Can Commercial VPNs Really Protect Your Privacy?

from the it-depends dept

Nick Pearson is the founder of IVPN – a privacy-focused VPN service, and Electronic Frontier Foundation member.

As Techdirt readers are no-doubt well aware, online surveillance laws are undergoing a major revamp across the western world. From

            Australia</a> to <a href="http://www.bigbrotherwatch.org.uk/home/2012/04/ccdp-what-we-know.html" target="_blank" rel="noopener">the

            UK</a>, law enforcement agencies are
    taking the opportunity to gain unprecedented powers over the
    data they can monitor, and are blaming the crackdown on
    everything from illegal file-sharing to terrorists. With western
    nations becoming increasingly hostile toward the concept of
    online anonymity, it's not unreasonable to suggest the use of
    commercial VPNs will likely gain more traction (indeed, there's
    already <a href="http://torrentfreak.com/six-strikes-boosts-demand-for-bittorrent-vpns-and-proxies-130311/" target="_blank" rel="noopener">some
      evidence supporting this</a>). But can VPNs really safeguard
    your privacy today and, in the future, what kind of protection
    can you expect with the legal landscape changing so rapidly?

VPNs under fire

VPNs have come under serious scrutiny since mid-2011 after one of the leading services on the market played a pivotal role in the arrest

            and prosecution of a member of hacker group Lulzsec</a>.
    This kicked off the debate amongst filesharers and privacy
    groups over whether VPNs offered any real protection to their
    users at all. As TorrentFreak pointed out, many are <a href="http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/" target="_blank" rel="noopener">no

more

            effective than a regular ISP</a> due
    to self-imposed data retention policies.

It’s certainly true all VPNs have the ability to track users and log their data. Many do so because they don’t consider themselves privacy services and logging helps identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of

            a poor grasp of their country's laws</a>.

Of course, anyone concerned about privacy should not sign-up to a service that’s retaining data. Most privacy-orientated VPNs approach this issue by using a non-persistent log (stored in memory) on gateway servers that only stores a few minutes of activity (FIFO). That time window gives the ability to troubleshoot any connection problems that may appear, but after a few minutes no trace of activity is stored.

As you may know the EU’s Data Retention

            Directive</a> came into effect in
    2006, requiring &#8220;public communications services&#8221; to hold web
    logs and email logs, amongst other data. IVPN, along with a
    number of other EU based VPNs, believe our services are excluded
    from this requirement and we do not abide by it. So far there's
    been no cases we're aware of compelling VPNs to retain this
    information. Indeed, from a user perspective, the presence or
    absence of retention laws seem rather arbitrary, given how many
    US-based VPNs willingly retain data, despite no
    government-mandated policy being in place (<a href="http://news.cnet.com/8301-31921_3-20029423-281.html" target="_blank" rel="noopener">at

least

            not yet</a>).

When law enforcement and VPNs collide…

So what happens if a law enforcement agency approaches a VPN, serves a a subpoena, and demands a the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.

One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.

A changing landscape…

But the biggest threat to VPN usage is the changing legal landscape. The waters around the issues presented by VPNs are still being tested and laws may indeed be amended in the future to prevent such services operating in certain jurisdictions. So how do you navigate all this?

In all honesty, there are no easy answers. Picking a host country based on their current laws isn’t going to help much in the long term. By far the best measure you can take is to choose a VPN that demonstrates a commitment to user privacy. Examine the company’s small print, or, better yet, contact the owners and ask them upfront how far they go to protect your personal data. Ensure the company is committed to keeping users informed of any emerging threats to its service and – before buying any lengthy subscription – make sure the VPN is willing to re-domicile should its host country change any relevant laws.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Can Commercial VPNs Really Protect Your Privacy?”

Subscribe: RSS Leave a comment
82 Comments
Anonymous Coward says:

the whole point of a VPN service is to protect users anonymity. if a user specifically wants that and the service doesn’t do that, then the user should move providers. as user anonymity is the main reason for using a VPN service, what is the point of having it if it doesn’t protect users privacy? i am sure that VPN providers will be targeted very soon, simply because the USA entertainment industries dont like them. given how there is nothing more important to the USA government than doing whatever it takes to protect an early C20 business and helping it to remain as that, the VPN providers will be forced to keep all logs. that will mean a drastic loss of business and in a lot of cases. total collapse and shut down. that will bring more unemployment but it wont matter because, according to the bull shit reports put out by half-wits like Dodd, there are a gazillion people working in the movie industry who are losing their jobs every day because of ‘piracy’. if anyone here believes that, you are a bigger fucking idiot than Dodd!!

PopeyeLePoteaux says:

Re: Re:

Yeah, I’m certain copyright cartels will go after VPNs and even encryption in general at some point in the not so distant future.

But I don’t think that could could be difficult for them, as I mentioned in another post a few months ago, if they go after that what they need is to render it illegal to have administrative rights over your own computer,and that would make a pan-global treaty where China, Russia, the third world and the western world all bent over backwards in order to accomodate a rather small portion of the western industry.

Banning encryption or making it hard/impossible to use proxies/VPN is possible ONLY if a new standard is implemented globally where no person can be allowed to be administrator on their own computer.

Even trying is highly likely to harm or even remove a lot of business relying on VPN’s, cloud services and proxies from the market. If that happens, https has to go as well so say fare-thee-well to any service using encrypted login. Banks, amazon, online franchises, personal cloud storage, etc.

But knowing how stupid(?) the thugs at the MAFIAA are, I wouldn’t be surprised if they try to do that.

Akari Mizunashi (profile) says:

Re: Re:

“the whole point of a VPN service is to protect users anonymity.”
Uh, no it’s not. It’s to set up an encrypted link between your machine and the server you’re connecting to.

Never once does a VPN imply protection of anonymity, but rather, protection of data.

I concur with the other post in this thread: expectation of privacy on the internet no longer exists.

For those who use the internet every day, “privacy” isn’t a concern. More people are worried their hidden personal information can be “hacked” on a site than they are about being tracked.

Hell, most are being tracked now thanks to ad cookies.

JarHead says:

Re: Re: Re: Re:

How things should be and what really is are 2 different matters. I agree with Akari, that’s the way things really is. That doesn’t mean EFF, EPIC, etc, should “pack up and go sulk in the corner”. They’re the vanguards fighting for what things should be, and play important role if we are to have things really is closer to what it should be.

D.Master says:

Re: Re:

Well piracy is definitely a bad thing. They wouldn’t be complaining if it didn’t affect their earnings. Piracy is bad. Imagine you made a software/ music/ movie/ book/ silly emoticon and persons were pirating your idea. Using your work for free, or even downloading it and earning money from your work.

Piracy is bad. But I do it anyway because I can’t do any better. I am not rich. But that doesn’t make it right.

Richard Hack (profile) says:

There's no such thing as "privacy" OR "security"

“We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same.”

Frankly, I call BS. I’ll believe that statement when I see it happen. No one who has invested significant funds in a business or worse owes investors is going to shut down that business over a court order even if that order contradicts the very basis of the business.

“So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react”

Which is exactly what they can do. You’ve obviously never been raided by the Secret Service or the FBI. They will kick your door down, point a 9mm firearm in your face, and tell you to stand still. And you will.

Anyone using a commercial VPN to conduct illegal business – without further methods for obfuscating their identity – is an idiot. Anyone using a commercial VPN to protect their privacy should realize that even if THEY are not subject to a government authorized raid, someone else on that server may be. And when that happens, their privacy is over.

I have a meme about security which goes like this:

You can haz better security, you can haz worse security. But you cannot haz “security”. There is no security, Deal.

The same applies to privacy. A VPN is merely a tool. Relying on any one tool to provide security or privacy is a fool’s game.

Anonymous Coward says:

Re: There's no such thing as "privacy" OR "security"

“Which is exactly what they can do. You’ve obviously never been raided by the Secret Service or the FBI. They will kick your door down, point a 9mm firearm in your face, and tell you to stand still. And you will.”

I dunno, I think a company could quite easily set up systems to very quickly shut servers down in such an event. And I don’t think its the case that law enforcement always busts in with a 9mm, certainly not outside of the US. They never did that when twitter was refusing to hand over details of suspects.

But youre right. If you’re doing something seriously shady then relying on a single tool to provide security isnt smart.

Josh in CharlotteNC (profile) says:

Re: Re: There's no such thing as "privacy" OR "security"

If you’re doing something seriously shady then relying on a single tool to provide security isnt smart.

Bingo. In military and security terms, its referred to as ‘defense in depth’. Depending on how secure you want a system, you rely on multiple layers of security. Worried that a VPN is keeping logs on you? No problem, route your traffic through multiple VPNs – and change them regularly. Find an open proxy out on the internet and route through that, too. It’s just like using shell companies for legal games, but it’s tech, so can be automated and done much cheaper and faster. It’s not that hard to do, just requires some knowledge and planning.

Rekrul says:

Re: Re: Re: There's no such thing as "privacy" OR "security"

No problem, route your traffic through multiple VPNs – and change them regularly.

How do you do that? Do you set up one VPN connection, then once you’re connected, set up a second and it automatically goes through the first? I thought each VPN connection was separate, not nested.

Find an open proxy out on the internet and route through that, too.

A usable open proxy is harder to find than a flying pig. Seriously, I’ve searched for open proxies and they either outright don’t work, or they’re so slow that it takes several minutes just to load the Google home page, after it’s timed out 2-3 times.

Sure, there are a few free proxy services on the net which claim to hide your identity, but they’re only for simple web browsing and they’re so limited that you can’t even use most of them to post on forums.

pixelpusher220 (profile) says:

Re: Re: Re:2 There's no such thing as "privacy" OR "security"

How do you do that?

A single computer can use a single VPN at a time, you are correct. However, if you get a remote seedbox and route your traffic over the VPN to that seedbox and then from that seedbox you use a separate VPN to connect to yet another seedbox using a 3rd VPN you have your defense in depth.

Not trivial in setup or cost, but if you truly want defense in depth that shouldn’t be a concern.

Anonymous Coward says:

Re: Re: Re:3 There's no such thing as "privacy" OR "security"

I wouldn’t say it’s costly really. VPS boxes are relatively cheap nowadays, so that could be one route. TOR is freely available as one type of proxy/vpn. There is also the Public VPN project: http://www.vpngate.net/en/about_overview.aspx. Setup is the real issue, as you would have to tweak default routes around, and the really paranoid would want to purchase anything in their own name. For most illegal purposes, I’m sure they would simply use hijacked C&C or webservers.

Freddy Fuller says:

Re: There's no such thing as "privacy" OR "security"

I totally sgree, I have had over the last 4 months an invader that keeps sending me MULIPLE emails with ALL of the X’s in the corner of the page OFF the page so I cannot just close them or move them…and they are all in Korean or Chinese so I cannot read them and they are all sex related sites or at least look like they are. Normally when I get crap like this….I just resend it back to the sender and after a while they realize what is happening and finally stop sending it to me. BUT these are extremely puzzeling as they do not have a visisble ISP or a point of origin and are driving me nuts, I won’t send them to you unless you wish me as I have now opened about 12 of them and have them in an email…. but I sure wish I could find a simple answer “as my ISP” “SHAW” won’t help me as they say it is MY FAULT for recieving and opening this material…”BUT HOW Am I to know” as it just passed by their supposed security to. Let me know if your interested in seeing this stuff as I am extremely PO’d and will eventually find somone out there that IS smarter than these guys…

Thanks
God Bless
Freddy

out_of_the_blue says:

But now ISP man-in-the-middle watches every byte.

) The ISP doesn’t have to trace you: KNOWS exactly who and where you are; signed up and gave ’em name and credit card #, remember?

) ISPs are now definitely unreliable if not hostile MITM, a key point that isn’t even mentioned here. It’s easily possible to log all your keystrokes: they may get passwords in plain text, or be able to deduce them in short order.

) Any activity from your end that starts in plain text, such as normal browser use, may be collected by the ISP, and eventually collated with Google queries and/or website visits; route obscured between known points doesn’t necessarily hinder the surveillance state.

) You don’t know that any given VPN or its software isn’t totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.

) Nor do you know whether your Windows or Apple OS aren’t actively backdoored, rendering VPN futile.

) (More for TOR) You don’t want to be exit node of criminal activity and be left holding the bag with just a lame story that you’ve no idea of the original IP.

And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn’t trust the biz that claims it.

Anonymous Coward says:

Re: But now ISP man-in-the-middle watches every byte.

Except for the fact that someone who uses TOR in Europe was approached by the police, who promptly left him alone once they found out that he was running TOR and wasn’t the man that the authorities were after.

Nice try, but your writhing is useless. You’re willing to say that every VPN is compromised, but not the monitoring systems your heroes in the RIAA and MPAA use?

Gwiz (profile) says:

Re: But now ISP man-in-the-middle watches every byte.

) Any activity from your end that starts in plain text, such as normal browser use, may be collected by the ISP, and eventually collated with Google queries and/or website visits; route obscured between known points doesn’t necessarily hinder the surveillance state.

This is not quite true. Once you start your encrypted VPN tunnel all your ISP is aware of is the VPN server you are connected to. The data is encrypted and they have no way of knowing where your connection goes from there or what the data is aside from the volume.

You don’t know that any given VPN or its software isn’t totally compromised, literally owned as a commercial front, by nat sec, from the start not just after a court order.

Yes, it’s true that the VPN itself could be a honeypot. That’s is definitely something to be aware of. I don’t worry about the software on my side because I don’t use any specialized VPN software and use only the protocols supplied with Debian.

And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn’t trust the biz that claims it.

Bizarre statement, Blue. So you would trust the companies that are blatant about violating your privacy over the ones who claim to stand firm for your rights?
Interesting.

Rikuo (profile) says:

Re: But now ISP man-in-the-middle watches every byte.

“And the grandiloquent claim of would shut down the biz to preserve privacy of one client is just baloney; I wouldn’t trust the biz that claims it.”

So when companies like MarkMonitor are running around accusing people willy-nilly through six strikes, and then demanding subscriber’s bandwidth data, we don’t hear a peep from you. But the instant some guy promises to shut down his service should he be approached for subscriber data, that’s when you’re concerned about privacy?

nasch (profile) says:

Re: But now ISP man-in-the-middle watches every byte.

ISPs are now definitely unreliable if not hostile MITM, a key point that isn’t even mentioned here. It’s easily possible to log all your keystrokes: they may get passwords in plain text, or be able to deduce them in short order.

You think ISPs are installing keyloggers on their customers’ computers?

Anonymous Coward says:

Re: But now ISP man-in-the-middle watches every byte.

When I signed up with my ISP, I didn’t have to give them any credit card info. Also, it is possible to sign up with a small-town ISP under an alias and other fake info (at least, it was years ago). It also helps to pay your bill in cash. 😉

John Fenderson (profile) says:

Re: Re:

But don’t expect them to protect you against your crimes.

This sounds a lot like “if you aren’t doing anything wrong, you don’t have anything to worry about.” Which is simply incorrect, as has been demonstrated repeatedly for pretty much as long as civilization has existed.

The need for strong privacy and encryption is independent of whether or not you’re engaging in criminal activities.

What if you’re saying things that are making the government, or powerful corporations, or your employer/landlord/etc. really angry? What if you are supporting an unpopular, but legal organization? And so on and so forth.

Anonymous Coward says:

Can you trust VPN’s for privacy and security?

If the VPN is from a third party that you don’t personally know or have any relationship other than business.

No, you cannot trust that, they will and many actually do cooperate above and beyond with law enforcement.

Now if you set up your own VPN and know where it is and how the data goes from point A to point B than yes.

Here is a treat for the tinfoil crowd or for those wanting something to go with the popcorn.
http://www.zeropaid.com/news/103429/full-dotcom-spying-documents-released/

The documents about the planing and cooperation among law enforcement agencies was released and it appears that the New Zealand police knew they would be in trouble, they knew it was against their own laws, now that is some private crap that should not be protect ever.

Anonymous Coward says:

well then do what most people do if they require it and create a Private Network, not virtual, not even connected to the internet.

in other words the IP address of the computer on your private network are not available or accessible on the internet. Thousands of businesses use this, it uses some of the same hardware you use to get on the internet, but it is a private network, apart and disconnected to the network..

Do you think a banks national network that their staff uses is connected to the internet ?? or ATM machines ?

those systems are separate from the internet, and cannot be hacked from the internet, because they don’t exist there, they use privately leased dedicated data lines.

tqk says:

Re: Re: Plausible deniability.

A) rm is not going to cut it against forensic techniques

That’s why we have encryption. As long as you’re not in Britain, they don’t get your encryption key.

B) after the subpoena arrives is too late. You can go to jail for destruction of evidence at that point.

That was just a suggested course. There’s far sneakier ways to implement it. “Your honour, I didn’t even login that day. How could I have destroyed evidence?” Well, via a cron shell script that checks whether you’ve “touch”ed that file less than 24 hr. ago and if not, deletes it.

Besides, it’s abundantly clear that judges and juries are utterly clueless about technical computing gibberish like this. Good luck educating that imbecile IQ level jury you picked, Mr. Prosecutor.

Lance Cottrell (profile) says:

Reality of subpoenas

Having founded anonymizer.com in 1995 and being actively involved with it to the present day, I have some first hand experience with this issue. Our business and servers are all located in the US, so this may not apply in other countries.

Over the years the number of subpoenas we have received has varied significantly, but has never really been less than several per month. As we have no logging that would connect our users to their actions, we can’t be responsive to that kind of request. As a subscription service, we could be (and have been) asked if a given person is a customer, but that would not say anything about what they had done.
We have been asked to set up ongoing monitoring that would allow us to capture this kind of information, but we have declined, and no legal force has been brought to bear that could force us to do so.
The real problem is that your computer and browser are probably so well profiled, and full of tracking elements, that you are likely to be identified even while using a privacy VPN, unless you take significant additional steps.

art guerrilla (profile) says:

Re: Reality of subpoenas

thanks for your response, the insights of people who actually use (or make) these tools is ALWAYS invaluable to us who know little about the subject…

to that end, do you have link/source for reasonable, affordable steps that can be taken to increase privacy and make surveillance more difficult for the ‘good’ (sic) guys ? ?? (and, yes, i will look up your s/w and website to both see what it does, as well as for additional info)

further, (even though you didn’t talk extensively about this) are there VPNs which are -relatively speaking- trustworthy in regards to either not tracking stuff, or that have a record of telling the kops, etc to go piss up a rope ? ? ?

thanks again for your insight…

art guerrilla
aka ann archy
eof

Lance Cottrell (profile) says:

Re: Re: Reality of subpoenas

A good privacy oriented VPN is a good start. Obviously I am partial to Anonymizer.com. TOR can work well, but I worry that many node operators may be sniffing any and all traffic in the clear.

I suggest using virtualization. VMWare or Virtual Box can give you a disposable environment that you can reset after each use. That provides a lot of protection, in conjunction with the VPN.

As to trustworthy, it is hard to say. One can’t really prove a negative. Look at the privacy policies to see that they at least SAY they don’t keep logs. Then look for cases where users have been compromised. That almost always gets out. Hide My Ass was shown to keep logs when it lead to the arrest of a member of LulzSec.

I have written quite a bit about this on my blog http://www.theprivacyblog.com

special-interesting (profile) says:

There are many reasons why business has left some countries and the lack of privacy is a large one. If a country does not respect even its own citizens privacy all complaints about lost GDP/business/trade is just whining. And if such records are required to do business then expect higher prices as it only adds to operational costs. (again driving business overseas)

Many times its impossible to collect such data as the volume makes it prohibitive. Its normal that a popular VPN generates 2-4 plus terrabytes a day.

The best way to keep data leaks from happening is not to keep it or collect it at all. Its the only way so much so that it would be nice to see legislation that ensures such (non) action. For now, even if it would be a form of civil disobedience, its probably best to randomize/anonymize posts in logs/blogs/bbs/forums were possible. (there are troubleshooting and maintenance concerns) It’s best to dispose of them before any errant court order demanded them because its worse to knowingly destroy evidence.

There are good exceptions like Wikipedia revision history. Its been great fun knowing who attempts revisionist history. To be honest it might be nice for Wikipedia to offer a corporation sponsored (not the front page but only a tab or button) page if the user wanted to click on it. I just love to read clashing viewpoints and when discovered they raise red flags and loud sirens of incongruity. (lies)

US (and potentially European) law has basically gone crazy with unavoidable felonies committed every day just for backing up data and other stupider things too. At the present conversion rate Jaywalking and parking tickets will soon be added to the death penalty also. Since copytight (right) law is broken almost every time a phone camera is clicked is hard to take them seriously especially when more law is broken just to send it to a friend.

Because of the above obvious legal abuse it makes warrants and gag orders a potential way to abuse law. In fact considering the silly drug laws and ridiculous copyright laws the law is starting to look lawless.

A VPN with a data retention policy of any time length beyond maintenance is as good as not having one at all. A legitimate VPN is becoming almost as normal as an Internet connection.

Lance Cottrell (profile) says:

More IP addresses != more privacy

More IP addresses in a privacy service does not lead to more privacy, in fact the opposite is true. Privacy is provided by the “anonymity group”, which is the number of other people who could have produced the traffic that you actually produced. The more people in your group, the better protected you are.
If everyone is coming from a single IP, it maximizes the anonymity group and the associated privacy.
The only advantage of more IP addresses is commercial large scale information harvesting. This is generally a very different kind of service.
Geographically diverse (but perhaps not numerous) IP addresses can be useful in bypassing location based access restrictions or pricing, but don’t impact privacy.

VPNuser says:

I absolutely agree that VPN can be a disaster. There are people out there who utilize computers to prey on children or commit horrendous crime that can prevent the authority to detect them. This case should be exempted from privacy rights. Any VPN company should be able to turnover the information to the authority, so no users like me ever get affected. These people don’t deserve privacy at all.

I use Internet for good purposes and I never committed crime that can cause problem in my community.

duelistjp says:

Re: Re:

Then they came for me—and there was no one left to speak for me. That is the problem with your assertions. In order for anyone to have a right to privacy everyone does. when privacy is taken away from a group it takes it away from the whole all too easily. I’ll be the one to say the child predators have the exact same privacy rights as us until convicted. Because if I don’t hen I won’t have those rights either. maybe not today or tomorrow but it will happen

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...