VPN

Vegan

Hello
Question for IT experts.
Ive been using VPNs for a while now. But all these new recent laws including TTIP and TPP and tougher laws in the UK are making me reconsider. For downloading, how safe is it? What are the legal implications? Can the location still be tracked? I know it depends on the VPN provider and the fine print. But still, what are the general implications and laws? Can they be tracked? Can one be prosecuted even if one is using VPNs and is apparently anonymous and anyone looking to track me would be invading my privacy?

myshirt

If you merely farted at a crime scene there are ways to trace you.

So yes, you ultimately can be traced, but by using a VPN you make it slightly more annoying and arduous. Pro-tip is to not base your education on Dr. Google. Google merchants are amongst the worst. Google will not solve for you.

Vegan

Hi
What exactly do you mean by dr. Google and merchants? Please elaborate

dbit

Commit a crime while on VPN and be sure that if the severity is high enough, That any private out sourcing VPN service will hand your ass over faster than you can say anonymous.

The only way to go dark is to truely go dark . Blank OS , TOR , Hacked internet connection either by clone or throw away burner 3g, No logins ever to be used upon your ninja machine . Then you can give two fingers to whom ever may be watching.

Vegan

Downloading torrents? What do you think are the implications for that?

dbit

Vegan wrote: »

Downloading torrents? What do you think are the implications for that?

Well the three two one rule that Eir signed up to long ago - they dont seem to be living up to it , I download torrents every day on Eir network last 1.5 years never got a single letter . Simply set the torrent client to ecnrypted and disallow it from handshaking with non encrypted or Legacy clients thus ISP cant see diddly squat . ( Bar the encrypted garbled junk you would see in that type of session)

the options explained :-

Protocol Encryption
• The Outgoing dropdown menu allows you to select the mode of encryption that you prefer µTorrent to establish. All modes will accept incoming encrypted connections, and the encryption is 2-way.
--Disabled will force µTorrent to attempt to establish only unencrypted outgoing connections.
--Enabled will allow µTorrent to establish encrypted and unencrypted outgoing connections, depending on how the peer responds to the handshake. This is the recommended option, as it provides µTorrent with the largest pool of peers to pick from for connecting to.
--Forced forces µTorrent to establish only encrypted outgoing connections. Any peer that doesn't support encryption will not be connected to. It is recommended that you not use this option unless your ISP actively searches for unencrypted outgoing connections, as it can impair your ability to connect to peers.
• Allow incoming legacy connections allows µTorrent to accept unencrypted incoming connections. If disabled, any incoming connection that is unencrypted will be ignored. It is recommended that you not disable this option unless your ISP actively searches for unencrypted incoming connections, as it can significantly impair your ability to connect to peers.


IF you go with forced they see nadda , it does hamper tracker connectivity (So they say) Yet i never have any issues . ( With full legal distros and the various gaming platfroms that like to distribute over torrent protocols)

anvilfour

Vegan wrote: »

Hello
Question for IT experts.
Ive been using VPNs for a while now. But all these new recent laws including TTIP and TPP and tougher laws in the UK are making me reconsider. For downloading, how safe is it? What are the legal implications? Can the location still be tracked? I know it depends on the VPN provider and the fine print. But still, what are the general implications and laws? Can they be tracked? Can one be prosecuted even if one is using VPNs and is apparently anonymous and anyone looking to track me would be invading my privacy?

Vegan,

Welcome to the Information Security forum!

I don't have much to add to what dbit has already said. A VPN will encrypt your connection and make it much harder to snoop on but I wouldn't rely on it for protection against more than the most passive surveillance e.g checking that you're not downloading over BitTorrent.

It is possible to mask your location to some extent but any fool with access to your VPN providers records would be able to see you'd connected to them and with a little extra work, what sites you connected to as a result and what you're downloading.

The anonymity networks Tor and I2P hugely reduce the chance of that happening if used correctly but are much slower than a VPN.

If you do wish to go down the VPN route, do bear in mind that not all VPN's are created equal. In an ideal world you would set up your VPN but this can be a bit tricky for newbies.

If you want to go with one of the many VPN providers out there, I understand the most secure protocol is OpenVPN - the others are easier to set up but not as secure.

Having established that your VPN provider is OpenVPN compatible, I would also suggest you check they are not housed in a jurisdiction which requires them to retain logs of their data, or can be required to by law.

An interesting comparison of VPN providers from TorrentFreak available here as well as how Ross Ulbricht the founder of the Silk Road got caught despite using a VPN.

The USA is a great example of a country which doesn't require VPN providers to log information about people connecting to their services by law but can stick a warrant on ISPs/VPN providers to make them record data about you as part of a criminal investigation. A small amount of peace of mind can be had by using a VPN provider using a warrant canary.*

The VPN providers I've used in the past have been based in Norway, Iran, and the Netherlands, all with either strong privacy laws or a strong incentive not to cooperate with requests/demands from Western Law Enforcement.

Finally, if possible try to pay for your VPN using a non traceable method e.g cash or Bitcoins. This means that even if someone hacks in or government grunts hammer down the door they won't be able to trace any activity back to you specifically.

TLDR:

- VPN's offer some anonymity but anyone with access to VPN server can trace your IP and may be able to see files you're downloading.
- VPN is not nearly as anonymous as using Tor or I2P but is much faster.
- Most secure method would be to rent a server but requires being comfortable with computers.
- If you choose to go with a VPN Provider, find one that supports VPN, is located in a jurisdiction which doesn't require them to log data, has a warrant canary and (ideally) lets you pay anonymously.

*The question of whether taking down a warrant canary would violate a subpoena has yet to be questioned in court. Still more security is better than none!

dbit

Ross Ulbricht "The Dred priate Roberts" I think is taking the fall for the real cuplrits (Personal opinion) Sorry off track i know but his ass was handed over with some very questionable actions on the part of US Gov . To me it looked as if he was setup . NO VPN service is safe unless you provide the endppoints both ways and even then it still not safe lols.

Vegan

Thank you guys. Ill try some of the other methods.

Khannie

dbit wrote: »

Commit a crime while on VPN and be sure that if the severity is high enough, That any private out sourcing VPN service will hand your ass over faster than you can say anonymous.

I respectfully disagree. We're in the process of setting up a "no log" VPN server and we have an agreement in place with another. You can tell fairly handy whether a VPN provider logs based on the number of their users who end up in court.

HMA + lulzec is a classic example. Nobody trusts HMA any more.

anvilfour

Khannie wrote: »

I respectfully disagree. We're in the process of setting up a "no log" VPN server and we have an agreement in place with another. You can tell fairly handy whether a VPN provider logs based on the number of their users who end up in court.

HMA + lulzec is a classic example. Nobody trusts HMA any more.

Khannie,

You know I have the deepest respect for your skills and experience but I would be wary of signing up with any VPN provider who claims to keep "no logs" if I wanted to do something particularly private.

Firstly if the provider has a large amount of users I wouldn't find it credible that they have no logs at all as they'd be unable to troubleshoot. Far better to rent a server of your own and set up a VPN by yourself as you are doing, that way you can disable logging and see it's been done!

Secondly though there are countries like the USA which don't have mandatory logging laws but where VPN providers and ISPs can be compelled by the government to monitor individual users.

This of course is not to diminish your efforts to provide privacy to the masses, your work thus far has been stellar in my ever humble opinion. I just think that given it's only a small amount of extra effort to rent a server in Iceland or similar and install openvpn yourself, you might as well avoid the big names altogether.

dbit

Khannie wrote: »

I respectfully disagree. We're in the process of setting up a "no log" VPN server and we have an agreement in place with another. You can tell fairly handy whether a VPN provider logs based on the number of their users who end up in court.

HMA + lulzec is a classic example. Nobody trusts HMA any more.

I seroiusly doubt the large name or branded VPN services out there think the same way you do , Nor do i agree with your opinion (Respectfully) . IT is nice to know that you are setting up a service that will deliver log less VPN . I still wouldnt sign up to one .

Khannie

Interesting viewpoints, lads. It's good to discuss these things. I've said in the past that the NSA would be mad not to set up cheap, high quality VPN's.

anvilfour wrote: »

I would be wary of signing up with any VPN provider who claims to keep "no logs" if I wanted to do something particularly private

I guess it depends on the use case alright. Tor would be the obvious solution there.

anvilfour wrote: »

Firstly if the provider has a large amount of users I wouldn't find it credible that they have no logs at all as they'd be unable to troubleshoot.

My (currently limited) understanding is that troubleshooting is done by turning on logging for internal test accounts in these scenarios. I've spoken with a good few VPN providers now and this is what they say.

anvilfour wrote: »

Far better to rent a server of your own and set up a VPN by yourself as you are doing, that way you can disable logging and see it's been done!

Ah! Now this isn't necessarily true. Logging on your (presumably virtual or chrooted or whatever) server isn't in place, but if you don't own the box itself then you can't assume all logging (for correlation purposes) has been disabled.

In my case I'll own the box. It's ouchies money but I'll be fully in control then.

anvilfour wrote: »

This of course is not to diminish your efforts to provide privacy to the masses, your work thus far has been stellar in my ever humble opinion.

Thanks. I do believe strongly in the right to privacy. Thankfully, Tim Cook agrees with me or I think we'd all be in trouble. The direction the UK is moving in is fairly surprising to me.

BigEejit

This thread appears to have gone off on a tangent from the original questions. I have a VPN, as much to hide my IP as to get around ISP throttling.

The company I use is Dutch based, they have VPNs in the Netherlands of course but also Eastern Europe, the UK and America. As far as I am aware Dutch law is the among the best in Europe to protect your privacy (Norway and Iceland are also very good) and the company I use says they only keep connection logs (no data on your traffic) for 3 days.

They have a handy Windows application that lets you select the country and vpn protocol (SSTP, L2TP, PPTP or OpenVPN) and the app can be configured to kill a program automatically when the vpn drops. So if you set your firewall to block your applications that you want to hide on your non-vpn interfaces and select your application to be killed if the vpn drops then you should be safe in the knowledge that you will not be spewing your real IP to all the other downloaders of debbie does dallas or similar.

If you are worried about downloading copyrighted material and whether the NSA would pass your details on to the MPAA to sue your infringing ass .... I wouldnt be at all concerned. And the MPAA themselves cannot do it, both for legal and technical reasons.

However, if you are doing something that is actually illegal (copyright infringement will not get you sent to jail) then I would expect that GCHQ/NSA would be knocking on your VPN providers door fairly fcuking quick and your ISP's shortly thereafter.