Don't Use VPN Services (2016) (gist.github.com)
66 points by IA21 2061 days ago
20 comments

Some VPN providers' claims were verified in court and thus it's known they don't keep logs, so the article's claims just fall apart:

https://www.techspot.com/news/82259-keeping-private-5-vpns-h...

Edit: Many countries have mandatory data retention policies [1], so if you're from one of those countries it's virtually guaranteed that your internet usage logs for the last months/years are logged somewhere. On the other hand, a VPN provider has a strong financial incentive to not log your data (because their reputation has a high financial value) and in some cases it can be known that (at least at some point in the past) they weren't logging, so there is a very high probability that they are not logging now.

[1] https://en.wikipedia.org/wiki/Data_retention

Some other VPN providers' claims were tested by hackers and security researchers and found wanting [0].

The point the article was trying to make was you can never be sure which providers are trustworthy and which ones are not, and even the trustworthy ones today might not be trustworthy tomorrow and you have no way to verify whether they are or aren’t keeping logs.

0: https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-ex...

From that link there is only one "verified" case, and that is with PIA, all others are audits from private firms, or seizure of one particular server that is assuming just a dumb node. Even with PIA it's not sure what exactly was asked because it's not a USA company, so if I ask you to give me logs for a server in USA, but you don't keep the logs on that server, can you say we don't keep logs on that server?

And do you have time to verify every source of information?

It's logically impossible to verify, but any number of facts can be easily disproved by one piece of evidence, previously unknown.
Their upstream providers are happy to tap the traffic if someone with enough $$$ knocks on their door.

Also, why are these companies registered in Panama or the British Virgin Islands?

They don't have a data retention policy [1]. The European Union for example requires "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC" for up to 2 years:

[1] https://en.wikipedia.org/wiki/Data_retention

I get that - but building trust comes not with a company registration in a tax haven.
My main reason for using a proxy is to prevent my government from tracking and logging all my internet activity (when you look at the huge list of agencies the UK government has allowed access to that information you can see why).

I skimmed through this article but I don't think it addressed this use case. Sure, my VPN could be tracking me, but I have much more trust in Mozilla than I do any other internety company. This article seems to be arguing that because perfect browsing privacy isn't possible that you might as well not bother with any.

I'm interested. I thought the proposed tracking and logging requirements on ISPs never made it through parliament. Do you have any details of the requirements and agencies with access?
Your comment made me look into this in further detail and you may be right; it seems the situation isn't as bad as it once was.

> in April 2018, when the high court found the government’s power to order private companies to store communications data, including internet history, to be in breach of citizens' right to privacy.

It seems the original proposal has been watered down and then challenged in court. I'm wondering if someone more knowledgeable can chime in.

Still, I don't want some government agency to be able to pull my entire browsing history, now or in the future.

Also, the article makes the weird jump from the fact that it's possible a VPN provider might log you, and possible a government or similarly powerful entity might request those logs, and possible that they might then get them - to the idea that you therefore must assume that will happen.

Jumping through all kinds of administrative hurdles is still a hurdle, even for a government (in fact, in many ways - especially for a government!). A court may not force a VPN provider to hand over logs, and a VPN provider may have little legal exposure in a country anyhow.

Even if a government somehow managed to get permission to see them, if a VPN provider doesn't have any (or none sufficiently detailed) it's pretty likely it will not suffer much for not having logs (especially given that various privacy laws might even make it illegal to keep unnecessary privacy-sensitive data floating around), and courts tend not to punish even illegal court-order violating behavior when the party was required to engage in that behavior (e.g. by law). If anything, that's a modicum of risk with a high potential reward (publicity here we come!)

And even if a VPN service maintains logs - what kind of logs? There are a lot of packets floating around on a VPN, and storing metadata for every single one strikes me as a pretty excessive expense if there's no really good business case for it. Tying various incomplete logs together doesn't always reconstruct the whole story, so it's pretty plausible some logs may still contain less data than would be retrievable if you didn't use a VPN.

All in all it strikes me as invalid reasoning to assume that merely because it's possible a VPN might not keep traffic private that it will in practice leak said traffic. That does not appear to be the path of least resistance. So even if some UK government agency were to have the intent to track some of your traffic - a VPN might well prevent that or at least make it much more expensive (in both time and effort) for said agency to achieve that.

You are overlooking a jump that seems obvious to me and I have not seen anyone address before: if government intelligence agencies go to great lengths to spy on the world's internet traffic, why wouldn't they run, and promote, the top VPN companies themselves?

Therefore, shouldn't we expect at least some of the largest, cheapest, and most widely promoted VPNs to be secretly run by intelligence agencies?

Congratulations, you're now being tracked by the government of whichever country your VPN is proxy'ing your data to.

And that government also certainly has much less legal restrictions on tracking you since you're probably not their citizen. Unless you VPN to a node in your own country, in which case, they're just tracking you at a different exit point.

As a US resident, I'd rather have Sweden able to introspect my traffic rather than the US.
This article has been debunked multiple times. It misses the point entirely.

Use VPN to change your local ISP to foreign ISP. The foreign ISP is better precisely because it is foreign. The direction doesn't matter.

Ideally pick across poorly cooperating jurisdictions.

Using a VPN also raises the actual cost of the adversary. For a simple example, considering something like a movie download - doing it from the home IP means a form letter information request from a lawyer to the ISP. Doing it through a VPN means an international request for legal support is required to get the name behind the IP. Costly and time-consuming and perhaps even impossible depending on jurisdiction. (USA won't honor an information request from Iran, etc.)
Only reason for VPN I see is circumventing geo-fencing. And even then you need to remember that it can put your account at risk. For subscription services this might be insignificant, but for likes of gamestores it might prevent you from making future purchases at some point.
Yeah this is the only reason I have one. Weird licensing restrictions mean basically nothing I want to watch is available in my country and so I need to constantly jump through hoops to _pay_ for content...
There are a few VPN services (about 3) that are recommended by both privacytools.io (https://www.privacytools.io/providers/vpn/) and the freedom of the press foundation (https://freedom.press/training/choosing-a-vpn/).

Some accept anonymous cash payments like mullvad and do not require any information.

Everyone here probably knows VPNs are not an all-in solution for privacy nor security but they're certainly a good added layer to add and most likely have better privacy standards than most ISPs.

A person more concerned about privacy should just add one or more layers above/below the VPN ... like ISP > VPN > Tor for instance at the price of substantially lower performance ...

Or you could do the opposite with a cash accepting VPN such as Mullvad ... and only connect to them using ISP > Tor > VPN which would also provide a decent layer that would avoid the massive "malicious high risk flagging" of Tor Exit nodes everywhere while preventing the VPN provider from knowing your IP. You certainly have to hit less captchas with VPNs than with Tor ...

There are also quite a few VPN/VPS providers accepting Monero that can be used and paid for "anonymously" for adding more layers.

If you live in a large city with a decent view on places offering free legal public wifi, you could also buy a long range Wifi Directional Antenna and USB Wifi adapter to add such layer while remaining at home and avoid having to move to such places. MAC address randomization is trivial and integrated in most OSes now. Again it's not perfect but it's an added "convenient" layer not requiring physical moving.

I think it is pretty funny that his suggestion is that you should set up your own VPN. Your hosting provider knows your real identity and is going to shut you down very quickly if something happens and is far more likely to yield to legal pressure because they don't earn money from privacy. Meanwhile for a VPN provider it would at least make sense to invest into a legal team that at least throws empty threats into the recycling bin instead of "selling you out" as soon as there is even a hint that you are a problematic customer.
There are hosting providers you don't need to give out your real identity to use and would fight any attempts of getting the details they do have on you, to law enforcement or others.

Obviously if you want to protect your identity, you need to do that at every level, if you're hosting your VPN somewhere, that includes from the platform you're hosting your VPN at.

Since someone already answered the second part, I'll take the first,

>There are hosting providers you don't need to give out your real identity to use

Even if you don't give them your real identity, they have access to the IP address you are connecting from which to a big enough adversary is enough to identify you.

Not necessarily. First not all providers store IP addresses and secondly you can always hide your IP, via multiple hops if you need to. Otherwise there are hosting providers you can sign up to in person, while being masked if needed, and there wouldn't be any IP traces then.
> and would fight any attempts of getting the details they do have on you

That sounds like one of those things that original article says "can never be verified". Correct me if I'm wrong.

You can definitely verify this by looking at court orders and more regarding the company in question.
In defence of the big VPN providers.

1) Why would you keep logs, when you could then be compelled to hand them over?

2) As setting up a VPN company is easy/cheap, you conversely have to spend a large pile of cash to advertize your way to the top. The only asset you really end up with is your name/reputation. Publicly burning a customer would be incredibly expensive.

Adjusts tinfoil hat I think the point about VPN providers acting as a honey-pot might have some legs though. Seems incredible to think that whilst NSA and the rest are determined to detect illegal activity online, VPN providers seemingly thrive without any interference/intrusion. My view is that as long as you're not doing anything too bad, you're safe as the cost of your exposure isn't worth it.

Of course if the government was having trouble infiltrating/extracting information from the big VPNs due to the volume of traffic, pushing the 'people who really want privacy' to self-identify even further, by creating their own service makes sense. All the traffic emerging from it (even if encrypted, you know where it's going) can be tied back to the single user.

> 2) As setting up a VPN company is easy/cheap, you conversely have to spend a large pile of cash to advertize your way to the top.

Therefore, it seems obvious that the VPN companies with the largest advertising budgets (perhaps even running a deficit) are run by intelligence agencies. They recoup their investment on the data harvested.

If there are trusted and untrusted agents, and you can’t tell the two groups apart, it’s sensible not to trust anyone.

Also, the government, in addition to setting up honeypots, could simply require the providers to log. The way that it works, there are only a couple of people in the company who need to be aware of that; such fact will never be known to the public. There is zero audit trail.

>1) Why would you keep logs, when you could then be compelled to hand them over?

Yeah that's a good point. If you keep logs then your legal team will have to do more work. It actually costs more to keep logs and customers will leave you for a competitor, meanwhile there is no opportunity to earn extra money.

There are definitely lots of misconceptions about VPNs and some ridiculous claims by VPN providers for things like security or malware protection.

Still VPNs can be useful to access content/networks that otherwise you can't.

As for privacy, it comes down to trust. You mentioned HideMyAss but other services have a good track record, far better than most ISPs that publicly state they share information with 3rd parties.

The article raises a few very good concerns about using VPN services, however, the headline is completely misguided. There are valid reasons to use VPN, some even mentioned in the article. One just should not consider it a silver bullet which magically protects you in all aspects. And it is good to warn about non-obvious weaknesses of the concept, especially as most readers are not security experts.

It is however important to tell users, where using a VPN can greatly enhance safety. It does protect your traffic up to the VPN provider. This protects from unsafe local networks and also from any state actor in the country you are in. It doesn't protect from state actors in the country where the VPN exit point is, but depending on which states both are in, can make quite a difference.

I haven't seen any discussion of this, so I assume I'm wrong.

Can't you solve a lot of these problems by chaining VPN providers? It would only take one running securely and not keeping logs to make it impossible to trace the connection from the destination to you.

I guess the point is do you trust your hotel more than your VPN provider or not.
I subscribed to ProtonVPN for more privacy and security when I travel and have to use hotel WiFi. I trust them. In general I don’t agree with the article.
I can't seem to find a reliable source, would AWS or Azure penalise you for using a VPN for torrenting? I've heard about accounts being terminated because of hosted seedboxes on VMs, but I'm not sure what would happen with a VPN + Torrent combination.
If the torrent traffic is over a vpn out of the datacenter you're fine. If the torrent traffic is going out of that vm (like a seedbox) then certain providers may ban you. Many do allow bittorrent because of things like syncthing though.

Those seeding public torrents are in trouble if they get an abuse complaint. Most providers don't like those and will boot you off real quick.

Considering the networking costs of Azure and AWS, it's hard to see why anyone would want to use them for torrents, with or without VPN. lowendbox have much cheaper alternatives for such boxes.
Unless you explicitly need speed, or they're your only option, why do people use VPNs for privacy over Tor? Do they provide any benefits other than being faster? I thought Tor was a much more secure option if privacy in particular is your objective.
TOR exit nodes are more likely to be flagged than VPN servers.

Though even for accessing TOR, using a VPN is a good idea. If you're planning on doing stupid things like mailing in a bomb threat to delay your exams because you haven't studied enough and you're using TOR, the usage itself will point at you if you're the only person using it. Had they used a VPN to access TOR, they wouldn't have been caught that easily.

[1] https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-...

> Kim was taken into custody on Monday—identified as one of the few Harvard wireless users who was also on Tor at the time. When interviewed by an FBI agent and an officer with the Harvard University Police Department that night, Kim admitted to sending the bomb threat emails and said that he acted alone.

Based on this it sounds like if he hadn't confessed he wouldn't have been caught. After all, it would still be on the prosecutors to prove he used tor to send the threat, instead of just using it out of paranoia or something.

Thanks! This makes sense.
People use VPNs at the router level, pushing all network traffic through it. They're also commonly used for torrenting. Both of those require speed.

Additionally, there are still benefits to using a VPN in addition to tor: https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN...

> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

What if your ISP is a known-hostile network?

This is a pretty printing article that completely misses one of the main reasons to use VPN: browsing resources blocked in your country. I use VPN to open LinkedIn and watch West wing on Netflix, and I couldn't care less about who gets to know about it.
Also bypassing throttling like cell carriers limiting video bandwidth to a small fraction of normal speeds. The article also ignores the multiple VPN providers who have been subpoenaed in court and replied that they have no logs. So either they don't log or they're willing to lie to a judge on their customer's behalf.

I feel like every few months one of these holier-than-thou anti-VPN articles hits HN where the author completely ignores the real demographics and use cases of commercial VPNs and acts like our primary concerns are ISPs finding out what color of underwear we like. Most people use VPNs to watch Netflix and steal Game of Thrones. They don't leave them turned on because they noticeably increase browsing and gaming lag.

Yup, this is my use case. I live way out in the middle of nowhere, and our internet is LTE - and the provider traffic shapes like crazy, depending on content and time of day.

The VPN sidesteps all of that, and allows me to use the full speed of the connection - otherwise we’re throttled to about 40%.

Yes, I could and probably will set up my own endpoint, but for less than a dollar a month this is just an easy and cheap solution, for now.

Unless you are a high profile target, the most important factor would be whether you trust it more than your ISP (which you should in most parts of the world).
> Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

Wow, I didn't know VPN providers have broken SSL and can read all that traffic.

This was on the frontpage before. Are people just upvoting it for the clickbait headline without reading the points that are being made?

The article isn't making that claim. Logging the traffic can for example mean storing CDRs for the connections. The kind of thing your ISP could also do, and in many jurisdictions is legally obligated to.

They could do per-flow logging of TCP flows (subscriber 89 made a TCP connection to 1.2.3.4:567 starting at 12:00:05, ending at 12:02:04, transferring 10kB up and 1MB down). In the worst case this would also include the TLS SNI, which is transmitted in plaintext.

Or they could do logging based on the endpoint (subscriber 89 transmitted 1MB from IP 1.2.3.4 in the 15 minute interval 12:00-12:15).

Well he's not wrong. Traffic is far more than perfectly configured TLS.

DNS, SNI and mixed content are all insecure for the vast majority of users. You can learn a lot from HTTPS traffic.

I'm not sure I get your point.

If you think TLS is adequate to stop a VPN provider figuring out what you're doing, why isn't it good enough to stop the ISP/Government/evil coffee chain IT team?

It's good enough to stop the government from knowing what exactly you send, but not who you send it to. The VPN provider can know what servers you send it to, but that's usually not your threat model.

Short of using a VPN provider that's a front operation of the government you're trying to avoid, VPNs do a good job in adding a layer of protection. The proposed solution in the article (rent a VPS) does not, as the IP is unique to you and tied to your identity, the hoster has no incentive to protect your identity.

Even if your content data are encrypted using TLS, your metadata will still be logged.

And metadata can be just as useful for violating your privacy as content data.

Or maybe they employed the principle of charity. The provider can see all your [encrypted] traffic [including from/to pairs].
They don't need to look in the content, they only need to check your DNS queries.
That is why one should use DNS over HTTPS, so to track your DNS queries they would have to track your requests at the DNS server.