Hypothetical: To what extent should you trust / distrust your VPN provider

Many people on these forums are very skeptical about the actual protection that VPN services provide. This caution is in many cases warranted and prudent. However, their argument is usually based on a worst case scenario. I.E. You subscribe to ExampleVPN, and ExampleVPN is located in a privacy friendly country (SE/NL/ME etc) and claims in their privacy policy to keep no logs. The argument would be that you cannot trust ExampleVPN's claim to not log and you cannot trust them not to rollover and give out your real identity if threatened by law enforcement. These vulnerabilities are real, and are good to keep in mind (especially if what you're doing is highly sensitive or highly illegal -- not the case for most of us), but in my opinion this risk can be overstated. I do appreciate the worst case scenario discussions as they are very real for some people and give all of us a better understanding of the security/privacy vulnerabilities in our systems. But sometimes taking every scenario to the Nth degree and pointing out all the vulnerabilities of 'acceptable' privacy solutions confuses the novice or keeps them from using the acceptable solution which is undoubtedly better than no solution at all.

My intention for this thread is to start a practical discussion aimed at a particular group of people, to discuss the realistic protection provided by VPN's or other privacy solutions.

The Scenario
Agent: Little fish in a big pond (P2P user, low level activist/dissident, privacy enthusiast, low level public figure, etc)
Potential Adversaries:Identity Thief, Hacker, MPAA/RIAA/Anti-piracy group, Tracking/Data mining corporation, etc.
Who is not an adversary in this scenario: NSA, High level U.S. Government, Hacker targeting a specific individual, etc
Goal: Sufficient (reasonable) protection against the adversaries outlined above.

Topics to discuss:
Is it a realistic concern that a VPN provider would claim not to keep logs in their privacy policy and in fact keep logs that could be retroactively used to tie your IP address to traffic routed through the VPN? Assuming the VPN is in a country that doesn't require logging and that the VPN is not a honeypot or run by a malicious admin.

Which countries are most privacy friendly?

Non-VPN privacy solutions?

Strategies for evaluating the trustworthiness and/or competence of a VPN provider?

Any and all feedback is welcome!


------------------------------------------------------------------------

This is intended to be a discussion regarding reasonable privacy for those with moderate to low levels of risk. If you are looking for discussion regarding near-absolute anonymity, worst case scenario vulnerabilities, or discussions of high security privacy setups see these links:
Dasfox's: Anonymous Services
This thread discusses a huge number of Anonymity services (VPN and otherwise), their vulnerabilities, trustworthiness, and discusses how you can assess the strength of a VPN service on your own.

Happyyarou666's: Best VPN / VPN Whitelist
This thread is a more pointed alternative to Dasfox's catch all anonymity thread. The thread discusses VPN's primarily and has a rudimentary 'VPN whitelist'

AirVPN's: Explanation of using a VPN over the TOR network
This thread (on the AirVPN forum) explains how to improve your anonymity through using a VPN over the TOR network. They explain that near-true anonymity can be accomplished through VPN over TOR using Bitcoin as payment and false registration information.

 

To start things off:

I think a good starting point for a reasonable privacy solution for the target demographic outlined above could be:

1. Anonymization Layer: A VPN provider (or similar anonymization service) which is located in a privacy friendly country and has servers in privacy friendly countries, has a good reputation in the digital privacy community, and that the user trusts to an extent.
2. A blocking layer: A hosts file or blocking service (peerblock, etc) which can automatically block connections to the majority of known spyware/anti-p2p/government/ad serving/tracking servers.
3. Data Security layer: This layer is the most broad and should be designed around your specific scenario. Something as simple as HTTPS Everywhere / HTTPS Finder + Secure Webmail sounds like a good first step for novices. Adding further encryption such as GnuPG or PGP and using Truecrypt to encrypt the whole system might be beneficial for more advanced agents.

DISCLAIMER: I am by no means a security, privacy, or IT expert. Take what I say with a grain of salt and as purely hypothetical. I am a privacy & technology enthusiast but by no means a professional. Any constructive criticism is welcome and is in fact the purpose of this thread.

 

Recently I signed up for Mullvad.

Can I trust them? Probably, the guy running the site seems like a kind of internetactivist which is good for me because we both want unlimited and uncensored web access. I use the VPN to circumvent the EU data retention laws.

Do I trust them? Not really, I have no idea if this "company"/person even exists or is just a honeypot set up by some fishy organisation. Even if this person has good intentions, let's say I run a VPN provider and one day, the cops knock on my door. They tell me I have to trace a specific user distributing CP or else I'm responsible/accountable and could go to jail. Put yourself in that position and what would you do to prevent jail and lock up a person that should definitely be locked up?

So why do I use them? Because I can always choose another VPN provider or use Tor/Proxy/a haced box. I don't trust my government and I don't trust the EU with their data retention laws and local laws that can put a man in prison for "trolling" or "seriously offensing" people. So, I use a VPN that I can't fully trust to protect me from my government that I do not trust at all.

 

Except that YOU aren't responsible for what your users do .
EU ISP's and others providing net-services are protected by 'Safe Haven'-laws.
You ARE of course 'responsible' for refusing to comply with a lawful court-order and could get in trouble for that .
I don't think child-molesters should expect that anybody will go to prison
to 'protect their rights'.

I consider that rather paranoid .
Besides the fact that it would be illegal (false marketing etc etc etc)
why on Earth would they want to do that ?
'Sorry Officer, can't help you because we have no logs' vs
'Sure thing Officer, we tell our customers we don't log, but we do .
We exist for the sole purpose of helping you' .

Do you really think they even WANT to know what you are doing ?

 

Trusting your vpn provider, mine happens to be bwprivacy, is an exercise in mental appeasement. You want to be protected and secuure while online, you've read the TOS of a mulyiyude of providers(or you've read DasFox's posts), you've contacted them and asked tem about keys and logs and jurisdictional locations. You've picked one or two and then...you hold your breath and sign up for a month using Ukash or Liberty Reserve. In the end its all about trust. And trust is just an exercise mental appeasement. Like bwprivacy and bolehvpn.

 

Trust may be "just an exercise [in] mental appeasement". But maybe we should consider examples where trust was unwarranted, and ask what red flags were missed. How, for example, might Recursion have known that HideMyAss couldn't be trusted? What other examples are there?

 

You are very right. There are many horrible vpn providers that people seem to trust. There are many lessons for us to learn. I guess I have read so many posts, all the ones in this forum, and have learned so much That, in the end, it is a type of "leap of Faith" scenario. I remember reading one providers TOS, where on the main web page they swore allegiance to your privacy at all costs, but the TOS clearly stated that if requested by law enforcement they would hand over your logs. My current vpn providers, bolehvpn, which has a great record and many praises, even from from wilders memmbers, has me wondering do they really not keep logs? So Reuben, the owner of bolehvpn, is very open and responsive. But my other vpn provider, bwprivacy, is extremely elusive in that I have no idea who owns them, I only ever talk to one guy in an site messaging system. Both aspects of these providers give me "peace of mind", which is really what I am paying for. The pom that no logs of anykind are being kept. The pom that my connection IS being sent through AES-256-CBC encryption. I'll give you another example. When I first began using vpn's I blindly signed up for a year with a well known company anonymizer.com I found out after reading wilders posts that these are bad guys so I educated myself and hopefully, with knowledge, I have made the right choice.

 

Thank you everyone for your responses!

@JohnMatrix

This is a perfect example of what I would consider "acceptable risk" for most users (given that they take the steps necessary to evaluate the integrity and level of protection offered by their VPN provider). Also, as you mentioned, I think talking to the owner/operator/admin of a VPN provider and assessing their character and reasons for providing VPN service is an integral part of evaluating the integrity of a VPN.

@Enigm

I agree with you entirely, I can't think of any reason a VPN provider would choose to keep logs and claim they didn't unless they were legally bound to do so or some sort of malicious entity/honeypot. Nevertheless, people on this forum and elsewhere have repeatedly used this hypothetical as a shortcoming of VPNs. In theory this is a vulnerability, in the real world I think it is a hugely over-exaggerated risk.

 

@ArubaRocks77 & Mirimir
You both bring up good points.
Trusting your VPN provide is an exercise in mental appeasement. We must take all necessary steps and precautions when choosing a VPN provider (or multifaceted privacy solution). We can never know whether a VPN provider is trustworthy without knowing them personally and intimately but we can determine whether it is reasonably likely that they can be trusted with our sensitive data and our identities.

I also agree with Mirimir that it is prudent to study the cases where a VPN was trusted but proved to be untrustworthy. This allows us to retrospectively analyze the 'red flags' that might have been noticed as well as decide whether trust was actually breached. Often people complain about VPNs complying with law enforcement after a court order. This is often stated in their TOS and it would be unreasonable to expect them to do otherwise even if their TOS doesn't explicitly state that they will.

 

Thanks, but HMA is the only clear VPN trust failure that I know about. Anyone want to share?

 

Good point, and an important one, there is lots of talk of 'untrustworthy VPNs' but this perception is not necessarily backed up by real world examples.

 

I wonder how this works, I think you are not responsible as long as you don't know what happens (DMCA-style). Let's say I am a VPN provider. One day I get a knock on the door from law enforcement, something illegal happened, and as you probably corrrectly point out, I'm not responsible.

But, to avoid future responsibility, I have to comply to monitor a suspect (not yet convicted) or give out his payment details and I am not allowed to inform the customer I am monitoring them. That leads to two questions:

1. The VPN provider does not log, is he required to log, in case of a court order?
2. If not, would the VPN provider break under legal pressure? Would you still protect the rights of a suspect (not yet convicted)

 

@JohnMatrix

Your concern is legitimate but it is my understanding that this scenario would only apply if:
1) Your VPN provider (or the servers which they use) are located in the United States.
2) Whatever you are doing is highly illegal to the point that the U.S. government would take the time and resources necessary to convince the VPN's host government to force the VPN to comply with U.S. law and possibly break some of their own law. I don't see this as likely unless you are engaged in organized crime/terrorism/high level hacking/kiddie porn or something else that is either a crime against humanity or seriously threatens a government's authority.

I think what your point highlights is the necessity of choosing a VPN in a privacy friendly country, and choosing a VPN that to the best of your knowledge is committed to digital privacy and respecting the right to privacy.

 

Awesome reply...brings perspective

 

UltraSurf should be added to the list.

http://www.fastcompany.com/1834428/ultrasurf-allegedly-unsafe?partner=gnews

https://blog.torproject.org/blog/ultrasurf-definitive-review

And also this post:

https://lists.torproject.org/pipermail/tor-talk/2012-April/024024.html

That's rather scary.

 

I actually like this thread a lot since it highlights potential adversaries.

I get a lot of questions like why don't you employ this super powerful encryption? Why don't you employ multi-hop?

Well cause they degrade performance and the average user doesn't really need this. There will be users requiring this sort of security but if you're paying ~USD10 a month for a service to a UNKNOWN THIRD PARTY, I don't think you should be doing anything that would be potentially so dangerous and your data so sensitive that would warrant this sort of level of security.

A funny comic (thought not strictly related) that puts some things into perspective:

http://imgs.xkcd.com/comics/security.png

Even with multi-hops VPNs, I wonder how many providers claiming multi-hop are actually implementing this? I know even XB has at least two independent reviews lambasting this claim though I haven't bothered to verify it myself and so I don't know if these reviews are true or are just XB haters.

 

Thanks BolehVPN,
That (last link) is rather scary. It seems like a good rule of thumb, among many, when weighing the potential trustworthiness of a VPN provider is to find out how they make there money. If they are not offering paid VPN service alongside free service, an open source project, or deriving revenue through advertising or some other channel, they are probably a malicious entity that is using YOU as the product. Follow the money!

As a VPN provider, can you tell us whether you see any reason for a VPN provider to claim to keep no logs and in fact keep them? Also can you tell us about data retention laws in Malaysia?

 

It's easy to distinguish one-hop from two-hop by comparing the IP address that you connect to with that reported by what's-my-IP websites. You might think that traceroute would distinguish between two-hop and three-hop, but wise providers reset TTL. I can't imagine how one might test claims about crowding and multiplexing.

XeroBank seems down for the count Only CA-NL and NL-CA still work. But they work quite well, and reliably. Rope-a-dope?

 

Tunneling the VPN through Tor seems like a good multi-hop strategy. Obviously it won't be fast, but usually 'sensitive' stuff isn't very speed intensive. The VPN doesn't know where your coming from (absent any type of identifying log on info which hopefully, if there is, you faked it and paid in cash/bitcoin/liberty reserve, etc...), and the exit node can't sniff your traffic.

PD

 

Tor and VPN are a good combination. I connect to a VPN and after that start browsing with Tor. You can also do it the other way around like AirVPN recommends but the only advantage is end to end encryption after the Tor exit relay. Tor over VPN works pretty well because the speed reduction from a good VPN is almost none.

 

I'd like to see some comments on others' thoughts about Tor over VPN. I see no advantages, and a few disadvantages:

1. VPN see's where you're coming from.

2. Exit Node can see your traffic.

3. Slow (this applies next as well, but that's 3 disadvantages for this column).

The other way around:

1. VPN can not see where you're coming from.

2. Exit Node can not see you're traffic.

With the second, the VPN can see your traffic, yes, but the odds of a compromised VPN seem far less than a compromised Exit Node. Better the devil you know type of thing.

I'm not even a wee bit knowledgeable about about traffic correlation between the entry and exit nodes on Tor, is it a wash for both methods? I guess the first way, if both entry and exit are compromised, it just points back to the VPN...what about the second? This stuff is complicated

PD

 

That's true. But, if you tunnel Tor (or another VPN) through it, that doesn't matter much.

I worry more about my ISP, and those who might get information from it. I've been using VPNs for many years, and sometimes use them in my work, securely accessing my clients' resources. So for me, using VPNs is unremarkable. I've never used Tor, I2P, Freenet, torrent clients and so on except through VPNs. So for me, using Tor would be (at least potentially) remarkable.

That's true, but I mainly access hidden services with Tor, and otherwise I always use HTTPS.

That's just how it is with Tor. There's no free lunch

That's true, but I almost never use a single VPN. I tunnel another VPN, which I've purchased anonymously, through it. I always purchase “inner VPNs” through other VPNs, using various anonymous methods (such as Liberty Reserve, gift cards, and cash in the mail).

That's a good thing.

That's true.

No, if Tor were compromised, it would point back to you. But the VPN traffic would still be encrypted. That is, they'd have IP addresses for both you and the VPN access server, but wouldn't know what you're accessing through the VPN, or be able to read the traffic (unless they compromised the VPN too).

In the second scenario, you're connecting to Tor through the VPN. If Tor were compromised, it would point back to the VPN exit server. You would remain anonymous, and the VPN traffic would still be encrypted, unless they also compromised the VPN.

If you use VPNs on both ends of Tor, as I've described, you get most of the advantages, and avoid most of the risks. It is slow, but not that much slower than just using a VPN on one end of Tor or the other.

 

@PaulyDefran: That's an interesting subject you brought up (Tor over VPN vs. VPN over Tor).

I'll make the case for Tor over VPN:

1. Greater flexibility. This way, you can reserve your 'VPN --> Tor' configuration for dealing with only the most mission-critical/confidential data... while still being able to use the VPN by itself for the bulk of day-to-day activity (which probably isn't as privacy-sensitive).

2. Neither my ISP nor my VPN provider can see my final destination. Sure, there's always the risk that a rogue Tor exit node could be sniffing traffic... but as long as you are careful to keep your Tor activity 100% separate from your real-world identity, it isn't going to matter. I say, let the rogue exit nodes sniff all they want... they're not going to find anything useful anyway.

3. You keep your "expendable men" on the front lines. In other words, if a Tor node gets blocked by a remote site, so be it--there are plenty of others to choose from. But if one of your VPN servers gets blocked, it could potentially become much more of a hassle.

4. If an adversary tries to plant a "bug" on you in order to bypass your Tor connection, you still have the VPN as a last line of defense since it's protecting the entire network... as opposed to Tor, which only gives you application-layer protection.

Similarly, there are some disadvantages of VPN over Tor:

1. Less flexibility. If all traffic is being forced through Tor, it'll severely limit your ability to do P2P, audio/video streaming, or any other bandwidth-intensive activity... not to mention it's a waste of bandwidth in general for any activity where you don't really need that much protection.

2. My ISP can't see my traffic, but they can certainly see that I am using Tor... which might inadvertently make me a "person of interest" in the eyes of a strong adversary. Conversely, connecting to a VPN server in a relatively friendly jurisdiction won't look quite as suspicious... as there are seemingly more legitimate reasons for a "Westerner" to be connecting to a VPN as opposed to Tor. Maybe I am over-analyzing this, but that is just my personal opinion.

3. With your VPN on the front lines, you could still end up losing your VPN account due to complaints or TOS violations. When it comes down to it, I'd rather have an expendable Tor node take the "heat" for some frowned-upon activity, than to sacrifice my precious VPN.

4. Unless you're 100% certain that your financial transaction with the VPN cannot be traced back to you, there's a greater chance for the VPN to be linked to your real-world identity. If all an adversary has to do is "follow the money", it won't really matter how many of layers of anonymity (i.e., Tor) exist between you and the VPN server.

Having said all that, I do see where VPN over Tor can have its distinct advantages, too... as you've correctly pointed out. I guess it's just a matter of a person's particular objectives and risk model. Of course, for 99% of everyday privacy aficionados, just using one privacy/anonymity service (VPN or Tor) is more than enough, so the idea of combining the two is probably overkill... no matter which way you decide to go with it.

 

Okay Tor over VPN is the same as Tor through a VPN, right? When I am connected to a VPN and I fire up the Tor Browser Bundle, that's "Tor over VPN"?

I do this for message boards and social networks sometimes to create a different identity. Sure, the social networking site can't tell who I am with a VPN, but if I am the only one using a particular VPN and then another account popping up with the same VPN would give the appearance of the same person.

I don't think you are over analyzing that at all. It makes perfect sense.

 

Yes, that's correct. I admit, the wording can be confusing sometimes... which is why I usually just prefer to visualize it as:
VPN (first hop) --> Tor (second hop).

That's a good point also. Tor over VPN has an advantage of being able to use two concurrent anonymous identities: one through the 'regular' browser and another through Tor Browser.