VPNs and Security Awareness: The New Reality

How one small American VPN company is trying to stand up for privacy (ArsTechnica, 27 Oct 2013) – In recent months, I’ve started to take my own digital security much more seriously. I encrypt my e-mail when possible, I’ve moved away from Gmail , and I’ve become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt , I’ve started to kick the tires of the products that I rely upon on a daily basis. When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use isPrivate Internet Access (PIA). Why PIA? No particular reason, really. I don’t remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak . I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified? Unfortunately, Private Internet Access’ website doesn’t really make clear who is behind its site. The site’s footer points to London Trust Media , which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee-one of the firm’s two owners. Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. One of PIA’s biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement. “We’ve never been asked for keys, nor [have we] handed over user data,” Lee told Ars. “What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don’t have any logs whatsoever. We don’t log metadata [or] session data either. We will comply with anything, but we can’t comply because we do not provide any logs. We don’t log, period.” Of course, one of the biggest problems is that there’s essentially no way for me to verify PIA’s (or anyone else’s) practices. Lots of VPN firms claim not to log, and I’d like to believe them, but there’s really no way for me to know for sure that Lee can’t see that I’m loading Ars about 100 times a day. Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept. “You have to trust the VPN-they have access to your data,” Dan Auerbach of the EFF told Ars. “Even if they’re really good, the government can come in and say we have a warrant… You have to take it on faith that there will be no CALEA -type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn’t require you to trust just one party. That’s the basic problem with VPNs.” * * *

Vince Polley : This continues, with interesting discussion about legal issues, including possible use of a “ warrant canary ”. For many of the reasons stated in this story, I’ve decided to cancel my VPN account with GetCloak.com; it comes down to my inability to trust any third-party service provider that might log, or steal, my traffic. I’d suggested to GetCloak that they make public security promises that might be enforceable by the FTC, but even those might not be sufficient to enable me to use my financial log-in credentials over their network. So, I’m back to using AT&T, via my iPhone tethering, to secure my sensitive traffic, notwithstanding NSA interception. Better the NSA than somebody I don’t know and really cannot trust.]

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/ddpavumba.