Netherlands VPN servers at risk now?

Saw this on the AirVPN forums. Apologies if it's been posted already.

Majority of AMS-IX members support set up of US-based legal entity
https://www.ams-ix.net/newsitems/104

Two of the five members of the AMS-IX Board are from U.S. companies (Google and Level 3 Communications): https://www.ams-ix.net/about/organisation/the-ams-ix-board

I know the statement in the first link discusses making sure they are legally protected, but I'm sure the U.S. government and any relevant agencies will have their hooks in them if they have a presence on U.S. soil.

We might have to scratch the Netherlands off our list of "safe" places to connect to when choosing a VPN exit node.

 

So what countries are safe at this point?

 

That depends.

Safe from whom?

Russian VPNs are safe from the US, unless you're very, very interesting.

US VPNs are at least somewhat safe from Russia.

Swedish VPNs are probably fairly safe from everyone except Sweden. Mullvad documentation basically tells you that.

It may be that VPNs in places like Malta and Panama are safe because of nationalism/isolationism, and bureaucratic corruption and inefficiency. But that didn't save Liberty Reserve.

 

I'm unclear on how this makes the Netherlands either more or less "safe" than before. Is there some technical reason?

Isn't what made them "safe" to begin with mostly that it is a different legal jurisdiction from the U.S. and therefore not subject to secret U.S. court orders? Doesn't that remain true even with the proposed changes?

From a technical perspective, isn't the NSA free to do whatever it wants outside of the U.S. borders (as far as U.S. law is concerned) and therefore if they have the means to intercept traffic anywhere in the world, they probably are already doing it.

And doesn't the fact that they specifically mention ensuring that they are not subject to "interception activities by US government agencies" at least mean they are trying to address the issue head on and openly, which perhaps makes them safer than systems that are not dealing with the issue or being open about it? (Of course, putting aside whether technically it is possible to achieve the goal.)

I'm honestly unclear on what difference this makes.

 

The difference (I believe) is that once they have a legal presence here, it might make it easier to fall prey to the FBI (or other alphabet agencies) ordering them to hand over information regarding traffic, logs, etc. I only know what was posted on their site, the same thing you read. But my guess is that it does not make them, or their customers more safe by having any sort of presence in the U.S.

 

If the NSA really wants to listen on a VPN the will simply route the traffic so everything passes one of their servers ..
And if your VPN only uses PPTP they can read everything, in real-time, and that is guaranteed by M$ .

I have seen this happen !
(or rather : I am 99.999% convinced that was what was going on)

Shortly the story is :
I was using a Swedish VPN who only offered PPTP at the time .
One day, I noticed the ping was horrible,
so I ran some trace-routes and whaddayouknow ?
Despite the fact that I live right next to Sweden, everything was routed first to some place in 'Germany' , then to 'a place outside London',
then to the USA and THEN it went to Sweden !
This was all shortly before the US-ordered change of file-sharing legislation
in Sweden and shortly before the first big raid on a certain Swedish website ..

 

Please remember trace-routes are notoriously inaccurate. Country flags/names associated with IP ranges can a lot of the time be just plain wrong.

 

This make me laugh because why you think before that Netherlands is so safe?
https://www.techdirt.com/articles/20130507/07065022977/dutch-law-would-authorize-police-to-hack-into-foreign-computers-phones-what-could-possibly-go-wrong.shtml

 

Maybe Russians will not nicely cooperate with US and give over monitoring informations but US is probably even more interested in tracking communications to/from Russia than other places. Same with China. So that is double-edge sword.

Small countries like Panama have smaller internet profile or volume of data transmissions so maybe make it harder to be lost in the crowd there. And easier for more powerful governments like US to put lot of pressure on their government and businesses to extract informations.

 

Well, the Global War on Terror is . . . global.
Maybe your data get caught in it.
Just hope as you say you are not very, very interesting.

http://www.theguardian.com/world/2013/feb/05/cia-rendition-help-european-leaders

 

I never said it was. Notice I put the word "safe" in quotations. But I'm glad you had a good laugh.

 

hi

I used to appreciate Amsterdam, the Ajax and the modern law of this country, but news like this one lets me quite disapointed.
More about the NSA scandal and its impact on Netherland by taking a look at this excellent blog

http://blog.cyberwar.nl/2013/10/dutch-govt-response-to-parliamentary_18.html

http://blog.cyberwar.nl/2013/09/surfnet-ams-ix-should-not-set-up-shop.html

http://blog.cyberwar.nl/2013/10/dutch-govt-response-to-parliamentary.html

http://blog.cyberwar.nl/2013/09/dutch-govt-response-to-revelations-by.html

Rgds

 

What country-flags ??
I'm not using some 'fancy' newbee GUI-traceroute app .
I see the IP's of the hops my packets take and look them up in WhoIS ..
And when it normally takes 3 hops to reach the VPN-server,then suddenly takes 18 hops ....

 

I am specificaly interested why you believe Malta is a safe place to incorporate a VPN service? I use IVPN. This is my understanding. Please do not hesitate to correct any errors. Malta is part of the EU. Malta has transposed the EU Data Retention Directive (DRD) which means ISP's are required to log data in Malta. I have read everything there is to read about IVPN on their site. I have done my own independent research and have spoke with Amanda, Sam and Chris from IVPN. It appears to me that Malta does not require the logging of VPN customer data. My independent evaluation of IVPN is that it is close to the best VPN service provider on the planet. The entire company seems to have been formed around the ideals of the EFF and groups like Anonymous. Please educate me. There is one position that is worse then not knowing. In this iteration the bad thing is trusting a VPN company to not log your data and find out that it is doing just that.

Thank you

 

You've done more research than I have. Thanks for sharing

AirVPN says pretty much the same thing about itself. Plus, they actually did get shut down in France, and moved to Italy.

From a design perspective, the key thing is using dumb read-only OpenVPN servers that can't log (because they have no storage) and that authenticate connections from remote servers that are hidden and well-secured.

I've heard that Malta is corrupt, nationalistic and bureaucratic.

But in the end, users have no way to verify any of this. Given that, it's best to distribute trust, so that multiple parties must collude in order to compromise you.

 

@Mirmir:

I have both looked at Airvpn and of course IVPN. I can share with you that by the information they are positing Airvpn does not hold a candle to IVPN. The dedication to true anonymity and privacy from IVPN is seemingly extreme. I respect you Mirmir. Can you please take a serious peek under the cover of IVPN? I am a customer and can tell you that I have compared what they say against performance and I am impressed. Your educated feedback would mean a lot to me.

Thank you regardless.

 

I'm curious, how did you come to this conclusion? What do you believe are the drastic differences between AirVPN and IVPN?

 

This applies to Italy as well, but the nationalistic.

@Pcdoctor: let's not mix up ISP retention data law with VPN logging, they are different matters and basically the Data Retention law does not apply to VPN.

 

That's my understanding as well. That's why I found it interesting that IVPN seems to imply that other VPN providers who offer exit nodes in the Netherlands can't be trusted. https://www.ivpn.net/data-retention-laws/netherlands

 

Going to be quite strange if Netherlands is off the list considering its one of the top servers most folk connect to.

I always figured Airvpn were based in Italy, but many folk have suggested Italy are in bed with America and share data like its chocolate mms.

Which server to connect to next ?

I think more and more its looking the more wiser to connect to 2 VPNs and to make sure you use Full Disk encryption on All drives including the most important one ie the one with the os or Windows etc, and then to use vboxes and virtual os/whonix or tails etc. Heck ill create an additional paranoia barrier and make a Ram drive within the encrypted drive

 

With FDE on the host machine, running VMs in a ramdisk is probably overkill

If you want stronger annonymity than VPNs can provide, given the risk of compromise and logging, add Tor to the mix. Something like VPN1->VPN2->Tor->VPN3 is probably overkill for anyone reading this.

For VPN3, use free SecurityKISS, or pay with Bitcoins that have been thoroughly anonymized. Two or three rounds of mixing should do it, using Multibit wallets in multiple Whonix instances, through OnionBC and Bitcoin Fog. Check each wallet for taint from the prior one at Blockchain.

 

Yes, I agree ISP logging and VPN logging are entirely different matters. If they were not no VPN service in the EU could exist without the legal requirement to log data. That is clear.

@Fawkesguy: I want to respond to a couple of things you say. The easy one first. I read the url you posted regarding IVPN's statement regarding the Netherlands. It appears to me they are talking about the transposition of the EU Data Retention Directive and using it to bloviate somehow about their own service. Ok, most companies engage in that type of nonsense to some degree or another. I must admit that I had not seen that post before.

Now you had asked me to talk about my review of AirVPN vs IVPN. I need to say first that AirVPN and IVPN are two of the top providers. In my mind there are two primary considerations when choosing a VPN service. In the country a vpn service incorporates in what are the data retention laws regarding ISP's and what are the data retention laws regarding VPN's. In the best of all worlds you choose a VPN service in a country that finds data retention logging unconstitutional. Most EU countries have transposed the DRD at this point. For our purposes right now we are discussing the Netherlands and Malta. Both countries fall under and have transposed the EU DRD into law. Both countries lack VPN data retention laws. Good for us.

My next consideration is transparency when it comes to talking with customer service. In this area I find IVPN much stronger then AirVPN. I tend to put extreme pressure on potential VPN providers. Under multiple different email addresses I have been extensive email contact with both companies. Much to my pleasure I found that IVPN when placed under pressure simply answers your questions without a lot of pretense and hedging. In order to trust a VPN service I need a lot of technical details about how they operate. IVPN provided everything I wanted in a friendly easy going manner. AirVPN on the other hand was harder to drag information out of. I find this type of behavior suspicious. Next, what attracted me to AirVPN was the huge numbers of breakouts they have. IVPN is more limited in that regard. I questioned both companies on the numbers of breakouts they employ. IVPN's response was they are well funded and put their resources into ensuring throughput and bandwidth. IVPN feels that that developing infrastructure first is more important then having 20 breakouts (sarcastic on my part). I have used IVPN for a year now. I had subscribed to AIR for a month. In my opinion AIR has over extended themselves to provide as many breakouts as possible. In short I find IVPN to be smaller then AirVPN but the level of service they provide IMO is higher quality. Bear in mind that since we are discussing two of the better services in the world we are talking about shades of grey here.

Also I thought hard about responding to this thread at all. With the current threat level within the United States post Snowden I have slowed down my posting in Forums in general. Real reviews are dangerous. I got past that on this issue because choosing the correct VPN is essential now.

My suggestion to you guys is to take a very serious look at IVPN. Absorb their page. Read everything there is to read about them. I have been astounded.

 

mirimir: yeah your right perhaps tad overkill, I may still do it lol

Just like the idea of a ram drive, and knowing if encryption ever failed at least in a ram drive all trace or files is gone. I would still run privaZer and ccleaner+addon daily to clean, cant hurt since its set to auto for startup and upon shutdown, hopefully privaZer will add more options to start at start and shut down too

 

j/k. Ajax has been national champion 3 years in a row btw, it's not mandatory 4-3-3 anymore but not doing bad, CL is a money-game it cannot finance though.

On topic;
The AMS-IX/Amsterdam Internet Exchange has issued a press release. link
In short, the decision to setup shop in the USA will be done through a separate legal identity.
Internet Exchange(s) in the USA will not have a direct/physical connection to the AMS-IX and a Delaware Ltd. has been chosen as legal framework after consulting legal firm Jones Day, AMS-IX will only be a shareholder in it's subsidiary.
This framework is supposed to avoid any control, ownership or management of AMS-IX data or physical equipment by it's USA subsidiary, thus avoiding any Patriot Act et al issues.
Run the linked page/https!->text through Google Translate link for full details.

But who are we kidding. The NSA and GCHQ are already fist-deep in major EU networks.
When Merkel reads her own phone number in the morning newspaper 'NSA article ###' and Belgians are desperately trying to remove US/UK government rootkits/bootkits/malware/etc on their networks, a legal entity this and infrastructure that, doesn't mean much.
The US subsidiary will have a gag order on day 1 and will thus be forced to tell liesleast untruthful answers 'till kingdom come.

 

Sad, and most likely true.