General views on VPN and privacy

Hi there. Been reading about VPNs, and I'd like to make sure I'm getting the whole picture, so I'll try to summarize what I "learnt" so that you can tell me if any of my "conclusions" are wrong.

"Dangers" that VPN services are supposed to protect you against:

-Your ISP, which might log your IP and/or your traffic, either for their own "evil" deeds or to cover themselves if an authority asks for those data.
-"Weak" authorities, which might track you down via your IP either to "punish" you for minor "offences" (i.e. use of P2P to download copyrighted stuff) or as part of some orwellian conspiracy.
-"Strong" authorities and/or cybercriminals, which might, besides finding out your IP, actually listen to your traffic and know exactly what you do on the net, either if you did more serious offences (the former) or if they want to steal your credit card data or watever they do (the latter).

So, among VPNs, there's a key distinction to make, which is whether they log data or not. This takes me to conclusion #1:
-It is useless to use a VPN that logs for purposes such as anonymous P2P. It's a no-brainer that if the VPN can actually give away your real IP, you're just as compromised as you would be if it was your ISP and not your VPN that the authorities had to ask.

As for the case of VPNs that don't log, that takes me to conclusion #2:
-If they don't log, and then there is no way to correlate the "fake" IP (the one allocated by the VPN) and the real one (the one alocated by the ISP, practically invisible because you're using a VPN to hide it), that equals anonimity, which equals impunity.

The only thing that would threaten conclusion #2 would be a VPN that lied about not keeping logs, or one whose encryption was so weak that it allowed attackers to find out your IP or listen to your traffic.

VPNs, however, even the ones that claim they don't keep logs, have ToS, stating prohibited activities. If they really did not log, they would have no way to actually enforce their ToS, so this takes me to conclusion #3:
-If a VPN claims not to keep logs, but state that you may not do this or that, then they're actually keeping logs, or just trying to scare you into abiding by their ToS (or trusting that you will).

So what I'm mostly interested on knowing is:
-¿Are there really VPNs that don't log at all? Does the law allow that? Or when they say they don't log they just mean they keep logs "to a minimum", so that they only know about you whatever might be crucial to know in case they're pressed by an authority?
-Are "honeypots" actually set using VPN services? Are there known cases of VPNs that were actually used to log IPs and traffic in order to catch "offenders", regardless the seriousness of those "offences" (which would be borderline entrapment)?

 

You've summarized the situation pretty well, I believe.

What it comes down to is trust. You need to trust your privacy/anonymity provider. Indeed, you need to trust them more than you trust your ISP, or even your government and its agencies. However, it's also important to recall that your privacy/anonymity provider may need to lie about its logging capabilities -- either to customers, or to authorities that may be investigating them. Perhaps it's actually incapable of policing users, and just says whatever's appropriate to seem respectable. Indeed, perhaps you and other "customers" are just helping to hide the true activities of the provider. Etc., etc. ...

Personally, I doubt that I'll ever know. Or rather, I trust that I'll never find out

 

Every ISP (which what an VPN provider is) will keep logs, no matter what they say. The trick is finding one that's located in a country where they can't get to the logs. For example, Perfect Privacy has a server in Iran, I really doubt any western governments will be able to get to those logs.

 

The idea of Iran being privy to my secrets is not reassuring

Better yet would be securely-encrypted routers/servers that can't be accessed without the cooperation of multiple individuals in multiple jurisdictions who can't be jointly coerced. Yes?

 

I agree with this, I am not sure if it could be called a VPN service, but a chain of three proxies in different countries would definetely slow down anyone in search of the end user.

JonDonym, a proxy provider, is a good example of this set up (chained proxies).

I used them briefly and I was happy with the speed, they also let you choose the chained proxies and final IP.

Prices of course, are higher than those of a VPN.

 

Just to be clear, I was talking re the admin setup for each router/server (node) in the network. Also, each node would have a different (perhaps overlapping) set of admins. This would apply to networks of arbitrary complexity. Using remotely-administered VMs, there's no need for any of the admins to live in the same jurisdictions as any of the nodes. I don't believe that any service not using such a model can claim to be secure, no matter where it's nodes are located. OTOH, I can imagine that managing such a setup could be a nightmare.

 

I am pretty sure this is the way Xerobank is. No one person can compromise it's security. At least I "think" that is the way it was explained months ago.

 

According to Steve, chaining proxies does not necessarily improve anonymity. In fact, it can weaken it.

 

How so?

Can you please provide to link to this info so I can get a better idea of why he feels that way.

Thanks

 

Bingo!

You asked a lot of good questions and made a lot of very good conclusions. As you suggest, VPN services ultimately cannot be trusted. After all, they have your credit card info, your name, your address, etc. Some of these services claim they do not have any way of "linking a real name to a user account" but one must take their word for that since they don't reveal their methods and usually don't open their source code. One popular VPN service wont even tell you where their operations center is located. That's security through obscurity if I've ever seen it, and when a VPN (or any other type of security software) must rely on security through obscurity, that means they can't provide much of either.

And you're right about those who claim they "don't log." If you read their fine print they make it clear that they do in fact log in order to "maintain network health." What this means is they log so they can kick abusive people off the network. Now, if they had no way of linking a real person to a user account, how would they know who to kick off? Therefore, one can only conclude that they know what you're doing, and you can guaranteed that when the Men in Black come a knockin' they will roll over on you faster than Sammy the Bull did on Gotti.

Think about it, do you think they are going to risk their entire business because one customer is engaged in questionable activities? Nope. They will cooperate with authorities. Of course, I am not advocating anyone engage in illegal activity, but am merely making a point that the VPN services cannot, even if they wanted to, provide perfect anonymity. Besides, the real black hats or those doing illegal stuff would never use a VPN of this sort. More likely is they would use a botnet or even Tor.

And the truth is there aren't many places left to put a VPN server without being subject to snooping and data retention laws that many nations have in place. Even the US is about to pass such laws (ISP's must keep backlogs for 2 years if the FBI gets its way).

So, what can one do? Well there is Tor. Yes, it can be dog slow at times, but it's really the best we've got. Why? First, because there are no secrets with Tor -- the source code is 100% open source and the network topology has been scrutinized and peer reviewed by many experts in the field.

Second, people are constantly trying to find flaws with it (and sometimes do) and this is all hashed out in public view. The more Tor is scrutinized, the stronger it becomes (much like encryption ciphers such as AES).

Thirdly, Tor has thousands of nodes, which increases anonymity and decreases the chance of a few compromised nodes hurting one's anonymity.

Fourth, Tor does not log activity (yes a malicious hacker can modify the source to enable logging, but that's why having more nodes available is important).

Fifth, Tor is encrypted end-to-end (along the circuit) which means no node within the network can tell from where the original connection originated. A malicious exit node CAN see what you're doing, but he cannot see who you are. The entry node can see who you are but cannot see what you're doing. When you add in a middle node (which keeps the entry from comparing notes with the exit) it makes you untraceable.

Sixth, Tor is backed by the EFF, which is a non-profit organization dedicated to freedom and privacy on the Internet. The EFF is probably the greatest champion of Internet privacy rights in existence. They aren't out to make a quick buck like the VPN's.

The only way to trace through Tor (barring some flawed implementation and setup like using Javascript) would be via someone who already has a suspect in mind and who can watch all nodes at the same time so that traffic correlation and analysis can be done. Basically, this would be a very large and costly operation that would take the likes of the NSA. For example, if the NSA already suspected you of being a subversive who was visiting terrorist underground websites, they would have to watch your Internet connection at your ISP, find out which Tor entry node you connect to, and then correlate it with the tor exit nodes that visit the targeted website. By looking at time-stamps they could connect the entry node to the exit node.

Other than traffic analysis by an all-powerful agency (or a flawed browser), in order to compromise one's identity, all 3 nodes along the circuit would need to be compromised and this is increasingly unlikely with the more people that run nodes. In fact, contrary to the shoddy logic of some VPN providers, it is for this reason that more nodes do provide better anonymity. (One provider claims fewer nodes is better for anonymity!).

And there are other anonymizing projects one can look into. There are F2F networks like anoNet that don't try to hide your IP, but rather merely assign you a new one to connect to the VPN with. This has the same anonymizing effect as Tor. If no one knows who owns an IP, then one shouldn't care if everyone sees that IP. You can think of it sort of like being on a private LAN with a NAT'ed IP. 192.168.1.1 means nothing except within the LAN.

 

Really, at some point, you just have to trust your VPN provider. If you don't then there is no reason to be with them. Its true, they probably do keep logs but if its halfway around the world its going to be an awful lot of trouble for anyone to get them. And when it comes down to it, you are still better off with the VPN. I mean, you can be almost guaranteed your ISP is spying (I know from experience) but the VPN host may or may not be watching and may not even care. If they do watch they are probably looking for spammers and people abusing their servers (ie making trouble for them). Not for a legitimate user just looking for some privacy. And it would not be in their best interest to expose their own users unless they absolutely had to by law. So, at the end of the day, the VPN is still the smart choice.

And I agree with you, chronomatic. Tor is a fine service, albeit slow as all hell.

 

It is increasingly obvious that it is too difficult for people to evaluate anonymity and privacy systems, and the effective protection they provide. This is exemplified many times on this forum in particular, even this thread has many fundamental misunderstandings. Even I have to scratch my head sometimes and think about an implementation and still come up with more questions than answers.

So I have been working with some other anonymity and privacy experts on this subject. We are nearly done with user-oriented grading system for anonymity services. With this system pretty much any service provider, free or paid, public or private, can be measured by the level of anonymity provided to users against defined adversary classes.

It ought to clear up practically all these issues and questions, and provide a simple yardstick for comparison of implementations and networks. Granted, it is oversimplified against baysian analysis and compound threat analysis, but in exchange it provides an immediately appreciable measurement that says "this network can protect against adversaries up to X level".

This includes all vpn services and non-vpn services, public networks like tor and jap, and private networks like jondonym and anonymizer and more. Practically everything can be rated using this easy to understand system.

When complete, which should be soon, we will make it public and may even present it at a conference.

 

I've been checking on Perfect Privacy lately. Apparently, every user that's connected to the same server will get the same IP. Am I missing the point completely, or would that give you pretty much perfect plausible deniability? If I understood correctly, no external entity could identify you as a user, since any IP they might try to track down could correspond to just any user that was logged in at the same time, so it would effectively make you anonymous unless Perfect Privacy themselves were a honeypot (which they don't seem to be, since they've been around for long, and pretty much every negative comment I've read seem to come from trolls). Your thoughts?

 

The logic is correct only if the VPN has an association between (1) the web traffic of a user and (2) that user’s identity. In the case of xB VPN, these two are distinct: the account identity isn’t linked to the usage of the service -- i.e., knowing the latter doesn't allow you to infer the former. Thus, it’s possible to enforce the terms-of-service against a specific user without knowing that user’s identity and, in this way, preserve the anonymity of the user.

SteveTX can, of course, explain this concept better than I.

 

I use Perfect Privacy and I'm pretty happy with it. That is indeed how it works, you connect to one of their 2 dozen servers and you get that servers IP address. Any other user connecting to that server will also get the same IP. They list the server stats and at any one given time there could be a couple to as many as 30 users on the same server. So I think this is very good for privacy, especially since there are so many servers that you can switch around to at any time. Of course, a powerful global adversary could probably find you if they wanted but PP seems safe enough for my needs.

 

I am new at this so if this is a dumb question, forgive me. Is there any way to get end to end encryption with some kind of software product? Would this provide sufficient privacy and security? Does packet encryption provide end to end protection?

 

Encryption is for privacy, not anonymity. So, with that in mind, yes, there are many ways to encrypt data and transport it from point A to B. If it's e-mail you are interested in, then PGP (or Gnupg) is the way to go.

If it's web browsing, then the only way to ensure privacy is by visiting sites that use SSL/TLS. However, even SSL is not perfect because of the inherent weakness with the certificate authority model (there are way too many of these CA's and you can't trust most of them).

If it's secure IM you are interested in, then use an IM client that supports OTR encryption (Trillian and Pidgin are two on Windows).

Ipv6 has IPSec built into it, which means when it finally becomes the standard, every packet on the Internet will be encrypted by default. This should negate the need for SSL and certificate authorities.

 

So there is no way to generally encrypt all your internet traffic? Does Xerobank do this?

 

XeroBank encrypts from your computer to its exit node. Any good VPN does the same. Other advantages distinguish XeroBank from most other VPNs. There's lots on Wilders about that. Using SSL will encrypt end to end.

 

Xerobank encrypts all of your traffic from your computer to where it exits their server and is sent out to your destination (unencrypted). But there are some programs that I have been meaning to try, but haven't. They have end to end encryption for email and chat.

Enigmail:

http://enigmail.mozdev.org/home/index.php

And here's a little video:

http://www.youtube.com/watch?v=dmovWDGWOf4

Pidgin is a type of messenger for chat...similar to Yahoo etc... http://www.pidgin.im/

And there is a plugin called "Off The Record". It creates an end to end enryption between you and your chat partner. File transfers would be encrypted too, I assume.

http://www.cypherpunks.ca/otr/

Here's another little video:

http://www.youtube.com/watch?v=-X97_2Yt4Gs

Something else you can do immediately is to just write a letter or whatever on word pad or Office, zip it, and then encrypt it with a free program called AxCrypt and then email it. Of course the other party has to know the password. http://www.axantum.com/axCrypt/

TrueCrypt is another free program. But you make a truecrypt folder instead to put your files in. I think the smallest you can make is 5 mb. But you can create the TrueCrypt folder, zip it, and send it in an email....or upload it to rapidshare or mediafire and send the link to your friend. http://www.truecrypt.org/

Xerobank encrypts all of your traffic, but if you send a message through gmail, for instance, then it hits Gmail in it's unencrypted form. Gmail can't see where it came from but it has your unencrypted message. However, if you and the other party are both using Xerobank's email service, then it is automatically end to end from one email to the next. There is no other service out there that truly compares to Xerobank. And they are continuing to create newer and better services all of the time.

 

Thanks everyone for all the info. Very informative.