In recent months there has been a lot of upheaval and general hoo-ha about VPN providers and the security or safeguards they provide. High profile cases such as the HideMyAss and LulzSec fiasco of recent years, and the more recent Proxy.sh “scandal” in which they publicly announced they would play cop and turn over information regarding a client to a complainant because of their “ethical” stance on the matter, led me to question: are certain customers' expectations of what a VPN provider can safeguard them from too high?
Like many of us, I make use of a VPN provider for my own security. My personal use is to safeguard myself against delinquents and other nefarious types snooping on my personal business when I make use of public WiFi. Anywhere I go that has public WiFi access, I enable my VPN and sit safe in the knowledge that my data is encrypted and that any sneaky user in the vicinity won't be able to take a peek at what I'm up to.
I also make use of a VPN on my home and work connections. I do this for a variety of reasons: one is to keep the details of my browsing and internet use away from my ISP, and the other is so that I can, in theory, be semi-anonymous when browsing the internet. There is an ever growing ability to build a profile of you as you browse, whether that be your shopping history, your tastes or your opinions; we are constantly being pigeon-holed and directly targeted. The majority of this is down to what is stored on your computer in the form of cookies, but it is also possible to trace your usage to some extent via your connection details. If you had taboo hobbies or interests that are frowned upon (but obviously not against the law), you really wouldn't want your personal outlook on such topics being available to your boss, your friends or anyone else whose business it shouldn't be, and this is where I see a VPN as a vital tool.
More recently it has become public knowledge, through the revelations of Edward Snowden and others, that there is a higher power snooping on us. While the revelation that the widespread scale of snooping extends to governments spying on governments is shocking (although in all honesty expected), it is also now widely accepted that blanket snooping, collection of data, or at least access to information about the general population is being carried out by the US, UK and other governments.
Because of this there appears to be a consensus among some users that a VPN provider should be able to defend against government prying. Personally I find that quite a tall order. Of course, in an ideal world I do not want the government freely looking at what I get up to on the internet; I have nothing to hide, but even so, privacy is my right. However, is blanket privacy something we can expect online? We certainly don't enjoy such luxury in the real world. I live in the country with probably the most CCTV in the world, which means that at any one time my every movement is being recorded or monitored by someone, somewhere. I live with this fact; if I choose to wear a disguise or cover my face then that is my right, but I am 1) not that paranoid and 2) not up to anything of importance that I want to hide in the shadows. I am in fact a huge fan of CCTV, and the amount of crime it solves is testament to the system that it is.
So when it comes to the internet, surely we should expect a similar CCTV system? Isn't government snooping just an extension of the public monitoring that exists in the offline world? If so, why, apart from a handful of people, is there not a greater outcry about the surveillance society that many of us now live in outside of the internet, and, on the reverse side, why is there such a large camp of internet users who are up in arms about it when it comes to “online”? Is paranoia being spread just “because”, or do we have the right to expect no government snooping on our online lives?
I am a huge advocate of VPN use and the benefits it brings, but I am in two minds about the idea that a VPN provider should somehow protect me from government bodies such as the NSA or GCHQ. To be completely in the shadows and expect to be totally covered, I have to accept that a VPN provider can also be a crime enabler. To allow every citizen to encrypt and cover their connection is to allow a VPN service to be the everything-to-everyone service. Unfortunately we live in a world that is less than perfect, and humans are capable of abhorrent crimes, including those carried out on the internet. A VPN service should not necessarily provide protection from the law and enable those who commit crimes to go unpunished.
I am certainly not suggesting that a back door should be available for government organisations to peer in at all times, but as someone who has been on the receiving end of e-commerce crime on more than one occasion, I do not feel it should be acceptable for criminals to get away with such crimes simply by using a proxy or VPN service. If we truly believe that a VPN service should offer absolute security from each and every angle, and especially in regard to the government and its organisations, then we also have to allow a VPN service to be the protector of unspeakable crime. If, in extreme situations such as the terror attacks in many countries over the last 15 years, the perpetrators had made use of VPN services, would we be so happy for these individuals to go unpunished because they employed the services of a VPN provider?
I feel that while we strive for the most secure and reliable VPN, and bemoan those seen as less resistant to government intervention or located in jurisdictions where a court order or subpoena is more likely, we should not be blinded by the somewhat glamorous ideal that by handing over $5 per month to a random company in random-ville they will basically “have our back” no matter what the situation. We put a lot of trust in our VPN providers for our security, and rightly so, to keep us safe from criminals, companies and other organisations with no business in our affairs. But is it acceptable to require them to protect us from the very pinnacle of government? Is there truly a golden elixir of VPN that would stand defiant for a client who handed them $5 one month, regardless of why the government may be pursuing them? Is it even a realistic expectation?
The majority of us are not up to anything so sinister or important that the government will be interested in our activity. For those seeking that fairy tale provider who can wholeheartedly say they wouldn't cave in to government pressure, perhaps those users are losing sight of the other major purposes of a VPN provider and the real protection from actual criminals that they can offer. Some may say that blanket information collecting is wrong and this is what they want protecting against, but how do we expect criminals to be caught if there isn't some form of sniffing? Just as CCTV records many citizens daily to capture a few seconds of a crime committed by one, surely the same is to be expected online? As Sir Iain Lobban, director of the signals intelligence agency GCHQ, recently said in regard to finding needles, “I do not look at the surrounding hay”.
VPN providers live on the sales patter that they protect, and in general this is true; some even give a cheeky wink to the idea that they are “NSA-proof”, which is probably more creative advertising than reality. So we put this question to all of the providers listed on our comparison table, not including VPNSecure.me and IBVPN, who have only recently been added. Out of the remaining 17 providers, only 6 actually answered. In the majority of cases where a provider didn't answer, we had contacted them through their public contact form or email and received ticket-opening confirmation replies; the remaining providers who failed to respond we contacted directly via the email contacts we already hold in relation to our site. So why did so many providers fail to respond? It's plausible that these emails went unseen, or even got lost, but in the majority of cases answering the question we put to them could be damaging from a PR sense. It appears that, for those who did not respond or opted not to, giving the impression that they are government-proof even though it may not be the case is a high priority, and generating sales based on assumed protection is too risky an area to comment upon.
Whatever the reason for not responding, I feel it necessary for companies in this industry to be held to account, and when questioned they should respond with open and honest replies. In general, those who are honest about their own shortcomings or abilities will appear much more trustworthy to us as clients than those who choose to remain silent.
Do you think that certain customers' expectations of what you can safeguard them from are too high?
“No. Our customers get exactly what they expect: the strongest encryption methods and the best throughput speeds available anywhere from any VPN. IPVanish's core principle is that everyone deserves the right to online privacy and security. We not only put the user in control of his or her IP address, but also provide anonymous, shared IP addresses. This effectively mixes user A's traffic with user B's traffic with user C's, D's and so on, making it impossible to identify any one person. IPVanish subscribers leverage leading edge encryption and secure data delivery technology, which is the absolute best tool available today to combat monitoring, spying and hacking from any 3rd party.”
“We support the most secure VPN protocols, SSTP and OpenVPN, as of date. The SSTP protocol uses military grade 2048-bit SSL/TLS certificates for authentication and a 256-bit SSL key for encryption. The OpenVPN protocol uses the AES cipher with 256-bit encryption, the hash algorithm is 160-bit SHA1, and the control channel is TLSv1/SSLv3 DHE-RSA-AES256-SHA and 2048-bit RSA. We have 32 countries and 87 locations, including offshore locations such as China, Russia, Ukraine, Hong Kong, Japan, Panama and Brazil. Using the most secure VPN protocols and offshore locations will also protect our users from intelligence and security agencies spying, as no one in the world has the power to enforce a policy worldwide.”
Proxy.sh seemed baffled by our question, and we're not entirely sure why, but after further clarification of the question they responded as follows.
“To us, customers should expect everything they want and it is our job to provide the best service we can. I'm sure there are some aspects some people dislike about us, but it's part of the game and we are truly doing our best to provide online services that satisfy the greatest amount.”
“In the past users put a certain amount of trust in their VPN provider and sometimes it was proven to be misplaced. I mean, obviously if you are committing serious enough crimes in any country where law enforcement cooperates with other agencies around the globe and think you are safe because the VPN provider you are using is a company registered on some small island in the Caribbean, your nuts. That being said, lately customers' expectations are set too low. Nowadays customers expect you to be working for the NSA and you have to work to prove differently. Which is not necessarily a bad thing; users that sign up for a VPN service are doing so because they want their privacy protected. With the string of providers that have violated that trust, users have gotten wary of the industry as a whole. It is too bad, because there are some good providers out there who really do put their users first.”
“Let me begin by explaining how Golden Frog views programs such as the NSA’s PRISM. “Golden Frog is not part of PRISM. We run 100% of our own infrastructure and do not rely on third party hosting providers. We provide a higher level of protection for our customers than other VPN and Cloud Storage service providers that may have been compromised by this program.”
The above quote is taken from a recent announcement on the Golden Frog website by co-CEO Ron Yokubaitis. It clearly states Golden Frog’s views on PRISM and a user’s right to privacy. Please take a few moments to review the entire announcement: http://www.goldenfrog.com/blog/golden-frog-not-part-of-nsas-prism-project-offers-solution
“We run 100% of our own infrastructure and do not rely on third party hosting providers” is a particularly important quote, not just in view of the NSA/PRISM, but also in regards to the recent hacking of *******. ******* used a third party billing and provisioning system (WHMCS). Ours is in house which naturally creates a more secure environment. Unlike any other provider we manage everything end to end (from servers, to network, to DNS service). This enables us much more control from a security and privacy standpoint (even providers who claim to keep no logs are at the mercy of the hosting providers where they run their servers). I just wanted to point this out as it’s an important advantage that Golden Frog’s customers have over customers of other providers. The customers that you refer to with high expectations of what can be safeguarded can expect a higher level of security from Golden Frog/VyprVPN.
So in review, I do want to stress that we feel we are quite different from other providers, not just in the service we offer, but the way the company operates. I believe VyprVPN should meet a customer’s expectations if they have taken the time to review the information available on the Golden Frog website: http://www.goldenfrog.com/vyprvpn
I also encourage you to read Mr. Yokubaitis’ vision paper, “Peace, Prosperity and the Case for the Open Internet” (http://www.goldenfrog.com/vision). This paper provides a much more in depth discussion of Golden Frog’s core beliefs.”
“Everyone's expectations are different – but yes, perhaps some people expect more protection than a VPN or even Tor can provide.
A VPN does not make you invisible on the internet. Your real IP address might be hidden and all of your data to the VPN encrypted – but tracking cookies on your computer could be giving away your identity.
If you are logged in to your Google account then any searches you do on google.com won't be anonymous – Google will know it was you searching. If you are logged in to your Facebook account then any pages with social buttons could be tracking you.
Even if you use Tor it's possible that your cookies can identify you – which the NSA has already done with their QUANTUMCOOKIE attack.
We recommend that people use a tool like the new Lightbeam add-on for Firefox (mozilla.org/en-US/lightbeam/) to see how many 3rd party tracking sites you interact with each time you visit a webpage.
Also we've learnt that the NSA and other EU governments can request your personal data from sites like Facebook and Google. Any data stored with those companies could be shared with your government if they are chasing you for a serious crime. So even though your data is protected by the encryption of the VPN and HTTPS your emails are not secret from your email provider or your government.”
Some interesting responses. While some companies opted for a smoother PR response, one or two reaffirmed the general tone of this article and acknowledged that to assume a VPN provider can fully protect you from law enforcement and other government agencies is, in the words of LiquidVPN, “your nuts”.
We're interested to hear your thoughts on the subject in the comments area and welcome any rational discussion or opinions.
Image courtesy of Tuomas_Lehtinen at FreeDigitalPhotos.net