Can Commercial VPNs Really Protect Your Privacy?

from the it-depends dept

Nick Pearson is the founder of IVPN - a privacy-focused VPN service, and Electronic Frontier Foundation member.

As Techdirt readers are no doubt well aware, online surveillance laws are undergoing a major revamp across the western world. From Australia to the UK, law enforcement agencies are taking the opportunity to gain unprecedented powers over the data they can monitor, and are blaming the crackdown on everything from illegal file-sharing to terrorists. With western nations becoming increasingly hostile toward the concept of online anonymity, it's not unreasonable to suggest the use of commercial VPNs will likely gain more traction (indeed, there's already some evidence supporting this). But can VPNs really safeguard your privacy today and, in the future, what kind of protection can you expect with the legal landscape changing so rapidly?

VPNs under fire

VPNs have come under serious scrutiny since mid-2011 after one of the leading services on the market played a pivotal role in the arrest and prosecution of a member of hacker group Lulzsec. This kicked off the debate amongst filesharers and privacy groups over whether VPNs offered any real protection to their users at all. As TorrentFreak pointed out, many are no more effective than a regular ISP due to self-imposed data retention policies.

It's certainly true all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services and logging helps identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their country's laws.

Of course, anyone concerned about privacy should not sign up to a service that's retaining data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only stores a few minutes of activity (FIFO). That time window gives the ability to troubleshoot any connection problems that may appear, but after a few minutes no trace of activity is stored.
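A sketch of the non-persistent, time-bounded FIFO log described above, as an added example (it is not IVPN's code or any provider's implementation). The class names, the 300-second window, the entry cap and the sample events are assumptions, and the events are constructed.

```python
import time
from collections import deque


class ManualClock:
    """Constructed clock so the demo runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class VolatileLog:
    """In-memory FIFO log; entries older than `window_seconds` are dropped.

    Nothing is ever written to disk by this class. Names and defaults are
    hypothetical, chosen for illustration.
    """

    def __init__(self, window_seconds=300.0, max_entries=50_000,
                 clock=time.monotonic):
        self.window = window_seconds
        self._clock = clock
        # maxlen bounds memory under a traffic spike: oldest entries go first.
        self._entries = deque(maxlen=max_entries)

    def purge(self):
        """Drop expired entries and return how many were dropped.

        Must also run on a timer: if expiry only happens on write or read,
        a gateway that goes idle keeps its last entries in memory forever.
        """
        cutoff = self._clock() - self.window
        dropped = 0
        while self._entries and self._entries[0][0] < cutoff:
            self._entries.popleft()
            dropped += 1
        return dropped

    def record(self, session, event):
        self.purge()
        self._entries.append((self._clock(), session, event))

    def recent(self, session=None):
        """Entries still inside the window, optionally for one session."""
        self.purge()
        return [(ts, s, e) for ts, s, e in self._entries
                if session is None or s == session]

    def __len__(self):
        # Deliberately does not purge: reports what is really held in memory.
        return len(self._entries)


def demo():
    clock = ManualClock()
    log = VolatileLog(window_seconds=300, clock=clock)

    log.record("sess-a", "tls handshake failed")   # t = 0 (constructed event)
    clock.advance(100)
    log.record("sess-b", "tunnel up")              # t = 100 (constructed event)

    clock.advance(150)                             # t = 250, both inside window
    within = len(log.recent())

    clock.advance(100)                             # t = 350, sess-a has aged out
    after_first = [s for _, s, _ in log.recent()]

    clock.advance(650)                             # t = 1000, gateway was idle
    stale_in_memory = len(log)                     # still held until a purge runs
    dropped = log.purge()                          # what the timer would do
    after_purge = len(log)
    return within, after_first, stale_in_memory, dropped, after_purge


if __name__ == "__main__":
    print(demo())
```

Process memory can still reach disk through swap or core dumps, so a deployment relying on this would have to account for those as well.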

As you may know, the EU's Data Retention Directive came into effect in 2006, requiring “public communications services” to hold web logs and email logs, amongst other data. IVPN, along with a number of other EU-based VPNs, believe our services are excluded from this requirement and we do not abide by it. So far there have been no cases we're aware of compelling VPNs to retain this information. Indeed, from a user perspective, the presence or absence of retention laws seems rather arbitrary, given how many US-based VPNs willingly retain data, despite no government-mandated policy being in place (at least not yet).

When law enforcement and VPNs collide...

So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.

One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.

A changing landscape...

But the biggest threat to VPN usage is the changing legal landscape. The waters around the issues presented by VPNs are still being tested and laws may indeed be amended in the future to prevent such services operating in certain jurisdictions. So how do you navigate all this?

In all honesty, there are no easy answers. Picking a host country based on their current laws isn't going to help much in the long term. By far the best measure you can take is to choose a VPN that demonstrates a commitment to user privacy. Examine the company's small print, or, better yet, contact the owners and ask them upfront how far they go to protect your personal data. Ensure the company is committed to keeping users informed of any emerging threats to its service and – before buying any lengthy subscription – make sure the VPN is willing to re-domicile should its host country change any relevant laws.


Filed Under: local laws, privacy, vpn


Reader Comments


  1. Anonymous Coward, 4 Apr 2013 @ 12:35am

    Most VPNs will have a list of which countries make them retain data and for how long. It's something everyone should look at for sure especially if they're concerned about their privacy.

    A VPN that holds your data for two years is pretty much the same as not using a VPN.

  2. Anonymous Coward, 4 Apr 2013 @ 1:15am

    the whole point of a VPN service is to protect users anonymity. if a user specifically wants that and the service doesn't do that, then the user should move providers. as user anonymity is the main reason for using a VPN service, what is the point of having it if it doesn't protect users privacy? i am sure that VPN providers will be targeted very soon, simply because the USA entertainment industries don't like them. given how there is nothing more important to the USA government than doing whatever it takes to protect an early C20 business and helping it to remain as that, the VPN providers will be forced to keep all logs. that will mean a drastic loss of business and in a lot of cases, total collapse and shut down. that will bring more unemployment but it won't matter because, according to the bull shit reports put out by half-wits like Dodd, there are a gazillion people working in the movie industry who are losing their jobs every day because of 'piracy'. if anyone here believes that, you are a bigger fucking idiot than Dodd!!

  3. Richard Hack, 4 Apr 2013 @ 1:39am

    There's no such thing as "privacy" OR "security"

    "We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same."

    Frankly, I call BS. I'll believe that statement when I see it happen. No one who has invested significant funds in a business or worse owes investors is going to shut down that business over a court order even if that order contradicts the very basis of the business.

    "So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react"

    Which is exactly what they can do. You've obviously never been raided by the Secret Service or the FBI. They will kick your door down, point a 9mm firearm in your face, and tell you to stand still. And you will.

    Anyone using a commercial VPN to conduct illegal business - without further methods for obfuscating their identity - is an idiot. Anyone using a commercial VPN to protect their privacy should realize that even if THEY are not subject to a government authorized raid, someone else on that server may be. And when that happens, their privacy is over.

    I have a meme about security which goes like this:

    You can haz better security, you can haz worse security. But you cannot haz "security". There is no security, Deal.

    The same applies to privacy. A VPN is merely a tool. Relying on any one tool to provide security or privacy is a fool's game.

  4. PopeyeLePoteaux, 4 Apr 2013 @ 1:39am

    Re:

    Yeah, I'm certain copyright cartels will go after VPNs and even encryption in general at some point in the not so distant future.

    But I don't think that could be difficult for them, as I mentioned in another post a few months ago, if they go after that what they need is to render it illegal to have administrative rights over your own computer, and that would make a pan-global treaty where China, Russia, the third world and the western world all bent over backwards in order to accommodate a rather small portion of the western industry.

    Banning encryption or making it hard/impossible to use proxies/VPN is possible ONLY if a new standard is implemented globally where no person can be allowed to be administrator on their own computer.

    Even trying is highly likely to harm or even remove a lot of business relying on VPN's, cloud services and proxies from the market. If that happens, https has to go as well so say fare-thee-well to any service using encrypted login. Banks, amazon, online franchises, personal cloud storage, etc.

    But knowing how stupid(?) the thugs at the MAFIAA are, I wouldn't be surprised if they try to do that.

  5. Anonymous Coward, 4 Apr 2013 @ 1:40am

    Re:

    Can someone who has fooled so many into believing his wild and unsubstantiated lies really be classified as an idiot?

  6. Anonymous Coward, 4 Apr 2013 @ 1:43am

    Re: There's no such thing as "privacy" OR "security"

  7. Carlos Tevez, 4 Apr 2013 @ 1:46am

    Re: There's no such thing as "privacy" OR "security"

    To me it seems quite logical to shut down should they be forced to give up a customer's private information since they would loose all reputation anyway. Rather save face and start up somewhere else.

  8. Anonymous Coward, 4 Apr 2013 @ 1:48am

    Re: There's no such thing as "privacy" OR "security"

    "Which is exactly what they can do. You've obviously never been raided by the Secret Service or the FBI. They will kick your door down, point a 9mm firearm in your face, and tell you to stand still. And you will."

    I dunno, I think a company could quite easily set up systems to very quickly shut servers down in such an event. And I don't think it's the case that law enforcement always busts in with a 9mm, certainly not outside of the US. They never did that when Twitter was refusing to hand over details of suspects.

    But you're right. If you're doing something seriously shady then relying on a single tool to provide security isn't smart.

  9. Mr. Applegate, 4 Apr 2013 @ 3:17am

    Re: Re:

  10. Mr. Applegate, 4 Apr 2013 @ 3:21am

    Re: Re:

    Can someone who has fooled so many into believing his wild and unsubstantiated lies really be classified as an idiot?


    Yes.

    They just have bigger idiots that are believers in what they say.

    What does that say about many governments around the world?

  11. Anonymous Coward, 4 Apr 2013 @ 3:29am

    Re: Re:

    You have been following the whole HTML5 standard thing, right?

  12. Akari Mizunashi, 4 Apr 2013 @ 3:34am

    Re:

    "the whole point of a VPN service is to protect users anonymity."

    Uh, no it's not. It's to set up an encrypted link between your machine and the server you're connecting to.

    Never once does a VPN imply protection of anonymity, but rather, protection of data.

    I concur with the other post in this thread: expectation of privacy on the internet no longer exists.

    For those who use the internet every day, "privacy" isn't a concern. More people are worried their hidden personal information can be "hacked" on a site than they are about being tracked.

    Hell, most are being tracked now thanks to ad cookies.

  13. Mr. Applegate, 4 Apr 2013 @ 3:36am

    But you're right. If you're doing something seriously shady then relying on a single tool to provide security isn't smart.

    It isn't smart to EVER rely on a single tool to provide security. It is called defense in depth.

  14. LoseTheLoose, 4 Apr 2013 @ 4:16am

    Re: Re: There's no such thing as "privacy" OR "security"

    I'd hate to have a 'loose' reputation.

  15. quawonk, 4 Apr 2013 @ 4:38am

    There cannot be a single solitary communication between human beings that the government cannot snoop on. That seems to be their position.

  16. Richard, 4 Apr 2013 @ 5:14am

    Re:

    It isn't smart to EVER rely on a single tool to provide security. It is called defense in depth.

    Nor is it smart to rely on the fact that you have multiple layers of defence unless you treat each layer as if it were the only one.

  17. Anonymous Coward, 4 Apr 2013 @ 5:19am

    Re: Re:

    "expectation of privacy on the internet no longer exists."

    So the EFF, EPIC, and all the other privacy activist groups should just pack up bags and go home then? No one has expectations of privacy? Let's just roll in CISPA... sheesh

  18. The Real Michael, 4 Apr 2013 @ 5:24am

    Who would've thought just a decade ago that security would become the single greatest threat to privacy on the internet?

  19. JarHead, 4 Apr 2013 @ 5:47am

    Re: Re: Re:

    How things should be and what really is are 2 different matters. I agree with Akari, that's the way things really are. That doesn't mean EFF, EPIC, etc, should "pack up and go sulk in the corner". They're the vanguards fighting for what things should be, and play an important role if we are to have what really is closer to what it should be.

  20. JarHead, 4 Apr 2013 @ 5:57am

    "We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same."

    Dunno, maybe it's just me, but that sentence alone made the entire article feel like an advert.

  21. out_of_the_blue, 4 Apr 2013 @ 6:03am

    But now ISP man-in-the-middle watches every byte.

    ) The ISP doesn't have to trace you: KNOWS exactly who and where you are; signed up and gave 'em name and credit card #, remember?

    ) ISPs are now definitely unreliable if not hostile MITM, a key point that isn't even mentioned here. It's easily possible to log all your keystrokes: they may get passwords in plain text, or be able to deduce them in short order.

    ) Any activity from your end that starts in plain text, such as normal browser use, may be collected by the ISP, and eventually collated with Google queries and/or website visits; route obscured between known points doesn't necessarily hinder the surveillance state.

    ) You don't know that any given VPN or its software isn't totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.

    ) Nor do you know whether your Windows or Apple OS aren't actively backdoored, rendering VPN futile.

    ) (More for TOR) You don't want to be exit node of criminal activity and be left holding the bag with just a lame story that you've no idea of the original IP.

    And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn't trust the biz that claims it.

  22. Josh in CharlotteNC, 4 Apr 2013 @ 6:24am

    Re: Re: There's no such thing as "privacy" OR "security"

    If you're doing something seriously shady then relying on a single tool to provide security isn't smart.

    Bingo. In military and security terms, its referred to as 'defense in depth'. Depending on how secure you want a system, you rely on multiple layers of security. Worried that a VPN is keeping logs on you? No problem, route your traffic through multiple VPNs - and change them regularly. Find an open proxy out on the internet and route through that, too. It's just like using shell companies for legal games, but it's tech, so can be automated and done much cheaper and faster. It's not that hard to do, just requires some knowledge and planning.

  23. Josh in CharlotteNC, 4 Apr 2013 @ 6:33am

    Re:

    A decade? That's funny. That's like saying WW2 started at the Battle of Midway or on D-Day. 20 years ago we were already fighting the encryption wars. It was clear way back then. Do some research on the clipper chip, key escrow, and import/export controls. EFF and EPIC were founded on this stuff.

  24. Anonymous Coward, 4 Apr 2013 @ 6:40am

    Re:

    Came here to post this, so I'll just agree.

  25. The Real Michael, 4 Apr 2013 @ 6:47am

    Re: Re:

    Yes, but it was nowhere near this widespread. It seems as though there's a definite trade-off between security and privacy, yet is not privacy security?

  26. dennis deems, 4 Apr 2013 @ 7:08am

    Re: There's no such thing as "privacy" OR "security"

    I have a meme

    I do not think that word means what you think it means.

  27. Rekrul, 4 Apr 2013 @ 7:27am

    Re: Re: Re: There's no such thing as "privacy" OR "security"

    No problem, route your traffic through multiple VPNs - and change them regularly.

    How do you do that? Do you set up one VPN connection, then once you're connected, set up a second and it automatically goes through the first? I thought each VPN connection was separate, not nested.

    Find an open proxy out on the internet and route through that, too.

    A usable open proxy is harder to find than a flying pig. Seriously, I've searched for open proxies and they either outright don't work, or they're so slow that it takes several minutes just to load the Google home page, after it's timed out 2-3 times.

    Sure, there are a few free proxy services on the net which claim to hide your identity, but they're only for simple web browsing and they're so limited that you can't even use most of them to post on forums.

  28. Rekrul, 4 Apr 2013 @ 7:28am

    Re: Re: There's no such thing as "privacy" OR "security"

    I do not think that word means what you think it means.

    Inconceivable!

  29. Casey, 4 Apr 2013 @ 7:45am

    VPNs are not going to hand out your information unless they are required by law. So long as you don't do anything illegal, they should do quite a lot toward protecting your privacy. But don't expect them to protect you against your crimes.

  30. Anonymous Coward, 4 Apr 2013 @ 7:51am

    Can you trust VPN's for privacy and security?

    If the VPN is from a third party that you don't personally know or have any relationship other than business.

    No, you cannot trust that, they will and many actually do cooperate above and beyond with law enforcement.

    Now if you set up your own VPN and know where it is and how the data goes from point A to point B then yes.

    Here is a treat for the tinfoil crowd or for those wanting something to go with the popcorn.
    http://www.zeropaid.com/news/103429/full-dotcom-spying-documents-released/

    The documents about the planning and cooperation among law enforcement agencies were released and it appears that the New Zealand police knew they would be in trouble, they knew it was against their own laws, now that is some private crap that should not be protected ever.

  31. Corwin, 4 Apr 2013 @ 7:54am

    NO THEY CAN'T unless paid cash

  32. Anonymous Coward, 4 Apr 2013 @ 7:57am

    Re: But now ISP man-in-the-middle watches every byte.

    Except for the fact that someone who uses TOR in Europe was approached by the police, who promptly left him alone once they found out that he was running TOR and wasn't the man that the authorities were after.

    Nice try, but your writhing is useless. You're willing to say that every VPN is compromised, but not the monitoring systems your heroes in the RIAA and MPAA use?

  33. pixelpusher220, 4 Apr 2013 @ 7:57am

    Re: Re: Re: Re: There's no such thing as "privacy" OR "security"

    How do you do that?


    A single computer can use a single VPN at a time, you are correct. However, if you get a remote seedbox and route your traffic over the VPN to that seedbox and then from that seedbox you use a separate VPN to connect to yet another seedbox using a 3rd VPN you have your defense in depth.

    Not trivial in setup or cost, but if you truly want defense in depth that shouldn't be a concern.

  34. Anonymous Coward, 4 Apr 2013 @ 8:44am

    I think it's gonna take a very public show of a privacy case, for the majority who care about anonymity, to believe

    "Hey, i trust this guy, he believes in the same things we do, not through words, but through actions"

    Well, maybe not so articulate, but the gist of it, none the less

  35. Gwiz, 4 Apr 2013 @ 8:45am

    Re: But now ISP man-in-the-middle watches every byte.

    ) Any activity from your end that starts in plain text, such as normal browser use, may be collected by the ISP, and eventually collated with Google queries and/or website visits; route obscured between known points doesn't necessarily hinder the surveillance state.


    This is not quite true. Once you start your encrypted VPN tunnel all your ISP is aware of is the VPN server you are connected to. The data is encrypted and they have no way of knowing where your connection goes from there or what the data is aside from the volume.




    You don't know that any given VPN or its software isn't totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.


    Yes, it's true that the VPN itself could be a honeypot. That is definitely something to be aware of. I don't worry about the software on my side because I don't use any specialized VPN software and use only the protocols supplied with Debian.




    And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn't trust the biz that claims it.


    Bizarre statement, Blue. So you would trust the companies that are blatant about violating your privacy over the ones who claim to stand firm for your rights?
    Interesting.

  36. Anonymous Coward, 4 Apr 2013 @ 8:48am

    One will rise, or never come at all

    Me, i hope one rises, to make this a public discussion, and thus hopefully, more people......givin a damn.........the way it should be with everything

  37. skyfall, 4 Apr 2013 @ 9:02am

    There is an article on invisibler, http://invisibler.com/lulzsec-and-hidemyass/ talking about this matter as well. The author of that article basically called "it's a lie" for vpn providers promising 100% anonymity while pure anonymity hardly exists at all.

  38. Rikuo, 4 Apr 2013 @ 9:07am

    Re: But now ISP man-in-the-middle watches every byte.

    "And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn't trust the biz that claims it."

    So when companies like MarkMonitor are running around accusing people willy-nilly through six strikes, and then demanding subscriber's bandwidth data, we don't hear a peep from you. But the instant some guy promises to shut down his service should he be approached for subscriber data, that's when you're concerned about privacy?

  39. Anonymous Coward, 4 Apr 2013 @ 9:14am

    well then do what most people do if they require it and create a Private Network, not virtual, not even connected to the internet.

    in other words the IP addresses of the computers on your private network are not available or accessible on the internet. Thousands of businesses use this, it uses some of the same hardware you use to get on the internet, but it is a private network, apart and disconnected from the network.

    Do you think a bank's national network that their staff uses is connected to the internet ?? or ATM machines ?

    those systems are separate from the internet, and cannot be hacked from the internet, because they don't exist there, they use privately leased dedicated data lines.

  40. tqk, 4 Apr 2013 @ 9:17am

    Plausible deniability.

    touch "/etc/As long as this file exists, you may be assured we've not been issued a subpoena to retain VPN usage history"

    When the subpoena arrives, rm ...

  41. Rich, 4 Apr 2013 @ 9:28am

    Re: But now ISP man-in-the-middle watches every byte.

    You don't understand how computers work, do you? The ISP can "watch every byte" all it wants. With VPN, the data is encrypted before the ISP even sees it.

  42. John Fenderson, 4 Apr 2013 @ 9:28am

    Short Answer: No

    No commercial service provider can really protect your privacy, including VPNs. They all are subject to surveillance laws and the whims of their own management.

    VPNs can be a huge help in safeguarding your privacy, but only if you don't use a third-party VPN provider. They're necessary anyway.

  43. John Fenderson, 4 Apr 2013 @ 9:32am

    Re: Re:

    For those who use the internet every day, "privacy" isn't a concern.


    Speak for yourself. I use the internet every day, and privacy is in the top three of my concerns.

  44. John Fenderson, 4 Apr 2013 @ 9:35am

    Re: Re: Re: Re: There's no such thing as "privacy" OR "security"

    I thought each VPN connection was separate, not nested.


    You can absolutely tunnel VPN connections through other VPN connections, to any depth you wish. Each layer impacts performance, of course.

  45. John Fenderson, 4 Apr 2013 @ 9:36am

    Re:

    Pretty much everybody, that's who.

  46. John Fenderson, 4 Apr 2013 @ 9:41am

    Re:

    But don't expect them to protect you against your crimes.


    This sounds a lot like "if you aren't doing anything wrong, you don't have anything to worry about." Which is simply incorrect, as has been demonstrated repeatedly for pretty much as long as civilization has existed.

    The need for strong privacy and encryption is independent of whether or not you're engaging in criminal activities.

    What if you're saying things that are making the government, or powerful corporations, or your employer/landlord/etc. really angry? What if you are supporting an unpopular, but legal organization? And so on and so forth.

  47. nasch, 4 Apr 2013 @ 9:50am

    Re: Re: Re:

    You have been following the whole HTML5 standard thing, right?

    I haven't particularly. Why, what does that have to do with administrative rights, VPNs, and HTTPS?

  48. nasch, 4 Apr 2013 @ 9:53am

    Re: Re: Re:

    I use the internet every day, and privacy is in the top three of my concerns.

    What is it, porn, privacy, porn, or porn, porn, privacy, or what? ;-)

  49. tqk, 4 Apr 2013 @ 9:55am

    Re: Re: Re:

    ... yet is not privacy security?

    Er, no. Burglars, carjackers, pickpockets, et al victimize people they don't know every day. Privacy is pretty much security through obscurity, which isn't security.

  50. Lance Cottrell, 4 Apr 2013 @ 10:09am

    Reality of subpoenas

    Having founded anonymizer.com in 1995 and being actively involved with it to the present day, I have some first hand experience with this issue. Our business and servers are all located in the US, so this may not apply in other countries.

    Over the years the number of subpoenas we have received has varied significantly, but has never really been less than several per month. As we have no logging that would connect our users to their actions, we can't be responsive to that kind of request. As a subscription service, we could be (and have been) asked if a given person is a customer, but that would not say anything about what they had done.
    We have been asked to set up ongoing monitoring that would allow us to capture this kind of information, but we have declined, and no legal force has been brought to bear that could force us to do so.
    The real problem is that your computer and browser are probably so well profiled, and full of tracking elements, that you are likely to be identified even while using a privacy VPN, unless you take significant additional steps.

  51. Anonymous Coward, 4 Apr 2013 @ 10:32am

    Re: Re: Re: Re: Re: There's no such thing as "privacy" OR "security"

    I wouldn't say it's costly really. VPS boxes are relatively cheap nowadays, so that could be one route. TOR is freely available as one type of proxy/vpn. There is also the Public VPN project: http://www.vpngate.net/en/about_overview.aspx. Setup is the real issue, as you would have to tweak default routes around, and the really paranoid would want to purchase anything in their own name. For most illegal purposes, I'm sure they would simply use hijacked C&C or webservers.

  52. John Fenderson, 4 Apr 2013 @ 10:54am

    Re: Re: Re: Re:

    Ok, top four. porn, privacy, porn, porn, screen cleaners.

  53. nasch, 4 Apr 2013 @ 10:55am

    Re: But now ISP man-in-the-middle watches every byte.

    ISPs are now definitely unreliable if not hostile MITM, a key point that isn't even mentioned here. It's easily possible to log all your keystrokes: they may get passwords in plain text, or be able to deduce them in short order.

    You think ISPs are installing keyloggers on their customers' computers?

    link to this | view in thread ]

  54. icon
    nasch (profile), 4 Apr 2013 @ 11:08am

    Re: Plausible deniability.

    When the subpoena arrives, rm ...

    A) rm is not going to cut it against forensic techniques
    B) after the subpoena arrives is too late. You can go to jail for destruction of evidence at that point.

    link to this | view in thread ]

  55. icon
    art guerrilla (profile), 4 Apr 2013 @ 12:00pm

    Re: Reality of subpoenas

    thanks for your response, the insights of people who actually use (or make) these tools is ALWAYS invaluable to us who know little about the subject...

    to that end, do you have link/source for *reasonable*, *affordable* steps that can be taken to *increase* privacy and make surveillance more difficult for the 'good' (sic) guys ? ?? (and, yes, i will look up your s/w and website to both see what it does, as well as for additional info)

    further, (even though you didn't talk extensively about this) are there VPNs which are -relatively speaking- trustworthy in regards to either not tracking stuff, or that have a record of telling the kops, etc to go piss up a rope ? ? ?

    thanks again for your insight...

    art guerrilla
    aka ann archy
    eof

    link to this | view in thread ]

  56. icon
    tqk (profile), 4 Apr 2013 @ 12:05pm

    Re: Re: Plausible deniability.

    A) rm is not going to cut it against forensic techniques

    That's why we have encryption. As long as you're not in Britain, they don't get your encryption key.

    B) after the subpoena arrives is too late. You can go to jail for destruction of evidence at that point.

    That was just a suggested course. There are far sneakier ways to implement it. "Your honour, I didn't even login that day. How could I have destroyed evidence?" Well, via a cron shell script that checks whether you've "touch"ed that file less than 24 hr. ago and if not, deletes it.

    Besides, it's abundantly clear that judges and juries are utterly clueless about technical computing gibberish like this. Good luck educating that imbecile IQ level jury you picked, Mr. Prosecutor.

    link to this | view in thread ]

  57. icon
    Lance Cottrell (profile), 4 Apr 2013 @ 12:47pm

    Re: Re: Reality of subpoenas

    A good privacy-oriented VPN is a good start. Obviously I am partial to Anonymizer.com. TOR can work well, but I worry that many node operators may be sniffing any and all traffic in the clear.

    I suggest using virtualization. VMware or VirtualBox can give you a disposable environment that you can reset after each use. That provides a lot of protection, in conjunction with the VPN.

    As to trustworthy, it is hard to say. One can't really prove a negative. Look at the privacy policies to see that they at least SAY they don't keep logs. Then look for cases where users have been compromised. That almost always gets out. Hide My Ass was shown to keep logs when it led to the arrest of a member of LulzSec.

    I have written quite a bit about this on my blog http://www.theprivacyblog.com

    link to this | view in thread ]

  58. icon
    art guerrilla (profile), 4 Apr 2013 @ 1:19pm

    Re: Re: Re: Reality of subpoenas

    thanks again...

    following up on info you provided...

    art guerrilla
    aka ann archy
    eof

    link to this | view in thread ]

  59. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:10pm

    Re: There's no such thing as "privacy" OR "security"

    Nothing is foolproof, but some protection is better than none. A .32 isn't exactly the best gun in the world, but I'd rather have that than no gun at all.

    link to this | view in thread ]

  60. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:15pm

    Re:

    One example is disabling Javascript and ActiveX. If ActiveX and/or Javascript are enabled, your real IP address could be read even if you are going through a proxy.

    link to this | view in thread ]

  61. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:19pm

    Yes if used correctly.

    link to this | view in thread ]

  62. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:22pm

    Re: Re: Plausible deniability.

    I have 3 cleaning programs installed, and I use them after each and every use of my computer.

    link to this | view in thread ]

  63. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:23pm

    The trouble is that a VPN service operating, say, out of Europe could never be subject to US laws, as long as they obey European laws.

    link to this | view in thread ]

  64. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:25pm

    Re:

    It all depends on where the server is. They only have to obey the laws of whatever country a particular server is in. So, Perfect Privacy, for example, only has to obey Chinese laws on their Chinese servers, and their Chinese servers are not subject to any US laws.

    link to this | view in thread ]

  65. identicon
    Anonymous Coward, 4 Apr 2013 @ 2:32pm

    Re: But now ISP man-in-the-middle watches every byte.

    When I signed up with my ISP, I didn't have to give them any credit card info. Also, it is possible to sign up with a small-town ISP under an alias and other fake info (at least, it was years ago). It also helps to pay your bill in cash. ;)

    link to this | view in thread ]

  66. identicon
    Anonymous Coward, 4 Apr 2013 @ 3:50pm

    Re: Re: But now ISP man-in-the-middle watches every byte.

    That is fine if you have an older computer that can dial-up. Virtually all new computers cannot dial-up, because they cannot use a dial-up modem.

    That notwithstanding, they can still trace the call to your phone.

    link to this | view in thread ]

  67. identicon
    Anonymous Coward, 4 Apr 2013 @ 3:53pm



    It does not matter where the VPN provider re-domiciles. It is the countries where the servers are that determine what laws apply. Servers in the UK, for example, are subject to UK laws and only UK laws.

    link to this | view in thread ]

  68. icon
    special-interesting (profile), 4 Apr 2013 @ 4:44pm

    There are many reasons why business has left some countries and the lack of privacy is a large one. If a country does not respect even its own citizens' privacy all complaints about lost GDP/business/trade are just whining. And if such records are required to do business then expect higher prices as it only adds to operational costs. (again driving business overseas)

    Many times it's impossible to collect such data as the volume makes it prohibitive. It's normal that a popular VPN generates 2-4 plus terabytes a day.

    The best way to keep data leaks from happening is not to keep it or collect it at all. It's the only way, so much so that it would be nice to see legislation that ensures such (non) action. For now, even if it would be a form of civil disobedience, it's probably best to randomize/anonymize posts in logs/blogs/bbs/forums where possible. (there are troubleshooting and maintenance concerns) It's best to dispose of them before any errant court order demanded them because it's worse to knowingly destroy evidence.

    There are good exceptions like Wikipedia revision history. It's been great fun knowing who attempts revisionist history. To be honest it might be nice for Wikipedia to offer a corporation sponsored (not the front page but only a tab or button) page if the user wanted to click on it. I just love to read clashing viewpoints and when discovered they raise red flags and loud sirens of incongruity. (lies)

    US (and potentially European) law has basically gone crazy with unavoidable felonies committed every day just for backing up data and other stupider things too. At the present conversion rate Jaywalking and parking tickets will soon be added to the death penalty also. Since copytight (right) law is broken almost every time a phone camera is clicked it is hard to take them seriously, especially when more law is broken just to send it to a friend.

    Because of the above obvious legal abuse it makes warrants and gag orders a potential way to abuse law. In fact considering the silly drug laws and ridiculous copyright laws the law is starting to look lawless.

    A VPN with a data retention policy of any time length beyond maintenance is as good as not having one at all. A legitimate VPN is becoming almost as normal as an Internet connection.

    link to this | view in thread ]

  69. identicon
    Anonymous Coward, 4 Apr 2013 @ 5:30pm

    Re: Re: Re: But now ISP man-in-the-middle watches every byte.

    Yes, my computer is 10 years old and I have dial-up. Primitive, I know, but it works. When I need high-speed for downloading, I use a public access computer.

    link to this | view in thread ]

  70. icon
    techdude (profile), 10 Apr 2013 @ 12:14pm

    Re:

    I have been using VPNs for many years now. But I would never trust a VPN provider which is headquartered in the USA. And if all these US based providers will be forced to log user data or are forced to stop operations you should look for some offshore providers like yourprivatevpn or purevpn.

    link to this | view in thread ]

  71. icon
    Lance Cottrell (profile), 10 Apr 2013 @ 12:37pm

    Re: Re:

    In general Europe and most other countries have much worse data retention laws than the US.

    The reality is that US providers are not forced to retain data. My lawyers tell me that we cannot be forced to do so.

    link to this | view in thread ]

  72. identicon
    Mert Deniz, 27 May 2013 @ 7:54am

    Re:

    You are correct, we always go with a no log vpn. I personally use boxpn (https://www.boxpn.com). They have NO LOG keeping policy to take privacy seriously.

    Well I'm not an illegal activity user, but still, if I'm paying for a service I at least expect something more :)

    link to this | view in thread ]

  74. identicon
    Juli, 7 Jan 2014 @ 8:23pm

    Clean every time when you turned on your pc will help to leave footprint to anyone and its free download from here http://www.piriform.com/ccleaner.

    Also I suggest the hidemyass VPN service because they have more IPs than any other VPN providers; read the review here
    http://www.cpmu.org/hidemyass/

    link to this | view in thread ]

  75. identicon
    Lance Cottrell, 8 Jan 2014 @ 9:58am

    More IP addresses != more privacy

    More IP addresses in a privacy service does not lead to more privacy, in fact the opposite is true. Privacy is provided by the "anonymity group", which is the number of other people who could have produced the traffic that you actually produced. The more people in your group, the better protected you are.
    If everyone is coming from a single IP, it maximizes the anonymity group and the associated privacy.
    The only advantage of more IP addresses is commercial large scale information harvesting. This is generally a very different kind of service.
    Geographically diverse (but perhaps not numerous) IP addresses can be useful in bypassing location based access restrictions or pricing, but don't impact privacy.

    link to this | view in thread ]
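The anonymity-group point in comment 75, worked through as an added example that is not part of the original thread. The users, session times and exit addresses (taken from the 203.0.113.0/24 documentation range) are constructed, and the observer is assumed to see only the exit IP and the time of the traffic.

```python
import math
from collections import namedtuple

# Constructed sample data: one VPN session per user, times in minutes.
Session = namedtuple("Session", "user exit_ip start end")

USERS = [f"user{i:02d}" for i in range(12)]  # hypothetical subscribers


def build_sessions(exit_ips):
    """Spread USERS round-robin over exit_ips with staggered 30-minute sessions."""
    sessions = []
    for i, user in enumerate(USERS):
        start = (i % 4) * 15  # sessions begin at minute 0, 15, 30 or 45
        sessions.append(Session(user, exit_ips[i % len(exit_ips)], start, start + 30))
    return sessions


def anonymity_group(sessions, seen_ip, seen_minute):
    """Users who could have sent traffic observed from seen_ip at seen_minute."""
    return {
        s.user
        for s in sessions
        if s.exit_ip == seen_ip and s.start <= seen_minute <= s.end
    }


def group_for(user, sessions, minute):
    """Anonymity group an outside observer is left with for this user's traffic."""
    own = next(s for s in sessions if s.user == user)
    return anonymity_group(sessions, own.exit_ip, minute)


def exit_pool(n):
    """n constructed exit addresses from the 203.0.113.0/24 documentation range."""
    return [f"203.0.113.{k + 1}" for k in range(n)]


if __name__ == "__main__":
    # Same users, same activity; only the number of exit IPs changes.
    for n in (1, 3, 12):
        group = group_for("user00", build_sessions(exit_pool(n)), minute=20)
        print(f"{n:2d} exit IPs: group size {len(group)}, "
              f"{math.log2(len(group)):.2f} bits of uncertainty")
```

With a dedicated exit address per user the group collapses to one member, so the exit IP alone identifies the subscriber to anyone who can later map addresses to accounts.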

  76. identicon
    VPNuser, 9 Apr 2014 @ 3:12pm

    I absolutely agree that VPN can be a disaster. There are people out there who utilize computers to prey on children or commit horrendous crime that can prevent the authority to detect them. This case should be exempted from privacy rights. Any VPN company should be able to turnover the information to the authority, so no users like me ever get affected. These people don't deserve privacy at all.

    I use Internet for good purposes and I never committed crime that can cause problem in my community.

    link to this | view in thread ]

  77. VPN Services

    You should always choose a reliable VPN provider that doesn’t track his client’s usage. You can search for the same on internet.

    link to this | view in thread ]

  78. identicon
    duelistjp, 9 Feb 2015 @ 1:58pm

    Re:

    Then they came for me—and there was no one left to speak for me. That is the problem with your assertions. In order for anyone to have a right to privacy everyone does. When privacy is taken away from a group it takes it away from the whole all too easily. I'll be the one to say the child predators have the exact same privacy rights as us until convicted. Because if I don't then I won't have those rights either. Maybe not today or tomorrow but it will happen.

    link to this | view in thread ]

  79. identicon
    motiurhost, 7 Apr 2015 @ 10:30am

    vpn

    Goghost Personal VPN service. Connect your computer, laptop, smartphone and tablet to our VPN network to unblock websites and protect yourself from snoops

    link to this | view in thread ]

  80. identicon
    best ip hider, 2 Aug 2015 @ 4:46pm

    hidemyass vpn

    I recommend hidemyass vpn, it's the best vpn service in the world .... I have used this service for 4 years .. it's a very helpful service and I get comment from
    http://www.hideipsoftwares.com/hide-my-ass-review

    link to this | view in thread ]

  81. identicon
    Freddy Fuller, 13 Nov 2015 @ 9:37am

    Re: There's no such thing as "privacy" OR "security"

    I totally agree, I have had over the last 4 months an invader that keeps sending me MULTIPLE emails with ALL of the X's in the corner of the page OFF the page so I cannot just close them or move them...and they are all in Korean or Chinese so I cannot read them and they are all sex related sites or at least look like they are. Normally when I get crap like this....I just resend it back to the sender and after a while they realize what is happening and finally stop sending it to me. BUT these are extremely puzzling as they do not have a visible ISP or a point of origin and are driving me nuts, I won't send them to you unless you wish me as I have now opened about 12 of them and have them in an email.... but I sure wish I could find a simple answer "as my ISP" "SHAW" won't help me as they say it is MY FAULT for receiving and opening this material..."BUT HOW Am I to know" as it just passed by their supposed security too. Let me know if you're interested in seeing this stuff as I am extremely PO'd and will eventually find someone out there that IS smarter than these guys...

    Thanks
    God Bless
    Freddy

    link to this | view in thread ]

  82. identicon
    D.Master, 3 Mar 2017 @ 8:47pm

    Re:

    Well piracy is definitely a bad thing. They wouldn't be complaining if it didn't affect their earnings. Piracy is bad. Imagine you made a software/ music/ movie/ book/ silly emoticon and persons were pirating your idea. Using your work for free, or even downloading it and earning money from your work.

    Piracy is bad. But I do it anyway because I can't do any better. I am not rich. But that doesn't make it right.

    link to this | view in thread ]

