using multiple mixing services, with independent local wallets. I use Whonix instances in VirtualBox, each with an Electrum wallet.

Each Whonix client can hit Tor through a different nested VPN chain. So you have some anonymity, even if Tor has been compromised. Even after the first mix, you should have different Bitcoin. But with three mixes, you've got anonymity even if one of the mixing services is a honeypot.

If you want better anonymity, just mix more times. And Whonix instances require very little setup, so they're disposable. Mix some Bitcoin, then nuke the intermediate Whonix instances.

0) https://github.com/trailofbits/algo

1) https://github.com/StreisandEffect/streisand

2) https://github.com/TensorTom/VPN-Chain


Algo also supports WireGuard these days.


> jurisdictions where cooperation is less likely

There are still some legal restraints on US agencies and military conducting signals intelligence within the United States.

But they are unrestrained outside the US. And we've seen that foreign networks are thoroughly compromised by US agencies.

So wouldn't it actually be safer for a US resident to select a provider based in the US?


> There are still some legal restraints on US agencies and military conducting signals intelligence within the United States.

That is likely a fantasy. The NSA is a military organization. And the US is always at war. So there's no expectation that the NSA will respect US law. At best, it will pretend to do so.

> So wouldn't it actually be safer for a US resident to select a provider based in the US?

It is true that there's no mandatory logging requirement for VPN services in the US. And PIA has prevailed so far on that basis. However, there are also National Security Letters, which might require logging without public notice.[0]

0) https://www.calyxinstitute.org/sites/all/documents/08_28_201...


Problem with Riseup is, that they're invite-only and at the same time becoming the most centralized email service for anonymous left-leaning political use.

Personally I can recommend Autistici/Inventati. More smaller services/servers seems like a much better way to go.


Yes, Autistici/Inventati are excellent too.


Using a VPN service from a non-US friendly jurisdiction doesn't guarantee the CIA isn't operating the service, hasn't compromised the service (via human or technical), or doesn't have taps to monitor the service in/out flows giving them the metadata needed to retrace your connection back through the platform.


There are no guarantees. That's why you use nested VPN chains plus Tor.


> One of the first VPN services, Anonymizer, morphed into a CIA operation

I assume you mean anonymizer.com? If so, can you point me to some reliable source for this info? Would like to know more...


Abraxas Corporation bought Anonymizer in May 2008.[0]

> Abraxas Corporation focuses on services, system and technology solutions, and training programs across the United States National Security community, the United States Government, and the United States military markets.[1]

It was founded in 2001

> by a group of former high-ranking agency employees, led by Richard "Hollis" Helms, a longtime overseas officer in the Middle East and onetime head of the CIA's European division, and Richard Calder, who was the agency's deputy director for administration.

0) https://www.socaltech.com/anonymizer_acquired_by_abraxas/s-0...

1) https://www.bloomberg.com/research/stocks/private/snapshot.a...

2) http://articles.latimes.com/2006/sep/17/nation/na-abraxas17


Riseup will also shut down before not handing over the details of an extreme right winger that somehow slipped through their vetting process.


The user sounds like he was a regular on the IRC channel. Did they perhaps add particular logging on the IP/port combo when asked to, rather than having always logged, and lied about it?

I mean, it's still not consistent with "no logging", but it still protects "backwards" privacy of connections happening in the past, and crucially it's a kind of logging that will always be technically possible to implement for a VPN provider, and probably legally trivial for law enforcement to mandate with a court order (or national security letter) - regardless of how strongly a worded policy the provider has in place.


I spent some time looking into building a VPN business. It's a real bottom feeder industry. The margins are tiny and the bulk of your traffic will be malicious. Anyone who says they don't log is simply lying to your face; the liability is insane if they don't. I'd rather use a provider that at least is honest about their logging policy, although even that is a terrible idea. The only real solution is running your own Streisand node on an anonymous VPS paid with crypto.


> Anyone who says they don't log is simply lying to your face; the liability is insane if they don't

...

> The only real solution is running your own Streisand node on an anonymous VPS paid with crypto

Why would VPN providers need to log but VPS providers don't?


>Why would VPN providers need to log but VPS providers don't?

It's a question of obfuscation. A private VPN provider is receiving explicit logs of every single URL request you make, and has access to the actual machine processing the request. A VPS provider cannot. With an IPSEC tunnel terminated inside the VM, there's no way they can see your incoming traffic. They could monitor your outgoing traffic in theory, but would have to be specifically looking for this and targeting you.


If you're the only one using a private VPN run on a VPS then they effectively have access to the same information: your IP address and all of your traffic.

I'm just curious why VPNs would be required to log but VPS aren't if they can be used for the same purposes. Is it just because VPNs are more likely to be used for illegal purposes?


Anyone looking for VPN suggestions, start here:

https://www.privacytools.io/#vpn


Care to elaborate why this particular site is notable?


It's run in the open by a group on reddit, with relatively detailed explanations on why they make their recommendations and timely changing of recommendations. A strong place to start, though you may wish to do further research before a large decision.


It's a decent all-in-one site with links and explanations. Good for the average user.

Take a look and let me know what you think or if you disagree.


Do not use any of these. Never ever ever trust a 3rd party VPN for any use whatsoever. Period.


Beginner's mistake: Choosing a VPN-cloak based in one's own jurisdiction.


To be honest, The US' federal arm is far-reaching


Still it's a lot harder to convince a, let's say, Chinese court to order that kind of surveillance on a local company over an allegation of a crime that happened half a world away. Add a couple more VPN layers over multiple international jurisdictions and it's a huge effort that can easily take years.


VPN companies don't care too much about customers that are concerned about privacy - too small a percentage of their customer base. Catering to those trying access geo-blocked content is where the money's at.


Seems pretty naive to risk jail time over the commercial claims of some internet company...

I use a VPN to reduce tracking and keep my ISP in the dark - and so have gravitated to the names in the space that seem to be more solid corporate citizens:

F-secure - https://www.f-secure.com/en/web/home_global/freedome

Proton Tech - https://protonvpn.com


« It’s impossible for me to speculate or comment about what may have happened under different ownership/management. »

You keep using that word, "impossible". I do not think it means what you think it means.


Would it be possible to sue a lying company for damages in a case like this? Especially if (as it seems) they were not forced to give traffic data by a warrant but instead complied on their own?


This is why I host my own OpenVPN instance on AWS EC2. If the government is going to come after me/my IP, they are going to get it one way or another (I know Amazon will hand over my account info if asked for it) so I might as well cut out any security risks in between (are the servers that my VPN providers are using secure?).

