[brobinson]

>However, the sad reality is, there is no such thing as a “no logs” VPN. Because running it would technically be impossible.

PIA has told the feds in the US to fuck off multiple times when asked for logs. You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison (PIA is based in the US). I feel pretty confident they're not risking prison to cover for Joe Blow subscriber. Other "no log" providers have been caught with logs, though.

I do agree with overall message about VPN advertising. It's presented as a panacea when it's really a single step you can take.

[tptacek]

Who cares if they log now? They can be forced to log --- and are in fact running businesses the practically beg the DOJ to force them to log.

[mirimir]

Which is why many people don't use US-based VPN services.

[tptacek]

So that, instead of the US using legal formalisms to gain access to your data, they can simply (under our law) hack it directly? While at the same time, whatever host country is involved can use their legal formalisms to get access to the data? How is that helping you?

[mirimir]

It helps me because I use nested VPN chains. And because I alternate jurisdictions. With the goal of complicating log collection.

But in any case, I don't count on nested VPN chains for serious anonymity. Mostly I use them to avoid hassle from torrenting. And conversely, torrenting provides cover traffic, and as well a plausible reason for using VPN services.

But mostly I use nested VPN chains to hide Tor use from local observers. Because Tor usage is far less common than VPN usage, and so far more of a red flag for increased surveillance.

[rasengan]

> They can be forced to log

There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.

[1] https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...

[nickpsecurity]

Nah, he's right. The Core Secrets leak said the FBI was using some secret method to "compel" domestic targets to do the "SIGINT-enabling" of their networks. It might have been just fines and jail threats under the secret court (FISC). On top of that, the Patriot Act let them hold people indefinitely, they were kidnapping folks at airports for "extraordinary rendition" (torture), and there's the old civil forfeiture laws on top. That's the extreme stuff.

Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.

Pro tip: don't host anything that's supposed to be private in the U.S.. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.

[bitreality]

Oh come on now. The US Government forces tech companies to share information all the time.

http://www.msnbc.com/msnbc/us-government-threatened-yahoo-bi...

They certainly can, and will, go after any company they want to, without referencing any specific US legislation.

[rasengan]

ISPs and VPNs have different laws then, for example, email providers. Further, Yahoo Mail, would be storing data (thus "voluntary" logging, or in their case, there's few ways around it to deliver their services in any kind of usable way).

I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.

That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.

That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.

We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.

[bitreality]

You're saying that organizations can avoid being subject to providing data if their service does not store the data. But I am not convinced. If the NSA or whatever 3 letter agency demanded the data be made available in a secret court, the company would have no choice but to comply.

They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.

[comex]

The demands mentioned in your link did reference specific US legislation: FISA section 702.

[bitreality]

Before all this information got leaked, nobody knew about FISA section 702, nor had any idea how it was being interpreted and acted on by government agencies. I think it's quite clear that the secret courts in the US put huge demands on organizations to share and collect data on government behalf. Even worse, the organizations can not even publicly disclose information from the proceedings.

Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.

[okmokmz]

US companies perhaps. That's why so many recommend non-US VPN services

[comex]

Perhaps not (I’m not certain about the issue), but they can be forced to hand over their private keys to let the NSA [ed: or other agency] do the logging for them – as happened with Lavabit.

[tptacek]

s/NSA/DOJ.

[comex]

Good catch, although... I looked it up, and apparently in Lavabit’s case the demand (under the Stored Communication Act) was actually issued by the FBI?

[tptacek]

The FBI is part of the DOJ. :)

[mirimir]

So how would the US government force Insorg, which is Russian, to log?

[pvg]

which is Russian

That's a bit like moving from Phoenix to Pyongyang to escape the unconscionable oppression of your local HOA.

[mirimir]

Yeah, but why would Russia care about me?

[dragonwriter]

Because if you are going to carry out a propaganda campaign to destabilize or realign <non-Russian country>, then being able to identify them interests and vulnerabilities of each particular propaganda target is useful. Modern international propaganda includes what is exactly, or is equivalent to, targeted advertising, and everything useful to such advertising is useful to nation-state propagandists.

We've actually seen this in action throughout the West, including but not limited to the US, recently, so it's not merely a theoretical concern. We are no longer in a world where you need to be personally important to be a target of foreign nation-state information gathering and targeting, because the same factors that make that scale for private actors and your home government make it scale for foreign governments that may potentially be opposed to or wish to influence your home government.

[mirimir]

Clarification: The point is to use nested VPN chains, alternating between jurisdictions that don't readily cooperate. And ideally, are virtually at war. Interleaved with ~neutral jurisdictions, to reduce oversight.

See https://news.ycombinator.com/item?id=19609067

[pvg]

Why would the US care about you? And that's on top of the fact that the policy and regulatory regime in Russia has (over some years and quite openly) moved towards essentially full legal interception capability of everyone's internet comms. Roskomnadzor is out there actually doing the stuff the imaginary messageboard NSA does.

[mirimir]

What mostly matters is that the US and Russia aren't exactly on speaking terms.

[okmokmz]

>They can be forced to log

Not if they aren't in US, hence why so many people choose non-US VPNs

[ben509]

> You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison

White collar criminals typically go to Club Fed, though.

[djsumdog]

What about European based/GDPR compliant VPNs? Wouldn't they require to truthfully disclose if and what they log?

[metafunctor]

Not really. The GDPR is overridden by various laws relating to national security, terrorism laws, and whatnot. It does not prevent or forbid EU nations from collecting intelligence on their citizens.

[AstralStorm]

It does prevent unlawful access and unlimited data collection by corporate entities. (Including fruit of poisonous tree doctrine.)

What the ISP doesn't collect or process, cannot be had as historical data for court cases for example. Albeit the GDPR exemption is pretty open for "required to provide service" data processing.

Wiretapping is a separate matter.

Most importantly, any third party data processing and sale has to be clearly outlined including purpose.

[llukas]

But it prevents adtech to collect info.

[q3k]

For what it's worth, Poland is surprisingly good about this:

- as an ISP, you're required to retain data for a year that would let LEAs map an IP address you manage to a subscriber. If you're giving out public IP addresses to your customers, this can be just an excerpt from your IPAM.

- as an ISP, you cannot give out this data without a court order, and you will be in violation of data protection laws if you do do.

Source: the Warsaw Hackerspace is an ISP.