Two days ago we posted an article entitled “Proxy.sh use Wireshark… again!”, in which we looked into the second public usage of the network troubleshooting (aka sniffing) software Wireshark. It appears Proxy.sh made a somewhat exciting announcement the day after the article was published.
Firstly, after their “Ethical Policy” was belittled by Electronic Frontier Foundation staff attorney Nate Cardozo in regard to the loopholes it may leave the company open to, they have completely rewritten this policy with the help of feedback from Nate Cardozo plus others. This is a step in the right direction, and with pointers from a well respected organisation such as the EFF we hope that the previous loopholes that existed have now been covered.
One of the major new features of the Ethical Policy, and the point most heavily criticised in the old policy from nearly every corner, is that Proxy.sh will now not play judge and jury when it comes to matters which, in their own words, “is directly harmful to another human being”. This is a huge step in the right direction, as most are in agreement that it should not be up to an ISP, VPN provider or other service in the same industry to be policing their network to the extent which Proxy.sh previously allowed themselves via their old policy.
However, although the new policy from my non-legal viewpoint looks good, I am still quite confused by the statement that follows the section on what their “Ethical Task Force” will do should they receive a complaint that relates to some of the more serious crimes. The policy explains that after receiving a complaint it will require the complainant to submit two reports, one by a legal attorney and one by an IT forensics analyst, after which “The team will then attempt to actively report the case to law enforcement bodies and competent non-governmental organizations involved in the fields that the abuse relates to”. The issue I have with this is that if a crime or activity is taking place against an individual, then it should be for the person(s) in question to report the incident to a law enforcement body or competent non-governmental organisation, who should in turn contact Proxy.sh to liaise on the technical aspect of the crime.
Although this may open Proxy.sh up to a position where they are then not able to publish the complaint in their transparency report, this would be the case if an individual went to a law agency directly anyway. It appears as if this policy point adds to the workload of Proxy.sh themselves, as they will then be putting themselves in a position where they are responsible for contacting law enforcement institutes around the world, many of which would require the alleged victim of a crime to be the one reporting it, not another company on their behalf. However, I am pleased to see that they are acting in a responsible manner when it comes to the most heinous crimes and as such not allowing or giving the impression that a VPN should be the enabler of crime.
That said, apart from that nuance, their policy is now clear that they will not install or use monitoring tools such as Wireshark when receiving a complaint unless it is required by law. In an instance similar to the previous case that caused such uproar, this would now not be possible, which will no doubt please many of the critics of the company.
A further detail from the announcement, and something we took issue with in our article two days ago, is that they are making it an obligation to themselves to “provide alerts within an appropriate timeframe” when they need to intervene on one of their servers for technical reasons. We sincerely hope that this time frame will be greater than the 4 hours they provided on Friday due to a DDoS attack on one of their Dutch servers, although in the announcement they make no mention of how long an “appropriate timeframe” is, which is possibly something they may wish to clarify. Regardless, the understanding that this needs to be improved is again a welcome policy change.
For those who haven’t been keeping up to date with the happenings at Proxy.sh, for the past month they have been publicly publishing all the reports they receive in relation to such things as DMCA notices, DDoS and hacking related activity in what they title their Transparency Report. This is a step in the right direction for transparency and puts Proxy.sh at the forefront in this area, a very nice addition that I hope other providers will follow suit on, as they should.
One of the most interesting parts of the recent announcement is that Proxy.sh have decided to publish a Warrant Canary, making them the first VPN provider to take such a radical step and taking them one step further in the privacy stakes. This in a nutshell is best explained by the Wikipedia explanation, which states:
A warrant canary may be posted by the provider to inform users of dates that they have not been served a secret subpoena. If the canary has not been updated in the time period specified by the host, users are to assume that the host has been served with such a subpoena. The intention is to allow the provider to inform users of the existence of a subpoena passively, without violating any laws.
In essence it provides a silent whistle on themselves should their service have been compromised by a government organisation which requires them by law not to publish information or inform third parties regarding such action, which would compromise their integrity and the privacy services which they offer.
Such a move was recently made by Apple and, although not fully tested by law, is a smart move by Proxy.sh and will go a long way in regaining the trust of their current and future user base.
Finally, in our article “Proxy.sh use Wireshark… again!” published two days ago, we questioned the lack of communication around network troubleshooting and the implications that this would have on users who would not be clearly informed of said action on the server that they may connect to. I am pleased to see that Proxy.sh have heeded our concerns by stating “We still need to link our Transparency Report and our Network Status alerts to our Twitter account (suggested by VPNCompare), so that you can be kept alerted in real time through third party communication channels”, which goes to show that they are ready to listen and improve their service, and in an extremely swift time frame. Furthermore, in this regard they have already introduced easier access to their Transparency Report, Warrant Canary and Network Alerts from their Client Panel, which is a very welcome move making it easier for customers to better understand the actions that they take.
It appears as if Proxy.sh are not only willing to listen to and improve on criticism but are also taking market leading steps to ensure that they are doing the utmost possible to secure the privacy of their users. All of the above improvements will only go to strengthen the stance that they take in the respective areas and should be areas that other providers may wish to take note of for their own services. Proxy.sh provide an excellent service and we found no trouble when we reviewed them back in August. They have taken a heavy bashing from both the public and media in certain regards but are taking the correct steps in readdressing these concerns, and I applaud them for introducing such measures.