The following post is from iVPN’s head of business development Christopher Reynolds. iVPN is a Virtual Private Network (VPN) provider and Electronic Frontier Foundation (EFF) member that’s dedicated to protecting user privacy.
Make no mistake: we’re in the midst of an upheaval when it comes to online surveillance laws. From the US to Australia, western governments have found themselves desperately trying to introduce legislation that would have dire consequences for Internet freedoms and online privacy if enacted. Such legislation will likely see increases in the use of Virtual Private Networks (VPNs). A VPN secures your computer’s Internet connection so that all of the data you’re sending and receiving is encrypted and never logged, therefore protecting you from snooping.
However, while many VPNs take privacy seriously, many others in operation today offer no more protection than a regular Internet Service Provider (ISP). In fact, they might be handing your data over to law enforcement. Read on to learn how to pick a VPN that really secures your privacy.
The growing threat of government surveillance
Surveillance laws need updating. The channels of our everyday communication have changed dramatically over the past few years and it’s only right that governments respond to this shift. But as we’ve seen recently with CISPA in the US, the CCDP in the UK, and the current surveillance proposals in Australia, western law enforcement agencies are using this opportunity to exploit the situation and call for unprecedented powers of surveillance.
All of these new bills have one thing in common: they aim to make it easier for law enforcement to monitor everyday Internet activities, such as web browsing and emailing. In European countries, these efforts are being facilitated by the EU-wide Data Retention Directive, which mandates that all EU-based ISPs must retain a customer’s data for between 1 and 2 years after they leave the service. Such a law does not exist in the US (well, not yet anyway), so law enforcement wants to make it easier for internet services, such as Facebook and Skype, to do the spying for them. It’s also worth noting that just because the US doesn’t have a data retention law doesn’t mean ISPs cannot retain data, or that they are not doing so.
Not all VPNs are born equal
As research conducted last year in Sweden suggests, the more surveillance fears increase, the more Internet users gravitate toward using VPNs. We can therefore expect VPNs to become more mainstream over the next few years, as surveillance issues gain traction and media attention. However, this will also lead to many companies taking advantage of the situation and offering VPN services that are not privacy-oriented and will not protect Internet users from the overbearing surveillance they are trying to escape.
This is not news. In fact, one of the most popular VPNs on the market, HideMyAss.com, has proven itself to offer no protection from government surveillance. Back in 2011, HideMyAss was forced to hand over data logs belonging to a member of hacker group Lulzsec to the US authorities. There is no point, at least from a privacy perspective, in using a VPN if it’s retaining data. If you retain data, then you’re compelled by law to hand it over when requested. The way VPNs get around this rule is by wiping logs as soon as they’re created.
Questions to ask when choosing a VPN
HideMyAss is not alone. A number of popular VPN services keep data logs (around six last time we checked) and new services are springing up all the time. If you decide to use a VPN for privacy reasons, then these are the key questions you need to ask:
1. What is the company’s data retention policy? – If the small print says they keep logs of their users’ information, then stay away. But many companies aren’t forthcoming about this information. If you can’t find an answer, contact the VPN and ask them. Do not sign up unless they reply that they don’t keep logs.
2. Where is the company based and what will it do with your data? – It’s always worth checking what the laws are regarding data retention and surveillance within the country where your VPN is headquartered. Law enforcement could still seize servers located in different countries, but as long as the VPN is not logging traffic, a user’s identity wouldn’t be compromised.
There is no easy answer to which country is the best host for a VPN. The US grabs a lot of headlines due to controversies like the NSA’s warrantless wiretapping, but it currently has no data retention laws in place (unlike the EU), and law enforcement agencies still need judicial oversight to access your data. This can’t be said for many European countries such as the UK, which for many years has seen widespread warrantless data monitoring via the Regulation of Investigatory Powers Act. Countries like Sweden are often thought of as good choices, but they also suffer from harsh surveillance laws. Even Switzerland’s government, which is not compelled by the EU to retain data, still does so and permits its law enforcement to install trojans and malware on citizens’ private computers.
Generally speaking, governments that have shown an interest in protecting the online privacy of their citizens include Germany, Poland, and Romania. But even Germany, which has been incredibly good at resisting the EU’s Data Retention Directive, has one of the strongest copyright lobbies in the world and vigorously pursues offenders. Some people may find countries such as Russia or Panama more appealing, but these places struggle with more prevalent police corruption, potentially leaving VPNs open to more abuse from law enforcement.
Remember, many VPNs retain data willingly, as they may have little motivation to defend their subscribers. Therefore, while it’s worth looking into the relevant legislation of a VPN’s host country, by far the best measure you can take is signing up to a VPN that is privacy-oriented and clearly states it will protect its users’ data. If a VPN is not logging data, then the only way law enforcement can link users to data is by serving a subpoena through the proper legal channels, issuing a gag order, and then forcing a VPN to start logging data. We cannot speak for other VPNs, but iVPN would shut down its servers before cooperating with this request.
3. What will the company do if laws change? – We’re in the middle of great changes when it comes to surveillance laws. If a country introduces new data retention laws, then a VPN will have to comply. Any privacy service worth its salt should be ready and willing to relocate if needed.
If you follow the three points above, then you should be confident that the VPN you choose is respecting your privacy. Some people may insist on anonymous billing methods, such as Bitcoin, but such forms of payment create their own problems. Merely proving that you use a VPN cannot be used as a basis to suspect you of wrongdoing.
Government surveillance laws are changing rapidly, so if you’re concerned about this issue, one of the best things to do is stay informed and get involved. A good place to start is the Electronic Frontier Foundation’s website.