Who keeps your secrets: Some VPN anonymity providers sound noble; others are just icky
Light anonymity is cheap; real protection is difficult; not every secret squirrel is about liberty or justice
On June 26, 2012, references to Douglas Spink were removed from this article due to reporting errors regarding his arrest in 2005, and his association with CryptoCloud. We apologize for the errors.
Though ridiculing as "scrubs" critics claiming all the LulzSec'ers used the same thin and ineffective anonymity screen as the accused "Recursion," who the FBI arrested yesterday for one in a long line of data breaches at Sony, one of the few surviving LulzSec'ers is calling for a boycott and ultimately the destruction of the VPN service whose records the FBI used to identify Cory Kretsinger as Recursion.
All users of HMA should close their accounts immediately as they do not respect privacy concerns of users using their VPN. – AnonymousSabu, Fri. Sept. 23.
Hidemyass.com, which Kretsinger allegedly used as a proxy service to hide his IP address, but which turned its server logs over to the FBI after receiving a subpoena, "cooperates with law enforcement agencies fully and admit it. They claimed they did not log, but apparently log everything," AnonymousSabu tweeted earlier today.
Though its privacy and terms-of-service statements might have been stronger when Recursion signed up, for at least the past few months HMA has been clear that it does save data on what customers do online and will turn it over to police with the proper warrants or subpoenas.
Server activity is "logged for a maximum of 30 days, these are logs generated by the Apache web server which include your IP address and date/time of all files and websites accessed through our web proxy…We reserve the right to cooperate with law enforcement agencies who are investigating criminal activities from abusive web proxy users."
The rest of the terms of service are irrelevant. If you're doing something illegal, your beard just promised to out you – with all the details of what you were up to – if anyone with a badge should ask.
Who can you trust with your secrets
In its own post about the "Lulzsec fiasco," Hidemyass.com execs admitted learning their service was one being used by LulzSec members after IRC chat logs were released by other hackers.
They did nothing about it because they had no way to identify the accounts LulzSec'ers were using and no hard evidence of wrongdoing.
They weren't surprised with a court order for information about specific accounts, however, and they didn't sweat much over the decision.
Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences. This includes certain hardcore privacy services which claim you will never be identified, these types of services that do not cooperate are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers. – Hidemyass.com, "The LulzSec Fiasco," Sept. 23, 2011.
That doesn't mollify Sabu, who view cooperating with law enforcement in any way violation of a sacred compact, despite depending on "rooted servers or busybox routers" as anonymity screens, rather than commercial services.
"No," Sabu replied (profanely) at a "scrub" who said it's hard to "expose" HMA if the real problem was Recursion's use of one login in many places. "I am exposing HMA for going against their own anti-logging policy. Keep up. I know it's hard."
Turning records over to the FBI, then going public with it in a post that defends the practice undermines the credibility of all VPN proxy services and smears those who are more aggressive about protecting the data and activity of their customers, according to a counter-argument posted by rival VPN service AirVPN.
HMA's claim that all VPN providers keep logs and have to turn them over to police when required is wrong on legal and technical grounds, makes VPNs less credible in the eyes of customers and erodes their legal status as "mere conduits" of information that shouldn't be required to track the activity of their customers or reveal it to the law, the AirVPN editorial said.
AirVPN is based in Europe, so it doesn't recognize U.S. jurisdictions and is required by EU law to keep the names of its customers much more private than U.S. companies anyway.
AirVPN's service is designed "so that you don't need to have "faith" in what we say (for example, when we say "we don't keep logs"), but to be inherently secure, regardless of what you think of us and regardless of which pressures we might receive from enforcement or criminal entities."
AirVPN allows customers to sign up and pay for the service using digital Bitcoin reseller networks and to use the TOR VPN network when buying an account at Bitcoin, to keep from leaving a trail of IP addresses to the point at which you paid.
It offers secure email accounts "that cannot be used to reveal your identity," and encourages customers to use its service in conjunction with TOR or others "for extremely critical data transfers" for whistleblowers, those providing information on organized crime or those in politically oppressed countries who risk arrest or death for reading certain sites or posting certain information.
"The key is that we must NOT know who you are."
Other services such as Privax offer a series of free proxy servers users can link through to hide their tracks, each of which has different terms of service.