In recent years the landscape of VPN providers has changed dramatically. In fact in just the past year there have been many providers moving forward to offer extra peace of mind and reassure users that they have their best interests at heart.
It all started back in September 2011 in what came to be known as the “Lulzsec Fiasco” and for those who haven’t kept abreast of the goings on in the VPN world it basically revolved around a situation in which a group of hacktivists involved themselves in various crimes whilst making use of the HideMyAss service. I have long been an advocate that a VPN service should not be the provision to allow crime to go unpunished and regardless of your personal views the facts remain that with session logs the perpetrator(s) got caught and received punishment in relation to those crimes. The backlash from various sections of the community was immense and forever changed the landscape of VPN providers and the public opinion of what was going on behind closed doors with regard to logging.
One benefit of the situation is that the public became much more aware of what might be possible, and the single general banner of “No Logs” was largely banished from use by any respectable VPN provider. Even though the majority of the population had suspected for years that the government had ways and means to spy on the general public, be it from overactive imaginations or time spent watching too many conspiracy theory movies or TV shows, when the likes of Wikileaks and Edward Snowden released documents showing what was really going on, the world stood still in shock. Not only is the government capable of the spying that we originally thought, but on such a massive scale that none of us could have imagined it in our wildest dreams.
The same situation is now apparent in the VPN world. Thanks to the revelations that came to light in the HideMyAss incident, the landscape was altered so that users no longer blindly trusted the “No Logs” banner, leading us all to question and probe our providers for more information on their policies, their ethics and, in many cases, what exactly they would do in certain situations.
Moving forward to 2013, the second big incident of recent times surfaced with the situation around Proxy.sh, in which they employed Wireshark to weed out an unscrupulous user on their network. The backlash was equally big, and more so because, unlike the HideMyAss situation, no legal document had forced the hand of Proxy.sh to employ such tactics. The ground of this relatively new landscape shifted again and feelings burned strongly, especially as no legal body had required the use of Wireshark and no criminal complaint had been made that could have resulted in the situation.
There is nothing inherently wrong with logging various aspects of a user's service, as long as that user is fully aware of what is and what is not part of that deal. Many providers state that to continue to operate as a legitimate service they need to have systems in place to catch wrongdoers. Again, I see nothing wrong in that, but it has to be made clear and as open and honest as possible, not hidden away in some tiny corner called the T&C that very few people actually read because of the mass of text that will no doubt put people off.
In the case of HideMyAss the situation was now clear, and users started to realise that with “Session Logs” and dynamic IP addresses their actions could be linked back to them without the need for any kind of activity log: a session log records only who connected, when, and which address they were assigned, which is enough to match an address and a timestamp to an account. The different uses of commercial VPNs make it very difficult to pigeonhole whether this is a critical problem or a lesser one. Where one user may make use of a VPN to bypass geographical restrictions found in places like Hulu and the BBC, others may be using them to write anonymous but sensitive news articles which could relate to government operations.
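Added example (not from the original post) of the correlation this paragraph describes: a constructed session log holding only account, exit IP and start/end times, joined against an IP and timestamp of the kind a complaint would carry. Account names, IPs and times are made up; the example also shows the shared-exit-IP case, where the same join no longer names a single user.

```python
from datetime import datetime

# Constructed session log (no activity recorded): account, exit IP,
# session start, session end, all UTC. Two accounts share 198.51.100.9.
SESSION_LOG = """\
acct-1042,198.51.100.7,2013-06-01T09:00:00,2013-06-01T11:30:00
acct-2210,198.51.100.7,2013-06-01T11:45:00,2013-06-01T14:00:00
acct-3377,198.51.100.9,2013-06-01T10:00:00,2013-06-01T16:00:00
acct-4480,198.51.100.9,2013-06-01T12:00:00,2013-06-01T13:00:00
"""

def parse_session_log(text):
    """Parse the CSV lines into dicts with datetime start/end fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        acct, ip, start, end = line.split(",")
        sessions.append({
            "account": acct,
            "exit_ip": ip,
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
        })
    return sessions

def accounts_for(sessions, exit_ip, when):
    """Return the accounts that held exit_ip at the given instant.

    Exactly one result means the session log alone names the user, with no
    activity log needed. Several results (a shared exit address) mean the
    log cannot single anyone out, which is why a provider that wants to
    limit what its records can reveal puts many users behind one IP.
    """
    when = datetime.fromisoformat(when)
    return sorted(
        s["account"] for s in sessions
        if s["exit_ip"] == exit_ip and s["start"] <= when <= s["end"]
    )

if __name__ == "__main__":
    sessions = parse_session_log(SESSION_LOG)
    # Exclusive dynamic IP: an IP plus a time resolves to one account.
    print(accounts_for(sessions, "198.51.100.7", "2013-06-01T10:15:00"))
    # Shared exit IP: two sessions overlap, so the log alone is inconclusive.
    print(accounts_for(sessions, "198.51.100.9", "2013-06-01T12:30:00"))
```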
If such sensitive material is involved then it is paramount that a provider does not release any such “Session Log” information unless forced to through legal avenues. However, regardless of this, we never fully understand the reach of governmental spy organisations, and what we consider law is not always as it seems, which is why the phrase “the long arm of the law” is apt in this instance. Just because no legal paperwork exists on the surface does not rule out the possibility that the government and its organisations can basically do as they please, as they have shown time and time again in the past. I would not be surprised to see various agencies attempting to gain access to any such logs without the knowledge of anyone outside of that agency. However, if you are not using the service in a way which requires protecting your sensitive web usage, then this would not be a concern to you.
Regardless of your opinion on session logs, or any type of logs in general, the resolution to these situations is for providers to be fully open and honest about their policies and, when and if possible, to alert their user base and those who take any interest in VPN matters if any intervention by legal authorities has been recorded, such as with a Warrant Canary.
The final incident came in the form of LiquidVPN, who more recently announced they would be enabling a certain level of logging on a specific server due to a hacking incident. While this never came to fruition, as the server was killed by the data centre before any logging could commence, it caused concern amongst users of the social site Reddit and no doubt other less prominent forums.
Proxy.sh made good headway in this area by introducing a Transparency Report, Warrant Canary and Network Alerts. VikingVPN have followed suit and introduced their own Warrant Canary. The final contender LiquidVPN went the whole hog to resolve what some saw as “wrongs” and took a leaf out of Proxy.sh’s book by also introducing the full set including Transparency Reports, Warrant Canary, Network Alerts and an Ethics Policy.
While there are those who disagree with any logging at all, and in theory this is the ideal situation, there are cases like the EarthVPN debacle that show that, regardless of VPN provisions, there are other avenues for users to be linked to their actions via “other” means. Moving forward, the ability to be as open, honest and clear about what is and what isn’t possible appears to be the best solution in a difficult situation. No VPN provider can operate outside of the law, be it legally, financially or otherwise; at some juncture every legitimate company needs to be operating in a legitimate manner. But what about those that aren’t? Well, it’s simple: they aren’t legitimate companies. Perhaps they can be more secure, but if they’re operating outside the scope of what society has deemed normal or acceptable in business for many hundreds of years, then are they any better than those claiming to log nothing but logging something?
When it comes to a provider who is not operating in a legal, legitimate manner, who will be of more interest to the powers that be? The provider operating within what society accepts, or the one which operates under the radar, even avoiding such simplicities as the records any business must keep for taxation and the like?
Clear, concise and honest policies are what educate a user and allow them a clear choice; it is now left only to you to actually read those stipulations before signing up…