[wlkr]

I'm very interested to see how some VPN providers react to this. For a zero logs VPN provider, if such a thing can really exist, how big of a problem is this? Presumably many customers pay with a debit/credit card already so there's some PII on file? Usage remains the same? Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.

Of course, we're sliding quite rapidly down that slippery slope here so I'm sure logging and easier government tracking would be next. The justifications will get weaker and even more lacking in supporting evidence for their implementation.

[FrostViper8]

> Presumably many customers pay with a debit/credit card already so there's some PII on file?

Yes. But I think most of the zero logs providers will remove the identifiable payments details after a certain about of time. e.g. Mullvad have a specific policy relating to what is stored and retention time (I am not affiliated with Mullvad, I just use their service).

https://mullvad.net/en/help/no-logging-data-policy#payments

> Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.

Or you can use Tor. I will just use a VPN that lets me pay with Monero or some other crypto currency. None of this will stop savvy people.

[chrisjj]

> But I think most of the zero logs providers will remove the identifiable payments details after a certain about of time.

No problem there. Once a user is old enough, he stays old enough.

[FrostViper8]

The entire point of using a VPN is so that you don't have to provide photo card ID to a third party. So obviously there is a problem.

Most of these VPNs provide alternative payment options other than Credit/Debit card e.g. Monero/Cash etc. So it would undermine the entire point.

[c0n5pir4cy]

I believe a whole host of VPN providers have no real need to comply with this amendment if it passes the Commons.

The providers are structured in a way that makes forcing compliance difficult and have built their whole business model around this. NordVPN is registered in Panama for example and Mullvad lets you send cash in the mail and doesn't store any user details (even a hashed email).

It'll be interesting to see how & who reacts if it does pass.

[fartfeatures]

There are already solutions that do the double VPN thing for you. For example https://obscura.net

[traceroute66]

> For example https://obscura.net

Obscura ....

"Terms and the relationship between you and Obscura shall be governed by the laws of the State of New York"

Yeah, erm.

Now more than ever, trusting a US jurisdiction VPN provider ? No thanks !

[fartfeatures]

> Now more than ever, trusting a US jurisdiction VPN provider ? No thanks !

The whole point of Obscura is you aren't trusting any single company. A Swedish company and an American company would need to collude to cause a problem. Unless you know something I don't?

[traceroute66]

> The whole point of Obscura is you aren't trusting any single company.

First, Mullvad's infrastructure has been independently audited.

Mullvad integrity has also tested as proven by a legal case where they were subject to a search warrant when someone was trying to claim copyright infringement.

As far as I can tell, Obscura has not had anywhere near the same scrutiny.

Second, obscura is the first hop is it not ?

Therefore it may well "only" relay the traffic to the exit node but it is still a relay and hence open to SIGINT analysis by the US.

I would have thought therefore using Mullvad's built-in multi-hop mode on their audited platform would be the wiser decision ?

Or Tor if you insist on multi-party ?

[fartfeatures]

Hence why Mullvad is being used as the exit point.

You have full e2ee between yourself and Mullvad but crucially Mullvad don't know who your IP. Five eyes are already doing SIGINT on behalf of both the US and the UK government before my connection even reaches Obscura so I lose nothing but potentially gain privacy.

How is it you think a single company (Mullvad) having access to my IP and what I am browsing is less secure than splitting it up amongst multiple providers one of which being Mullvad with that audited platform you talk about?

If I wanted Tor on top I'd layer it on top too but that would still be a single point of failure.

[traceroute66]

I see you are carefully skipping around the point ....

Where is Obscura's independent audit ? When has Obscura been tested to the same extent that Mullvad was during its court batttle ?

Answer it wasn't.

Therefore Mulvad Multi-Hop mode. Or Mullvad + Tor, if you insist. Is the safer choice.

And the US juristiction of Obscura is not something you can brush under the carpet like it somehow doesn't matter.

With Obscura you are just throwing your first-hop traffic against an unknown. And an unknown that is under US jurisdiction, and hence PATRIOT Act etc.

[chrisjj]

> Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.

Surely they can simply buy that direct ... at least until the Govt. requires ISP to blacklist.

[fartfeatures]

Sadly if you look at how the law is drafted its setup to catch companies that have a significant UK base not just those that advertise here. It is highly likely for compliance reasons (as we saw with imgur and others) that they will simply block the UK themselves.