Nick Pearson is chief executive officer (CEO) of IVPN, a privacy-focused virtual private network (VPN) service and Electronic Frontier Foundation member.
In a guest post for HumanIPO, Pearson discusses the benefits of using VPNs and whether they are any more likely to protect users from government snooping.
Ever since whistle-blower Edward Snowden revealed the true extent of the NSA’s PRISM surveillance programme, the issue of online privacy has been dominating news headlines and technology blogs across the world.
This media attention will almost certainly lead to more people seeking ways to escape state-level surveillance online.
A few will end up using the free-to-use TOR to protect their privacy, while others will likely turn toward commercial VPN services. However, while most VPN services advertise themselves as privacy platforms, many of them – especially the most popular one – offer little protection over a regular ISP and lull their users into a false sense of security.
You may remember that back in 2011 a hacker group called Lulzsec terrorised a number of companies and government agencies, before being brought down by the FBI.
One member of Lulzsec, Cody Kretsinger, used HideMyAss, which is one of the biggest and most famous commercial VPN platforms on the market. Kretsinger’s reliance on HideMyAss proved his downfall, as rather than protect his identity and privacy, the company happily handed over his details to the authorities.
Now you may think that’s all fine – Lulzsec were cyber criminals and got what they deserved. But for HideMyAss to be able to hand over Kretsinger’s data to the FBI, they had to have been logging and storing his information, which means it’s likely they’re logging and storing the information of all their users.
There’s nothing unusual about this practice; your ISP is probably doing it right now (in fact it’s a legal requirement for European ISPs). But this is the very type of surveillance people use VPNs to escape.
In fact, if you look at the privacy policies of many VPNs you’ll find many that either fail to state whether they log and store data or openly admit to it.
In HideMyAss’ case, the company explicitly states that data is logged and stored for up to two years. It’s true that storing data is useful for network troubleshooting, but only for a few days, or less.
The only plausible reason to store data for any longer period of time – if you’re purporting to be a privacy service – is to track the activity of a particular user in case that data is requested by a third party.
So if you’re going to sign up to a commercial VPN – with the expectation that it will protect your privacy – you need to ask a series of questions.
If the VPN says it stores data for any longer than a few days then, again, don’t sign up.
Secondly, what data does the VPN share with third parties? Many websites share advertising data, but it’s hardly befitting of a privacy service and should set alarm bells ringing.
Thirdly, what will the VPN do if surveillance legislation changes in its jurisdiction? Will it notify you if such changes compromise its ability to protect your privacy?
The online privacy landscape is fast changing, with governments across the world attempting to pass new legislation to keep up with changes in communication habits, and – as we saw with PRISM – seemingly subverting their own laws to spy on citizens.
Protecting your privacy online has never been more necessary nor more difficult. So if you care about this issue, don’t just use TOR or a VPN to protect your privacy; get involved with organisations such as the Electronic Frontier Foundation, EPIC and Open Rights Group and support the campaign for the protection of online freedoms.