Private Internet Access Leaves Russia, Following Encryption Ban And Seized Servers
from the yikes dept
A few years ago, I got to travel to Moscow to present some of our research at an event. Having heard more than a few stories about internet access issues in Russia, before going I made sure that I had three separate VPNs lined up in case any of them were blocked. I ended up using Private Internet Access — which was already quite well-known and reliable. That’s my regular VPN, but I had been worried that maybe it wouldn’t work in Moscow. I was wrong. It worked flawlessly. But apparently that’s no longer the case. Just after Russia’s new surveillance bill passed, complete with mandates for encryption backdoors and data retention (along with a demand that all encryption be openly accessible for the government within two weeks), apparently Russian officials seized Private Internet Access’s servers in Russia, causing the company to send an email to all its subscribers, announcing what happened, what it was doing to fix things… and also that it was no longer doing business in Russia.
To Our Beloved Users,
The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it?s because we are the most outspoken and only verified no-log VPN provider.
Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.
Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.
To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we?re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.
All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.
We have decided not to do business within the Russian territory. We?re going to be further evaluating other countries and their policies.
In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure.
If you have any questions, please contact us at helpdesk@privateinternetaccess.com.
Thank you for your continued support and helping us fight the good fight.
Sincerely,
Private Internet Access Team
Of course, the end result of this is going to make Russian internet users a lot less safe. The war on encryption is a really dumb idea, and kudos to PIA for taking a stand.
Filed Under: backdoors, encryption, russia, servers, vpn
Companies: private internet access
Comments on “Private Internet Access Leaves Russia, Following Encryption Ban And Seized Servers”
Very Satisfied PIA client
I wouldn’t bet on that. PIA is my VPN as well. I often use exit nodes not in the country I am in. Not too long ago I was in a discussion with my US based bank via Skype. They kept complaining that they couldn’t understand me. I asked where they were. They were in the Philippines. The closest PIA exit node to the Philippines appeared to be Hong Kong. I said good by, changed my exit node to the Hong Kong server and called back. No problems communicating with them after that.
I will say that most of the time I use PIA via a router that exists primarily to supply the VPN services, as well as to offload the encrypt/decrypt to a different processor. I do not know if this would work the same with a desktop client, which is available for PIA, Linux, Android, and Windows for sure, probably MAC too.
I bet you can still use PIA’s other exit nodes from within Russia.
Travel destinations
Looks like Mike’s list of travel destinations is constantly getting smaller. First it was Australia, now Russia has been removed from the list.
Re: Travel destinations
And based on some of his stories, I don’t recommend that he go to Turkey either.
Love of Control
I estimate that America and most other ‘modern’ nations are no more than 3-5 years behind this effort. Yes, you have twitter, facebook, youtube and a thousand other LIBERAL venues, but post ONE THING that does not toe the party line, and you’ll see DMCA, Hate Crime and DHS Terrorist take-down and surveillance threats from the government within 24-hours. For all those that love to ‘wave a flag’ about the U.S., you better wake up and see just how close we are to them ‘flipping a switch’ and putting us in the same boat as Russia and China are now.
All it’s going to take is one more small, sculpted act to start-up martial law, and we will never return. Stop worrying about that one-tree that fell, you better notice how close we are to all the forest burning up in a flash-fire.
Re: Love of Control
“I estimate that America and most other ‘modern’ nations are no more than 3-5 years behind this effort.”
I think Western nations will go about it in a little big of a different way, but to the same general end result.
I think in the US it will be done much more along the lines of “you can have your encryptions and VPNs, but your connections will have to be entirely logged”. It’s to me one of the reasons why they are working so hard currently to strangle TOR.
I also think that there will be at some point the completion of the title II move to apply similar laws and structures that exist for other utilities to the internet. Particular in that is the personal liability of the account holder for how the service is used. This is how phone, water, and electrical services work, so the internet could (and possibly should) be the same. There may be some legal arguments against it, but title II status goes a long way down the road already without anyone realizing it.
Essentially, if a service provider masks who the true user is by providing a proxy or portal, then they would have to log by mac address and such, and retain those records for a given period of time.
It would change how free public wifi works. It would certainly change the legal landscape for leaving your wifi open for any schmuck to use.
SO you can keep your encryption, you can keep your VPNs, but understand that you are logged all the way.
My guess is by 2020.
Re: Love of Control
Ah, so that’s what’s going on in Russian. Putin is a LIBERAL! I see it all so clearly now.
Re: Love of Control
don’t forget the masses of SJW that will spam your posts and clog it with hate for daring to say something they don’t agree with,
Re: Love of Control
Skeeter, you’re describing Fascism. Know your politics:
http://www.rense.com/general37/char.htm
Re: Martial Law
Martial Law is difficult to implement but worse to sustain, since it involves putting military units on active (wartime) duty in the municipalities of their own nation. It’s hard on morale since there’s no real enemy. No one wants to be the soldier who has to fire on Americans, so every standing post is a hated, thankless job.
Fascism, once started, is tough to sustain:
The upper echelons do love their cocaine.
The war on drugs caused more drugs, and the war on terror caused more terror, so the war on encryption is supposed to do … what?
Re: The War on Encryption
The wor on encryption will make encryption go dark. Nowadays when encrypted data is sent, it is clearly encrypted. In the future, it will look like something else, pictures of bridges, romance era poetry, horse porn, engineering databases, anything that seems legal and uninteresting.
Re: Re: The War on Encryption
Intriguing idea but copyright makes it not possible.
If such a system only used public domain info, say sending random passages of Shakespeare then it would be recognized as encryption because it would still stand out as unusual.
If you used copyrighted works you go to jail for copyright infringement.
If it randomly used words/pixels to make up new content they would throw you in the mental ward since your incoherent babel clearly makes you nuts. It would also stand out as being encryption.
The solution is to just use encryption for everything. When every data stream is encrypted the stuff you really want to hide is now ‘hidden in plain sight’ like you suggest would work best.
Re: Re: Re: The War on Encryption
The system of encryption-with-plausible-deniability would encrypt data to look like garbage within empty disc sectors. So you could send a disk image that looked like it was your Aunt Millie’s Bermuda vacation snapshots where the unused data sectors contained your hidden data.
Without the key, there would be no feasible way to tell there was anything in those unused sectors, compounded by there being a lot of Aunt Millie Bermuda vacation photo disc images out there.
And if I were running a terror / revolutionary / dissenting interests / book club, I’d make sure that most of my disc images I was sending out didn’t include encrypted data.
This is tech already used in states more oppressive than ours. We don’t need to invent it so much as make it available to everyone.
Re: Re: Re:2 The War on Encryption
One issue is how do you tell the decryption process what to decrypt? There has to be some flag that says ‘don’t decrypt Aunt Millies pics’ but decrypt this ‘xxxxxxxx’
Those flags are all that’s necessary to start the process of breaking the encryption
Re: Re: Re: The War on Encryption
you’re implying that a private distribution is illegal by copyright. That’s a pretty big stretch of current law isn’t it?
Not saying they wouldn’t try it but it’s a LOT harder to make that a winning argument.
Re: Re: Re: The War on Encryption
“Intriguing idea but copyright makes it not possible.”
It’s not only possible, but easy and commonly done right now. A huge number of people routinely post pictures they take themselves on social media sites. It’s trivial to use steganographic software to embed encrypted data in them.
Re: Re:
The more you tighten your grip on encryption the more data will slip through your fingers.
Re:
False assumption there, the ‘wars on x’ haven’t affected x much at all.
The war on drugs allowed oppressive laws to be passed without an appreciable effect on the drug trade, the war on terror allowed more oppressive laws to be passed without an appreciable effect on terrorism, and this war on encryption will allow more oppressive laws to be passed.
It won’t matter if you use encryption or not; if you don’t, six lines typed in your hands will be used to hang you, if you do, you’ll be hung anyway for ‘refusing to decrypt/cooperate’.
Re: Re:
criminalize law abiding citizens, just like everything else.
What you’re talking about is steganography, and I’ve been saying that for years. The real “encryption” will be the fact that it’s even encrypted. I think the time is right for steganography to flourish.
Yeah. Steganography already exists, and it doesn’t need copyrighted content to work. But even if you think of it in terms of being artificially tied to some type of media (which it’s not) then you still live in a world of rich media that we create ourselves every day on facebook, when we take a selfie, etc. A photo of your cat takes millions of bytes of data, where a text message of “Farid has the vest” only takes a few bytes.
I’m sure our day to day lives generate enough junk data to mask people’s communications. For example, you could theoretically hide a text message inside a voice chat. While you’re saying “I like pancakes” on the voice chat, you could weave an encrypted message into the digitized audio without affecting the sound quality noticeably. Technology like this already exists.
As a programmer, I’ve heard the term “security through obscurity” as an insult for the last couple decades, but obscurity probably isn’t a terrible thing if you mix it with good security. I think privacy is going to be the next killer app.
So, congrats Russia, you’re now the driving force behind what I’m sure will be many great innovations in encryption and just privacy in general. Fuck Russia–there’s an app for that.
Re: Re:
“As a programmer, I’ve heard the term “security through obscurity” as an insult for the last couple decades, but obscurity probably isn’t a terrible thing if you mix it with good security.”
This is correct.
“Security through obscurity” is usually used to refer to two different serious errors in security:
1) Relying on secrecy alone to keep you secure. Over time, this fails in close to 100% of all cases.
2) Relying on crypto whose algorithm is a secret. Crypt is notoriously hard to do right, and it’s incredibly easy to develop crypto that appears to be strong, but isn’t. Secret algorithms don’t gain you any security, but they do make it much more difficult to notice flaws in your crypto.
Now, using strong crypto in a way that is hard to notice (by combining it with steganography, for instance) does, in fact, increase your level of security. But you still must treat the crypto part of the scheme as if everyone will know it’s there.
Re: Re: Re:
The steganography algorithms also need to be open source, as flaws in those could make the presence of a message obvious. However steganography does obscure the presence of a message if done right, and the intended recipient if the media is posted on a public forum. Obviously keys, and any means of signalling the presence of a message have to be kept secret.
I often use PIA too and while they do have some issues (Five Eyes etc) it seems to be the best vpn provider for the price. Let us see if this is isolated or if other companies will leave Russia to protect themselves and their customers.
regarding steganography
Maybe it’s been long forgotten, but steganography was once extensively used back in the 1990s to host MP3s on “personal” websites, of both the free ones like Geocities as well as the personal webspace that always came packaged with dialup ISP accounts. While the RIAA, BPI, IFPI, and other copyright cops were quick to find and take down MP3s hosted on websites, they apparently never caught on to this widespread practice of hiding (split) MP3s inside pictures.
Let’s not forget that this was a time when recorded music was generally only sold as albums (in physical form) and the term “MP3” was synonymous with “piracy.” In the age before P2P networks, Bittorrent, commercial usenet services, or MegaUpload-type file hosting sites, steganography was the most reliable and safest way to host copyrighted music long term on the internet.
Dear US Govt:
Please look at this and take a very very hard look at this warning, because the second this shit happens in the US, the same shit will happen in the US, and it won’t just be VPN users. I can guarantee it.
Re: Dear US Govt:
I dunno. Most of the major companies would not pull out of the US if that happened here. Microsoft, Apple, etc., would certainly remain and comply with whatever the law demands.
The ones that leave would more likely be the smaller companies who tend to be more sensitive to their customer’s needs and security. Exactly the ones we can least afford to lose.
Re: Re: Dear US Govt:
Microsoft must have a reason for the pushing users to Windows 10, and it is not because the majority of the code is from a different code base than the previous versions, or that Microsft lack Version control..
Ouch!
As this plays out financially, it’s probable that Putin may very well discover that he has just ‘shot himself in the foot’!
Re: Ouch!
In Russia you don’t shoot yourself in the foot, they have people for that.
Sounds like the Hollywood crowd is behind this, it is business as usual in Russia, for them.