It is something to always take into consideration and not forget.

  • fidodo@lemmy.world · 176 up / 1 down · 8 months ago

    A smart VPN will avoid going to jail for you by not storing any of the data law enforcement wants in the first place.

      • prole@sh.itjust.works · 49 up · 8 months ago

        Just recently signed up for Mullvad… No CC numbers or email addresses, you just get a string of numbers and that’s all you need to connect with it anywhere. And you can pay with Monero.

        It’s like the paranoid person’s dream.

        • Chariotwheel@kbin.social · 35 up · 8 months ago

          Heck, if you want, you can pay with hard cash by mailing it with your payment token to their office. It’s pretty great when it comes to choice of privacy.

    • spaphy@lemmy.ml · 4 up / 1 down · 8 months ago

      Wondering how these magicians measure quality of service then, since they collect no juicy data. I find this hard to believe.

      • JDubbleu@programming.dev · 7 up · 8 months ago

        Quality of service is usually only useful with aggregate data which is worthless for prosecuting an individual.

        • spaphy@lemmy.ml · 1 up / 2 down · 8 months ago

          That’s not true. We used to collect client and server data both to detect issues, and even if it was only in a subset of customers, there are just some customer-facing QoS issues you wouldn’t find unless you were collecting data, that wouldn’t be found on the server side, for example. Like let’s say iPhones make an update and you’re doing video streaming; maybe certain video formats would lag when streaming to the player but not on an Android, or vice versa.

          • JDubbleu@programming.dev · 4 up / 1 down · 8 months ago

            Aggregate data doesn’t mean no client side data. It’s possible they’re collecting aggregate level client data too. They could go further and collect data on individuals that is not identifiable or useful to law enforcement in any way. I can think of a few ways to get anonymous usage data that allows you to improve your service while protecting your users. I don’t know their scheme but they clearly don’t need overly invasive forms of analytics as they have a solid service.
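
One way a provider can keep client-side QoS data and still have nothing that identifies a user, as an added illustration that is not part of the thread and is not any provider's real telemetry scheme. The client reports only coarse facts (platform, codec, hour of day, stall time); the server folds them into per-bucket counters and discards the reports; and buckets with fewer than k sessions are dropped, because a bucket of one is a pseudonymous record of when one person was connected. The schema, the bucket fields and the k = 20 threshold are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// ClientReport is all a client sends about one streaming session: coarse,
// unlinkable facts. There is deliberately no account token, IP address, exact
// timestamp or session id. Constructed schema for this example only.
type ClientReport struct {
	Platform string // "ios", "android", "linux"
	Codec    string // "h264", "av1"
	Hour     int    // hour of day 0-23 only, no date
	StallSec int    // seconds of playback stall during the session
}

// Bucket is the aggregation key. Platform + codec + hour-of-day is enough to
// see "AV1 stalls on iOS in the early afternoon" without saying who connected.
type Bucket struct {
	Platform string
	Codec    string
	Hour     int
}

// Stats is all that is retained per bucket: counters, never the samples.
type Stats struct {
	Sessions int
	Stalled  int // sessions with StallSec > 0
	StallSec int // summed stall time, for a mean
}

// Aggregate folds reports into per-bucket counters; the reports themselves are
// not stored anywhere.
func Aggregate(reports []ClientReport) map[Bucket]Stats {
	out := make(map[Bucket]Stats)
	for _, r := range reports {
		b := Bucket{r.Platform, r.Codec, r.Hour}
		s := out[b]
		s.Sessions++
		if r.StallSec > 0 {
			s.Stalled++
		}
		s.StallSec += r.StallSec
		out[b] = s
	}
	return out
}

// Suppress drops buckets with fewer than k sessions. A bucket holding one
// session is a record of when that one user was connected, so it is not kept.
func Suppress(agg map[Bucket]Stats, k int) map[Bucket]Stats {
	out := make(map[Bucket]Stats, len(agg))
	for b, s := range agg {
		if s.Sessions >= k {
			out[b] = s
		}
	}
	return out
}

// StallRate is the share of sessions in a bucket that stalled at all.
func StallRate(s Stats) float64 {
	if s.Sessions == 0 {
		return 0
	}
	return float64(s.Stalled) / float64(s.Sessions)
}

// sampleReports is constructed input: 30 iOS/AV1 sessions at 13:00 of which
// 20 stall, 30 Android/AV1 sessions at 13:00 that run clean, and a single
// Linux session at 03:00 that would single out one night-owl user.
func sampleReports() []ClientReport {
	var rs []ClientReport
	for i := 0; i < 30; i++ {
		stall := 0
		if i%3 != 0 {
			stall = 4
		}
		rs = append(rs, ClientReport{"ios", "av1", 13, stall})
		rs = append(rs, ClientReport{"android", "av1", 13, 0})
	}
	return append(rs, ClientReport{"linux", "h264", 3, 12})
}

func main() {
	kept := Suppress(Aggregate(sampleReports()), 20)
	keys := make([]Bucket, 0, len(kept))
	for b := range kept {
		keys = append(keys, b)
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i].Platform < keys[j].Platform })
	for _, b := range keys {
		s := kept[b]
		fmt.Printf("%-8s %-5s %02d:00  sessions=%d  stall_rate=%.2f\n",
			b.Platform, b.Codec, b.Hour, s.Sessions, StallRate(s))
	}
}
```

Running it prints two buckets (iOS at a 0.67 stall rate, Android at 0.00) and nothing for the lone Linux session: the iPhone-only regression spaphy describes is visible, while the one record that could have been tied to a person never leaves memory.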

            • spaphy@lemmy.ml · 1 up · 8 months ago

              If your data is being collected then are you really private or anonymous? I can think of a lot you can infer simply from metrics in a client, time window of connection and a few metrics. That’s just removed.

                • spaphy@lemmy.ml · 1 up · 8 months ago

                  I worked directly for one of the two biggest log and search systems for big data for years and I can tell you that there is always a way to correlate data lol. And the data you don’t have you can always buy to help put the missing pieces together.

  • LWD@lemm.ee · 96 up / 1 down · edited · 8 months ago

    Considering this is straight from a VPN provider, take this with a boulder-sized grain of salt.

    And I say that as someone who believes using a VPN is generally more beneficial than not. And espouses most of that advice regarding the VPN.

    Even if a VPN were totally benevolent and gave daily tours of its office, there’s still no 100% guarantee their claims can be verified at all times. So there’s always an element of trust. (I trust most of the ones outside of the Eyes countries more than my home ISP, though. )

    • Syn_Attck@lemmy.today · 39 up / 2 down · 8 months ago

      I would put Mullvad and IVPN up there as the two VPNs I’d trust most to do things right, but I still agree with everything you’ve said.

        • Syn_Attck@lemmy.today · 6 up / 2 down · edited · 8 months ago

          See the last points in the article: run by activists, and would rather shut down than cooperate with law enforcement.

          I don’t know if proton is run by activists, but I do know they’ve cooperated with law enforcement by inserting code to log user requests when coming from a specific user. Plenty of articles about the court case, and it’s also why they did away with their no-log policy.

          Also, are their logins token based or username based and connected to the protonmail account?

          • Vigilante@lemmy.today · 7 up / 1 down · edited · 8 months ago

            I think they only did the login thing with their mail service, and email was never a protocol meant for privacy, and email and VPN laws vary wildly. Feel free to correct me though.

            • Syn_Attck@lemmy.today · 1 up · edited · 8 months ago

              Sure here’s the correction, and why I’d never trust them with anything sensitive.

              They had a no-log policy, and all mail is PGP encrypted on their servers and proton to proton is encrypted in transit and at rest (it doesn’t travel), decrypted only client-side in the browser or with proton bridge, with your account password acting as the PGP key password.

              They could have designed the system so they couldn’t be forced to add that backdoor, or at least automatically notified all users when an unauthorized change was detected, or they could have shut down, or they could have revoked their warrant canary, but instead they were caught when the court case came to light, caught with their pants down, and revoked their no-log policy. https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/

              This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service’s policies, which as recently as last week stated that “by default, we do not keep any IP logs which can be linked to your anonymous email account.”

              That’s why I asked if the proton VPN is token-based and completely disconnected from the proton email account, or if they’re the same login. If the latter, it’s trivial to request the IP address of email account [email protected]

    • prole@sh.itjust.works · 10 up · edited · 8 months ago

      As others have said, Mullvad is pretty close to (if not at) 100% guarantee… No personal info whatsoever is required to be given when you sign up (including email address or payment information; you can use Monero if you want), so there isn’t really anything that they could give to authorities even if they wanted.

      Even if they did keep logs (which I’m 99.9% sure they don’t), all that would show is an IP address, and from what I understand based on past precedent, that is not enough to identify a person on its own. But IANAL.

    • 6daemonbag@lemmy.dbzer0.com · 9 up · 8 months ago

      The purpose of these corporate white papers is to inform (impress) potential customers of actual issues. It demonstrates knowledge and implies that the company has the ability to leverage their product or service to meet whatever the challenge is.

      I wouldn’t say boulder-sized because the meat of the article is true, but yes a bit of skepticism is always useful.

  • noodlejetski@lemm.ee · 40 up / 2 down · 8 months ago

    In this blog post we explain why competent service operators can avoid having to share sensitive information about you without facing severe legal consequences. The reasons laid out will also highlight why you are better off choosing a VPN service run by privacy activists who will prioritise principles before profits in difficult situations

    is it me or does it read like someone used an LLM to write those sentences?

      • delirious_owl@discuss.online · 13 up · edited · 8 months ago

        This is usually how I intro documentation for tech projects. It’s good practice for technical docs; it doesn’t necessarily mean it’s an LLM.

      • prole@sh.itjust.works · 7 up · 8 months ago

        Yeah, that’s what I was going to say. Thank god that shit didn’t exist when I was in college, or every paper I ever wrote would have been flagged. I guess I write like a robot.

        • PM_Your_Nudes_Please@lemmy.world · 4 up · 8 months ago

          Worth noting that there is a strong correlation between neurodivergence and falsely getting flagged for using AI. Apparently AI sounds autistic, so lots of autistic kids were getting flagged for AI use even when they wrote it themselves.

          But if it helps, even ChatGPT has had to admit that AI detection is inaccurate and schools shouldn’t be relying on them.

        • flamingarms@feddit.uk · 1 up · edited · 8 months ago

          Haha same! There’s a place for us though: if you ever get into research, robotic writing tends to work out fairly well!

          • prole@sh.itjust.works · 2 up · 8 months ago

            Thing is, I don’t even feel like I do write like a robot per se… Maybe it’s more like I write like the average of every person who has ever written anything ever lol.

      • noodlejetski@lemm.ee · 1 up / 1 down · 8 months ago

        yeah, which LLMs seem to be very fond of. every ChatGPT-written article I’ve seen includes “to sum up” and similar fillers.

    • viktorivpn@lemmy.ml · 1 up · 8 months ago

      Ha! Author here - no LLM was used. It was an attempt to summarise the content and the key message, but it took some time to jam pack everything into two sentences.

  • MalReynolds@slrpnk.net · 16 up / 1 down · 8 months ago

    Verifiably no logs without court order (I’m guessing canary pages have gone the way of the dodo now, probably boilerplate in the orders, maybe wrong according to the article, perhaps in some jurisdictions) would be awesome. Verified by external audit is about as good as we can get, so proton, tutanota, I think, others muchly appreciated. I think one of them set up their OS in volatile RAM, which is cool, but probably not legally protective.

    No, I don’t expect you to go to jail for me, but due diligence minimising knowledge will bump you up my list of providers to choose.

    One problem here is those that do verify, usually don’t allow torrenting ports, so, no ratios for you. Anyone know what the over/under is on lesser tier VPNs that port share vs a VPS (with all its potential, but which country?) vs Usenet? Looking to have a clue when the time comes, knowledge gratefully accepted :)

    • Nik282000 · 19 up · 8 months ago

      I love Mullvad and recommend them for everything other than torrenting. Once they disabled port forwarding I moved to AirVPN who seem to be pretty legit.

      I’m not trying to keep my ratios up but I have a few torrents of media that are not available anywhere for sale and have less than 10 seeds, so I feel like I am helping keep the shows and movies of my childhood alive.

      • MalReynolds@slrpnk.net · 10 up · 8 months ago

        Good person. Much like I would like to do. I’d be happy with a VPN for personal use and another one for torrenting (gluetun compatible preferably) Shall look at AirVPN, thanks.

      • prole@sh.itjust.works · 2 up · 8 months ago

        Just switched to Mullvad and haven’t tried torrenting with it yet… Doesn’t work? Or just slow?

        • reddithalation@sopuli.xyz · 2 up · 8 months ago

          Yes, but you can only download from peers with port forwarding enabled, and you can also only upload to port-forwarding peers, so generally it’s fine for downloading, but if you want to keep ratio (uploading) on a private tracker you need port forwarding.

    • theneverfox@pawb.social · 4 up / 1 down · 8 months ago

      I mean, if you set up your OS on an encrypted RAM disk, then set it to restart when the server rack door was unlocked/opened, and didn’t leave a backdoor for yourself to remote in, you could have a situation where you entirely lack the capability to give them access to anything before that moment. A skilled hacker might be able to get in through an exploit or do something crazy with cryogenics to read the memory at the time of shutdown, but a quick restart would overwrite most of what’s in memory and scrub that.

      Legally, there’s not much better defense than “I’m sorry your honor, I can’t provide access to the running system in the same way I can’t un-shatter a smashed mug”. If someone shows up with a warrant, you could explain that it’ll wipe itself if they open or unplug it, and it might’ve done so already. Then you guide them to it, hand over the key to the server cabinet, and let them decide to open the cabinet and destroy evidence so they can take it with them. Or they can take you at your word, and give up.

      Court orders can’t break physics, and as a VPN your reasoning for setting up the system like this is to make your service more appealing to customers - the purpose is not to aid in a crime or destroy evidence, it’s just the normal course of business.

      The same way that most companies wipe their emails after 30 days - yes, it potentially destroys incriminating paper trails, but that’s just a side effect of the security policy you’ve had all along

      Granted, there’s probably some sketchy sealed laws they could use to force you to backdoor your own system moving forward, but you can fight that as it’s undue hardship. It requires a non-negligible amount of work and would make your product less competitive

      They might win in the end if they keep pushing, and even might be able to order you to “keep up the canary paper” (meaning keep claiming not even you have access to the running system), but more likely they’d get a warrant for your customer financial records and try to find an easier path to find what they want elsewhere

        • theneverfox@pawb.social · 1 up · 8 months ago

          True, it’s probably overkill. But even if you don’t log, they could theoretically start live monitoring the VPN with a court order… With a setup like this, there’s no front door or backdoor, just an ephemeral image you have to restart to modify. You’d have to write in access methods and rebuild to get in… The government can’t just walk in and demand you stop what you’re doing and build something for them

          It does add security, even if you might not need that level of security

  • Mango@lemmy.world · 13 up / 1 down · 8 months ago

    And here I thought companies can’t go to jail. Apparently that only applies to the companies who aren’t run by the lizard people or the kids popular with the priests.

  • kobra@lemm.ee · 5 up / 1 down · 8 months ago

    I’ve tried IVPN a number of times but it never works for getting around mlb.tv blackouts which is my biggest use case. ExpressVPN has just been reliable for me in that regard.

    • Syn_Attck@lemmy.today · 17 up · edited · 8 months ago

      IVPN servers are all well-known and catalogued. ExpressVPN partly buys hacked machines to use as proxies for their paid-tier user VPNs, so they are much less likely to be blocked. They have a lot more… troubling history, that would make me never visit their download site.

      https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/

      Kape Technologies has announced plans to acquire ExpressVPN for $986 million. I do have concerns about this because Kape was once considered a malware provider.

      Reuters indicating that ExpressVPN CIO Daniel Gericke is among three men fined $1.6 million by the US Department of Justice for hacking and spying on US citizens on behalf of the government of the UAE (United Arab Emirates).

      Kape Technologies has had quite a convoluted history. According to a report in Forbes, a company called Crossrider was formed in 2011 by “billionaire Teddy Sagi, a serial entrepreneur and ex-con who was jailed for insider trading in the 1990s. His biggest money maker to date is gambling software developer Playtech,” and Koby Menachemi.

      Menachemi was a developer for Unit 8200, an Israeli signals intelligence unit responsible for hacking and collecting data (think of it as part CIA, part NSA, and part high school, because the unit hires and trains teenagers in hacking and coding skills).

      the newly renamed Kape Technologies set out on an acquisition binge. The company started buying in 2017, acquiring CyberGhost VPN for about $9 million. Next, in 2018, came Mac antivirus company Intego for $16 million. A few months later, Kape gobbled up another VPN provider, ZenMate, for about $5 million. A year later, in 2019, Kape spent $95 million for Private Internet Access, one of the best known VPN providers at the time.

      There’s more to the story as well, but you can be sure that all your data is either being proxied by a botnet or being used to spy on you. ‘I have nothing to hide!’ you may say, but I’m sure you have an app or two that still uses insecure HTTP update checks, which can be intercepted to trigger a malware installation.
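
The closing remark above, that a plaintext update check can be intercepted, is the one point in this comment a practitioner would want spelled out in code. What follows is an added example, not from the thread and not tied to any product named in it: an update client that refuses a manifest unless it carries a valid Ed25519 signature from a publisher key pinned in the binary, alongside the naive parser that trusts whatever the network returns. The manifest schema, the URLs and the in-process key generation are assumptions of the example; a real client would ship only the public key, and the signing key would live in a release pipeline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what an update endpoint returns. Fetched over plain HTTP, anyone
// on the path can rewrite it; the fix is to require a signature from a key
// baked into the client, so a rewritten manifest is rejected whatever the
// transport did. Constructed schema for this example, not any real updater's.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // digest of the package at URL
}

// SignedManifest is the wire envelope: the exact manifest bytes plus an Ed25519
// signature over them. Signing the bytes, not a re-serialised struct, avoids
// canonicalisation mismatches between publisher and client.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

// ParseUnsigned is the pattern the comment warns about: trust whatever came back.
func ParseUnsigned(body []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(body, &m)
	return m, err
}

// ParseSigned returns a manifest only if its signature verifies under the
// pinned publisher key; anything else is refused, not installed.
func ParseSigned(body []byte, pub ed25519.PublicKey) (Manifest, error) {
	var env SignedManifest
	if err := json.Unmarshal(body, &env); err != nil {
		return Manifest{}, err
	}
	if !ed25519.Verify(pub, env.Manifest, env.Signature) {
		return Manifest{}, errors.New("manifest signature invalid, refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(env.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// Publish is the vendor side: serialise once, sign those bytes, ship both.
func Publish(m Manifest, priv ed25519.PrivateKey) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return json.Marshal(SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
}

// Tamper plays the man in the middle: swap the download URL inside the envelope
// and leave the old signature in place.
func Tamper(signed []byte, evilURL string) ([]byte, error) {
	var env SignedManifest
	if err := json.Unmarshal(signed, &env); err != nil {
		return nil, err
	}
	var m Manifest
	if err := json.Unmarshal(env.Manifest, &m); err != nil {
		return nil, err
	}
	m.URL = evilURL
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	env.Manifest = raw
	return json.Marshal(env)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub is what ships inside the client
	if err != nil {
		panic(err)
	}
	genuine, _ := Publish(Manifest{"2.1.0", "https://updates.example/app-2.1.0.pkg", "constructed-digest"}, priv)
	forged, _ := Tamper(genuine, "http://attacker.example/app.pkg")
	for name, body := range map[string][]byte{"genuine": genuine, "forged": forged} {
		m, err := ParseSigned(body, pub)
		fmt.Printf("%-7s -> url=%q err=%v\n", name, m.URL, err)
	}
}
```

The signature covers the manifest bytes rather than the transport, so the check holds even when the fetch is plain HTTP or when TLS terminates at a CDN the vendor does not control. Pinning the publisher key in the client, rather than trusting any CA-issued certificate, is what stops an on-path attacker who can obtain a valid certificate for the update host from substituting a package.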

      • kobra@lemm.ee · 1 up · edited · 8 months ago

        Appreciate the info. Do you have any recommendations for alternatives? I do see reports that NordVPN seems to work for mlb blackouts but nothing on mullvad, however I could trial them I suppose.

        Edit: tried mullvad and mlb.tv won’t even allow the login 😞

        • Syn_Attck@lemmy.today · 1 up · edited · 8 months ago

          You’ll want a provider with a ton of servers. For bypassing service-level blocks, either a VPN like Express with thousands of servers or your own VPN is the way to go. There are Docker images for setting up a VPN on a $5 VPS.

          It depends on your risk tolerance. Do you need to stay as anonymous as possible (with VPN as layer 1), or do you need to be able to watch shows in a different language? Mullvad and IVPN have a limited set of rented and owned servers that are set up for security and privacy. Express, Nord, and those less ethical VPNs don’t care about that; they just want as many cheap servers as they can possibly get.

    • Manmoth@lemmy.ml · 23 up / 1 down · 8 months ago

      For “privacy” yes, almost entirely.

      If your VPN isn’t routing to your home network so you can safely access selfhosted applications then you’re basically just sharing your traffic with a total stranger and trusting them not to run telemetry etc.

      • iiGxC@slrpnk.net · 30 up · 8 months ago

        It depends who you trust more, your ISP or your VPN provider. ISPs are not known for doing right by their clients.

          • Scolding0513@sh.itjust.works · 17 up · 8 months ago

            You don’t really. You share your connection with a bunch of other people, and if you then add multi-hop that makes it exponentially harder for the VPN’s ISPs to somehow target you. Learn how VPNs work, bro.

            • Manmoth@lemmy.ml · 2 up / 3 down · 8 months ago

              I know how VPNs work. When I connect to a VPN I trust that the provider doesn’t snoop on me, actually routes the traffic like they promise and combines my traffic effectively enough that it obfuscates my identity.

              • Scolding0513@sh.itjust.works · 2 up · 8 months ago

                correct, and, I trust that provider, i.e. Mullvad, 100x more than I trust my ISP. Especially after Mullvad’s run-in with the police last year. Recommend to look it up. Also OVPN’s court battle, and Proton’s court battles too. A good provider will prove themselves to you.

                My point is that I disagree that a VPN provider is somehow intrinsically on the same trust level as an ISP. It really depends on the provider, but all in all VPN providers tend to be much more trustworthy with your traffic.