"Show me all the VPN startups in country X, and give me
the data so I can decrypt and discover users."
Can someone explain this bit to me please? I read this as:
1) The NSA have a list of companies (grouped by country),
which analysts can 'target' for further inspection.
2) The NSA can 'decrypt' that encrypted data.
3) The NSA can 'discover' users.
2) and 3) are weird and scary. This suggests that VPN traffic is not secure at all. It also suggests that they can target specific users exiting at that VPN provider. There is nothing stated about restrictions on particular VPN protocols, suggesting that all are decryptable. Hence, OpenVPN could also be as vulnerable as PPTP and L2TP/IPsec.
To me this suggests that VPNs provide no privacy value against NSA spying.
By VPN startups, they mean initiation of a VPN session. Specifically, this means they can grab the credentials at the beginning of a PPTP VPN session, and then decrypt it. PPTP has been known to be vulnerable to this sort of attack for some time.
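
The reply above places the exposure at the start of a PPTP session. As an added example (not part of the thread), a defender can inventory where PPTP is still in use by flagging PPTP Start-Control-Connection-Request messages in captured TCP payloads. The header layout follows RFC 2637; the function names, record format and sample records are assumptions constructed for this illustration.

```python
import struct

PPTP_PORT = 1723          # usual TCP port of the PPTP control channel (RFC 2637)
PPTP_MAGIC = 0x1A2B3C4D   # magic cookie carried in every PPTP control message
CTRL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
}

def parse_pptp_control(payload: bytes):
    """Return the control message name if payload starts with a PPTP control header."""
    if len(payload) < 12:
        return None
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", payload[:12])
    # msg_type 1 = control message; the magic cookie guards against random matches
    if magic != PPTP_MAGIC or msg_type != 1 or length < 12:
        return None
    return CTRL_TYPES.get(ctrl_type, f"control-type-{ctrl_type}")

def pptp_session_starts(records):
    """records: iterable of (src, dst, dport, tcp_payload). Returns flows that open PPTP."""
    hits = []
    for src, dst, dport, payload in records:
        # Match on the header rather than the port so relocated servers are found too
        if parse_pptp_control(payload) == CTRL_TYPES[1]:
            hits.append((src, dst, dport))
    return hits

def build_sccrq(hostname: bytes = b"client") -> bytes:
    """Constructed 156-byte Start-Control-Connection-Request used as sample input."""
    body = struct.pack("!HHIIHH64s64s", 0x0100, 0, 1, 1, 1, 0, hostname, b"")
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, 1, 0) + body

# Constructed sample records (documentation address ranges, not real traffic)
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", PPTP_PORT, build_sccrq()),
    ("192.0.2.11", "198.51.100.9", 443, b"\x16\x03\x01\x00\x2e" + b"\x00" * 20),
    ("192.0.2.12", "198.51.100.5", PPTP_PORT, b"not a pptp header at all"),
]

if __name__ == "__main__":
    for src, dst, dport in pptp_session_starts(SAMPLE):
        print(f"PPTP session start: {src} -> {dst}:{dport}")
```
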