Paypal vs. Bitcoin for VPNs You Access Directly

Discussion in 'privacy technology' started by cb474, Oct 6, 2013.

Thread Status:
Not open for further replies.
  1. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I was looking at this thread (https://www.wilderssecurity.com/showthread.php?t=330306) on the topic of why not use Paypal, for a VPN one accesses directly. Since the VPN can see who your ISP is and the ISP can see that you're using that particular VPN service, it seems like anonymizing one's purchase of the service doesn't accomplish anything that isn't already visible (the fact that you're using the service).

    Unfortunately, I can't post a follow up question on that thread because it's too old (I have never understood this forum concept, it just makes for more clutter with more threads on the same topic).

    Anyway, people make several good points in the thread about some small advantages to using Bitcoin anyway (it makes it a little more difficult for someone attacking, raiding, subpoenaing the VPN to trace things back to a particular individual).

    But do people think that small advantage is really worth it?

    Mirimir in the other thread writes:

    So mirimir for a VPN you were connecting to directly, would you just go ahead and use PayPal? What about with a multihop service like iVPN?

    Thanks for any more thoughts on the matter.
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I am not mirimir but if you can indulge me I'll share some thoughts:

    I do use Bitcoins for any VPN provider. Regarding the "tougher" part. Not really too much tougher if at all. I simply grab cash and drive about 5 minutes and change the cash into Bitcoins. Then via a special use wallet I pay my Sub and I am done. It's literally less than 10 minutes longer than using other forms of payment.

    From a security standpoint multi-hop adds very little IF you are using the same provider on both hops. A secure partition of trust mandates that the providers are different. An especially nice combo is TOR ---- > VPN. Pick a VPN you trust, but still by using TOR first they never see who you actually are, especially if you pay them with Bitcoins. TOR doesn't see what you do because the traffic is encrypted by the VPN. Perfect combo for many. Make sense?

    I would pay via Bitcoins even if I connected directly. What if the "feds" went to Paypal, credit card companies, etc... and said give us a list of folks that pay for a VPN? With Bitcoins you are not on that list. The other way you are.
     
  3. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Okay, I found this very useful post by JackmanG in another thread on the topic that answers most of my questions: https://www.wilderssecurity.com/showpost.php?p=2266426&postcount=4. I swear I searched on this topic first, before starting this thread, but did not find that thread at first (it only turned up when I searched on methods for paying with bitcoin, not on why not paypal for VPNs). Just another example of I don't know why there is a rule in many forums against so called "necrobumping." It seems like a rule designed to create clutter. If someone has a question truly exactly on the same topic as an already existent thread, who cares how old it is? Okay, pet peeve rant over.

    *

    Thanks Palancar. Yes, I see JackmanG makes that point. Perhaps the mere fact of purchasing a VPN service through Paypal, easily accessible information by government agencies, would get one on a watch list of some sort. What's the point of being on a watch list and being far less anonymous than one was to begin with, if one just wants privacy and isn't doing anything wrong in the first place?

    I am wondering, if one uses a mixer service to anonymize bitcoins, is it really necessary to purchase the bitcoins in cash to begin with? Or would a paypal or banking record of purchasing bitcoins also raise the watchlist red flag?
     
  4. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    AirVPN has a way of buying a voucher via paypal.... and then using the voucher to pay for their service, you can also use a cash card with the name Mr Card to pay for the vpn ;)

    I feel it's down to the VPN you use, if they really feel strong about protecting their customers and have no logs/info as some suggest and a good kill switch or system to prevent a data breach, am sure they are aware if they assist or give user detail to an adversary they are effectively shutting down their own company.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    The importance of anonymous payment for VPNs increases as you plan to access them less and less directly. So, for the VPN that you connect to directly, it's OK to use Bitcoins that you purchased informally (on the street) with cash. If you need to buy Bitcoins in some way that links a bank account or credit card to you, mix the Bitcoins once through <-http://app.bitlaundry.com/->, sending them from the original web wallet to a wallet at <-https://blockchain.info/wallet->. If you're feeling paranoid, access the Blockchain wallet using Tor Browser Bundle.

    For VPNs that you will access through other VPNs, pay with Bitcoins that have been further mixed via Tor, using Multibit clients in Whonix instances. I know of two hidden service Bitcoin mixers: Bitcoin Fog at <-http://www.bitcoinfog.com/-> and <-http://fogcore5n3ov3tui.onion->, and OnionBC at <-https://en.bitcoin.it/wiki/OnionBC-> and <-http://6fgd4togcynxyclb.onion/->. Do at least two mixes, using separate Whonix instances and Multibit wallets for each receiving address. If you don't use separate wallets for each transfer step, your Bitcoins will still be associated with you in the blockchain.

    For VPNs that you will access through Tor, do about three times as much mixing through Tor. Otherwise, there's no real point in using Tor, because the money trail will be easier to follow than your Tor circuits.
     
  6. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks for the suggestions TheCatMan and mirimir.

    I'm not really planning to use multiple VPNs, just one decent one (AirVPN, iVPN) in the hopes of gaining a bit of online privacy. I just don't like the idea of my ISP, Google, Prism, what have you, having a record of all of my online activities.

    Do others think the AirVPN payment with a voucher purchased with Paypal or the Mr Card is good enough?

    Also, what about blockchain.info's shared wallet service, for mixing? It looks convenient. But I saw a number of people at bitcointalk.org forums saying they had lost money using the shared wallet service. So then I was wondering how trustworthy blockchain.info is.
     
  7. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I feel the anonymous cash card is a great idea, but you may have to find one that allows you to buy online and in shops and not one that requires registration online. I use an IDT Prime card which is available in Europe and UK. I did not need to register my details online, and paid fine with it, just made up name and address when asked as Mr Cash Card living in Minted Street ;)

    The voucher idea worked fine for me once under AirVPN also, just paid for a voucher. And then used the voucher to pay for the subscription, I then just made up a username, and no address needed.
     
    Last edited: Oct 7, 2013
  8. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    And since TLAs can monitor 'both ends of the conversation', unlike most other criminal crackers, it may be more than difficult to remain anonymous.

    Even the FBI can't stay anonymous in bit-coinland :
    http://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
    http://rt.com/usa/fbi-silk-road-protest-785/

    http://arstechnica.com/tech-policy/2013/10/internet-lobs-insults-at-fbis-silk-road-bitcoin-wallet/
    Personally, I find this Mega-lulz !
     
    Last edited: Oct 7, 2013
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Bitcoins are NOT AT ALL ANONYMOUS (sorry about shouting) unless mixed well enough that none of the original Bitcoins remain. Your mixed Bitcoins may be tainted by all sorts of past usage, but that's also true for any Bitcoins that you buy, unless you buy from a miner (or mine yourself).
     
  10. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Yeah, I thought everyone here got that. When we're talking about Bitcoins for anonymity, that means mixing, etc. Seems clear from previous comments in the thread.

    That being said, wouldn't paying with Bitcoins that are not mixed at all have one benefit over Paypal, which is that there's no centralized database that can be consulted to look up something like, all people who have purchased a VPN service. It's at least hypothetically possible (if not actual) that a government agency can go to Paypal and ask for that information, immediately getting names and addresses. Or even automatically be notified anytime someone makes such a purchase. But is there any way that the Bitcoin network could be searched for such information so easily? And even if possible wouldn't it just turn up Bitcoin addresses, not actual individual names and addresses?

    I also have another question. If one is careful and there is nothing to connect you to your Bitcoin address, then isn't it relatively anonymous? What if you purchase Bitcoins with cash, put them in a wallet set up through Tor, pay for a service like AirVPN that asks for no personally identifying information and does not store the information it has, and never use that Bitcoin wallet for anything else. How could that transaction be traced back to you?

    Also along these lines, if one is using mixers, what's the importance of all doing it through Tor? Are IP addresses stored in the Bitcoin network?

    Lastly, are Bitcoins that you mine yourself more anonymous/private?

    Thanks for any more explanations and info. I'm still trying to fully understand how Bitcoin works.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Yes, that's true. It's less likely that general trawling would find you, unless it included some way to analyze the Bitcoin block chain on the fly. But remember, these are very skilled people, and they have massive resources.

    There are two ways. One is through your IP address, captured from AirVPN's ISP. That's not Bitcoin's fault, but it could link you to other transactions involving that Bitcoin wallet. The other way is through the cash transaction. Maybe there are cameras. Maybe the seller is an agent. Those are both unlikely, unless you're a target, however.

    Yes, they are. See <-http://blockchain.info/->: Under the Search button, you'll see "You may enter a block height, address, block hash, transaction hash, hash160, or ipv4 address..".

    I'm not sure. There's the IP address, but VPNs would solve that. Tor is too slow for the blockchain.

    I am too :)
     
  12. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Edited my post regarding bitcoins, as the experts here suggest above.

    Perhaps my idea of anonymous cash card works, pay via a 3g pay as you go dongle paid via cash and sorted.
     
  13. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks mirimir.

    One follow up question. You wrote:

    In my scenario, the Bitcoin wallet is only used for the purchase of the VPN service and nothing else (or perhaps only for other equally private VPN services, that do not store information about transactions). So it seems the link from my IP address, to the Bitcoin wallet, would be of no use if I never used the wallet again for anything else. Right?

    I also wonder, once AirVPN has received a payment via Bitcoin, do they keep a record of the transaction and the IP address associated with it? Or would the problem be that the blockchain now shows a transaction that includes AirVPN's IP address and my IP address and the connection between me and AirVPN can be drawn that way?

    Also, wouldn't the link from AirVPN to my IP address be an issue no matter how I paid for it (that was the question I started this thread with)? That link is always possible and does not differentiate between Bitcoin, Paypal, or any other paypal method. So paying with Bitcoin does not make it better than Paypal in this respect. (Unless I suppose, as I suggest above, the blockchain forever contains a transaction that links my IP address to AirVPN's IP address and that is readily searchable.)

    As far as the cash transaction goes, I guess I'm not paranoid enough to be worried about cameras, agents, etc. If someone is trying that hard to track me, with those kind of resources, and I think we all know who are the likely suspects to do this, then they probably are going to know everything about what I'm doing online anyway.

    I do suppose this is an argument against the cloak and dagger cash transaction. If there is a real risk of an agent selling you bitcoins or perhaps more likely that the people who sell bitcoins for cash locally are being tracked, then what's the point of getting caught up in their "file," as it were? Perhaps it is better to purchase Bitcoins more innocuously with a bank transfer, because it's less intrinsically suspicious, and then just mix them sufficiently to disassociate them from one's initial purchase.

    By the way, when you mix Bitcoins, how do you know they've been mixed sufficiently to no longer include any of one's original transactions?
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    You don't want to use a Bitcoin wallet to purchase different VPNs, at least if you'll be routing one through another. It's OK to use a given wallet for activities that you want associated. Your Bitcoins tell a story, but that's OK if it's the story that you want heard.

    Yes, it will be in the blockchain. As an experiment, buy some Bitcoins and look up the transaction in the blockchain. Then buy something, and look at that transaction. Even manually, it's easy to follow Bitcoins in the blockchain. In a good database, it's trivial.

    Yes, and that's why I don't really worry about the direct VPN. My ISP knows what VPN I use. For any adversary that I worry much about, identifying all users of a given VPN service would be trivial.

    That's a good point. It depends where you are. In large cities, there's lots of churn. And by the way, if you're going to buy with cash, travel at least 200 Km from your home, to a large city. Also, use Tor to set up your cash purchase ;)

    You can spot check, at least, using the blockchain. If you're going to be doing a lot of that, you probably want to maintain a local mirror, rather than creating trails of lookups ;)
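
The tracing discussed in the posts above ("it's easy to follow Bitcoins in the blockchain") can be made concrete with an added example, which is not part of any post in this thread. It follows one purchase through a toy ledger and computes how much of each later output still derives from it, using the "haircut" (proportional) taint convention, which is an assumption of this sketch; all transaction ids, addresses and amounts are constructed.

```python
from collections import deque
from fractions import Fraction

# Constructed toy ledger (not real blockchain data). Inputs reference earlier
# outputs as (txid, output_index); outputs are (address, amount in satoshi).
LEDGER = {
    "buy":        {"inputs": [], "outputs": [("buyer_wallet", 100_000)]},
    "coinbase_x": {"inputs": [], "outputs": [("other_user", 300_000)]},
    # Unmixed payment straight from the purchase, with change.
    "pay_direct": {"inputs": [("buy", 0)],
                   "outputs": [("vpn_provider", 60_000), ("buyer_change", 40_000)]},
    # The change is pooled with an unrelated user's coins, then spent.
    "mix":        {"inputs": [("pay_direct", 1), ("coinbase_x", 0)],
                   "outputs": [("fresh_wallet", 40_000), ("other_out", 300_000)]},
    "pay_mixed":  {"inputs": [("mix", 0)], "outputs": [("vpn_provider_2", 40_000)]},
}


def value_of(ledger, ref):
    txid, idx = ref
    return ledger[txid]["outputs"][idx][1]


def haircut_taint(ledger, source):
    """Map every output to the fraction of its value derived from `source`."""
    memo = {}

    def out_taint(ref):
        if ref == source:
            return Fraction(1)
        if ref not in memo:
            ins = ledger[ref[0]]["inputs"]
            total = sum(value_of(ledger, r) for r in ins)
            tainted = sum(value_of(ledger, r) * out_taint(r) for r in ins)
            # Every output of a transaction inherits the inputs' average taint.
            memo[ref] = Fraction(tainted) / total if total else Fraction(0)
        return memo[ref]

    return {(txid, i): out_taint((txid, i))
            for txid, tx in ledger.items() for i in range(len(tx["outputs"]))}


def trace(ledger, source, address):
    """Breadth-first walk forward from `source`; returns the chain of txids
    that links it to an output paying `address`, or None if there is none."""
    spent_by = {ref: txid for txid, tx in ledger.items() for ref in tx["inputs"]}
    queue = deque([(source, [source[0]])])
    while queue:
        (txid, idx), path = queue.popleft()
        if ledger[txid]["outputs"][idx][0] == address:
            return path
        nxt = spent_by.get((txid, idx))
        if nxt is not None:
            for i in range(len(ledger[nxt]["outputs"])):
                queue.append(((nxt, i), path + [nxt]))
    return None


if __name__ == "__main__":
    taint = haircut_taint(LEDGER, ("buy", 0))
    print("direct payment taint:", taint[("pay_direct", 0)])
    print("mixed payment taint: ", taint[("pay_mixed", 0)])
    print("path to second payment:", trace(LEDGER, ("buy", 0), "vpn_provider_2"))
```

In this constructed ledger the unmixed payment carries the full taint of the purchase, and the pooled payment still carries a non-zero share with an unbroken chain of transactions back to it.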
     
  15. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Just use PayPal if you're not committing crimes. I use PayPal because I am not committing crimes, and the use of VPN is completely legal. What they gonna do? Charge me for watching live streams and YouTube videos? :p
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Are you properly authorized to watch that stuff?

    ;)
     
  17. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Oh god you have a point.... the American 3 letter agents are gonna come for me after I pirated the America's next model..... Oh god... I'm in trouble now..... I just can't resist those beautiful American women.
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks again mirimir, for your many thoughts and responses.

    I guess this brings me full circle to my question in the op. Would you then just go ahead and use Paypal for a direct VPN? And I guess I'll add do you think it's useless to only use a direct VPN (instead of multiple VPNs)?

    I guess it would be trivial if a powerful adversary wanted to trace all IP addresses that connect to a particular VPN service and then find out from the various ISPs who those IP addresses belong to at a given point in time (assuming most of them are dynamic IP addresses). But do we assume that as a matter of course this is going on? Do the most powerful agencies have real time access to the identifying information of the customers behind every dynamically assigned IP address? And are they monitoring in real time and on an ongoing basis every IP address that connects to every VPN service?

    If not then isn't there some advantage to paying for a direct VPN with Bitcoin? I thought that's what was being suggested above.

    Are you assuming that despite using a VPN, the content you are accessing over the VPN is easily connected to you? If so, why use a VPN at all? Aren't we talking about the significance of being identified as a VPN user, not of having the content one accesses on the internet identified?

    And isn't one of the main points of using VPN simply to have privacy and not have one's every online move recorded for eternity (rather than the point being to evade the law)?

    In any case, this builds upon what I say above. Isn't the point of not using PayPal to just not end up automatically on some list of people who have purchased a VPN service? I'm assuming PayPal purchase might be easier to monitor, than every IP address that connects to any VPN service and then getting the identifying information out of the ISP that assigned that IP address. That would go way beyond merely the metadata that is collected from phone companies.

    Also, isn't part of the benefit not avoiding the interest of government agencies, but avoiding the abusive legal teams of corporations going after people for accessing specific content, often in completely legal or harmless ways? They would be a much more limited adversary and would not have ready access to IP addresses of VPN users and the identities behind those IP addresses.
     
  19. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I don't mind anyone even PayPal/Gov knowing I'm using a VPN, why? If they cannot see my data, and they can't then why should I care that they know I'm using a VPN, there's no actionable use to it, and even if there was I'm not doing anything bad so why would I care.
     
  20. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Very well put, guess it all boils down to what and how ;)

    If you trust your VPN provider's stake of no logs and no monitoring and complete 100% privacy, then guess paying via even paypal makes sense.

    Or if all you're doing is watching funny cat videos on youtube, then nsa or others can uncover cute cat videos after 1000 years.

    If you got a shred of paranoia then find alternative ways of paying I guess, still as suggested you can reveal your ip so use tor or 3g dongle paid via cash and sorted really, am learning it's all about putting up barriers.

    Usually a single barrier like a VPN itself is enough to stop anyone from bothering further. It's a bit like saying would you climb over a gate or walk thru the open one instead....
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    I wouldn't put it that way. Anyone looking wouldn't just stop because you're using a VPN. That might even make them more curious ;) But I do agree that, by using VPNs, it's less likely that your name will be found by searching Internet intercepts for keywords.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    :)

    It's safest to use Bitcoins bought with cash, or anonymized somewhat through mixing services. That makes it a little harder for adversaries. But if you're just using one VPN, and are just torrenting (not seeding) or watching streaming video (not illegal porn), it's not a big deal. On the other hand, if you're nesting a few VPNs, perhaps with Tor, the initial association is so obvious from connection logs that it's hardly worth hiding.

    We know now that the NSA has all that information from Internet intercepts. We also know that they share with FBI, DEA, etc. We also know that they exchange information with the Five Eyes, Israel, and probably others. So yes, it's prudent to assume that they do.

    There is some benefit, as I've said above.

    If they look closely enough, with the right queries on the right datasets, and suitable analysis, they can see all of that. But, by using one or more VPNs, adversaries with more limited resources won't be able to trace you, and there's less chance that you'll be flagged as interesting by major TLAs based on keyword searches.

    Even Tor is vulnerable to global passive adversaries. However, it does appear that even the NSA can't (or couldn't, anyway) trace all Tor users. But Tor is a LOT more complicated than VPNs. Even with 3-4 nested VPNs, the route is static, whereas Tor circuits change every 10 minutes. You could change VPN routes periodically, but there are far fewer VPN services than Tor relays. Also, having that many accounts would be expensive!

    Actually, all VPN traffic may be recorded, because it's encrypted ;) But that's not a problem if your VPN(s) have perfect forward secrecy.

    Yes, that's the main point.

    Yes, that's true as well. But mostly, they just want to know what ads you like, how much money you have, what you're likely to buy, all the same about your friends, and so on.
     
  23. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Can you outline for me what, if any, benefit you see in using a single direct VPN from a reputable service like AirVPN or iVPN?

    So we're assuming/know that the NSA has the names and identities of every VPN user, by virtue of tracking what IP addresses connect to VPN services and then getting their identities from their ISPs? Should we assume that using a VPN service (even if you pay with Bitcoin, mixed, etc.) automatically throws you into a list of people who are monitored more closely and may be a step backwards in privacy? Or at least, whatever privacy you gain from corporations, etc., you lose by becoming more interesting to the most powerful government agencies?

    I guess I'm becoming more confused than I was to begin with on the benefits of using a VPN service.

    So you're suggesting that if you become a target of the most advanced adversary, they can tell (through correlations, I guess?) all of your surfing habits, even if they've passed through a VPN service? But are you also saying that as a matter of course they do not do this, they would have to specifically target someone?

    *

    I know I keep saying it, but thanks again for your thoughts.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    AirVPN and iVPN are somewhat different, in that AirVPN mostly gives you single-hop routes, except (I gather) in some cases for dissidents etc, whereas iVPN gives you two-hop routes (or sometimes maybe three-hop?). But otherwise, they're both privacy-focused VPN services, as compared with BolehVPN and Mullvad, which seem to be torrenting-focused services.

    If you're a low-profile user, who browses places no more unusual than (say) Wilders, and does some torrenting (not seeding) and such, a single VPN will very likely protect against corporate tracking and harassment. But I wouldn't count on just one VPN if you're a dissident who might suffer serious harm if identified, or if you're otherwise very interesting to someone with resources. For that, you'd want at least three nested VPNs, or better 2-3 nested VPNs and Tor, and maybe another VPN through Tor if you need to hide the fact that you're using Tor, or need a stable IP address, or need to use UDP.

    We can't do more here than guess. I haven't seen anything in the NSA etc leaks about using VPN services. We do know that Tor isn't (or wasn't, anyway) totally hosed. I have no idea how much extra attention using VPNs attracts. We know that the NSA finds Tor users very interesting. So maybe it's better to hide Tor use between VPNs?

    My working assumptions are:

    1. "they" can search all Internet traffic
    2. "they" haven't deconvoluted all VPN service associations by default
    3. VPN users are more interesting, perhaps by "type", entry and exit IPs, etc
    4. Tor users are very interesting
    5. all encrypted traffic is stored, perhaps with triage for space limitations

    We can only guess here :(

    Yes, that's what I'm assuming.

    It's my pleasure (and primary hobby).
     
  25. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Okay, thanks, that helps clarify a few things for me. Sort of what I would have guessed, but was uncertain about.

    As far as AirVPN and iVPN vs. BolehVPN and Mullvad. Do you think that the former do more to protect people's privacy? What? And do the latter tolerate torrenting more or merely provide better services for those purposes? My interest is privacy.

    Sorry, what does that mean?

    By the way, the only thing I could find about the leaks and interest in VPNs was the story about XKeyscore and the regular decryption of VPN traffic. Such as here -http://www.informationweek.com/security/privacy/nsa-surveillance-can-penetrate-vpns/240159261-. But it's suggested in that article that this probably only applies to PPTP connections and that it's not really possible to decrypt high quality openvpn connections. Or at least not on a wholesale global realtime basis.

    You mean "they" might not be especially interested in all VPN users by default, but "they" may take a look at where a connection to a VPN is coming from (i.e. a country of interest) or what sort of site it's connecting to (political, dissident, etc.) and then follow up more on those VPN users?

    Huh, I knew that encrypted messages and data (on say confiscated computers) could be stored indefinitely or until it's decrypted and determined to not be of interest. But are "they" really buffering/storing all real time encrypted internet traffic? Wouldn't that be huge, just based on ssl web connections alone?

    It is interesting to think about (if difficult to figure out what if any sort of privacy measures are worthwhile). :)
     