Semantics. The VPN provider can honestly claim they keep no logs if their servers don't keep any logs. If they don't physically own and control those servers then yes, someone else can log the traffic into/out of the server but the VPN traffic is secure so they might know you talked to a VPN server and when but not the content (let's assume that OpenVPN is actually, currently, secure). Even if they do own/control the servers various government TLAs can possibly log the traffic into/out of them. PIA are a bit vague in their answers I've seen to where exactly their servers are and who controls them.
Alexandra wrote: More often false than true. Most providers don't own their own server infrastructure but rent their servers from other companies, very often these are so-called virtual private servers (VPS), which in layman's terms means a company rents a share of a set of hardware from another company. The first red flag is that a provider offers servers in many countries and thus jurisdictions, stay away from those if you worry about various LEA.
Tano wrote: 1. Many VPN providers claim they do not log any info about their users' browsing sessions, times, associated ISP etc... True or false?
Most VPN providers use Google Analytics on their customer-facing websites, same as almost every other organisation. Organisations want to know how people interact with their website and it's easier to farm the analysis out to Google than do it themselves. Potentially government agencies could access that data. They'd know someone had visited the site and when and what they did there. Depending on what you do on the site they might also know who (i.e. you) did it. It might make you a person of interest. In most of the world accessing the website of a VPN operator is not a crime, nor is actually using a VPN, although either activity could make you a person of interest. As could engaging in discussion of VPNs.
Alexandra wrote: Private Internet Access was endorsed earlier in the thread so I'm going to continue on that track below, but let me know if you would like a breakdown of another provider.
PIA uses Google Analytics on their website, so they not only track all visits to their website but also share that information with Google.
You know this how? Google doesn't appear to know it.
Alexandra wrote: Their email (and thus support email and other customer information transmitted via email) is outsourced to an email service called emailsrvr.com, which is owned by a company called Rackspace. Rackspace is also the company that leases VPSes to PIA which they use to operate their VPN infrastructure.
Not really a red flag. If PIA are not collecting any VPN activity logs they have nothing to hand over regarding your VPN usage.
Alexandra wrote: They write in their privacy policy that they comply with LEA requests and subpoenas as long as they are considered valid in the state of California. This is another red flag, because as we know courts in California are subject to nasty things such as secret laws, gag orders and similar (FISA), so we know for sure that PIA will comply with national security letters (unlike Lavabit, for example).
I think we can all agree that Google and the USA can't be trusted full stop. So the bad guys know you've been using a VPN and when. If they had access to the VPN server, rather than just the logs, then assume your VPN activities are not P at all.
Alexandra wrote: Due to how PIA has chosen to operate the question is no longer if you can trust PIA, but whether you can trust Google, Rackspace and the state of California:
- When you access their website that information is available to Google
- When you interact with their staff that information is shared with Rackspace
- Data sent and received between you and PIA can be timestamped by not only PIA but also Rackspace
But more importantly because they operate in a highly intercepted country (USA) it is more or less given that any information about you required by a prosecutor will be available if there is a case of high enough priority either directly from PIA or from the friends of the feds in companies like Google and Rackspace that PIA has chosen to do their business with.
And make yourself doubly a person of interest.
Alexandra wrote: I personally do not trust companies that use gimmicks in marketing like "no logs" and then don't even have the legal authority to deny access to their servers because they are not even theirs to deny access to.
It depends on your adversary. Most users are anonymous towards other laymen as long as they don't reveal who they are. Anonymity is most often breached by non-technical means, e.g. criminals bragging about their crimes online or even doing business via SMS and Facebook Messenger. It's important to understand what data retention laws exist in the countries in which the service providers you use operate.
Tano wrote: 2. Can you list the criteria (in a simple, 'networking for dummies' kinda way) by which an average internet user (not a bloody NSA) would choose the best possible anonymity protection? What are the layers?
Tor is a fantastic project because they made it easy for regular users to become anonymous via the Tor Browser Bundle. Sometimes ease of use comes with a high price to pay, like when they didn't update the included version of Firefox making it possible for the FBI to launch a malware attack against users of Tor Browser Bundle as part of Operation Onymous which resulted in the closure of Silk Road 2.0 and the arrest of 17 people by police from 17 countries.
Evidently, unfortunately, easy to use and maintain means easy for the adversary as well. Use Tor but stay away from TBB if you can. Flash and Java are your enemies, throw them out. JavaScript is a pain to lose but best to. If you are tired of being treated like a criminal by the gatekeepers of the world (for using Tor, something which alone is enough to put you on an NSA watchlist), then connect to a VPN *via* Tor, so the connection link becomes Tor->VPN, to keep the VPN provider unknowing of who (and what) you are.
Anyway, what do your well-informed sources say about NordVPN, Trust.Zone, Anonymizer, TorGuard and IPVanish?