Prompted by a high-profile case of an individual using an ‘anonymous’ VPN that turned out to offer less than expected protection, applesam ventures decided to ask a selection of VPN companies some tough questions.
With our findings we compiled a report of providers that due to their setup were unable to link their outbound IP addresses with user accounts. Ever since we have received countless emails demanding an update.
It’s taken a long time but today we bring the first installment in a series of posts highlighting VPN providers that take privacy seriously. Our first article focuses on anonymity and a later installment will highlight file-sharing aspects and possible limitations.
We tried to ask direct questions that left providers with little room for maneuver. Providers who didn’t answer our questions directly, didn’t answer at all, or completely failed by logging everything, were simply left out. Sadly this meant that quite a few were disregarded.
This year we also asked more questions, which are as follows:
1. Do you keep ANY logs which would allow you or a 3rd party to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
3. In the event you receive a DMCA takedown notice, how are these handled?
4. Which payment systems do you operate and how are these linked to individual user accounts?
The list of providers is a tiny sample of the thousands out there today and is not comprehensive by any means. Providers not covered this time around will be added during the coming weeks. All responses listed below are in the words of the providers themselves and the order of the list does not carry any meaning.
BTGuard
1. We do not keep any logs whatsoever.2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.
3. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.
4. At the moment we only accept Paypal and Bitcoin. We have plans to accept alternative credit card processing in the near future.In kenya,hopefully soon,we would line our payment acceptance via mpesa(safaricom),airtel money(airtel) and ikopesa(orange).
Private Internet Access
1. We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services.2. We are in compliance with DMCA as all companies, world-wide, must be. We have proprietary technology and an experienced legal team which allows us to comply without any risk to our users.
Proxy.sh
1. No information whatsoever is being recorded or held in our facilities. Our services are run from RAM and all our system services come with state-of-the-art configuration that ensures nothing is left after usage. The only information we have about our customers is an e-mail address and the name of the payment method.Torguard
1. TorGuard doesn’t store IP’s or time stamps on our VPN/proxy servers, not even for a second. It’s impossible to match what is not there. Since some people tend to misbehave when using a VPN , this raises the obvious question: how do we maintain a fast, abuse-free network? If even our network engineer can’t back track the abuser by IP, then how do we stop it?Through packet level filtering at the firewall it’s possible to apply rules to an entire shared server, blocking the abuse immediately. For example, let’s say someone decides to use TorGuard to unlawfully promote their Ugg boots business (spam). In order for us to block this one individual, we simply implement new firewall rules, effectively blocking the abused protocol for everyone on that VPN server. Since there are no user logs to go by, we handle abuse per server, not per user.
2. TorGuard recently went through some corporate restructuring and has now moved its parent company to Nevis, West Indies. Our company abides by all International laws and data regulations imposed within our legal jurisdiction. We don’t share any information with anyone regarding our network or its users and won’t even consider communicating with a 3rd party unless they’ve first obtained adequate representation within our legal jurisdiction. Only in the event of an official court ordered ruling would we be forced to hand over blank hard drives. There’s nothing to hand over but an operating system.
3. TorGuard complies immediately (24 hours or less) with all DMCA takedown notices. Since it’s impossible for us to locate which user on the server is actually responsible for the violation, we block the infringing protocol in its entirety, whatever it may be – Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc. This ensures the content in violation is immediately removed from that server and no longer active on our network.
4. We accept all forms of credit card, Visa, Amex, Mastercard, Discover, PayPal , Google Checkout and Bitcoins. We also accept anonymous payments through our pre-paid PIN system. These pre-paid service PIN numbers can be purchased from one of our participating online resellers and redeemed during checkout on our website.
Our client billing area and VPN/Proxy user auth servers are two completely separate systems. This is to ensure the privacy and securities of our customer’s accounts are upheld at all times. While the customer’s chosen payment method will be linked to the client billing area login, this information is kept completely separate from their VPN/Proxy network. In this way, it’s virtually impossible to “connect the dots” of a paying customer with that of someone who is using the servers. This can become a pain for clients as they are required to remember two sets of logins/passwords, but trust us – it’s in the best interest of security.
TorrentPrivacy
1. We don’t store any logs, it’s impossible to track users’ activity through our VPN.2. Our company is based on Seychelles. We do not disclose any information to 3rd parties and this can be done only in case of a certain lawsuit filed against our company.
3. If we receive a notice about DMCA infringement, our team of lawyers solves it immediately without any blocking of servers or protocols. We don’t store any content on our servers, users are anonymous, so, there are no problems with it. We promise our customers that they will not have problems with the DMCA.
4. PayPal and CommerceGate.
Anonine
1. We store a users E-mail and username, that´s it. This means that we do not store, or have access to, any traffic logs of any kind. By traffic logs we mean, any kind of data that has the potential to, directly or indirectly, match a users original ip or identity with one of our IPs.2. It is important to remember that we do not store any traffic logs, and therefore it would be physically impossible for us to hand something like that over to a 3rd party. This, next to the encryption, is the core of the entire anonymity aspect of the service.
3. Our no logging policy has never really caused us any trouble since we never have received any official requests to hand over any traffic logs.
4. We accept credit card payments through Paypal and Payson.Our services will soon be unveiled in kenya and modes of payment will be communicated further.
IVPN
1. No. As a privacy service and EFF member, IVPN’s main priority is the anonymity of its users. We use non-persistent logs (stored in memory) on our gateway servers. The logs are only stored for 10 minutes. That time window gives us the ability to troubleshoot any connection problems that may appear, but after 10 minutes no trace of activity is stored.2. We ensure that our network providers understand the nature of our business and that we do not host any content. As a condition of the safe harbor provisions they are required to inform us of each infringement which includes the date, title of the content and the IP address of the gateway through which it was downloaded. We simply respond to each notice confirming that we do not host the content in question.
AirVPN
1. We don’t keep any log that can allow a 3rd party to do that.
PrivatVPN
1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user our service. The only thing we log are e-mails and user names but it’s not possible to bind a activity on the Internet to a user. This applies to all our servers except U.S. servers.PRQ
1. No logs are held or kept.2. We operate in Swedish jurisdiction. We do not give out any information, since we do not have any information to give out.
3. We do not care or get scared about the DMCA.
4. We accept Wiretransfer, Bitcoin and Bankgiro. We only require a working e-mail address to be a customer.
Faceless.me
1. We keep connection logs in our system, but they contain only depersonalized data, that allows us to optimize traffic routes and make connection more fast. These logs are stored for 7 days, but they are not interesting for anyone. In the event we are sued we can deliver only this information.2. We don’t have any mechanics to block users, we also have no information about which user the complaint is against but we are developing a system to alert our users in case there is a complaint about their activities.
4. We use Plimus Payment System for all user accounts. iPhone / iPad / iPod users can purchase a subscription from an application that can be installed from Apple AppStore. Payment is made through the AppStore billing system. Users of devices based on Android can purchase a subscription from an application that can be installed from Google Play. Payment is made through Google Checkout.
IPVanish
1. IPVanish users are given dynamic and shared IP addresses. Essentially, that mixes customer A’s traffic with customer B’s and C’s and so on, making it impossible to single out anyone for anything.The only information that we do collect from a VPN session is: Timestamp (date and server time) of the connection to IPVanish, duration of the connection, IP address used for the connection and bytes transferred. This helps us troubleshoot any connectivity issues a customer may have. And of the small amount of support info we do keep, we purge it regularly.
BlackVPN
1. On our Privacy servers we don’t log anything that can identify a single user, but on our US, Canada, UK, Germany & Singapore servers where we don’t allow file-sharing. We do log the internal RFC1918 IP that is assigned to the user at a specific time. We never log the real external IP address of the user.We also hold a username and email address of our subscribers, the times of connection and disconnection to our services along with bandwidth consumption.
2. We now operate under the jurisdiction of Hong Kong because we worry what the lawmakers in USA and Europe may introduce to make things difficult for proxies and VPNs. We will fiercely protect the privacy and rights of our users and we will not disclose any information on our users to anyone, unless forced to by law enforcement personnel that have produced a court order.
3. On our Privacy servers DMCA does not apply (eg USA DMCA to our Swiss server). If we receive a DMCA on our other servers (US, UK, Canada, Germany & Singapore) we generally give the user one warning that they are violating our TOS and their account may be terminated.
Ipredator
1. We keep connection logs for debugging purposes, which happens encrypted and off-site. Connection logs contain information for debugging PPTP client issues. We try to store the least amount legally possible anywhere. IP-addresses are encrypted and can only be decrypted by non-support staff to ensure a proper process. For example, to work around issues where the police ruffles up the support staff a bit to get data for an abuse report. In the database we only store the details users give us on sign-up and a limited backlog of payments.2. Usually we only receive email, therefore we drop anything that has DMCA in the subject. If they want something they need to send us a letter or a fax or send the police. Most of the time we get complaints for running the TPB proxy or the TOR servers.
3. PaySafe, BitCoins, PayPal, PaySon, AlertPay
BolehVPN
1. No we do not keep logs. However as per our policy, if we do notice any unusual activity on our servers (high bandwidth loading, high number of connections or cpu usage) we may turn on logs temporarily to identify abuse of our services (such as DoS or spamming through our servers).Once the user is identified, we will terminate the offending user, issue him an e-mail for the reason of termination and wipe the logs from our system.
Turning on logs for troubleshooting is a very last resort and is necessary to ensure the integrity of our services. It has happened very rarely (only a handful of times in our 6 years of operation) and such information was not disclosed to third parties but merely used to terminate the offending user. In any case logs were usually enabled for not more than few hours and only for the particular server that was experiencing abuse.
2. Servers hosted in US or categorized as “surfing/streaming’ have P2P disabled on them. As for other servers, they are not subject to DMCA and we have a good working relationship with our server providers.
In the event DMCA notices or similar are given to us, we normally respond that we don’t have such content hosted on our networks and if the provider is adamant, we will terminate our relationship with the server provider and find a new one. We will not reveal the user that generated that DMCA notice (nor can we with no logs taken). Over the years, we have identified server providers that we can work with and understand the nature of our business.
4.. However to sign up to our service, all is needed is a working e-mail and you are free to use placeholder names etc etc. Only in the event of dispute or chargeback cases (especially with credit cards), additional info is requested which is to be expected when using a credit card (unless a prepaid visa is used).
Following these remarks,applesam ventures urges Kenyan ICT firms to embrace virtualization for easier ways to keep and store data as it is soon going to be the most effective way of trafficking the most essential data that we all need.
Source:www.samwelkariuki.blogspot.com
Credit:Applesam ventures
