As the privacy versus security debate in government bodies, the media and especially on the internet continues, the tech savvy have long been protecting their privacy using Virtual Private Networks (VPN’s) which allows them to surf anonymously online. Or so it was thought.
But the arrest of alleged LulzSec hacker Recursion has put a big dent in that conviction. On September 22nd the FBI picked up 23-year-old Coby Kretsinger believing him to be the man behind the handle. Recursion is suspected of participating in the Sony hack in which the hackers managed to traipse around in Sony’s systems undetected for 7 days.
The FBI press release states that Kretsinger “allegedly sed a proxy server to hide or mask his IP address”. The day after the arrest it became clear that the FBI had tracked down Kretsinger by obtaining logs of a VPN provider called HideMyAss (HMA).
HMA offers its subscribers anonymous internet access by rerouting the traffic through their servers. When a connection with a third party server is established, it only knows it is communicating with the HMA server. It can’t trace to whom the HMA server is relaying the data.
The only one knowing who is talking to who is the HMA server. And, as it turns out, HMA kept logs of those data transfers. Which, of course, makes the whole anonymity part of the scheme rather dependable on what happens to those logs. Unlike what you might expect from a company which explicitly claims on its homepage it wants to secure the online privacy of hackers, it did not hesitate to hand over the log files to the FBI.
This caused an outrage amongst privacy advocates. HMA defended itself saying it was court ordered to release the files. But in the uncharted space that is cyber law companies have a right to question governments’ insatiable thirst for private data. As privacyinternational.org points out: “In 2006 Google resisted a US Department of Justice subpoena for search logs. More recently Twitter successfully unsealed a secret demand for information.”
Some commentators doubt HMA’s claim that it was slapped with a court order altogether. Wondering how a British based company can be held accountable by a United States law enforcement agency.
The HMA debacle shook other VPN providers as they considered it damaging to the reputation of the industry. Their responses, however, were quite diverse. Torrentfreak.com reported that the VPN Council which represents some VPN providers took the events as a cue to dust of an old idea to implement a ‘shared fraud database’.
The Council agreed to store and share identifying data of clients who make illegitimate use of VPN’s in order to be able to ban them. The course the council is taking is to try to establish a ‘clean’ client base so that there’ll never come a government body knocking on their door. But by storing their clients’ data (whom are paying them for anonymity) they will always be vulnerable to data disclosure requests. What if a government whistleblower uses their networks, or a free speech activist from a free speech hostile country? Each time they will have to make a moral judgment.
Quite contrary is the reaction of AirVPN. The company asks its clients to not disclose any information about themselves. “The key is that we must NOT know who you are”, AirVPN writes on its website. It suggests clients make their payments with bitcoin using TOR.
Torrentfreak.com decided to ask VPN providers outright how anonymous their anonymizing services actually are. They presented leading providers with two straightforward questions:
1. Do you keep ANY logs which would allow you or a 3rd party to match an IP address and a time stamp to a user of your service? If so, exactly what information do you hold?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
Last weekend, Sabu, a LulzSec member who has been able to keep his identity secret, made a rare public appearance on the social (news) sharing forum Reddit. In an AMA (Ask Me Anything) he answered questions posted by Redditors. When asked what he would recommend to people who want to browse the web safely, he answered: “Security is a myth, really. Nothing is really safe.”
Photo: source gnosisarts.com