It was the nightmare come true. An unscrupulous VPN provider that happily handed over identifying information to law enforcement, providing a cold-shower reminder that security consciousness can be the very real difference between life and death.
As the VPN provider HideMyAss.com happily identified a person at the request of law enforcement, it was a jaw-drop moment for many of us. This was the exact thing that was supposed to not happen. It was supposed to be physically impossible; the log files were not supposed to exist. Many rightly criticize the company for advertising a service they didn’t deliver, and from their defense of righteousness and entitlement in a “we did nothing wrong” statement, it is obvious that they are completely oblivious to the concept of lawful evil:
Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.
I mean, like, wtf? I am speechless. Flabbergasted. Tell this to the activists of Egypt, Syria, or Palestine. Then try to say with a straight face that the countries in the West are completely different when it comes to Net censorship and corruption.
As a quick recap, just because something is lawful, that doesn’t make it good. This is most obvious in hindsight. Homosexual individuals were criminal from birth in most countries two generations ago, and still are in many. Forced sterilizations were legion one generation ago in countries we consider civilized. In retrospect, this is pure evil, even if it was the law.
My point here is that anybody who thinks that the future won’t think exactly this of today’s laws is delusional. There are still many examples of evil going down in the name of the law, today. I am sure all of us can think of several examples.
Therefore, the activists fighting against this evil and for a change of society have a very legitimate reason to hide themselves from law enforcement. But breaking the law is not the only reason to use a VPN or other kind of cryptographic tunnel.
Because, after all, you can desire to be private and untrackable for many legitimate purposes. The future always judges the activists who fight for good to have been completely legitimate in retrospect, even though they were lawbreakers in their own time. (Consider Greenpeace, which were considered borderline terrorist in their time, who are now instead borderline heroes.)
Regardless of the necessity of people breaking the law to advance society, there are many other legitimate reasons to be private. You probably lock the door when you go to the toilet, for instance. Not because you know that it may get you in trouble with authorities, but simply because you want that moment to yourself.
The shameful deceit of HideMyAss.com forces us to revisit many assumptions. It goes back to the basic information advantage game: who has what information, and in particular, is there anybody who knows what I do online and who I am? If so, that is a weak link that needs to be addressed.
Specifically, we have seen now that we can’t trust VPN providers with our identity, as — no shocker, really — a “trust us with your life” isn’t worth the recycled electrons it’s displayed with when it comes from a marketing department that really says “trust us with your money“.
So how to you separate the good from the bad tunnel providers without risking to become the case that uncovers the bad apple? Nobody wants to take that risk. For some, it’s even a matter of life and death. The obvious conclusion is that nobody should trust a VPN or tunnel provider with their identity — and that VPN providers who demand the identity of their subscribers cannot, should not, and must not be trusted.
Specifically, this means that nobody should pay commercial VPN or tunnel providers with a credit card.
Now, in the case of commercial providers, that does pose a bit of a problem. There are only two somewhat anonymous payment methods: cash and bitcoin. And people who pay in person by cash have frequently been tracked by CCTV cameras.
I’m therefore going to argue that bitcoin, while not perfectly anonymous, offers the best level of identity protection of the available payment systems. The exchange where you get your bitcoin knows your identity, but the places where you transfer them after that don’t.
I just learned in the wake of this scandal that at least one VPN provider, AirVPN, is now accepting bitcoin. (HugeHedon tips us off in the comments to this post that they have commented extensively on the situation, agreeing with the message of this article and going a good bit further.)
In closing, we also need to take some care with other details that the VPN or tunnel provider will know and that can be used against us. The provider will know our originating IP address. If we do something that authorities don’t like, this can be used to track us. Therefore, the IP address of origin should be a public place like a café, a bus, an airport, or similar. There will be CCTV cameras, which need to be considered.
The public location may be able to identify your computer through its MAC address (its individual network interface), if logs are kept. Assume logs are kept. Therefore, it may be possible to tie your computer to having had a specific IP address in the public location, an IP address which a hostile tunnel provider gives to law enforcement. If you want to mitigate this risk, use USB wi-fi sticks (some €15) and change them regularly, discarding and destroying used ones. Better yet, change your network MAC address regularly if you can. Google for how to do it.
And of course, you should never give your identity to the wi-fi network in the public location, either. That’s just as dangerous as giving your identity to the VPN provider, which is able to track you to the public network.
As a final note, always route through multiple countries under jurisdictions that have serious problems cooperating. Like Israel, from there to Iran, on to North Korea, and end it up with Germany which has strong privacy laws. (If you find tunnel entrances and exits in Iran and North Korea, that is. But as an example.)
And never, never, ever, trust a VPN or tunnel provider that requires your identity or credit card.