Hacker News, page 2
PIA VPN to be acquired by malware company founded by former Israeli spy (telegra.ph)
1004 points by ArcVRArthur 7 months ago | 359 comments

I've been trying to cancel/shorten my year subscription since this came out. This + hiring Mark Karpeles as CTO are a solid guarantee that my data isn't safe.

Sadly, they just have a stock response to everyone emailing which is grating.

This is the first I have heard about Mark Karpeles being their CTO... I had to look it up, because it seemed too ridiculous to be real, but it is. Their judgment is compromised. I can't trust them with my network traffic anymore.

I'd just like to quote the stock response that we are getting, because it is fairly ridiculous.

> Thank you for contacting PIA Customer Support.

> I would like to start off by stating that there are no changes to the service, policies or principles you have always loved, this includes our very strict no-logging policy.

> The decision to join forces with Kape Technologies was not one that was taken lightly, and it was a decision that came on the back of extensive dialogue and due diligence by both the parties in the transaction, and I’d like to touch on some of that.

> Private Internet Access always has, and always will, put privacy first. Privacy is a fundamental human right as enshrined in the United Nations Declaration of Human Rights, and one that our entire business has been built around. Our commitment to the privacy of our users, and the global population at large, is one thing we would never compromise on. Privacy is bigger than you and I, privacy is bigger than PIA and Kape. Privacy is an absolute necessity to protect and safeguard life for a substantial proportion of the world population.

> At Private Internet Access, we want to continue fighting for privacy, against censorship and oppression and for human rights in general. We want to protect the next three billion people connected to the internet. We want to see world economies improve in line with people receiving unfettered access to information. We want to contribute to ensuring that people can engage, become empowered and educate those in their communities for a better global society for all. We believe in the power of people and we have hope, hope for the future. A global future in which we all have the same access, the same rights and the same opportunities.

> And, in partnering with Kape Technologies, we believe that we will be better equipped to continue fighting for the digital liberties of today and tomorrow. Through lengthy conversation and mutual commitment, Kape Technologies and Private Internet Access have agreed to codify some guiding principles going forward.

> These guiding principles can be found at http://investors.kape.com/about-us and I also include an excerpt here:

> 1. Zero Secrecy – openness as a guiding force – we believe that an organization cannot ensure privacy for others without being open and transparent itself.

> 2. Zero Reliance – we remove the need for you to trust anyone with your personal data by ensuring no one has it, including ourselves.

> 3. Zero Data – sanctity of personal data – we believe each individual owns his own data therefore we will never store or attempt to sell what does not belong to us.

> 4. 100% Customer first – we believe that all decisions should be made with the end user in mind, while maintaining profit as well as building a sustainable balance between social, environmental and economic profit.

> 5. Zero Theater – what you see is what you get, we tell it as it is and deliver on what we promise to achieve.

> 6. Zero Tier – net neutrality – we believe that all connections and data should be treated equally and without manipulation.

> 7. 100% Honesty – we will say it as we see it, straightforward and direct.

> 8. Zero Sidelining – life purpose – this is not a passing phase, this is our mission and we are determined to stick to it and overcome any obstacles which come our way.

> Going forward, Private Internet Access and Kape Technologies will be bound by these eight guiding principles in absolutely everything that we do. We are not selling out, we have not come to a crossroads and decided to take an entirely different direction. We are growing. We are becoming stronger, and together we will continue fighting for a just world for you and I, and for those who come after us.

> What we will do is use this opportunity to further our work to develop and promote better privacy and security tools, and further our commitment to and involvement in human rights and digital liberties as we continue to empower each other and those around us.

> Our founder, Andrew Lee, has written a blog post explaining his decision to sell the company and how it impacts our mission going forward: https://www.privateinternetaccess.com/blog/2019/11/bellum-om...

> Give us the time to prove to you that we remain as serious and committed to the cause now as we were before, and join us as we break down barriers and unite across borders. We have your back today as we have for every day since our inception and are confident that we will not let you down!!

I'd also like to point out that in PIA's TOS they have no obligation to attempt to tell users of changes to the TOS or privacy. They expect us to watch for changes.

Just a general question about VPN services in general. When they advertise that they have hundreds of servers in a dozen or so countries, is it even possible to think that they are able to secure all of that themselves? Surely some State actor with enough know-how is going to be able to hack into some of the servers, right?

> When they advertise that they have hundreds of servers in a dozen or so countries...

... they're often lying. In particular, servers in exotic locations are almost always the result of "creative" routing, and are physically located in a more standard country.

Could anyone who's more familiar with routing than me explain how these "virtual locations" work at a technical level? As far as I understand the VPN companies in question don't maintain boxes at those locations and an Azerbaijani IP address for instance literally gets routed to a machine in the UK. How is this possible? I always thought that IP addresses were tied to the location assigned to them by ICANN / regional internet registries.

You register as an ISP with e.g. RIPE, buy some IP blocks from an ISP in the country you want to pretend to be in, and then announce them via BGP from your actual location.

Due to the IPv4 shortage, we're actually seeing a lot of Chinese and European companies buying IP addresses in AFRINIC space, from African ISPs, and using them in their own countries.
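The "virtual location" trick described in this comment (a prefix registered in one country, announced via BGP from another) can be sanity-checked from the outside, because latency bounds distance: a signal in fibre covers at most roughly 200 km per millisecond, so half the best observed round-trip time from a probe of known location caps how far away the server can really be. The following is an added example, not code from the thread or from any VPN provider; the probe coordinates, RTT measurements and documentation-range IPs are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Signals in fibre travel at roughly 2/3 of c, i.e. about 200 km per ms.
# Used as a generous upper bound (assumption; real paths are slower and longer).
FIBRE_KM_PER_MS = 200.0


@dataclass(frozen=True)
class Probe:
    """A measurement vantage point whose true location is known."""
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class ClaimedServer:
    """A VPN endpoint plus the city the provider (or the RIR record) claims."""
    ip: str
    claimed_country: str
    lat: float  # coordinates of the claimed city
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def max_reach_km(min_rtt_ms: float) -> float:
    """Farthest a host can be from the probe given the best observed RTT."""
    return (min_rtt_ms / 2) * FIBRE_KM_PER_MS


def min_credible_rtt_ms(probe: Probe, server: ClaimedServer) -> float:
    """Lowest RTT physically possible if the server really is where it claims."""
    return 2 * haversine_km(probe.lat, probe.lon, server.lat, server.lon) / FIBRE_KM_PER_MS


def check_claim(server: ClaimedServer, rtts: list[tuple[Probe, float]]) -> dict:
    """Flag the claim as inconsistent if any probe saw an RTT too low for the
    claimed location. Pass only the *minimum* RTT per probe: high RTTs prove
    nothing (congestion, detours), but an RTT lower than physics allows does."""
    violations = []
    for probe, rtt in rtts:
        dist = haversine_km(probe.lat, probe.lon, server.lat, server.lon)
        reach = max_reach_km(rtt)
        if dist > reach:
            violations.append((probe.name, round(dist), round(reach)))
    return {
        "ip": server.ip,
        "claimed_country": server.claimed_country,
        "consistent": not violations,
        "violations": violations,
    }


# --- constructed sample data (not real providers, probes or measurements) ---
LONDON = Probe("london-probe", 51.5074, -0.1278)
FRANKFURT = Probe("frankfurt-probe", 50.1109, 8.6821)

# An address registered to an Azerbaijani ISP, advertised as a "Baku" server.
AZ_CLAIM = ClaimedServer("192.0.2.10", "AZ", 40.4093, 49.8671)
# A server that really is in London; its low RTTs are all physically plausible.
UK_CLAIM = ClaimedServer("192.0.2.20", "GB", 51.5074, -0.1278)

# Minimum RTTs (ms) we pretend to have measured from each probe.
AZ_RTTS = [(LONDON, 3.1), (FRANKFURT, 11.8)]
UK_RTTS = [(LONDON, 1.9), (FRANKFURT, 11.8)]


def run_demo() -> list[dict]:
    """Check both claims; the 'Baku' one cannot be ~4000 km from London at 3 ms."""
    return [check_claim(AZ_CLAIM, AZ_RTTS), check_claim(UK_CLAIM, UK_RTTS)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
    print(f"A genuine Baku server would show >= "
          f"{min_credible_rtt_ms(LONDON, AZ_CLAIM):.0f} ms from London")
```

The check only ever proves a claim false, never true: a server that really is where it claims, or one that is merely closer to your probes than claimed, passes it.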

I really like the methodology in this blog post. It's creative and low-tech, easy to replicate, and came to interesting, important conclusions.

Mullvad is very open about their servers, which they rent and which they own [0]. Note that 31173 is their parent company.

[0]: https://mullvad.net/en/servers/

Most of them just rent servers / VPS boxes, so ultimately your security also depends on whoever operates the servers themselves. NordVPN recently got pwned through remote management software vulnerabilities in one of the datacenters they were renting from - https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-ha...

If you're using a third-party VPN service as the single way in which you are protecting your privacy, you're already in such a sorry state that it doesn't matter whether or not your VPN provider is compromised.

If your threat model is such that you're concerned about TLAs or state-level actors targeting you, you're already in a world of hurt.

If you are under the mistaken belief that the VPN provider is anywhere near as conscious of your security as you are, you're already living a bit of a fantasy.

So the answer to your question is that it's not really possible to think that they're ultra-secure, but that ultra-security was never what they were selling.

Security effort scales with number of servers only if you’re doing something deeply wrong (like not using configuration management).

That's only partially true.

A big part of security is your relationship with the people providing you hosting.

The compromises to nordvpn and others came from a rogue hosting company, for instance.

None of these 3rd party VPNs are really meant to be hardened against state sponsored attacks, at least I wouldn't think myself secure from that level of sophistication. They're basically most valuable to mess around against adversaries that have little to no access to security resources, like your average ISP or forum moderator.

Whether this is true or not isn’t really the point. The fact that it’s even possible is a huge red flag for my use case / threat model.

It’s relatively easy, not to mention cheap (less than $10 per month) to spin up a streisand (0) instance and protect myself that way. As long as I keep my traffic encrypted, I can keep most / all of the vultures away that I’m concerned about.

Happy to walk anyone through it. Takes less than 30 minutes and it just works.

Edited to add link. Second edit to change reference # typo.

0. https://github.com/StreisandEffect/streisand

VPNs have three purposes:

1. Encapsulate traffic on the way from your machine through the first few hops of your Internet connection.

2. Shield your identity from third parties trying to discover it, through technical or legal means.

3. Provide a bottomless pit for disposal of DMCA complaints and other nastygrams.

Your solution covers only purpose 1, which is becoming increasingly irrelevant as almost everything uses HTTPS, and DNS-over-HTTPS and Encrypted SNI are coming.

I disagree with a couple of things.

First of all, you missed one thing that is really one of my primary concerns. I hate the idea of my ISP working with other ad surveillance companies to track and sell MY data about mine and my family’s and friends’ online activities.

Having a VPN stops that part of the surveillance machinery from working as intended. Combining that with pihole and other tools allows me to disrupt (at least a little bit) the business of the internet that I hate so much.

Also, Tor and other tools (all part of the same solution above) address #2 to the degree I need it addressed. And I am currently not worried about #3, but with the decentralization of streaming services, it won’t be long now.

These approaches work (and I use one myself in addition to a group VPN) but remember, if you roll your own, you lose any/all plausible deniability for sure.

Good point, thank you. Because of my use case, this isn’t an issue. But I understand we all have different models and should act accordingly.

For anyone displaced from their VPN by this... Not mine, but another HN user made a tool to automatically create a VPN instance on your choice of cloud provider.

And what good does setting up your own VPN instance do? Now people will be able to trace every single bit of your traffic back to your cloud instance and thus to you. The idea of signing up for a VPN provider like PIA or Mullvad is precisely that it's not a personal VPN and you get to hide among the masses / their other customers.

There are many different reasons to use a VPN. Some are legal, some are privacy-related and some are just getting access to sites that are otherwise blocked.

I think your most common reason for using a VPN would be very different based on living in Russia, Sweden, USA and China.

I'd suggest anyone looking for a new VPN to have a look at this site: https://thatoneprivacysite.net/#detailed-vpn-comparison

It was recommended by privacytools.io in an article a few weeks ago as being one of the few sites that don't take money from VPN providers to list them.

It's not just PIA. NordVPN, ProtonVPN, etc. all have ties to or are owned by shady companies.

If you want real anonymity, use Tor. If you want to change your internet access location, lease a VPS and set up OpenVPN/WireGuard on it.

This is not correct as far as Proton is concerned and easily verifiable. ProtonVPN is 100% owned by Proton Technologies AG (Switzerland) which also develops ProtonMail and is not affiliated or owned by any other company. Information about Proton is all public and visible on the Swiss commercial register: http://ge.ch/hrcintapp/externalCompanyReport.action?companyO...

The investors of Proton Technologies AG are also public information, and they include FONGIT (a Swiss non-profit foundation supported by the Swiss government), CRV (private investment firm best known for their investments in Twitter, Zendesk, etc) and the European Union, who collectively have a minority interest. Actually, the European Commission doesn't have a financial stake as their funding is non-dilutive. Whether or not these entities are shady is a matter of opinion of course, but these are all well-known public entities.

ProtonVPN was also extensively checked by Mozilla before they partnered with us last year, and they also checked into this, details here: https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...

Why would you think your VPS provider is less likely to save network logs than e.g. Mullvad?

There are also plenty of VPN companies not owned by shady companies, e.g. Mullvad and OVPN. Should you blindly trust them? No, but you can probably trust them much more than your VPS provider.

ProtonVPN? I thought they are privately owned.

That's correct, ProtonVPN is not affiliated or related to any other company. ProtonVPN AG (Switzerland) is a 100% wholly owned subsidiary of Proton Technologies AG (Switzerland), which also develops ProtonMail. All of this is in public record at the Swiss commercial register: http://ge.ch/hrcintapp/externalCompanyReport.action?companyO...

Or if you need a quick solution: dsvpn.

Geez... This is a worse outcome than even the cynics predicted.

This is the most disappointing news that affects me personally that I've received this week. It's getting harder and harder to find tech companies you can trust, it seems. Just when things seem good, there's always a surprise waiting eventually.

This kind of seems like a national security concern, which the US government would want to block the acquisition over. Given it's a US company that has access to a ton of US traffic, it's certainly reasonable that a state actor would want all that data.

That unit is part of the Israeli army, and Israel has conscription so inevitably a lot of people will end up there. Should none of them be trustworthy?

I would like to rephrase a greyed out comment in less inflammatory language:

Is the current and recent government of Israel known for highly funded hacking operations (Stuxnet), misinformation (Palestine), or general shadiness (Bibi)?

(Previous comment generalized to all Israelis, presumably due to their military service requirement, but that does not honestly reflect on the individual citizen or resident.)

Is anybody trustworthy? Hell, that's why I avoid any five eyes vpns.

This could do without the clickbait title. "former Israeli spy" is obviously trying to make you think of something nefarious, even though there are no details besides where they worked. I was in an intel unit when I was in the military, and there's a lot of general IT people, managers, etc. It's deliberately deceptive to label anyone who has ever worked at an intel agency as a "spy".

His LinkedIn indicates that he was a developer in the unit that created the Student Virus... Spy has a broad definition but it probably fits for a SigInt developer in the Israeli military..

This unit is literally 10000 people, is the largest in the Israeli army and handles the vast majority of computer security things. So it still does not say much.

Stuxnet was created by the NSA in a joint operation with 8200. And yes, there are 50,000 ex-8200 alumni, so calling all of them spies is kind of absurd.

Calling them spy may be wrong, but I certainly won't ever work with, or use technology made by people who worked for an intelligence agency. That's something over which I'd also terminate friendships.

And many people have a similar mindset, so it's understandable to report this information, and make consumer choices based on it.

That said, Israel should probably consider solutions like other countries with mandatory military service have, e.g. in Germany (until it stopped being mandatory) it was possible to avoid military service by spending the exact same time instead working in social services, e.g. hospitals, daycares, retirement homes, etc.

Israel does allow it in some cases, but the security conditions in Israel and Germany are very different, as is the size of their population. But I have some bad news for you: you are most likely using technology made by people who've worked for intelligence agencies. For example, if you're using Intel chips, many dozens of their designers served in Israel's military intelligence. Same goes for Google, Apple and Microsoft products. It's just that a very high percentage of engineers in Israel served in military intelligence, and a lot of technology companies do R&D in Israel. But if you use Wikipedia, it's OK: its PHP engine was made by someone who served in the Israeli air force, not military intelligence. Although, your packets are probably routed through Cisco routers, so maybe not so OK. Oh, Akamai servers, too. Also, there could be an issue with your Qualcomm Wifi chip.

In the end, it still makes sense to realize this, and to be cautious. The NSA, Israeli intelligence, BKA, FSB, etc. are all not much better than the Stasi, and one should treat them, and their (ex-)employees, with as much trust and respect.

Of course using SELinux or TOR, or Intel products is something that’s hard to avoid, but one shouldn’t trust blindly.

> The NSA, Israeli intelligence, BKA, FSB, etc. are all not much better than the Stasi

I guess it depends on your definition of "much better", but for roughly the same definition you'd need to use to make that statement, you could also make it about Google and Facebook. And note that we're not talking about Israeli intelligence; we're talking about people who, when they were in their late teens and early twenties, did their mandatory service in a military intelligence unit, like a big portion of tech workers in Israel. I know it's hard for people not familiar with it to understand, but most of these people don't have contacts in intelligence, as the personnel circulation in those units is very high -- almost everyone is just serving a few years for their mandatory service.

> you could also make it about Google and Facebook

Would you trust Google or Facebook to run a VPN? No, I don't trust them at all. I only use them in the most limited amount necessary, and only entrust them with data which is already public.

I self-host everything else, because I don't trust them at all.

That's fine, but you should know that VPN implementers often particularly seek out former intelligence agency people to design their security, and that's pretty much where VPNs started. Feel free to trust whomever you like, but the assumption that people who've served in an intelligence agency can be trusted less than those who haven't isn't very logical. Those are often the people who understand security best, and as far as allegiances go, how can you trust anyone? When intelligence agencies want to insert backdoors etc., they can and do cover up their tracks. I.e., you won't know that the people involved are doing their bidding, nor would you have some special reason to suspect them. Your point of view might well lead to a less secure system.

To me the word spy and the term ex-intel paint a very different picture of the person being described. When I realized this guy was just in the 8200 unit I literally giggled at the notion that all those 18 year old nerds are all spooky spies.

Do you believe people would continue using a VPN if they knew several of its employees were ex-NSA? No, not at all.

The same applies here. It doesn't matter if you call the people spies or not; VPNs should not have any association with intelligence services.

Thing is, Akamai and Cisco employ a lot of those people. Quite many of them in security research. People who were in the NSA or Israeli intelligence are the people companies seek when they want security. Israel's military intelligence is one of the places where VPNs were first used, and the idea later became commercial VPN: https://en.wikipedia.org/wiki/Check_Point#History

Yeah the whole corporate security community is full of ex spooks. Look at the backgrounds of the Fortune 500’s CISOs.

Does a spy ever really become a former spy? From the outside, this reads as destroying PIA by providing user data to intelligence community, at a minimum. Perhaps even a play to get historical data.

It is worth mentioning that a large portion of Israel's talented IT youth is enlisted into intelligence technological units in the IDF. So every cyber company founded / hiring in Israel will almost always have people from those units. But this is not such a big deal and definitely doesn't make them spies.

Correct. It just makes them people that happen to have contacts with an especially competent spy agency.

It occurs to me that you can buy out major top-20 productivity apps and browser plugins with just a couple billion dollars, silently change the EULA and have a field day with the personal data of a large chunk of the population. This is not a huge amount for governments.

> If that wasn’t enough, Crossrider’s Founder and first CEO Koby Menachemi, was part of Unit 8200 – something that can be called Israel’s NSA.

About half of my coworkers in Israeli game development companies have served there. Some wrote custom Linux kernel modules, most did very low-level QA work, and in general had more or less the same skillset and level as any other coworker. Of course, they probably worked close to Stuxnet developers, but calling a typical kid, just out of his mandatory military service, a "spy" paints this in a completely different light.

I've relied on PIA for years and I'm 100% dropping them for good. They promise to never log, but that's clearly an empty promise. Their TOS says that they can change the terms at any time without notifying anyone. This new partnership with Kape is an intelligence operation with the 14 eyes. A spy never becomes a "former" spy. I love my country, but I love my rights as well, and I refuse to be surveilled illegally.

Thank you for posting this. I just cancelled my subscription (didn’t really use it that often anyway tbh)

Previous thread: https://news.ycombinator.com/item?id=21612488

Edit: Sorry, I meant prequel thread as they're related but not the same.

A quick ctrl-f returns 0 results for "8200", "Israel" while it returns 1 result for "adware".

This article centres around the details pertaining to the company's operations in and around 2016 when it launched the Crossrider malware as well as the founder's former employment with Unit 8200 (Israel's IDF Signal Intelligence operations unit).

I’ve been using PIA for years. Chose them over others because they were more well known and larger, which to me meant they’d be less susceptible to having to enter into shady activity. I’m trusting them with my traffic, after all. This one doesn’t sit well with me, it feels like a betrayal of trust. They have to know that people who signed up to use their service wouldn’t be okay with something like this if it’s as shady as it sounds. Good thing it’s still Cyber Monday, I think there might be a few VPN deals going around. Maybe it won’t hurt to try my luck with one of those.

How does this affect Freenode?

Looks like they issued a statement: https://freenode.net/news/freenode-pia-changes

What do people use these VPN services for? Is it mostly for pirating, or public wifi users, or people that don't want their ISPs to know what they're doing? It all seems like niche use cases.

This might not be the case in the US, but outside it a VPN is very often used for the opposite. Half of the legal video / music / etc. streaming companies have content locked behind per-country limitations and licensing. So if you want to pay for content you'll often need to pretend that you're from the US.

For piracy it's cheaper to set up a seedbox.

I believe that that is still technically piracy.

Tough question. Depends on EULA of a service and laws (both US/the target country and VPN's user) regulating the particular content type (for example the mandatory age rating for a film) and copyright.

A close counterexample: the Japanese guitar manufacturer ESP was forced to stop selling worldwide and producing MX-250/MX-2 models which exactly copied the shape of Gibson's Explorers (court decision and an agreement IIRC), but anyone can still order one in their Custom Shop with the restrictions of making an order by sending a letter with order form and paying from inside of Japan as well as picking it up from the factory (no delivery services). All of that because they can still sell them in Japan and by client's specification.

Unlocking geolocation-locked content.

In third world countries it is used by locals to bypass the ban on many websites.

Can you live without Wikipedia? It is blocked in China and in Turkey.

As a general rule I have trusted PIA for years and I now trust your judgement in choosing a partner. Seriously, I've considered all alternatives; other companies don't say anything about themselves. Who owns the other VPN companies? Couldn't find any info. Service has been great, price has been right, and I appreciate the honesty. The fact that you are here responding means a lot, and more than I can say for other companies.

Is there some sticky mechanism going on here, or how is that raengan comment so far on top even with all those comments disagreeing with the content of it?

I'm just a casual HN reader, but my understanding is that the upvote button is not to be used as an "I agree" button but rather as a "This is relevant to the conversation" button. That being said, as the comment is by a cofounder of PIA, it is extremely relevant regardless of opinion about this situation.

FWIW, if you want a VPN for protecting your traffic while you're out in the world, get a nice home router that provides VPN and dynamic DNS support.

Uninstalled. Sub cancelled. They had to know there would be a massive backlash from this? I can see why the PIA execs wouldn't care -- they would get their payout from the sale regardless. But Kape either is oblivious or doesn't care if a non-trivial percentage of their customer base drops them. I am not sure which option worries me more.

Now I have to spend the next week researching VPN providers.

As a side note, calling someone who served in 8200 a "spy" is a bit of a stretch... The story might be legit, but the title is a bit baity.

So it's pretty much the story of the first Iron Man movie, but with malware instead of weapons.

I recently extended my subscription by 2 years, now I guess I can just toss it.

The name of this VPN is now very appropriate... see Urban Dictionary.

PIA also claimed they were going to release the code of their new Windows desktop client.

They did not. They have not.

They lied.

They cannot be trusted.

please donate if you use it

Don't you want a VPN to be content neutral?

Sure. Riseup is not neutral however.

"Riseup provides online communication tools for people and groups working on liberatory social change." Does this sound neutral to you? Have you seen the half-red, half-black star which they use as a logo?

https://www.privacytools.io/providers/vpn/ Looks like I'll be switching to Mullvad.

It was time to change VPNs anyway...

Just stick with AirVPN, they rock!

I've been very happy with Azire VPN.

Ha! After discovering that PIA runs a background process I posted that they were one evil change of ownership transaction away from fucking everyone.

Looks like they were way ahead of me.

Did CrossRider have any other users than companies wishing to install adware, change browser start pages and similar shady shit? Sure, it could theoretically be used for other things, but did it have any significant number of honest users?

When I Google CrossRider I virtually only get hits from various anti-malware companies, including Microsoft.

I used Crossrider at an earlier startup and migrated from it when I could stop supporting IE. It worked pretty well, when it worked, for cross-browser extensions.

Our product (TipRanks) brought financial accountability to the market and it was a paid product. Our business model was just plain SaaS. While I am no longer there, I think it's a decent and mostly honest company.

Thanks for the reply. Did you have any issues with your extension being caught by malware removal programs?

It was misclassified once by an antivirus program. When we asked why, they said that it was a known bug when using WinAPI APIs in BHOs (IE extensions).

They fixed it pretty soon. It was also a motivation to drop IE support (and Crossrider), but we were mostly happy with them.
