You Probably Need a VPN

Vice recently ran an article with the attention-grabbing headline, You Probably Don’t Need a VPN. The main problem with the article is that it confusingly conflates several separate issues.

The objections to using a VPN boil down to:

  1. It doesn’t really matter if your Internet access provider (ISP, etc.) see what sites you are connecting to because the actual connections themselves are encrypted. All ISPs can collect these days is metadata about who you connect to and when.

    The objection that the only thing Internet access providers can collect is essentially browser history metadata seems absurd given how much we know about the value of that metadata. Many ISPs turn around and sell that metadata about their customers precisely because it has value.

    I have little trust or faith in the Internet access providers that I use in the United States. There are essentially zero legal protection for consumers at the moment for how ISPs can use and sell that data. Even if there were, these providers themselves typically employ bottom of the barrel security practices (looking at you Breach-Mobile), and such data will likely be stolen if not sold at some point.

  2. There are a lot of lousy VPN companies, many of which represent a potentially bigger data risk than your local Internet access provider.

There are a lot of lousy companies, period. The one cool trick that changes everything here is not to pick a terrible VPN company.

Pretty much the only VPN I recommend to ordinary people these days is ProtonVPN. Their basic $4/month plan will likely meet most people’s needs. Their VPN client is well-designed, and I trust their no-logs policy.

The other VPN I recommend is AirVPN, but not for casual users. In my opinion, if you want to do a lot of high-speed torrenting, AirVPN is the best option out there. Let’s just say in the last ten years, I’ve yet to receive a DMCA notice and leave it at that.

TorrentFreak’s 2018 Roundup Of VPNs

TorrentFreak recently published the latest version of its annual roundup of which VPNs really protect their user’s privacy. The last thing you want to do is pay extra money to a VPN for the “benefit” of having them log your Internet activity anyways.

As with past such roundups, TorrentFreak is here relying on responses from the VPNs themselves, so this should be the start, not the end, of research you’d want to do on any VPN you’re thinking about using.

I still use AirVPN as my VPN, and am very happy with it. AirVPN allows BitTorrent connections, and has relatively high speeds for the price. However, my primary use case is to keep my activity private from ISPs and copyright authorities. If I were worried about 3-letter agencies or other state actors, I might take a closer look at other alternatives.

Anyway, here is how AirVPN answered TorrentFreak’s 12 questions.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

No, we don’t.

2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?

The name of the company is Air and it is located in Italy.

3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?

We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

Absolutely not.

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

They are ignored.

6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?

The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.

We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellmnn keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channels ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AED cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.

Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally of public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, momentarily we would suggest to drop ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.

10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.

11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)

The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).

12. What countries are your servers physically located? Do you offer virtual locations?

We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.

AirVPN 6th Anniversary

AirVPN recently celebrated its sixth birthday,

From a two servers service located in one tiny country providing a handful of Mbit/s in 2010, the baby has grown up to a wide infrastructure in 16 countries in three continents with 165 VPN dedicated servers and several secondary servers aimed to additional services, providing now up to 156900 Mbit/s to tens of thousands persons around the world. The number of available VPN servers since the last birthday has almost doubled. An outstanding growth that makes us very proud!

I have been using AirVPN since 2011 and route all of the Internet traffic on my two personal laptops through their service (other than times when I’m playing online games where the lowest possible latency is a must).

Based on what I’ve read, AirVPN is the best VPN for when you don’t want your ISP or other network provider monitoring what you’re doing over the Internet. I appreciate things like their client’s “Network Lock” feature, which prevents any Internet traffic that doesn’t traverse the AirVPN network so as to prevent any leakage which might allow my ISP or others to monitor what I’m connecting to.

As I’ve written on my blog before, if I were engaged in activities where I was worried about a state actor and where connection speed isn’t important, I would use something like Tor. But for keeping the MPAA and my ISP’s monitors at bay, AirVPN does the trick.

Finally, the price for AirVPN has stayed fairly stable–a one year subscription costs roughly $59 (the company bills in Euros)–while the company has expanded the number of concurrent connections it allows to three, so that I can have both of my laptops and occasionally my phone connected simultaneously.

AirVPN’s Responses to TorrentFreak’s VPN Questions

Back in 2011, TorrentFreak did a survey of third party VPN services in response to some high-profile incidents in which companies running VPNs ratted out their customers. Recently, TorrentFreak did a similar survey that had a fairly striking omission–TorrentFreak didn’t include and apparently didn’t bother to even ask its questions of AirVPN, which I and others concluded was the best VPN available based on its 2011 survey. TorrentFreak hasn’t explained why AirVPN was left out, but AirVPN went ahead and answered TorrentFreak’s questions in their user forums, and TorrentFreak finally got around to updating its original story to include AirVPN’s answers.

Anyway, since I don’t like the format in which TorrentFreak offered up the answers, here are their questions with AirVPN’s answers, which  highlight why I continue to be a loyal AirVPN customer.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

No, we don’t keep any log that might be exploited to reveal customers’ personal data during connections, including real IP address. For example OpenVPN logs are sent to /dev/null (Air is based on OpenVPN). Our privacy policy is available here: https://airvpn.org/privacy

On top of that our VPN servers do not maintain any account database.

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

Italy. We do not share any information with any 3rd party.

3. What tools are used to monitor and mitigate abuse of your service?

Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (for example UDP floods) against or from our servers.

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

No help can be given about past connections because we don’t log, monitor or inspect our clients traffic, and we don’t and can’t require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with subsequent investigations and if possible with the help of proper and competent authorities.

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

7. Which payment systems do you use and how are these linked to individual user accounts?

We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account only in order to provide service delivery and to comply to our refund policy.

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

We put into practice the recommendations of security expert and best practices on our setup, based exclusively on OpenVPN with the following features:

Data Channel: AES-256-CBC
Control Channel: HMAC SHA1
RSA keys size: 2048 bit
PFS (Perfect Forward Secrecy): yes. TLS re-keying is performed by default every 60 minutes through DHE as well as at each new connection. As an additional option the re-keying time interval can be lowered by the client unilaterally.

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client private key, the client traffic can’t be decrypted.

How Much Privacy Can VPN Providers Really Offer?

Nick Pearson, an EFF member and founder of IVPN.net, wrote a thorough article for TechDirt on precisely what sort of privacy VPN providers can and cannot offer customers.

I’ve been using AirVPN for a couple years now, and there are two basic forms of privacy I’m trying to achieve.

First, I do not want people who have access to the networks I’m using have the capability of monitoring what I amdoing. For example, I regularly connect my laptop to WiFi networks that I do not control, and want to ensure that no other users (including the operators of those networks) are able to see or record my activity.

Second, I do not want entities on the other end able to directly track my activity back to my actual IP address.

So for my case the most important thing was finding a VPN that doesn’t do any logging. As Pearson points out, a number of popular VPNs based in the United States — VyprVPN, HideMyNet, StrongVPN, etc. — actually keep logs of all activity through their systems so they can respond to DMCA requests. Pearson makes the case that not only is this the height of stupidity for a VPN, but that it is not even remotely required by US law.

The next most important thing, in my opinion, is to avoid any VPN based in the United States. With a lot of services, that option just isn’t there. With VPNs, many of them are based outside of the US and Europe, and the more obscure the jurisdiction the better.

Pearson raises a third use case for VPNs — avoiding monitoring by law enforcement.

So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands a the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.

One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.

While I appreciate Pearson’s activism, I wouldn’t count on that sort of activist mentality to shield me from law enforcement. If law enforcement monitoring were a serious concern, I’d use multiple VPNs, switch servers within those VPNs regularly, and cycle through the VPNs I was using on a regular basis (as well as use TOR and other anti-monitoring countermeasures)

Even then, there are ways beyond direct logging for a persistent-enough law enforcement agency to track Internet activity back to specific users given enough time.

TorrentFreak Overview of VPN Services and Anonymity Policies

TorrentFreak published an interesting survey in which they asked various VPN providers about what, if any, logging of customers they do and what legal jurisdiction the companies operate in.

Not surprisingly, the worst for logging were StrongVPN and VyprVPN. I’ve used both in the past primarily because I wasn’t doing any file sharing while using the VPNs, but rather was using them to avoid being spied on locally over wireless and wired Ethernet.

That is still my primary goal with a VPN service, but it is also becoming more and more difficult to determine what is and is not illegal to do on the Internet, even in the United States.

Using the TorrentFreak overview as a starting point I looked over the various options and finally settled on AirVPN. AirVPN doesn’t maintain any logs, and is surprisingly cost-effective — I paid just $21 for a three month subscription.

AirVPN is OpenVPN-based, and the connection speed is generally good. The difference between something like AirVPN vs. StrongVPN — aside from the excessive logging of the latter — is the difference in server choices. StrongVPN had numerous servers I could choose from in the United States. AirVPN has just two.

Personally, though, I never had a need to switch servers while I was using StrongVPN. I’ve never seen the servers at AirVPN at capacity or had any problem connecting, so they’re keeping their capacity at an appropriate level which is all I care about.

Assuming the next couple months go as smoothly as October went, I’ll be going for the year’s subscription which cuts the cost to $6/month.