About a year ago applesam ventures took a look at a selection of the
web’s VPN providers to see which ones really take privacy seriously.
During the months that followed we received dozens of emails begging us
to carry out an update and today here it is. The first installment in
our list of VPN providers that due to their setup cannot link user
activity to external IP addresses and activities.
Prompted by a high-profile case
of an individual using an ‘anonymous’ VPN that turned out to offer less
than expected protection, applesam ventures decided to ask a selection of
VPN companies some tough questions.
With our findings we compiled a report of providers
that due to their setup were unable to link their outbound IP addresses
with user accounts. Ever since we have received countless emails
demanding an update.
It’s taken a long time but today we bring the first installment in a
series of posts highlighting VPN providers that take privacy seriously.
Our first article focuses on anonymity and a later installment will
highlight file-sharing aspects and possible limitations.
We tried to ask direct questions that left providers with little room
for maneuver. Providers who didn’t answer our questions directly,
didn’t answer at all, or completely failed by logging everything, were
simply left out. Sadly this meant that quite a few were disregarded.
This year we also asked more questions, which are as follows:
1. Do you keep ANY logs which would allow you or a
3rd party to match an IP-address and a time stamp to a user of your
service? If so, exactly what information do you hold?
2. Under what jurisdictions does your company
operate and under what exact circumstances will you share the
information you hold with a 3rd party?
3. In the event you receive a DMCA takedown notice, how are these handled?
4. Which payment systems do you operate and how are these linked to individual user accounts?
The list of providers is a tiny sample of the thousands out there
today and is not comprehensive by any means. Providers not covered this
time around will be added during the coming weeks. All responses listed
below are in the words of the providers themselves and the order of the
list does not carry any meaning.
1. We do not keep any logs whatsoever.
2. The jurisdiction is Canada. Since we do not have log files, we
have no information to share. We do not communicate with any third
parties. The only event we would even communicate with a third-party is
if we received a court order. We would then be forced to notify them we
have no information. This has not happened yet.
3. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.
4. At the moment we only accept Paypal and Bitcoin. We have plans to
accept alternative credit card processing in the near future. In Kenya, hopefully soon, we would line our payment acceptance via mpesa (safaricom), airtel money (airtel) and ikopesa (orange).
1. We absolutely do not maintain any VPN logs of any kind. We utilize
shared IP addresses rather than dynamic or static IPs, so it is not
possible to match a user to an external IP. These are some of the many
solutions we have implemented to enable the strongest levels of
anonymity amongst VPN services.
2. We are in compliance with DMCA as all companies, world-wide, must
be. We have proprietary technology and an experienced legal team which
allows us to comply without any risk to our users.
1. No information whatsoever is being recorded or held in our facilities.
Our services are run from RAM and all our system services come with
state-of-the-art configuration that ensures nothing is left after usage.
The only information we have about our customers is an e-mail address
and the name of the payment method.
1. TorGuard doesn’t store IPs or time stamps on our VPN/proxy servers,
not even for a second. It’s impossible to match what is not there. Since
some people tend to misbehave when using a VPN, this raises the
obvious question: how do we maintain a fast, abuse-free network? If even
our network engineer can’t back track the abuser by IP, then how do we
stop it?
Through packet level filtering at the firewall it’s possible to apply
rules to an entire shared server, blocking the abuse immediately. For
example, let’s say someone decides to use TorGuard to unlawfully promote
their Ugg boots business (spam). In order for us to block this one
individual, we simply implement new firewall rules, effectively blocking
the abused protocol for everyone on that VPN server. Since there are no
user logs to go by, we handle abuse per server, not per user.
2. TorGuard recently went through some corporate restructuring and
has now moved its parent company to Nevis, West Indies. Our company
abides by all International laws and data regulations imposed within our
legal jurisdiction. We don’t share any information with anyone
regarding our network or its users and won’t even consider communicating
with a 3rd party unless they’ve first obtained adequate representation
within our legal jurisdiction. Only in the event of an official court
ordered ruling would we be forced to hand over blank hard drives.
There’s nothing to hand over but an operating system.
3. TorGuard complies immediately (24 hours or less) with all DMCA
takedown notices. Since it’s impossible for us to locate which user on
the server is actually responsible for the violation, we block the
infringing protocol in its entirety, whatever it may be – Kazaa, HTTP,
Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc. This
ensures the content in violation is immediately removed from that server
and no longer active on our network.
4. We accept all forms of credit card, Visa, Amex, Mastercard,
Discover, PayPal, Google Checkout and Bitcoins. We also accept
anonymous payments through our pre-paid PIN system. These pre-paid
service PIN numbers can be purchased from one of our participating
online resellers and redeemed during checkout on our website.
Our client billing area and VPN/Proxy user auth servers are two
completely separate systems. This is to ensure the privacy and
securities of our customer’s accounts are upheld at all times. While the
customer’s chosen payment method will be linked to the client billing
area login, this information is kept completely separate from their
VPN/Proxy network. In this way, it’s virtually impossible to “connect
the dots” of a paying customer with that of someone who is using the
servers. This can become a pain for clients as they are required to
remember two sets of logins/passwords, but trust us – it’s in the best
interest of security.
1. We don’t store any logs, it’s impossible to track users’ activity through our VPN.
2. Our company is based in Seychelles. We do not disclose any
information to 3rd parties and this can be done only in case of a
certain lawsuit filed against our company.
3. If we receive a notice about DMCA infringement, our team of
lawyers solves it immediately without any blocking of servers or
protocols. We don’t store any content on our servers, users are
anonymous, so, there are no problems with it. We promise our customers
that they will not have problems with the DMCA.
4. PayPal and CommerceGate.
1. We store a user’s e-mail and username, that’s it. This means that we do
not store, or have access to, any traffic logs of any kind. By traffic
logs we mean any kind of data that has the potential to, directly or
indirectly, match a user’s original IP or identity with one of our IPs.
2. It is important to remember that we do not store any traffic logs,
and therefore it would be physically impossible for us to hand
something like that over to a 3rd party. This, next to the encryption,
is the core of the entire anonymity aspect of the service.
3. Our no logging policy has never really caused us any trouble since
we never have received any official requests to hand over any traffic
logs.
4. We accept credit card payments through Paypal and Payson. Our services will soon be unveiled in Kenya and modes of payment will be communicated further.
1. No. As a privacy service and EFF member, IVPN’s main priority is the
anonymity of its users. We use non-persistent logs (stored in memory) on
our gateway servers. The logs are only stored for 10 minutes. That time
window gives us the ability to troubleshoot any connection problems
that may appear, but after 10 minutes no trace of activity is stored.
2. We ensure that our network providers understand the nature of our
business and that we do not host any content. As a condition of the safe
harbor provisions they are required to inform us of each infringement
which includes the date, title of the content and the IP address of the
gateway through which it was downloaded. We simply respond to each
notice confirming that we do not host the content in question.
AirVPN
1. We don’t keep any log that can allow a 3rd party to do that.
1. We don’t keep ANY logs that allow us or a 3rd party to match an IP
address and a time stamp to a user of our service. The only thing we log
are e-mails and user names but it’s not possible to bind an activity on
the Internet to a user. This applies to all our servers except U.S.
servers.
1. No logs are held or kept.
2. We operate in Swedish jurisdiction. We do not give out any information, since we do not have any information to give out.
3. We do not care or get scared about the DMCA.
4. We accept Wiretransfer, Bitcoin and Bankgiro. We only require a working e-mail address to be a customer.
1. We keep connection logs in our system, but they contain only
depersonalized data, that allows us to optimize traffic routes and make
connections faster. These logs are stored for 7 days, but they are not
interesting for anyone. In the event we are sued we can deliver only
this information.
2. We don’t have any mechanics to block users, we also have no
information about which user the complaint is against but we are
developing a system to alert our users in case there is a complaint
about their activities.
4. We use Plimus Payment System for all user accounts. iPhone / iPad /
iPod users can purchase a subscription from an application that can be
installed from Apple AppStore. Payment is made through the AppStore
billing system. Users of devices based on Android can purchase a
subscription from an application that can be installed from Google Play.
Payment is made through Google Checkout.
1. IPVanish users are given dynamic and shared IP addresses. Essentially,
that mixes customer A’s traffic with customer B’s and C’s and so on,
making it impossible to single out anyone for anything.
The only information that we do collect from a VPN session is:
Timestamp (date and server time) of the connection to IPVanish, duration
of the connection, IP address used for the connection and bytes
transferred. This helps us troubleshoot any connectivity issues a
customer may have. And of the small amount of support info we do keep,
we purge it regularly.
1. On our Privacy servers we don’t log anything that can identify a single
user, but on our US, Canada, UK, Germany & Singapore servers, where
we don’t allow file-sharing, we do log the internal RFC1918 IP that is
assigned to the user at a specific time. We never log the real external
IP address of the user.
We also hold a username and email address of our subscribers, the
times of connection and disconnection to our services along with
bandwidth consumption.
2. We now operate under the jurisdiction of Hong Kong because we
worry what the lawmakers in USA and Europe may introduce to make things
difficult for proxies and VPNs. We will fiercely protect the privacy and
rights of our users and we will not disclose any information on our
users to anyone, unless forced to by law enforcement personnel that have
produced a court order.
3. On our Privacy servers DMCA does not apply (eg USA DMCA to our
Swiss server). If we receive a DMCA on our other servers (US, UK,
Canada, Germany & Singapore) we generally give the user one warning
that they are violating our TOS and their account may be terminated.
1. We keep connection logs for debugging purposes, which happens encrypted
and off-site. Connection logs contain information for debugging PPTP
client issues. We try to store the least amount legally possible
anywhere. IP-addresses are encrypted and can only be decrypted by
non-support staff to ensure a proper process. For example, to work
around issues where the police ruffles up the support staff a bit to get
data for an abuse report. In the database we only store the details
users give us on sign-up and a limited backlog of payments.
2. Usually we only receive email, therefore we drop anything that has
DMCA in the subject. If they want something they need to send us a
letter or a fax or send the police. Most of the time we get complaints
for running the TPB proxy or the TOR servers.
3. PaySafe, BitCoins, PayPal, PaySon, AlertPay
1. No we do not keep logs. However as per our policy, if we do notice any
unusual activity on our servers (high bandwidth loading, high number of
connections or cpu usage) we may turn on logs temporarily to identify
abuse of our services (such as DoS or spamming through our servers).
Once the user is identified, we will terminate the offending user,
issue him an e-mail for the reason of termination and wipe the logs from
our system.
Turning on logs for troubleshooting is a very last resort and is
necessary to ensure the integrity of our services. It has happened very
rarely (only a handful of times in our 6 years of operation) and such
information was not disclosed to third parties but merely used to
terminate the offending user. In any case logs were usually enabled for
not more than few hours and only for the particular server that was
experiencing abuse.
2. Servers hosted in US or categorized as “surfing/streaming” have
P2P disabled on them. As for other servers, they are not subject to DMCA
and we have a good working relationship with our server providers.
In the event DMCA notices or similar are given to us, we normally
respond that we don’t have such content hosted on our networks and if
the provider is adamant, we will terminate our relationship with the
server provider and find a new one. We will not reveal the user that
generated that DMCA notice (nor can we with no logs taken). Over the
years, we have identified server providers that we can work with and
understand the nature of our business.
4.. However to sign
up to our service, all is needed is a working e-mail and you are free to
use placeholder names etc etc. Only in the event of dispute or
chargeback cases (especially with credit cards), additional info is
requested which is to be expected when using a credit card (unless a
prepaid visa is used).
Following these remarks, applesam ventures urges Kenyan ICT firms to embrace virtualization for easier ways to keep and store data, as it is soon going to be the most effective way of trafficking the most essential data that we all need.
Source: www.samwelkariuki.blogspot.com
Credit: Applesam ventures