Why I've Chosen To Go With Private Internet Access


Some people have noticed I’m writing for a VPN service, and having my regular commentary on liberties presented by that VPN service: by Private Internet Access VPN. Seeing my previous stance on advertising, I think it merits some explanation why I’m choosing to associate with a service brand.

When I was posting once a day, this blog had one million visits a month. If you monetize that on advertising, it becomes quite a decent income – on the order of $3,000 a month, or frankly, enough to pay food and board for anywhere outside of San Francisco, Tokyo, or Hong Kong. And yet I didn’t. Why?

Because I posted from insight into high-level politics in Brussels, and my reasons were always political; I could not afford to have those motives questioned. Having even a little advertising would make it possible to interpret my motives for outrage and frustration as simple clickbait – especially so when I was speculating on something or reporting on more subtle developments that might never materialize. Putting it in real terms, keeping my motives straight came with a price tag of several thousand US dollars a month, money that I chose to leave on the table.

Therefore, I would not agree to sponsoring lightly – not given the name I’ve worked hard to build. Especially given my very early investment in bitcoin (2011); I’m not starving, even if Gox ate a lot of my coin. However, it’s also the case that there are few people who both do things right on the net, and do things right for the right reasons, and I think these people deserve to be called out as good examples to be followed.

Bahnhof is one such actor, the Swedish ISP. They have consistently and tenaciously defended liberty online against governmental overreach and tabloid-fueled moral panic alike. When the Security Police came to visit their offices, to convince and pressure them to rat out their users in realtime bulk wiretaps, they famously recorded and published that conversation instead, causing huge headlines in Swedish media and rightfully shaming the Security Police into submission. That wasn’t a one-off, either – they keep doing things like that. However, their scope and offering are limited to Scandinavia, which is why I don’t write about them much on an English blog.

(Yes, my 100-megabit fiber, the one you’re reading this from and the one I’m writing this at, is indeed served by Bahnhof.)

So when the idea of sponsorship appeared, I was reluctant and cautious at first until I had looked at Private Internet Access VPN more in depth. A VPN company does provide a valuable service for liberty today, but do they also do things the right way and for the right reasons?

One such divider is whether a VPN provider accepts bitcoin. Another is whether they save logs for “lawful use”, which can mean getting people killed in jurisdictions where it’s illegal to protest against the regime. Accepting bitcoin would mean that they honestly had no way of identifying a user, even if they wanted; there would be nothing to link to. Saving logs “for lawful use”, in contrast, would be an indicator that a VPN company didn’t have their head screwed on straight: the whole point is to defend liberty at a much more fundamental level than the laws on the books just right now. The perspective is centuries, not years or months.

It turns out that Private Internet Access not only satisfies criteria like these, but has walked an extra mile to run operations in jurisdictions that maximize liberty. From where I stand, they seem to operate under the principle that a successful business always follows passion for a good cause, and not the other way around.

Now, a VPN service – all of them, even – isn’t enough to save the net and liberty from kleptocratic politicians. But a liberty attitude combined with a service attitude is. Courage is contagious. And a VPN service is a good part of your overall security portfolio, even if it should never be the only one.

You’ll notice that TorrentFreak ran an article on which VPN services to trust in a “2015 edition” review yesterday. Private Internet Access is the first service listed. While I’d recommend reading all of it, I’m choosing a few highlights:

We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy. … We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have. … We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

Feel free to compare this stance to your current ISP. Do read it again if you like.

So to answer the initial question, why do I associate with a service brand? Because I think good people deserve recognition, and they deserve to be the measuring stick for the industry as a whole. This is the kind of attitude – both Bahnhof’s and Private Internet Access’s – that the rest of the Internet industry should aspire to, and needs to aspire to. (If other players need a nudge in that direction, it’s also enormously good business sense to put the interests of your customers before the invasive whims of your governments and authorities.)

As a final note for the sake of transparency, just to overcommunicate that point, I do get sponsorship funds from Private Internet Access for writing and talking about liberty in general – though not for writing this specific article; I’m doing that because I want to explain my motives. But as a sponsoree, I do have affiliate links for signing up, and if you want to use such a link, mine is here. They’re also reachable from TorrentFreak, presumably with TF’s affiliate program if you’re thinking of signing up and would rather send a little affiliate portion to TorrentFreak’s good reporting.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He works as Head of Privacy at the no-log VPN provider Private Internet Access; with his other 40 hours, he's developing an enterprise grade bitcoin wallet and HR system for activism.

Discussion

  1. Caleb Lanik

    You’ve walked the walk for a long time. If you believe in the company you’re sponsoring, that’s good enough for me. They made a good choice, too. I’m going to look into their services right away.

  2. kunya

    That seems nice and all, but the provider is based in the US. They have this claim at their site:

    “Where are you located?

    We are located in the US. Being in the US is optimal for VPN Privacy services since the US is one of the few countries that does not have a mandatory data retention policy. Countries in the EU are forced to log, even though some claim they do not. ”

    Not being located in the EU makes sense on that basis, but the US? That makes me really nervous. Can they really be trusted? Maybe they have been subverted by the various US agencies to log everything. Maybe it is a straight up NSA honeypot. Or maybe they really are legit. Who knows?

    Of course all those scary scenarios would be possible even if the provider was based in another country but I would still trust them more if they were.

    1. Rick Falkvinge

      I share your concern that the US administration is absolutely insane. However, I must ask the mandatory followup question:

      Name one country you’d rather see there instead?

      I’ve thought about it. I can’t name any. No government today has a reputation that would instill trust. Possibly, just possibly, Iceland.

      Cheers,
      Rick

      1. Caleb Lanik

        Iceland would definitely be the closest for me. The US has some pros and cons, on the one hand, without an explicit data retention law, it’s theoretically possible for a company not to keep logs. On the other, the NSA is allowed to give secret orders based on secret laws that are so secret, you’re not even allowed to ask your lawyer if the orders they gave are legal.

        What VPN services really need is an independent auditing group, run by someone like the EFF, that can confirm the claims they make. That and regular warrant canary affidavits. Kunya’s quote from PIA’s website says that many VPNs lie, saying both that they do not keep logs, and by extension, that they are not legally required to. That kind of thing makes me incredibly suspicious of all VPN services, and that hurts the seemingly rare good actors in the industry.

      2. next_ghost

        Germany is a close second right after Iceland. Their secret service is also crazy but at least they decided to scrap their surveillance law for good when their constitutional court shot it down.

        1. para

          Except German law requires service providers to keep logs. In the US there is no requirement for that. Use a service that has a warrant canary and good encryption practices, and you’re pretty good. Plus the US government will have to go through the courts for any data, whereas the US government can just hack it or whatever if it’s outside of the US. Though, Iceland would still be the best option imo.

      3. Björn Persson

        Running a company in Iceland would probably make it difficult to accept bitcoin, as I hear bitcoin is outlawed in Iceland.

  3. Ploum

    I was sold then went on their website just to see that their homepage is full of google ads and google analytic trackers.

    I don’t understand and don’t feel it’s adequate at all. For me, “privacy” and “ethic” are not compatible with “ads” and “google”.

    1. pk

      Use “Disconnect” to block these site trackers

  4. hawke

    I ended up going with Cryptostorm; is there any reason that you see or understand for me to switch? So far, I am very pleased with their service and attitude.

  5. NatureSpring

    Why I do not really like PIA? There was one time, when I was still new to VPNs, I subscribed to PIA and at first they are so cool. Been enjoying it but my internet broke down because of them so I had to reformat it all over again. They are complicated. So I shifted to https://ironsocket.com or simply IronSocket. Been using them for several months now and it works really cool. I’m not trying to judge anyone here or siding anyone but I’m just sharing my experience and if you this negative then maybe you would do something about it like look for a solution so it would never happen again to other customers. That’s all.

    P.S — PIA’s tech support was so rude. As I have said above, treat negative comments as a challenge for the betterment of each one’s company or for the betterment of all.

  6. JE245

    “We have not, to date, been served with a valid court order that has required us to provide something we do not have.”

    Nor has anyone in the history of the universe, Rick.

    PIA, like all USA companies, is subject to NSLs. I am sure that you are familiar with the Lavabit case. It means that they have to hand over crypto keys and/or modify their infrastructure to facilitate government access. It also means that they are gagged and cannot tell anyone about it. In short, it means that they are almost certainly giving everything over to government and misleading their customers about their traffic not being monitored. The fact that they don’t mention any of these issues in the TF statements is a red flag itself.

    I love your work Rick. And I appreciate that you need to eat. But I trust PIA about as much as Facebook. The first rule of VPNs is “Not In USA”. This is a mistake.

  7. Idee

    For helping purposes only – concerning the line:
    “Feel free to compare this stance to your current ISP. ” (Rick)
    You may also read this report from torrentfreak while comparing VPNs on your own:
    https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/
    “The order of the VPNs within each category holds no value.”

    And culture sharer may take a look at this report and the technics to identify users and data by forensic analysis of the “shared” and the “hum” (background noise); e. g. if the device was directly connected to a power supply line or which line was nearest while file was recorded. Just a glimpse of the how to:
    http://www.telegraph.co.uk/news/uknews/crime/9739037/Met-Police-use-electrical-hum-to-solve-crimes.html
    “…officers are able to work out the exact date and time someone was speaking in a recording. ”

    And this document may be worth a look to understand how they want to identify bitcoin clients:
    http://arxiv.org/pdf/1405.7418.pdf
    “Deanonymisation of clients in Bitcoin P2P network”

    1. Same

      Steve Rambam’s words at HOPE X should be taken seriously:
      https://www.youtube.com/watch?feature=player_detailpage&v=dNZrq2iK87k#t=667
      “Everybody commits three prosecutable crimes a day”
      “It is about winning and losing”
      “You can beat the charge…but you can’t beat the ride”
      (Swartz, Bowden, Mega,…)

      Operation Choke Point:
      https://www.youtube.com/watch?feature=player_detailpage&v=dNZrq2iK87k#t=1005
      “cut off the oxygen” (money) from even legal industries
      => see the aims list

  8. A regular

    The part about doing the right things for the right reason, you really nailed it.

    I am using Mullvad, their policy is pretty much the same as PIA. And they accept bitcoin, and cash in the mail, I’m using the latter, because I think the risk of being tracked is smaller than with BTC, and just for that extra semi-paranoid security I avoid getting fingerprints on the money or envelope and use stamps that don’t require licking (or I use water), and I put it in a mailbox that there are no CCTV cameras directed towards.

    Since the user number must be in the envelope so they know whose time to increase, this procedure, or hopefully also using BTC correctly, means that an attacker (read security service or other “evil” organization), can’t connect a person to a customer number. I don’t know why that would be important, if they break into their service while the connection is hot, they can just compare incoming IP and customer number, but since no logs are saved they shouldn’t be able to do anything with that knowledge, but I do what I do with the payments anyway, just in case there’s something I haven’t thought about. Better safe than sorry.

    I write here sometimes, but this time I won’t use my regular nick, so that these specially treated payments can’t be linked to it. Call me paranoid, but that’s me.

    1. Idee

      Sorry, that doesn’t matter (at all) if you use a regular nick or another name.
      https://www.youtube.com/watch?feature=player_detailpage&v=dNZrq2iK87k#t=6020
      “your unique writing style is a fingerprint”
      it is called forensic linguistics. Programs available for free in the internet.
      “they don’t even need a base sample”
      “they take the anonymous posting…and compare it to anything else in the internet” (1:41:28)
      But this isn’t really bad, you just stop writing :) or translate it into your best other language and re-translate it by a program.
      It’s said “they” took Orwell as a blueprint. There are computers called Cogs. IBM named his Watson. The brain of such a computer is the “complete” digital information available (not only the internet). So whatever someone wrote, each argument each pro/con on a theme…he has it. Some Call Centers already have such a Cog in the ear and screen while talking to customers and selling products. => borg

      1. gurrfield

        But then again, if such a fingerprint is unique it would need to have the properties of a good hash function or otherwise people can start “going backwards” generating text which would give the same fingerprint. Then the forensics would really not be reliable any more, since third parties could fake someone else’s writing style by gathering the same information and building a generative model out of it.

        1. same

          You are totally right. Once you got (forensic linguistic) analyzed someone can easily sign, write, live in this person’s name. There is this anecdote: Charlie Chaplin took secretly part in a Charlie Chaplin look-alike contest and won the 5th place.
          At the end: It is not important to verify the writer/messenger but the information. Loyalty is a bad adviser when you have doubts in “true information”.

        2. gurrfield

          You are missing my point. It won’t be “in that person’s name” because the forensics would be broken. People would not trust the forensics any longer if it could be used to create generative models.

          To see the resources which are spent on this is just silly. So much higher value in technologies for mind control than actually building anything practically useful. All that desperation to try and control people. How utterly pathetic.

        3. Antimon555

          This is something that everyone should start doing, just like encrypting e-mail. A one-in-a-million error rate is good enough for an upcoming crazy dictatorship. If we take Sweden for example, with no deeper research into the ones pointed out by the system, that would mean harassing, jailing or killing nine people in order to get to one dissident.

          However, if that was one in ten thousand, if that mimicking system was used, they would have 900. That would be noticed and fought.

          Why is nobody making programs for these purposes? There are tens of simple functions that could be used to simplify privacy and anonymity. There is no shortage of programmers working for FOSS, why are these kind of programs so low-priority? Is every expert in the pattern analysis area employed by governments and/or megacorporations like Google?

        4. again

          gurrfield first then Antimon555

          @gurrfield
          You don’t need to have (high value) technologies to (mind) control people. Most people will do what you want when they get properly motivated either positive (money) or negative (fear)
          => Children Parents
          => Pupils Teacher
          => Politician Lobbyist
          => xxx Intels …
          So you don’t have to copy them when you can achieve it with the original.
          http://www.washingtontimes.com/news/2015/mar/10/65m-people-with-active-social-security-numbers-are/
          There is that much “motivation” behind to get 6.5 million 112year old humans (or even dead ones) back to work.
          If you think i missed your point even now think about we write about the same in first place “=> borg”. When we all get a Cog in our ear/brain and not only call centers, we’ll soon get connected to everyone else’ Cog and we can’t tell if this connection is human human or human cog or cog cog. In this case forensics will not do any job while one borg is like another and no individuality might be analyzed.

          @Antimon555
          It is a Cyber War out there and civilians have not that high priority. Even huge banks can’t stand their ground and ask for military help in this combat. At the time when everybody notices that cyber attacks are as bad as nuclear threats once were…the hardest work is done.
          When you cyber attack someone you only need to know one weakness.
          When you cyber defend yourself you need to know all your weaknesses.
          You can imagine which one is cheaper. And unlike in the USA no one in Germany is fond of working with the government while having the StaSi-Background of the Ex-DDR lately. 16 Million Germans know on own experience what is like to get spied or repressed on. And the other ~70 Million Germans feel not quite comfortable either. There is no program to help you in real life:
          When e. g. a health assurance offers two pay scale classifications you take the one you can afford. There are only two groups: the rich and the poor. And the poor ones have to take the assurance in which they “voluntarily” give information to the company. In other words: When you want a tooth assurance the company advise you to use a special tooth brush which sends information to an app of your handy when, how long, where (and so on) did you brush your teeth. Depending on that data you get services from the company to repair your teeth.
          You can’t hide a life within a VPN. “They” say they already have all the data tracks, they want to know what you do in between two of them. You just can choose whom you give your data in the first place: govs or companies.
          And “they” say it is nothing about good or bad. Just in case you can optimize the error rate to zero. That doesn’t matter to them:
          https://www.youtube.com/watch?feature=player_detailpage&v=dNZrq2iK87k#t=667
          (=> 12:05)
          They just strip you off your property:
          https://www.youtube.com/watch?v=3kEpZWGgJks
          civil forfeiture
          Sorry for that much Off Topics.

        5. gurrfield

          “So you don’t have to copy them when you can achieve it with the original.”

          That is – assuming that you can. That they don’t see through what you are trying to accomplish. Probably most interesting “originals” will learn one way or another what you are trying to do. The more methods you try, the more they will learn. Fear stops working if the person you try it on understands rationally what you are trying to pull. If anything, it rather increases their conviction. “Someone is spending this amount of resources on affecting my judgement here – that must mean that I am on to something”.

          Also, by definition to combat the surveillance would need to be in all important aspects informal. Of course also any employment with the goal to do so will need to be hidden or informal.

          Therefore we can not really know how large percentage of the technically skilled people do that – because it’s in their own interest to hide it…

        6. Autolykos

          @Antimon555:
          There are organizations dedicating a lot of volunteer time on proving that security technology isn’t. And quite successfully, too (the CCC in Germany is one of them). But nobody in charge of policy gives a flying fuck about them, because the technical arguments are too complicated for the average newspaper to write about and for the average voter to understand. And judging from the usual quality of laws concerning information technology, the lawmakers themselves are also incapable and/or unwilling to understand the subject.
          If you want to change politics, scaring dumb people is way more effective than convincing smart people.

  9. Idee

    I hope this comment’s content is not considered as ad or spam. This article is from Mar 12, 2015 about a VPN device. (Perhaps there is a chance to print such device with a 3D, someday.)

    http://arstechnica.com/information-technology/2015/03/ars-tests-exonet-the-personal-vpn-that-takes-you-home/
    “A hardware-based two-factor VPN that connects to your home LAN for Web privacy”

    And good news:
    UK Parliament considers TOR as infeasible to block
    http://arstechnica.com/tech-policy/2015/03/uk-parliament-says-its-technologically-infeasible-to-block-tor-online-anonymity-systems/

  10. Idee

    http://blogs.cisco.com/security/talos/whoisdisclosure
    “9 million cases of identity theft”
    “Cisco Talos became aware of this problem and immediately notified the Google security team. Within days the privacy settings were restored to the affected domains.
    However, the Internet never forgets. Affected users need to realize that this information has been publicized. These records will continue to be available to anyone with access to a cached database of WHOIS information.”

    In EU you don’t need a (Google) Leak anymore if EU Parliament doesn’t stop this:
    http://www.heise.de/newsticker/meldung/EU-Staaten-verabschieden-sich-von-der-Datensparsamkeit-2574967.html
    “The EU’s justice and interior ministers want to undermine essential data protection principles. They place the ‘legitimate interests’ of companies and public authorities in personal data – for example for the purpose of direct marketing – above the interests of the people affected.”
    Translated with no care:
    “They” put the interest of companies and govs above individuals in order to address them (physical or virtual) for sale reasons. No data protection anymore.

    Just in case an excessive data drain protection remains. We know how they will circumvent it: 5 Eyes. No Country is allowed to spy on his own citizens. But if they share the data the bulk will be complete and a single “leak” isn’t “excessive”.

    I like the news as the silver lining at the horizon:
    https://www.reddit.com/r/worldnews/comments/2yxwpd/the_pirate_party_is_now_measured_as_the_second/

  11. Idee

    I hope this is not that Off-Topic but have the VPN in mind while reading.
    There was an announcement from Microsoft to Upgrade Windows 7+ Systems to Windows 10 free for all and everywhere even the pirated versions; although unlicensed ones don’t get legal with this upgrade.
    There is a “feature” in Windows 10: the update switch. You might choose to update Windows 10 by retrieving data not from mother ship but from other “vessels”. It is a kind of this torrent file sharing style. Just put Windows 10 aside and imagine to “communicate” with decentralized other systems.
    Why was the Chinese Market mentioned in some articles? My guess is to vpn data through the strict censorship of the leading party. What will happen to that huge amount of citizens when they can express their freedom of opinion without a backlash. There is no country on earth in which peaceful citizens didn’t outnumber violent ones (military, police, else). They represent always the majority.
    Well, i don’t think that you really can compare a good VPN, which Rick joined, to a system spreading the word. But if the information hops that fast from one system to another you can’t eliminate it. This could be good or bad…and even that is just depending on which character you have.

Comments are closed.
