Can Commercial VPNs Really Protect Your Privacy?
from the it-depends dept
Nick Pearson is the founder of IVPN - a privacy-focused VPN service, and Electronic Frontier Foundation member.As Techdirt readers are no-doubt well aware, online surveillance laws are undergoing a major revamp across the western world. From Australia to the UK, law enforcement agencies are taking the opportunity to gain unprecedented powers over the data they can monitor, and are blaming the crackdown on everything from illegal file-sharing to terrorists. With western nations becoming increasingly hostile toward the concept of online anonymity, it's not unreasonable to suggest the use of commercial VPNs will likely gain more traction (indeed, there's already some evidence supporting this). But can VPNs really safeguard your privacy today and, in the future, what kind of protection can you expect with the legal landscape changing so rapidly?
VPNs under fire
VPNs have come under serious scrutiny since mid-2011 after one of the leading services on the market played a pivotal role in the arrest and prosecution of a member of hacker group Lulzsec. This kicked off the debate amongst filesharers and privacy groups over whether VPNs offered any real protection to their users at all. As TorrentFreak pointed out, many are no more effective than a regular ISP due to self-imposed data retention policies.
It's certainly true all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services and logging helps identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their country's laws.
Of course, anyone concerned about privacy should not sign-up to a service that's retaining data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only stores a few minutes of activity (FIFO). That time window gives the ability to troubleshoot any connection problems that may appear, but after a few minutes no trace of activity is stored.
As you may know the EU's Data Retention Directive came into effect in 2006, requiring “public communications services” to hold web logs and email logs, amongst other data. IVPN, along with a number of other EU based VPNs, believe our services are excluded from this requirement and we do not abide by it. So far there's been no cases we're aware of compelling VPNs to retain this information. Indeed, from a user perspective, the presence or absence of retention laws seem rather arbitrary, given how many US-based VPNs willingly retain data, despite no government-mandated policy being in place (at least not yet).
When law enforcement and VPNs collide...
So what happens if a law enforcement agency approaches a VPN, serves a a subpoena, and demands a the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.
One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.
A changing landscape...
But the biggest threat to VPN usage is the changing legal landscape. The waters around the issues presented by VPNs are still being tested and laws may indeed be amended in the future to prevent such services operating in certain jurisdictions. So how do you navigate all this?
In all honesty, there are no easy answers. Picking a host country based on their current laws isn't going to help much in the long term. By far the best measure you can take is to choose a VPN that demonstrates a commitment to user privacy. Examine the company's small print, or, better yet, contact the owners and ask them upfront how far they go to protect your personal data. Ensure the company is committed to keeping users informed of any emerging threats to its service and – before buying any lengthy subscription – make sure the VPN is willing to re-domicile should its host country change any relevant laws.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: local laws, privacy, vpn
Reader Comments
Subscribe: RSS
View by: Time | Thread
A VPN that holds your data for two years is pretty much the same as not using a VPN.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Well I'm not an illegal activity user but still If I'm paying for a service I at least expect something more :)
[ link to this | view in chronology ]
Re:
Well I'm not an illegal activity user but still If I'm paying for a service I at least expect something more :)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
But I don't think that could could be difficult for them, as I mentioned in another post a few months ago, if they go after that what they need is to render it illegal to have administrative rights over your own computer,and that would make a pan-global treaty where China, Russia, the third world and the western world all bent over backwards in order to accomodate a rather small portion of the western industry.
Banning encryption or making it hard/impossible to use proxies/VPN is possible ONLY if a new standard is implemented globally where no person can be allowed to be administrator on their own computer.
Even trying is highly likely to harm or even remove a lot of business relying on VPN's, cloud services and proxies from the market. If that happens, https has to go as well so say fare-thee-well to any service using encrypted login. Banks, amazon, online franchises, personal cloud storage, etc.
But knowing how stupid(?) the thugs at the MAFIAA are, I wouldn't be surprised if they try to do that.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
I haven't particularly. Why, what does that have to do with administrative rights, VPNs, and HTTPS?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Yes.
They just have bigger idiots that are believers in what they say.
What does that say about many governments around the world?
[ link to this | view in chronology ]
Re:
Uh, no it's not. It's to set up an encrypted link between your machine and the server you're connecting to.
Never once does a VPN imply protection of anonymity, but rather, protection of data.
I concur with the other post in this thread: expectation of privacy on the internet no longer exists.
For those who use the internet every day, "privacy" isn't a concern. More people are worried their hidden personal information can be "hacked" on a site than they are about being tracked.
Hell, most are being tracked now thanks to ad cookies.
[ link to this | view in chronology ]
Re: Re:
So the EFF, EPIC, and all the other privacy activist groups should just pack up bags and go home then? No one has expectations of privacy? Lets just roll in CISPA... sheesh
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Speak for yourself. I use the internet every day, and privacy is in the top three of my concerns.
[ link to this | view in chronology ]
Re: Re: Re:
What is it, porn, privacy, porn, or porn, porn, privacy, or what? ;-)
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The reality is that US providers are not forced to retain data. My lawyers tell me that we can not be forced to do so.
[ link to this | view in chronology ]
Re:
Piracy is bad. But I do it anyway because I can't do any better. I am not rich. But that doesn't make it right.
[ link to this | view in chronology ]
There's no such thing as "privacy" OR "security"
Frankly, I call BS. I'll believe that statement when I see it happen. No one who has invested significant funds in a business or worse owes investors is going to shut down that business over a court order even if that order contradicts the very basis of the business.
"So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react"
Which is exactly what they can do. You've obviously never been raided by the Secret Service or the FBI. They will kick your door down, point a 9mm firearm in your face, and tell you to stand still. And you will.
Anyone using a commercial VPN to conduct illegal business - without further methods for obfuscating their identity - is an idiot. Anyone using a commercial VPN to protect their privacy should realize that even if THEY are not subject to a government authorized raid, someone else on that server may be. And when that happens, their privacy is over.
I have a meme about security which goes like this:
You can haz better security, you can haz worse security. But you cannot haz "security". There is no security, Deal.
The same applies to privacy. A VPN is merely a tool. Relying on any one tool to provide security or privacy is a fool's game.
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
I dunno, I think a company could quite easily set up systems to very quickly shut servers down in such an event. And I don't think its the case that law enforcement always busts in with a 9mm, certainly not outside of the US. They never did that when twitter was refusing to hand over details of suspects.
But youre right. If you're doing something seriously shady then relying on a single tool to provide security isnt smart.
[ link to this | view in chronology ]
Re: Re: There's no such thing as "privacy" OR "security"
Bingo. In military and security terms, its referred to as 'defense in depth'. Depending on how secure you want a system, you rely on multiple layers of security. Worried that a VPN is keeping logs on you? No problem, route your traffic through multiple VPNs - and change them regularly. Find an open proxy out on the internet and route through that, too. It's just like using shell companies for legal games, but it's tech, so can be automated and done much cheaper and faster. It's not that hard to do, just requires some knowledge and planning.
[ link to this | view in chronology ]
Re: Re: Re: There's no such thing as "privacy" OR "security"
How do you do that? Do you set up one VPN connection, then once you're connected, set up a second and it automatically goes through the first? I thought each VPN connection was separate, not nested.
Find an open proxy out on the internet and route through that, too.
A usable open proxy is harder to find than a flying pig. Seriously, I've searched for open proxies and they either outright don't work, or they're so slow that it takes several minutes just to load the Google home page, after it's timed out 2-3 times.
Sure, there are a few free proxy services on the net which claim to hide your identity, but they're only for simple web browsing and they're so limited that you can't even use most of them to post on forums.
[ link to this | view in chronology ]
Re: Re: Re: Re: There's no such thing as "privacy" OR "security"
A single computer can use a single VPN at a time, you are correct. However, if you get a remote seedbox and route your traffic over the VPN to that seedbox and then from that seedbox you use a separate VPN to connect to yet another seedbox using a 3rd VPN you have your defense in depth.
Not trivial in setup or cost, but if you truly want defense in depth that shouldn't be a concern.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: Re: Re: Re: There's no such thing as "privacy" OR "security"
You can absolutely tunnel VPN connections through other VPN connections, to any depth you wish. Each layer impacts performance, of course.
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: Re: There's no such thing as "privacy" OR "security"
Inconceivable!
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
[ link to this | view in chronology ]
Re: There's no such thing as "privacy" OR "security"
Thanks
God Bless
Freddy
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Nor is it smart to rely on the fact that you have multiple layers of defence unless you treat each layer as if it were the only one.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Er, no. Burglars, carjackers, pickpockets, et al victimize people they don't know every day. Privacy is pretty much security through obscurity, which isn't security.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Dunno, maybe it's just me, but that sentence alone made the entire article feels like an advert.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
But now ISP man-in-the-middle watches every byte.
) ISPs are now definitely unreliable if not hostile MITM, a key point that isn't even mentioned here. It's easily possible to log all your keystrokes: they may get passwords in plain text, or be able to deduce them in short order.
) Any activity from your end that starts in plain text, such as normal browser use, may be collected by the ISP, and eventually collated with Google queries and/or website visits; route obscured between known points doesn't necessarily hinder the surveillance state.
) You don't know that any given VPN or its software isn't totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.
) Nor do you know whether your Windows or Apple OS aren't actively backdoored, rendering VPN futile.
) (More for TOR) You don't want to be exit node of criminal activity and be left holding the bag with just a lame story that you've no idea of the original IP.
And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn't trust the biz that claims it.
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
Nice try, but your writhing is useless. You're willing to say that every VPN is compromised, but not the monitoring systems your heroes in the RIAA and MPAA use?
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
This is not quite true. Once you start your encrypted VPN tunnel all your ISP is aware of is the VPN server you are connected to. The data is encrypted and they have no way of knowing where your connection goes from there or what the data is aside from the volume.
You don't know that any given VPN or its software isn't totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.
Yes, it's true that the VPN itself could be a honeypot. That's is definitely something to be aware of. I don't worry about the software on my side because I don't use any specialized VPN software and use only the protocols supplied with Debian.
And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn't trust the biz that claims it.
Bizarre statement, Blue. So you would trust the companies that are blatant about violating your privacy over the ones who claim to stand firm for your rights?
Interesting.
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
So when companies like MarkMonitor are running around accusing people willy-nilly through six strikes, and then demanding subscriber's bandwidth data, we don't hear a peep from you. But the instant some guy promises to shut down his service should he be approached for subscriber data, that's when you're concerned about privacy?
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
You think ISPs are installing keyloggers on their customers' computers?
[ link to this | view in chronology ]
Re: But now ISP man-in-the-middle watches every byte.
[ link to this | view in chronology ]
Re: Re: But now ISP man-in-the-middle watches every byte.
That not withstanding, they can still trace the call to your phone.
[ link to this | view in chronology ]
Re: Re: Re: But now ISP man-in-the-middle watches every byte.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
This sounds a lot like "if you aren't doing anything wrong, you don't have anything to worry about." Which is simply incorrect, as has been demonstrated repeatedly for pretty much as long as civilization has existed.
The need for strong privacy and encryption is independent of whether or not you're engaging in criminal activities.
What if you're saying things that are making the government, or powerful corporations, or your employer/landlord/etc. really angry? What if you are supporting an unpopular, but legal organization? And so on and so forth.
[ link to this | view in chronology ]
If the VPN is from a third party that you don't personally know or have any relationship other than business.
No, you cannot trust that, they will and many actually do cooperate above and beyond with law enforcement.
Now if you set up your own VPN and know where it is and how the data goes from point A to point B than yes.
Here is a treat for the tinfoil crowd or for those wanting something to go with the popcorn.
http://www.zeropaid.com/news/103429/full-dotcom-spying-documents-released/
The documents about the planing and cooperation among law enforcement agencies was released and it appears that the New Zealand police knew they would be in trouble, they knew it was against their own laws, now that is some private crap that should not be protect ever.
[ link to this | view in chronology ]
NO THEY CAN'T unless paid cash
[ link to this | view in chronology ]
"Hey, i trust this guy, he belives in the same things we do, not through words, but through actions"
Well, maybe not so articulate, but the gist of it, none the less
[ link to this | view in chronology ]
Me, i hope one rises, to make this a public discussion, and thus hopefully, more people......givin a damn.........the way it should be with everything
[ link to this | view in chronology ]
[ link to this | view in chronology ]
in other words the IP address of the computer on your private network are not available or accessible on the internet. Thousands of businesses use this, it uses some of the same hardware you use to get on the internet, but it is a private network, apart and disconnected to the network..
Do you think a banks national network that their staff uses is connected to the internet ?? or ATM machines ?
those systems are separate from the internet, and cannot be hacked from the internet, because they don't exist there, they use privately leased dedicated data lines.
[ link to this | view in chronology ]
Plausible deniability.
When the subpoena arrives, rm ...
[ link to this | view in chronology ]
Re: Plausible deniability.
A) rm is not going to cut it against forensic techniques
B) after the subpoena arrives is too late. You can go to jail for destruction of evidence at that point.
[ link to this | view in chronology ]
Re: Re: Plausible deniability.
That's why we have encryption. As long as you're not in Britain, they don't get your encryption key.
That was just a suggested course. There's far sneakier ways to implement it. "Your honour, I didn't even login that day. How could I have destroyed evidence?" Well, via a cron shell script that checks whether you've "touch"ed that file less than 24 hr. ago and if not, deletes it.
Besides, it's abundantly clear that judges and juries are utterly clueless about technical computing gibberish like this. Good luck educating that imbecile IQ level jury you picked, Mr. Prosecutor.
[ link to this | view in chronology ]
Re: Re: Plausible deniability.
[ link to this | view in chronology ]
Short Answer: No
VPNs can be a huge help in safeguarding your privacy, but only if you don't use a third-party VPN provider. They're necessary anyway.
[ link to this | view in chronology ]
Reality of subpoenas
Over the years the number of subpoenas we have received has varied significantly, but has never really been less than several per month. As we have no logging that would connect our users to their actions, we can't be responsive to that kind of request. As a subscription service, we could be (and have been) asked if a given person is a customer, but that would not say anything about what they had done.
We have been asked to set up ongoing monitoring that would allow us to capture this kind of information, but we have declined, and no legal force has been brought to bear that could force us to do so.
The real problem is that your computer and browser are probably so well profiled, and full of tracking elements, that you are likely to be identified even while using a privacy VPN, unless you take significant additional steps.
[ link to this | view in chronology ]
Re: Reality of subpoenas
to that end, do you have link/source for *reasonable*, *affordable* steps that can be taken to *increase* privacy and make surveillance more difficult for the 'good' (sic) guys ? ?? (and, yes, i will look up your s/w and website to both see what it does, as well as for additional info)
further, (even though you didn't talk extensively about this) are there VPNs which are -relatively speaking- trustworthy in regards to either not tracking stuff, or that have a record of telling the kops, etc to go piss up a rope ? ? ?
thanks again for your insight...
art guerrilla
aka ann archy
eof
[ link to this | view in chronology ]
Re: Re: Reality of subpoenas
I suggest using virtualization. VMWare or Virtual Box can give you a disposable environment that you can reset after each use. That provides a lot of protection, in conjunction with the VPN.
As to trustworthy, it is hard to say. One can't really prove a negative. Look at the privacy policies to see that they at least SAY they don't keep logs. Then look for cases where users have been compromised. That almost always gets out. Hide My Ass was shown to keep logs when it lead to the arrest of a member of LulzSec.
I have written quite a bit about this on my blog http://www.theprivacyblog.com
[ link to this | view in chronology ]
Re: Re: Re: Reality of subpoenas
following up on info you provided...
art guerrilla
aka ann archy
eof
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Many times its impossible to collect such data as the volume makes it prohibitive. Its normal that a popular VPN generates 2-4 plus terrabytes a day.
The best way to keep data leaks from happening is not to keep it or collect it at all. Its the only way so much so that it would be nice to see legislation that ensures such (non) action. For now, even if it would be a form of civil disobedience, its probably best to randomize/anonymize posts in logs/blogs/bbs/forums were possible. (there are troubleshooting and maintenance concerns) It's best to dispose of them before any errant court order demanded them because its worse to knowingly destroy evidence.
There are good exceptions like Wikipedia revision history. Its been great fun knowing who attempts revisionist history. To be honest it might be nice for Wikipedia to offer a corporation sponsored (not the front page but only a tab or button) page if the user wanted to click on it. I just love to read clashing viewpoints and when discovered they raise red flags and loud sirens of incongruity. (lies)
US (and potentially European) law has basically gone crazy with unavoidable felonies committed every day just for backing up data and other stupider things too. At the present conversion rate Jaywalking and parking tickets will soon be added to the death penalty also. Since copytight (right) law is broken almost every time a phone camera is clicked is hard to take them seriously especially when more law is broken just to send it to a friend.
Because of the above obvious legal abuse it makes warrants and gag orders a potential way to abuse law. In fact considering the silly drug laws and ridiculous copyright laws the law is starting to look lawless.
A VPN with a data retention policy of any time length beyond maintenance is as good as not having one at all. A legitimate VPN is becoming almost as normal as an Internet connection.
[ link to this | view in chronology ]
Also i suggest hidemyss vpn service because, they have more IPs than any other vpn providers read review here
http://www.cpmu.org/hidemyass/
[ link to this | view in chronology ]
More IP addresses != more privacy
If everyone is coming from a single IP, it maximizes the anonymity group and the associated privacy.
The only advantage of more IP addresses is commercial large scale information harvesting. This is generally a very different kind of service.
Geographically diverse (but perhaps not numerous) IP addresses can be useful in bypassing location based access restrictions or pricing, but don't impact privacy.
[ link to this | view in chronology ]
I use Internet for good purposes and I never committed crime that can cause problem in my community.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
VPN Services
[ link to this | view in chronology ]
vpn
[ link to this | view in chronology ]
hidemyass vpn
http://www.hideipsoftwares.com/hide-my-ass-review
[ link to this | view in chronology ]