Nick Pearson is the founder of IVPN, a privacy-focused VPN service, and an Electronic Frontier Foundation member.
As Techdirt readers are no doubt well aware, online surveillance laws are undergoing a major revamp across the western world. From Australia to the UK, law enforcement agencies are taking the opportunity to gain unprecedented powers over the data they can monitor, and are blaming the crackdown on everything from illegal file-sharing to terrorists. With western nations becoming increasingly hostile toward the concept of online anonymity, it's not unreasonable to suggest that the use of commercial VPNs will gain more traction (indeed, there's evidence supporting this). But can VPNs really safeguard your privacy today and, in the future, what kind of protection can you expect with the legal landscape changing so rapidly?
VPNs under fire
VPNs have come under serious scrutiny since mid-2011, after one of the leading services on the market played a pivotal role in the prosecution of a member of the hacker group Lulzsec. This kicked off a debate amongst filesharers and privacy groups over whether VPNs offer any real protection to their users at all. As TorrentFreak pointed out, many are no more effective than a regular ISP due to self-imposed data retention policies.
It's certainly true that all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services, and logging helps them identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their country's laws.
Of course, anyone concerned about privacy should not sign up to a service that retains data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only holds a few minutes of activity (FIFO). That time window gives the operator the ability to troubleshoot any connection problems that appear, but after a few minutes no trace of activity is stored.
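To make the non-persistent FIFO log concrete, here is an added illustration (not IVPN's code, and not from the original article) of an in-memory gateway log that expires every entry older than a few minutes, so a later request to trace "the client on server X at time T" finds nothing. The class name, field names and the 300-second window are assumptions; the addresses are constructed RFC 5737 documentation values.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Optional


@dataclass(frozen=True)
class Entry:
    ts: float          # seconds since epoch (constructed sample values below)
    client_ip: str     # address the client connected from
    server_ip: str     # gateway address the session was assigned to
    note: str          # troubleshooting detail, e.g. a handshake result


class EphemeralLog:
    """Hypothetical in-memory FIFO log keeping only the last `window` seconds.

    Nothing is written to disk; entries outside the window are dropped on
    every append and every lookup, so no trace survives beyond it.
    """

    def __init__(self, window_seconds: float = 300.0) -> None:
        self.window = window_seconds
        self._buf: Deque[Entry] = deque()

    def _expire(self, now: float) -> None:
        # Oldest entries sit at the left; pop until all are within the window.
        while self._buf and now - self._buf[0].ts > self.window:
            self._buf.popleft()

    def record(self, entry: Entry) -> None:
        self._buf.append(entry)
        self._expire(entry.ts)

    def trace(self, server_ip: str, ts: float, now: float) -> Optional[str]:
        """Return the client IP active on server_ip at ts, if still retained."""
        self._expire(now)
        for e in reversed(self._buf):
            if e.server_ip == server_ip and abs(e.ts - ts) <= 1.0:
                return e.client_ip
        return None


def demo() -> tuple:
    # Constructed sample sessions on one gateway; 5-minute retention window.
    log = EphemeralLog(window_seconds=300.0)
    log.record(Entry(1_000.0, "203.0.113.7", "198.51.100.1", "handshake ok"))
    log.record(Entry(1_010.0, "203.0.113.9", "198.51.100.1", "MTU renegotiated"))
    # An operator troubleshooting a minute later still sees the session...
    fresh = log.trace("198.51.100.1", 1_000.0, now=1_060.0)
    # ...but a request an hour later finds nothing to hand over.
    stale = log.trace("198.51.100.1", 1_000.0, now=4_600.0)
    return fresh, stale
```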
As you may know, the Directive came into effect in 2006, requiring "public communications services" to hold web logs and email logs, amongst other data. IVPN, along with a number of other EU-based VPNs, believe our services are excluded from this requirement, and we do not abide by it. So far there have been no cases we're aware of compelling VPNs to retain this information. Indeed, from a user perspective, the presence or absence of retention laws seems rather arbitrary, given how many US-based VPNs willingly retain data despite no government-mandated policy being in place (at
enforcement and VPNs collide...
So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands that the company trace an individual based on a timestamp and the IP address of one of its servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.
One of the few ways law enforcement could identify an individual using a privacy service without logs is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order, and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and passwords before they could react, your privacy would be protected.
But the biggest threat to VPN usage is the changing legal landscape. The waters around the issues presented by VPNs are still being tested, and laws may indeed be amended in the future to prevent such services operating in certain jurisdictions. So how do you navigate all this?
In all honesty, there are no easy answers. Picking a host country based on its current laws isn't going to help much in the long term. By far the best measure you can take is to choose a VPN that demonstrates a commitment to user privacy. Examine the company's small print, or, better yet, contact the owners and ask them upfront how far they go to protect your personal data. Ensure the company is committed to keeping users informed of any emerging threats to its service and – before buying any lengthy subscription – make sure the VPN is willing to re-domicile should its host country change any relevant laws.