kNOw Future Inc.

law, technology and cinema, washed down with wine

On VPNs, Filesharing & Illusions

Over the last while I’ve been checking out cryptoparties. As a forum for the self-education of users regarding online risks, the cryptoparty has potential as a useful format, although it will need to avoid the temptation to drift into security-flavoured machismo. As it happens I think that those who could most benefit from it are users who are either inexperienced, mildly technophobic, or both. But in order to serve that constituency the delivery needs to be pitched at a specific, actionable level. More on that another time, perhaps. For now I want to make a couple of comments about a frequent topic which arises in that milieu, namely filesharing and anonymity, and VPNs (Virtual Private Networks).

VPNs can help protect the security of your communications with the network, and allow you to circumvent geo-blocking (where access to a resource is limited to those in a specific country). So far, so good. But there is a misconception circulating that use of a VPN provides a fail-safe cloak for filesharing, an error which is cultivated by the VPN companies themselves trumpeting claims that they keep ‘no logs’. This is obviously false. Otherwise every kiddie-porn trafficker, carder, scammer and spammer would be good to go. Companies operating retail VPN services have an obvious need to prevent such uses of their networks. Otherwise they would be blacklisted by those they purchase services from upstream. Secondly they will have to deal with police investigations and court orders consequent to criminal prosecutions.

The delivery of subscriber data on Lulzsec participants to police in the UK last year by Hidemyass is a case in point. I doubt any other service would have behaved much differently, unless they’re so shady that such stuff pales in comparison with what they and their other customers are up to – and you might think twice about transacting with such people. There may also be services out there which are currently following another policy and which have not yet been brought into line, but that’s a matter of time: the court cases will come.

When No Logs Means… Just a Little Logging
When VPN providers say they keep no logs, they mean that they are not watching your traffic, but they will certainly know when you *log on* and *log off* their service, because such information is useful for them in managing their own network, supplying consistent quality of service and identifying abusive users so as to eject them. In many jurisdictions they are required to keep logs by law, as is the case under EU Data Retention and US Anti-Terrorism legislation. That said, there are wrinkles as to how long the logs must be retained, and this is an evolving legal question (the situation in Germany for example is in flux). This log data connecting a user with an internet protocol address is the information required by copyright enforcement agents who will have collected the other information necessary by observing your activity on whatever protocol you use – they just need to identify you.

What VPNs can change is the jurisdiction to which your virtual identity will be subjected if observed by a potential complainant. Copyright law is territorial, not, as is sometimes wrongly put, ‘international’. There are international treaties, and in the EU a process towards harmonisation, but court cases will be held in national courts and decided under national law. There are countries where copyright enforcement is still not regarded as a priority, or where the media companies have not installed an efficient processing infrastructure. This may be useful if you live in a place with an enforcement apparatus industry. Even in Europe some jurisdictions may only require the handover of subscriber data if the complaint is criminal in nature, as has been the case in Spain, and thus will not stretch to common-or-garden copyright infringement cases. But overall the situations of a VPN and an ISP are similar; they are both middlemen, the former is just more nimble in terms of setting its virtual location. In some cases ISPs are also willing to test the demands of complainants in courts because they have more resources, and interests, to do so.

With a little digging one discovers plenty of testimonies online by users who have had their VPN service discontinued because their provider has received complaints under the Digital Millennium Copyright Act in the US. In fact, if one bothers to actually read (!) the Terms of Service, P2P and torrenting of copyrighted material is often listed as grounds for disconnection. Nobody is going to take serious heat to protect your mass entertainment supply – it’s not exactly WikiLeaks territory.

Fool’s Gold
If you want to snarf the latest Hollywood blockbuster, there is no technical silver bullet to guarantee that you will not get grief. It has always been the case that the best protection in such scenarios lies simply in the huge numbers of people doing it. The likelihood of getting caught is low, but some people will. Ultimately this will only end when the current copyright laws are repealed. Until then (!) the more obscure and bounded the place where you’re trading files, the less likely it is to come under the radar; the internet is a big place with plenty of poorly mapped territories – check it out!

What I find wretched is that VPNs are just the latest in a sequence of products shilled to P2P users. First it was companies giving out malware-infected P2P clients, and making millions. Then came the direct download sites, distorting filesharing into a form of FTP with a client/server architecture, and hitting the till register as they sold premium accounts – more millions. Next it was the turn of those peddling all-you-can-eat Usenet subscriptions. Now is the time of the VPN spivs, trading on people’s fears.

What all of these companies have in common is that they want to sell you something you can either have for free, or that can’t be bought. Total anonymity in combination with high performance is simply inherently contradictory. You won’t enjoy torrenting over Tor! Anonymity ‘for hire’ is good only as long as you are faced with adversaries without sufficient motivation or resources. To believe otherwise is to delude yourself. As expert cryptoanalyst Bruce Schneier wrote:

“If you think security can solve your problem, then you haven’t understood security, and you haven’t understood your problem.”



ps No comments marketing commercial services please.


October 4, 2012 - Posted by | /, civil liberties, enforcement, p2p, technology
