One of the new features edging its way in to the VPN industry is the introduction by some providers of the Transparency Report.
What this entails is the release of all notices received be it legal, copyright and such like.
The purpose is to be as open and transparent (hence the name) about what actions are taken in relation to what report is received. For example if a DMCA notice is received by a provider and no details are stored about the user then the provider responds as such and us as users get to see both the initial complaint and also the resolution steps that have been taken by the provider.
One of the first providers to introduce such a system was Proxy.sh more recently followed up by LiquidVPN. After Proxy.sh received some negative press on their handling of a specific case they opted to turn round their standing to be as clear as possible about how they handle complaints.
The system has been running for the past few months and is made up 99% of the time with DMCA notices which on their own are of little interest to most people, it is quite nice to see the action taken as it gives a sense of security should you have been that user in question or the type of user that may have raised similar complaints. On the 7th March 2014 an interesting report came in from Senior Detective Constable Håkan Kvist from the Crime Coordinate Division of the Swedish Police which read as follows :-
We have a request about ip-address 18.104.22.168, it was used in a fraud 1/4/2014, between 14:26 and 17:06 UTC + 1 (Swedish time).
For use in investigating we wish that you will provide us, with information about the costomer/user of the obove ip-address.
Contact details as name, address, phonenumber.
The investigating of this crime that could lead to two years imprisonment.
PS: we have been in contact with, Boney, GridlaneCloud VPS Hosting in Stockholm.
Boney gave us the contact details to you.
Senior Detective Constable Håkan Kvist
Detectivedepartment, Crimecoordinatedivision, Gävle, Sweden
Now while it obviously doesn’t go in to detail about the specifics of the case, it relates to fraud. There are a few possibilities about what type of fraud it may have been but for the purpose of this article lets assume it was fraud against another person, as in, someone was defrauded, perhaps by a Paypal transaction or such like.
First and foremost it would be a very poor VPN provider that responded with the details of the alleged perpetrator just on the basis of this email, there is no hard evidence that a user of the service has been involved and it has also not been received through the appropriate channels.
In the case of Proxy.sh this would require a court order or subpoena in a court of the Seychelles or in a round about way perhaps on the server it was carried out on which in this case would be an easier route as it appears it is likely to have been a Swedish server. Just because someone shows up with a badge doesn’t always mean we have to hand over our life stories and in this case it was just a basic email, for all a VPN service knows, Håkan Kvist could be the janitor or someone who just does paperwork in the office.
Proxy.sh answered the request with :-
Because the server is configured to never log any user activity, and because several customers are being crypto-protected behind the same IP address, it is impossible for us to assist the detective.
While the response was correct in this case, firstly because it wasn’t an official request through a court and secondly because Proxy.sh wouldn’t have any information to hand over anyway it started me thinking about where the line is drawn when it comes to a VPN provider and who ultimately decides that line.
Although we all champion providers who protect our privacy and remove us from the evil clutches of those mining our data without good reason there is a darker more ethically related question about where does privacy and anonymity stop and how from a victim perspective would it appear should you be on the receiving end of a crime committed via a VPN.
In everyday life if a crime is committed against us we expect the police to resolve the case somehow and dish out the appropriate punishment to the person in question. I am lucky enough to live in a country that most crimes are investigated thoroughly and would like to think that many people get caught for committing those crimes.
However, to put it in relation to a crime committed over a VPN I wondered how I might feel being the victim of a street robbery that was captured on CCTV only for the investigation trail to go cold because the perpetrator wore a mask or covered his face in some manner. While CCTV has the luxury of still catching the criminal based on aspects of the clothing, his height, his weight and other unique features of him this is where the comparison between a crime committed over VPN and a “real life” crime ends. Simply down to the fact a VPN provides a complete cloak with no distinguishing features.
I contacted the detective on the case to query his opinion of how VPN services may hinder investigations of this type, his response was as many may expect but gave a more human element to the systems which we depend on for our privacy when they are used for purposes of destruction :-
When the supplier did not log the subscription data, it was impossible for us to find the suspect.
Services with hidden or deleted data subscription, makes it possible for fraudsters and other criminals to continue their crimes.
For our part, these services is a disadvantage for us.
There are times a victim needs to be anonymous.
But the advantage of the criminal, do not take over the occasions a victim needs it.
I wonder what became of the victim and the untold damages that could of been caused by this incident. While it is true that a VPN service can not be responsible for its users actions and ultimately the devastation that may have been caused rests solely on the shoulders of the user responsible, it poses the question of with the security and privacy that we seek will it be at the cost of huge untold damages in the future and how will we as privacy seekers feel should a huge disaster come to light that was carried out or organised behind the veil of a VPN.
Another perspective, should we blame the governments of the world for prying ever more in to the lives of normal citizens which has heightened our understanding and desire to protect our privacy. VPN providers are the answer to the demand, without demand and reasons for making use of them then they would be less necessary. Have we entered a situation between protecting our privacy while also removing the capability of the social systems we elect such as the Police to protect us online as we would expect afk?
Image courtesy of chanpipat / FreeDigitalPhotos.net