Tag Archive | "vpn"

15 Percent of US File-Sharers Hide Their IP-Address, More to Follow


BitTorrent is by no means a private way to share files, as YouHaveDownloaded demonstrated during recent weeks. However, it also illustrated that BitTorrent use is quite common.

Last month, the American Assembly, a non-partisan public policy forum affiliated with Columbia University, released a paper titled “Copyright Infringement and Enforcement in the US” which came to the same conclusion. To define the local piracy culture researchers conducted 2,303 telephone interviews, and they found that roughly half of all adults can be branded a pirate.

Sharing files among friends and family is the most common form of copyright infringement, and just over 13 percent of all respondents admitted to using file-sharing software such as BitTorrent to download content. File-sharing seems to be most popular among the younger demographic as can be seen in the graph below.


A section of the report that particularly piqued our interest concerns the use of tools to hide one’s IP-address online. The original report shows that about 5 percent of the general population use these tools, but we expected this figure to be significantly higher among file-sharers.

The American Assembly was kind enough to share additional data with us, which confirmed this suspicion. Among the people who use file-sharing software, a little over 15 percent use tools to hide their IP-address online. In other words, one in 7 file-sharers in the US is anonymous.

Further analysis reveals that in particular younger adults hide their IP-addresses. A quarter of all file-sharers between the ages of 18 and 24 say they share files anonymously, while less than 5 percent of file-sharers older than 44 years hide their IP-address.

TorrentFreak talked to several VPN and proxy providers who all say they have witnessed substantial growth throughout the past year. The leading BitTorrent VPN and proxy service BTGuard even doubled its customer-base during the past 12 months.

“BTGuard has been consistently growing since we started. Compared to 2010, we increased by around 200% in 2011. The growth has really picked up lately which I contribute to SOPA and other censorship efforts,” BTGuard’s founder says.

“We grew 25% this month. If SOPA or something similar actually passes, the flood of Internet users seeking asylum from oppression would be staggering to say the least. Hopefully that doesn’t happen, the Internet is far more important to us than business.”

This uptick is not limited to the US either. All around the world BitTorrent users have become more aware of their privacy, as a survey among Pirate Bay users recently confirmed.

Although the data obtained through the American Assembly survey says nothing about people’s motivations to download anonymously, it is indeed safe to assume that the increased talk about anti-piracy laws, copyright alerts and file-sharing lawsuits is high up the list.

In the US alone over 250,000 BitTorrent users have been sued for alleged copyright infringements because their IP-address was captured by anti-piracy outfits. And in the coming year millions of sharers are expected to receive warnings through their Internet providers as part of a deal the major ISPs struck with copyright holders to educate and punish BitTorrent users.

A promising outlook for providers of VPN and proxy services, but whether these measures will have a significant effect on the prevalence of piracy remains to be seen.

Source: 15 Percent of US File-Sharers Hide Their IP-Address, More to Follow


I Know What You Downloaded on BitTorrent….


So what have you downloaded lately?

If you’re not using BitTorrent through a proxy or VPN, there’s a good chance that the rest of the world can see without asking.

YouHaveDownloaded is a new Russian-based service that claims to track about 20 percent of all public BitTorrent downloads. However, they go a step further than just collecting IP-addresses and file-names by exposing all the harvested information to the public on their website.

People who visit the site immediately see their download history, as far as it’s available in the site’s database. In addition, they can also search for files or IP-addresses to find out who’s downloading what. At the time of writing the database has information on 51,274,000 users who together shared 103,200 torrents.

TorrentFreak got in touch with Suren Ter, one of the site’s founders, to find out why they decided to create this spying tool.

“We just want to remind people that the Internet is not a place to expect privacy,” he says. “Nowadays many people use it without understanding what information they leave behind. Also, even those who understand choose to ignore it quite often.”


The Russian developers created the site partly as a wake-up call. Those who don’t want this kind of information to be public should take steps to anonymize their traffic, and do that right. This message is also reflected in the site’s ‘privacy policy‘.

“Baby, this is the Internet. There is no such thing as privacy around here. You are sitting in the privacy of your own house, clicking links, reading stuff, watching movies. It may seem like you are pretty much alone, but smart nerds are watching you. They watch your every move. You are not human to them. You are a target — a consumer,” it reads.

Jokes aside, the site does indeed make people aware of the public nature of BitTorrent, something that can’t be stressed enough. Of course not everyone will be happy to see that their information is being exposed, so the developers also offer an option to de-list an IP-address.

Apart from exposing download habits the developers are also considering the creation of a more private file-sharing protocol. They already have a theoretical concept based on Bitcoin’s technology, but a workable piece of software is still very far away.

“The general idea is similar to what Bitcoin does. The key is to have an anonymous and reliable identity for each peer, and a Bitcoin-like signature chain algorithm will help,” Suren said.

The developers are currently trying to find out how viable their idea is, and then they’ll decide whether they should continue working on it or not. For now, they’ll keep on tracking tens of millions of downloaders, for all the world to see.

Update: For those who have dynamic IP-addresses the service is obviously going to show content that someone else has downloaded.

Source: I Know What You Downloaded on BitTorrent….


US Cyber Command completes major cyber attack simulation, seems pleased with the results


The US Cyber Command is barely out of its infancy, but it's already crossed one milestone off its to-do list, with the successful completion of its first major test run. The exercise, known as Cyber Flag, was carried out over the course of a single week at Nellis Air Force Base in Nevada, where some 300 experts put their defense skills to the test. According to Col. Rivers J. Johnson, the participants were divided into two teams: "good guys," and "bad guys." The latter were tasked with infiltrating the Cyber Command's networks, while the former were charged with defending against the mock cyberattack and keeping the government's VPN free of malware. The idea, according to the agency, was to simulate a real-world attack on the Department of Defense, in order to better evaluate the Command's acumen. "There were a variety of scenarios based on what we think an adversary would do in real world events and real world time," Johnson explained. "It was a great exercise." The Colonel acknowledged that the good guys weren't able to defend against all of the attacks, but pointed out that the vast majority were recognized and mitigated "in a timely manner." All told, Cyber Flag was deemed a success, with NSA Director and Cyber Command chief Gen. Keith Alexander adding that it "exceeded" his own expectations.

US Cyber Command completes major cyber attack simulation, seems pleased with the results originally appeared on Engadget on Fri, 02 Dec 2011 17:34:00 EDT.

Source: Information Week

The Pirate Bay Users Long for Anonymity


In April, The Pirate Bay renamed itself to The Research Bay and teamed up with the Cybernorms research group at Lund University to conduct the largest ever survey among file-sharers.

The Cybernorms group researches how the Internet creates new social norms in society, and to what extent these norms are or should be reflected in relevant legislation. Ultimately, the researchers hope the collated knowledge and insights will help legislators draft more sensible laws.

In just a few days 75,000 people responded and TorrentFreak was given the opportunity to share some results on the topic of anonymity. The respondents were asked whether they use services to make their BitTorrent downloads anonymous, or whether they were interested in using such services.

The results of the survey reveal that nearly 70 percent of The Pirate Bay users utilize a VPN or proxy, or are interested in doing so in the future. Of this group 4.8 percent already use a paid service, while 13 percent use a free solution. Another 51.5 percent do not use an anonymizer service, but are interested in doing so in the future.

Only 18.4 percent of the respondents said they were not interested in appearing anonymous online, and the remaining 12.4 percent weren’t familiar with terms like VPN, or were undecided about their usefulness.


The Pirate Bay users and anonymity


Looking at some of the regional differences a few interesting patterns appear.

Pirate Bay users from North America and Africa are most anonymous, 22.6 and 21.2 percent respectively. Within North America there are some striking differences as well. Only 14.7 percent of the Canadians use BitTorrent anonymously, versus 24.7 percent in Central U.S.

Within Europe there’s a great variation between the use of free and paid anonymizer services. In Russia free services (11.2%) are favored over paid services (1.9%), but in Northern Europe Pirate Bay users are more likely to use a paid (8.2%) than a free (7.7%) service.

The largest group that say they do not care about anonymity online can be found in Central and South America, with 27.8 percent. This group is the smallest in the U.S. and Oceania with 14.7 and 15.6 percent respectively.

Finally, we see that the more often people upload files themselves, the more likely they are to do so anonymously. Nearly a third of the Pirate Bay users who upload files nearly every day use an anonymizer service, versus 14 percent of the people who never upload files at all.

Overall, the results of the survey show that the vast majority of The Pirate Bay users do value anonymity, but that many of these users are currently not downloading and sharing anonymously. However, this could change at any time.

“We interpret this as a type of readiness by quite a lot of people in the file-sharing community to become more anonymous. This could happen when the risk of getting caught would increase or perceived as a more significant threat,” Stefan Larsson, co-founder and researcher at the Cybernorms research group told TorrentFreak.

There is definitely a large number of potential clients out there for proxy and VPN services, and with the increase of lawsuits and three-strikes policies this group may become even larger.

Source: The Pirate Bay Users Long for Anonymity


Which VPN Providers Really Take Anonymity Seriously?


As detailed in yesterday’s article, if a VPN provider keeps logs of its users’ activities, the chances of it being able to live up to its claim of offering an anonymous service begin to decrease rapidly.

There are dozens of VPN providers, many of which carry marketing on their web pages which suggests that the anonymity of their subscribers is a top priority. But is it really? Do their privacy policies stand up to scrutiny? We decided to find out.

Over the past two weeks TorrentFreak contacted some of the leading, most-advertised, and most talked about VPN providers in the file-sharing and anonymity space. Rather than trying to decipher what their often-confusing marketing lingo really means, we asked them two direct questions instead:

1. Do you keep ANY logs which would allow you or a 3rd party to match an IP address and a time stamp to a user of your service? If so, exactly what information do you hold?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

This article does not attempt to consider the actual quality of service offered by any listed provider, nor does it consider whether any service is good value for money. All we are interested in is this: Do they live up to claims that they provide a 100% anonymous service? So here we go, VPN providers in the file-sharing space first.

VPN providers marketed strongly in the P2P space

BTguard

Response to Q1: “It’s technically unfeasible for us to maintain log files with the amount of connections we route,” BTguard explain. “We estimate the capacity needed to store log files would be 4TB per day.”

Response to Q2: “The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event we would even communicate with a third party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.”

BTguard website

ItsHidden

Response to Q1: “No logs, they are not kept. Even system logs that do not directly link to users are rotated on an hourly basis.”

Response to Q2: “The company has recently been sold and falls under the Jurisdiction of the Seychelles. As such there is no requirement [to log] within that jurisdiction.”

ItsHidden website

TorrentPrivacy

Response to Q1: “We have connection logs, but we don’t store IP addresses there. These logs are kept for 7 days. Though it’s impossible to determine who exactly have used the service.”

Response to Q2: “We have servers in Netherlands, Sweden and USA while our company is based on Seychelles. We do not disclose any information to 3rd parties and this can be done only in case of a certain lawsuit filed against our company.”

TorrentPrivacy website

Ipredator

Response to Q1: “We don’t store the IP at all actually. It’s in temporary use for the session you have when you’re connected but that’s it. We’ve had very few issues with not having logs, but not keeping them makes it safer even for us since we can’t accidentally give out information about anyone.”

Response to Q2: “We fall – mostly – under Swedish jurisdiction when it comes to the service. When it comes to organisational stuff (who keeps the data, who owns the service, who owns the server, who owns the network etc etc) it’s very mixed, intentionally. This is to make it hard and/or impossible to legally bully us around if that would be the case.”

“We can’t be easily shut down, and we can’t be pressured by courts to implement stuff we would oppose. For end-users this is not affecting them in a negative way at all, only the opposite.”

Ipredator website

Faceless

Response to Q1: “We do not log any IP addresses and no information about what data is accessed by our users, so we have no information that could be interesting to third-parties.”

Response to Q2: “We have servers in The Netherlands and our company is based in Cyprus. If authorities would contact us we would have to tell them that we have no connection logs or IP-addresses saved on our systems.”

Faceless website

General VPN providers

AirVPN

Response to Q1: The company carries no identifying logs.

Response to Q2: “Jurisdiction is in the EU, under most circumstances Italy (country of the company and home of the person legally responsible for data protection), but applicable law may be one of the EU Member States where the servers of the network are physically located (no servers are in Italy),” AirVPN told us.

“We don’t share any information with anyone.”

AirVPN website

VPNReactor

Response to Q1: “Only for 5 days to stop abuse[..]. After 5 days we have absolutely no way to match any IP address or time stamp to any users. Privacy and Security is further enhanced for individual users because their VPN connections are basically lost in the crowd.”

“Our free VPN users share a block of IPs when they connect to the internet via VPNReactor. So at any given time hundreds/thousands of our VPN users that have active connections could all be sharing a single IP address. None of our VPN users are assigned individual public IPs.”

Response to Q2: “We strive to be upfront and transparent with our logging policies for the benefit of our VPN users.” Logs seen by TorrentFreak seemed to confirm no identifiable information being stored.

“We are a U.S. based company and are bound by U.S. based court orders,” VPNReactor continued. “However, if a U.S. based subpoena comes in requesting info for activity that occurred more than 5 days prior, we have absolutely nothing to provide as our logs would have expired off. Request for connection details outside a U.S. based court order will be fully ignored.”

VPNReactor website

BlackVPN

Response to Q1: “We do not keep any logs about our users internet activities including which sites they access or what data they transfer. We also run log cleaners on our systems which removes the IPs from logs before they are written to disk,” the company told TorrentFreak.

“For tax and legal reasons we do store some billing information (name, email, country), but it is stored with a third-party and separate from the rest of BlackVPN.”

BlackVPN say they hold a username and email address of their subscribers and the times of connection and disconnection to their services along with bandwidth consumption. Logging is carried out as follows:

“On our Privacy Servers, NL & LT we don’t log anything that can identify the user, but on our US & UK server where we don’t allow sharing copyrighted materials we do log the internal RFC1918 IP that is assigned to the user at a specific time,” BlackVPN explain.

“So to clarify, we don’t log the real external IP of the user, just our RFC1918 internal one, this we have to do to comply with local laws and to be able to handle DMCAs.”

Response to Q2: “We operate under the jurisdiction of the Netherlands and we will fiercely protect the privacy and rights of our users and we will not disclose any information on our users to anyone, unless forced to by law enforcement personnel that have produced the proper legal compliance documents or a court order. (In which case we don’t really have a choice).”

BlackVPN website

PrivatVPN

Response to Q1: “We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and usernames but it’s not possible to bind an activity on the Internet to a user.”

Please note: PrivatVPN also offer use of a US server for watching services like Hulu. IP logs are kept when users use this service.

Response to Q2: “Since we do not log any IP addresses [we have] nothing to disclose. Circumstances don’t matter in this case, we have no information regarding our customers’ IP addresses.”

PrivatVPN website

Privacy.io

Response to Q1: “No logs whatsoever are kept. We therefore simply are not able to hand data out. We believe that if you are not required to have logs, then you shouldn’t. It can only cause issues as seen with the many data leaks in recent years. Should legislation change in the jurisdictions we operate in, then we’ll move. And if that’s not possible, then we’ll shut the service down. No compromises.”

Response to Q2: “We span several jurisdictions to make our service less prone for legal attacks. Servers are currently located in Sweden. We do not share data because we don’t have it. We built this system because we believe only when communicating anonymously, you can really freely express yourself. As soon as you make a compromise, you are going down a slippery slope to surveillance. People will ask for more and more data retention as seen around the world in many countries recently. We do it because we believe in this, and not for the money.”

Privacy.io website

Mullvad

Response to Q1: “No. And we don’t see why anyone would. It would be dishonest towards our customers and mean *more* potential legal trouble.”

Response to Q2: “Swedish jurisdiction. We don’t know of any way in which the Swedish state in practice could make us behave badly towards our clients and that has never happened. Another sign we take privacy seriously is that we accept payments in Bitcoin and cash in the mail.”

Mullvad website

Cryptocloud

Response to Q1: “We log nothing at all.”

Response to Q2: “We don’t log anything on the customer usage side so there are no dots to connect period, we completely separate the payment information,” they told us.

“Realistically unless you operate out of one of the ‘Axis of Evil Countries’ Law Enforcement will find a way to put the screws to you,” Cryptocloud add.

“I have read the nonsense that being in Europe will protect you from US Law Enforcement, worked well for HMA didn’t it? Furthermore I am pretty sure the Swiss Banking veil was penetrated and historically that is more defend-able than individual privacy. The way to solve this is just not to log, period.”

Cryptocloud website

VPN providers who log, sometimes a lot

VyprVPN

VyprVPN is the VPN service connected to and offered by the Giganews Usenet service, although it can be used completely standalone. In common with many other providers we contacted, VyprVPN acknowledged receipt of our questions but then failed to respond. We’ve included them here since they have such a high profile.

The company policy says that logging data “is maintained for use with billing, troubleshooting, service offering evaluation, [Terms of Service] issues, [Acceptable Use Policy] issues, and for handling crimes performed over the service. We maintain this level of information on a per-session basis for at least 90 days.”

On Usenet forum NZBMatrix several users have reported having their VyprVPN service terminated after the company processed “a backlog” of DMCA notices which pushed them over the “two-strikes-and-out” acceptable use policy.

So, does VyprVPN log? You bet.

SwissVPN

We included SwissVPN in our survey because they are well known, relatively cheap and have been used by those on a tight budget. To their credit, they were also the fastest company to respond. They are one of the few companies that do not make anonymity claims.

Response to Q1: “SwissVPN is being operated based on Swiss Telecommunications and Personal Data Protection Law. Session IP’s (not visited content, websites, mail, etc.) are being logged for 6 months,” the company told us.

Response to Q2: The company responds to requests from 3rd parties under Swiss criminal law (pdf).

SwissVPN website

StrongVPN

This company did not directly answer our questions but pointed us to their logkeeping policy instead.

StrongVPN do log and are able to match an external IP address to their subscribers. We have included them here since they were the most outwardly aggressive provider in our survey when it came to dealing with infringement.

“StrongVPN does not restrict P2P usage, but please note sharing of Copyrighted materials is forbidden, please do not do this or we will have to take action against your account,” they told us, later adding in a separate mail: “StrongVPN Notice: You may NOT distribute copyright-protected material through our network. We may cancel your account if that happens.”

StrongVPN website

Disappointing: VPN providers who simply failed to respond

In addition to the above, TorrentFreak also approached a number of other fairly well known VPN providers. It’s not clear if our questions were simply too tricky to answer in a positive light or whether there was some other reason, but disappointingly none of them responded to our emails, despite in some cases having acknowledged receipt of our questions.

They include Blacklogic.com, PureVPN.com, VPNTunnel.se [Update: VPNTunnel.se have now responded, see here], Bolehvpn.net [Update: Boleh responded after publication - they carry no logs] and Ivacy.com.

Should the above now feel able to respond directly to our questions, or if there are any other VPN providers reading who would like to be included in a future update, please contact us now with direct responses to the questions above. Apologies to the providers who contacted us at the last minute but were too late to be included in the report – we had to stop somewhere.

Final thoughts

When signing up to a VPN provider it really is evident that their logging and privacy policies should be read slowly. And then read again, even more slowly than at first. Many are not as straightforward as they first appear (some even seem to be deliberately misleading) and that is the very reason why we asked our own questions instead.

In contrast to the pessimism generated by yesterday’s report, as we can see from the list above, when it comes to offering real privacy there are plenty of services out there.

Source: Which VPN Providers Really Take Anonymity Seriously?


VPN Providers Mull ‘Fraudster’ Database In Wake of Lulzsec Fiasco


September 2011 will be a month that VPN provider HideMyAss will want to forget. Dozens of news outlets retold the story that an alleged Lulzsec member, allegedly partly responsible for attacks on Sony, the UK’s Serious Organised Crime Agency, AT&T, Viacom, Disney, EMI, NBC Universal, AOL and NATO, not to mention the newspapers The Sun & The Times, had used their services to remain anonymous.

But his plan failed in the biggest way imaginable. HideMyAss (HMA) keep logs and, as a UK company, when given a court order to cough up information, they do so. After matching timestamps to IP addresses, in the blink of an eye Lulzsec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI had their man.

While the outrage from the public has been well reported – many pro-privacy activists accused HideMyAss of becoming SellMyAss – what has not yet been documented is how elements of the VPN industry have reacted to the news.

VPN Council is probably best described as a trade organization for some, but not all, VPN providers. A document obtained by TorrentFreak which was penned by their Chief Information Officer and sent on September 25th, shows they are very concerned by recent events.

“There has been a lot of controversy, especially on Twitter that the actions taken by HMA were the wrong ones to take. I disagree with their consensus and I believe it’s time to implement tougher security reviews on new clients signing up for any VPN service,” the memo begins.

“Earlier this year several companies in our industry had discussed ideas about a shared fraud database between VPN providers. I believe in light of this incident that a renewed call for this would be a good idea and I’d like to re-open discussions on this because if we all sit back and do nothing and continue on with normal business like nothing happened, these same folks will go around popping off more VPN companies and causing more havoc than we’ve ever seen before,” the memo continues.

“I’m in favor of strengthening our respective industry and protecting it as well. We all share the same responsibility of protecting our legitimate clients and the industry as a whole and I’d be in favor of listening to you folks and seeing what additional ideas you guys have in this endeavor.”

In the days that followed, discussions between the VPN providers went ahead and reached consensus on the foundations of an “anti-fraud database” that would be shared among them.

In a second document titled ‘PROTECTING VPN INDUSTRY: FRAUD DB’ and dated September 28th, the problem of high profile hackers such as those from Lulzsec using VPN services is framed as a “direct threat to business survival.”

The document goes on to suggest a framework for the creation of a centralized fraud database which will enable VPN providers to “assess the quality of orders” for their services.

Items suggested for inclusion in the database (along with the supplied descriptions as provided in the memo) are listed as follows:

Fraud Data (hashed): This is a hashed piece of information that can be used to flag an order as fraud. This information could be: IPs, emails, user names (any other data susceptible of indicating fraud can be added).

Fraud Type: Identifier of the fraud type. We need to agree on fraud types list.

Hits: Number of hits (submissions from different VPN providers) this data has had. This will give more latitude to providers to decide to act on a given database result.

Submitter id: Identification of the VPN provider that has submitted the record.

An API will be created to interact with the database and integrate into payment processing systems.

Action points for the future are noted as decisions on database structure, hashing to be employed, parameters on what activities should be considered fraud and a decision on which VPN providers can access the database and who can update it. It is suggested that a single VPN provider should have responsibility for the entire list and others should have to pay their share of its maintenance costs.
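The record layout the memo proposes (hashed fraud data, fraud type, hits, submitter id), as an added sketch that is not code from the VPN Council or from the original article. The memo leaves the hashing scheme and the fraud-type list undecided, so the HMAC-SHA256 keyed hash with a shared key, the `chargeback` type, and all names and sample values here are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: members share one secret key; the memo leaves hashing undecided.
SHARED_KEY = b"constructed-demo-key"


def fingerprint(kind: str, value: str, key: bytes = SHARED_KEY) -> str:
    """Keyed hash of a normalised indicator ("ip", "email", "username")."""
    message = f"{kind}:{value.strip().lower()}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


@dataclass
class FraudRecord:
    fraud_types: set = field(default_factory=set)
    submitters: set = field(default_factory=set)

    @property
    def hits(self) -> int:
        # "Hits" counts distinct providers, so one provider resubmitting
        # the same indicator cannot inflate the score.
        return len(self.submitters)


class FraudDB:
    def __init__(self):
        self.records = {}  # fingerprint -> FraudRecord; no raw values stored

    def submit(self, submitter_id, kind, value, fraud_type):
        record = self.records.setdefault(fingerprint(kind, value), FraudRecord())
        record.fraud_types.add(fraud_type)
        record.submitters.add(submitter_id)
        return record.hits

    def check(self, kind, value, min_hits=2):
        """True if at least min_hits providers flagged this indicator."""
        record = self.records.get(fingerprint(kind, value))
        return record is not None and record.hits >= min_hits


def build_demo():
    # Constructed sample submissions (hypothetical providers and customers).
    db = FraudDB()
    db.submit("provider-a", "email", "Mallory@example.com ", "chargeback")
    db.submit("provider-b", "email", "mallory@example.com", "chargeback")
    db.submit("provider-a", "email", "mallory@example.com", "chargeback")
    db.submit("provider-c", "ip", "203.0.113.7", "chargeback")
    return db
```

Because lookup is by hash, any participant holding the key can test whether a specific email or IP address it already knows has been flagged; the hashed form only hides values from parties who cannot guess them.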

What is clear from the above is that the included VPN providers will begin sharing information they hold on their customers with each other (albeit in hashed form), ostensibly to combat fraud. However, the alleged activities of the Lulzsec member in question aren’t easily described as fraud, and it is far from clear how a database of this nature would have prevented, for example, Sony being hacked.

TorrentFreak contacted the VPN Council and enquired about the depth of their definition of ‘fraud’ since, confusingly, hacking seems to come under that banner and indeed sparked the apparent need for this database. For instance, would copyright infringement come under that heading too?

“Copyright infringement is not factored into our plans,” VPN Council CIO Jared Twler told us. “This is more about financial payment fraud and network abusers/hackers. This is more to the tune of preventing federal disasters happening on VPN provider networks.”

But of course, when copyright infringement is considered serious enough by the US government it can become a big criminal issue; recent ICE and FBI activity against sites and certain file-sharers and release groups shows that.

Clearly the activities of malicious hackers cannot be condoned by the VPN providers and combating fraud is a requirement in many online businesses. But what we see here and in the Lulzsec/HideMyAss fiasco is a clash of ideals that could prove catastrophic.

Most VPN providers sell their services on the notion that by using them the subscriber becomes anonymous. It became crystal clear in September that, given the right pressure, what certain VPN providers are really interested in is upholding the law and thereby saving their own asses from ending up in court. Why this should come as a surprise to anyone is a mystery.

What does come as a surprise is how many VPN providers are allowing themselves to get into this conflict of interests in the first instance. In the HideMyAss case the company clearly held enough information for a 3rd party to match a HMA external IP address and a timestamp to a HMA user account and subsequently a real-life identity.

So, for the purposes of illustration, let’s dismiss the notion that the service was used to attack Sony. Let’s pretend it was a dissident, or a government whistleblower, or some other equally vulnerable individual relying on the service to provide anonymity, as advertised. Let’s be absolutely clear – thanks to the myriad of logs kept by HMA, when someone really needs to count on the service, there is no anonymity that a court order can’t destroy.

Many VPN companies argue that they don’t log the sites visited but some logs are necessary to make sure that ‘criminals’ can’t abuse their services. But logs don’t discriminate. Quite simply, criminal or not, if a VPN provider logs the external IP addresses they hand out to a user along with a timestamp, subscribers are not anonymous.

But while all VPN providers have a duty to uphold the law and be accountable to the government in the country where they are based, not all of them are required by law to carry logs – so they don’t. But who are they?

If you’re a VPN provider and take privacy seriously, contact us immediately to be included in tomorrow’s VPN anonymity report. We’ll ask you two very simple but crucial questions.

Source: VPN Providers Mull ‘Fraudster’ Database In Wake of Lulzsec Fiasco


China tightens grip on VPN access amid pro-democracy protests, Gmail users also affected


If you've been struggling to get your dose of Facebook or Twitter in China recently, then you're probably one of the many Internet users who've had their VPN access -- either free or paid for -- blocked over the last two weeks or so. That's right, the notorious Great Firewall of China is still alive and well, and leaving proxy servers aside, VPN is pretty much the only way for keen netizens to access websites that are deemed too sensitive for their eyes; or to "leap over the wall," as they say. Alas, the recent pro-democracy protests didn't exactly do these guys any favors -- for one, their organizers used Twitter along with an overseas human rights website to gather protesters, and with the National People's Congress meetings that were about to take place (and wrapped up last night), it was no surprise that the government went tough on this little bypassing trick. To make matters worse, PC World is reporting that Gmail users are also affected by slow or limited access, despite the service previously being free from China's blacklist.

We reached out to a handful of major VPN service providers, and they all confirmed a significant increase in the amount of blockage -- possibly by having their servers' PPTP IP addresses blocked -- over the last two weeks. One company even spotted the Chinese government subscribing to its paid service, only to work its way into the network to locate the company's PPTP server list, and then put them behind the firewall. Fortunately for some, the better-off companies had backup servers to rapidly resolve the problem, whereas the cheaper and free services were unable to dodge the bullet. This just goes to show that sometimes you get what you pay for. That said, with practically unlimited human hacking power at its disposal, it doesn't take much for the firewall to shut down everything heading its way. For the sake of our friends and expats there, let's just hope that the government will take things down a notch as soon as the storm calms.

China tightens grip on VPN access amid pro-democracy protests, Gmail users also affected originally appeared on Engadget on Wed, 16 Mar 2011 11:03:00 EDT.
