VPN

From The Uncensored Hidden Wiki

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically disparate offices of an organization, creating one cohesive network. VPN technology is also used by Internet users to connect to proxy servers for the purpose of protecting personal identity and location.

Choosing a VPN

A VPN service’s main selling points are security and privacy, but privacy is interpreted differently among VPN providers. Just ask former LulzSec member Cody Kretsinger (a.k.a. recursion) how private his VPN service was.

Kretsinger used a popular VPN called HideMyAss and engaged in activity that linked him, and his online persona “recursion,” to several high-profile hacks, including unauthorized access to servers controlled by Sony Pictures. As it turns out, HMA keeps logs of users’ IP addresses and logon/off times. A UK court order was issued to HMA to turn over the logs related to the offending account, which were then used to identify and arrest Kretsinger.

VPN providers can log web activity over their network, but it is more common to see VPN providers log users’ IP addresses, logon/off times and bandwidth usage. This logging activity allows providers to identify individuals abusing the service for fraud and spam, but in doing so they acquire information that can be used to identify individual users.

You can be absolutely sure that if a VPN provider is pressured to cooperate with authorities and has any information that identifies you as the suspect, you will be up shit creek, and you will be there without a paddle. No one is going to go to jail for you.

This is why some VPN services go out of their way NOT to log any information that could possibly identify their customers. They cannot be forced to hand over incriminating information that they do not have. [1]

Why Trust In Your VPN Provider Is Important

Not all VPN service providers are worth your trust. Some diligently log your connection times, dates, IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic that you send through their networks while you're logged in. They'll tell you it's in order to make sure you're not doing anything illegal, or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn't it?

The best ones keep as few logs as possible, and aren't interested in what you do while you're connected at all. Some don't even track when you're logged in or out, and even if they do have to keep some logs, they purge them periodically in order to protect your privacy. After all, the reason you pay for a VPN is for privacy and security, and if they keep their own data, they're the weak link in that chain. Here are some tips on how to research a VPN and decide whether they're a good match for you.[2]

Do your homework

Read their Privacy Policy

Mullvad's Privacy Policy

It is mundane, but when considering a VPN it is incredibly important to read the company’s Terms of Service and Privacy Policy, and these documents need to be in plain English, not lawyerese. A VPN provider who legitimately cares about customers’ privacy will lay out in black and white what information, if any, is recorded and for how long.

Good VPN providers state that they store “personal information” necessary to create an account and process a payment (for example: name, e-mail address, payment data, billing address), but state that they do NOT log users’ IP addresses, logon/off times, or bandwidth usage.

Great VPN providers go a step further to minimize the amount of “personal information” required by accepting bitcoin or other cryptocurrencies, eliminating the requirement for billing information. This further insulates the user’s true identity by requiring as little information as an e-mail address to create an account.

An honorable mention must go out to VPN provider Mullvad, which does not even require an e-mail address. Visitors to the website click “create account” and are given an account number without entering any information at all.[3]

Google their name and "logging" in the same query

It may sound simple, but it's actually really effective. You'll usually turn up the provider's own privacy policy (which, in the worst cases can be so buried it's difficult to find), which can answer the question right away. Some VPN providers are proud to say they don't keep logs, or that they only keep access logs in order to bill you for usage, or that they do log, but they purge daily or weekly. Some will try to dance around the issue by saying they keep "whatever logs are required by law," which really means whatever law enforcement has asked them for—which could be anything. Others won't address the issue at all—that's where the rest of the results come in. You'll probably find other sites and articles discussing the company's logging policies, which can help you figure out if they care about your privacy as much as they care about your security.[4]

Bitcoin

With VPNs, the acceptance of bitcoins is also a critical factor. This gives you an indication of how seriously a VPN takes your privacy.

Don't be afraid to ask outright

If you don't get the answer you want from simple searches, contact them and ask what their logging and data retention policies are. Again, this is something you'd want to do with premium providers more than free ones—you don't want to spend your money unless you're sure what you're getting.[5]

Beware US Based Providers

Faced with the sweeping powers afforded to government agencies (such as the NSA) by the post-9/11 Patriot Act, and to copyright enforcement bodies by legislation such as the Digital Millennium Copyright Act 1998 (DMCA), most US-based VPN providers do not make any real pretence at protecting their customers’ privacy or identity.

A few, most prominently Private Internet Access, do claim to provide high levels of security by keeping no logs ‘whatsoever’, and by using shared IP addresses, which in theory makes identifying an individual user with any internet behaviour impossible. However, the following points should be considered:

  • All US VPN companies are subject to the Patriot Act, and if the NSA is able to monitor all data collected by the likes of Google, Microsoft and Facebook, then it would be foolish to assume they cannot, or do not, monitor the servers of VPN companies such as PIA (who as we noted have a high profile).
  • All VPN companies are subject to the Stored Communications Act (SCA), which can force a provider to keep logs on the activities of named individuals without alerting them to the fact.
  • All VPN companies are subject to CALEA search warrants, which give the FBI broad powers to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time.
  • All traffic that passes through the US communications backbone can be monitored, so any traffic that passes through a US server can, at least in theory, be monitored by the likes of the NSA. Although the contents of encrypted traffic will remain hidden, the NSA can collect metadata of a similar nature to that obtainable by ISPs.[6]

The paranoid should therefore avoid any company even remotely related to the United States. However, we think that companies such as Private Internet Access are genuinely committed to their customers’ privacy and anonymity, but have little faith in their ability to guarantee this on US soil. Using their overseas servers should be OK though, as US laws and organisations have neither the means nor jurisdiction to prevent logs from being discarded from servers outside the United States.[7]

References