Is it pointless to use an American VPN company if you are an American citizen?

I am currently a ProXpn customer and I was told that the Government can simply subpoena that company for logs if they want them. So doesn't that basically make it kind of pointless?

just so i can get it off my chest I would like to say that i always thought that it would be impossible for the government to get a subpoena because the traffic is encrypted to begin with, which means they cant produce any probable cause to get the warrant. And, if the G-Men can break the encryption they would have to admit that in court and then IT security as we know it would be in question on a global scale. Do I have the right idea?

 

Probably want to look at this:

https://secure.eff.org/site/Advocacy?cmd=display&page=UserAction&id=461

Court orders are the least of our worries.

 

IMO, yes.

As the other guy said, the PATRIOT Act has pretty much destroyed the 4th Amendment. They don't need warrants in many cases, especially when it comes to snooping electronically.

This may or may not be true. Just because the traffic is encrypted doesn't mean they can't pinpoint who was doing what. And even if the traffic is encrypted, who's to say the VPN company doesn't have a master key? How can you know? Chances are if they are operating in America, they have some way of recording the activity of the customers.

Maybe, maybe not. It really depends on the case. In certain national security sensitive cases, the court transcripts are not publicly available, which means no one knows what went on at the trial. And those that were there are bound by NDA's and the like. We know, for example, that in certain terrorist trials in the past, the government introduced evidence that was classified (probably because their methods of how they got the evidence is secret). That is the big reason they keep such trials closed (military tribunals and the like).

In your regular run-of-the-mill criminal trials, all transcripts are publicly available, so it's doubtful the government would introduce their capabilities of encryption cracking for a case that is unimportant to national security. Therefore, I wouldn't worry too much about such a threat. If anyone can crack strong crypto, it would be NSA, and they are not going to worry with you unless you are a threat to national security. We know other agencies cannot crack the crypto because we have seen a number of trials where they admitted they couldn't.

Of course, there is also a possibility that they crack your crypto and then claim at the trial that they simply cracked your password or found a flaw in the software. The lay jury would have no way of discounting such a claim. So, the notion that "the government would never reveal their capabilities for unimportant cases" is not really true. They technically could simply "cover-up" the fact they cracked it at all. Of course, this is doubtful since, as I said, we have seen cases where they couldn't crack it (one case involved a mafia guy who used PGP and another was a Brazilian banker accused of fraud -- the FBI admitted they couldn't crack his PGP and Truecrypt containers).

It must be said, however, that most crypto experts are skeptical about anyone (even NSA) being able to read traffic that's been encrypted with strong state of the art ciphers like AES. These modern ciphers are so mathematically complex and require such a high level of computational complexity that it's doubtful even NSA can read traffic at will. The public cryptographers have rapidly "caught up" with NSA's technical expertise in cryptanalysis and cipher design (though they are still a number of years behind, but probably not so far behind to the point that NSA can simply break any cipher they create). The NSA's major advantage nowadays is they have such huge supercomputers that allow them to brute force keys a lot quicker than anyone else. Does this mean they can brute force 256 bit keys? Extremely unlikely.

 

thank you very much for that fantastic response.

 

Well I don't know what you're doing with your VPN. Are you really just connecting to SSL servers, if you're not then the government doesn't have to descrypt anything, Just Subpoena your VPN for the details of the user who accessed a particular site at a particular time with the known VPN IP.

If you were uploaing secret documents to wikileaks (as an example) then your entire trail is encrypted & I'd think you would be as safe as you would like to think you are, unless the G men really can descrypt AES SSL.

 

Interesting conversation, and good information. It is true that is highly unlikely that the NSA will bother with normal users who desire privacy but the ravenous types at DHS/FBI may.

What is your opinion on quantum computing and hash breaking possibilities?

 

As long as you use a true non-logging VPN, you generally have nothing to worry about--regardless of the country of operation. If a subpoena were to be issued, the VPN provider would not be able to honor it anyway due to lack of evidence/records, and the case would just go cold.

In the absence of logs, the only way your real identity could be revealed is if the VPN company is forced by law enforcement to put active surveillance on a live connection. Basically, that means a "black box" packet sniffer installed on the physical VPN server, designed to trigger logging when the suspect accesses the targeted remote site/resource (as defined by the scope of the investigation).

Considering the amount of time and resources involved, however, it's highly unlikely that FBI/DHS/NSA is going to go through THAT much trouble to identify a suspect--except for very high-profile criminal cases like terrorism, human trafficking, etc...