Fowarded ports and Privacy

[pepelegal 1]

Good evening everyone!

 

I'm concerned about fowarded ports and privacy. This concern have generated some questions:

 

1) Does the "website" keep log of the user's ip?

2) Does the "website" keep log of the user's fowarded ports?

3) Does the "website" keep log of the user's current and past contact email accounts?

4) Does the "website" keep log of the e-mails that was sent to and received from user?

5) If a user changes the contact e-mail account, is the previous contact e-mail account still stored in AIRVPN?

6) If a Government force AIRVPN to tell wich "website" user account is using port number X, ip number that have accessed this account on "website" and e-mail accounts associated to that account, will AIRVPN provide this information?

 

RMK: I'm talking about the website, not the VPN sessions.

[Staff 9744]

Good evening everyone!

 

I'm concerned about fowarded ports and privacy. This concern have generated some questions:

 

1) Does the "website" keep log of the user's ip?

 

Hello!

 

No.

 

2) Does the "website" keep log of the user's fowarded ports?

 

No. However, remotely forwarded ports are kept in the database, otherwise it would be impossible to reserve them to the appropriate accounts and dynamically forward them according to the server the customer's client connects to. Ports are deleted when the user un-forward them from the control panel. By default no port is remotely forwarded. The database is not on the web site servers.

 

3) Does the "website" keep log of the user's current and past contact email accounts?

 

The current e-mail address is stored (on the db servers, not on the web site servers). This is essential to guarantee some services such as password reset, but a user is not forced to associate a real e-mail address to an account. Of course the best solution is picking an e-mail address that can't be exploited to disclose an identity.

 

4) Does the "website" keep log of the e-mails that was sent to and received from user?

 

No.

 

5) If a user changes the contact e-mail account, is the previous contact e-mail account still stored in AIRVPN?

 

No.

 

6) If a Government force AIRVPN to tell wich "website" user account is using port number X, ip number that have accessed this account on "website" and e-mail accounts associated to that account, will AIRVPN provide this information?

 

Remotely forwarded ports, if not deleted, can indeed compromise privacy under certain conditions. Even if deleted, they can expose the customer to correlation attacks, if a customer forwards them both on the VPN and on his/her system physical network interface(s) or router(s) etc (as clearly underlined in the FAQ). Before we can answer completely, we need that you elaborate your question. In particular, what crimes in which legal framework would you commit in this hypothetical scenario, which government and which force do you refer to?

 

As clearly stated in the Terms of Service, a direct or indirect violation of any fundamental right (as enshrined in the ECHR) and some other acts (described in ToS art. 4) are a violation of our Terms of Service, REGARDLESS of the fact that the infringement is a crime or not according to the legal framework of the country which the customer infringes the ECHR from. On the other hand, a fact that is considered a crime according to some out of jurisdiction country legal framework has no relevance for us/is not our concern, since we (quite obviously) do not recognize the authority of any entity or the validity of any law that are out of jurisdiction. That matter will have to be faced by that country authorities without any cooperation from Air owners.

 

Kind regards

[pepelegal 1]

Thx for reply!

[pepelegal 1]

I'd like to insist in question 6, elaborating it in another way:
Is it possible to identify a "website" user account by the "fowarded ports" and get its associated e-mail accounts or correlated information (access.log with IP, UA)?

[Stalinium 43]

Legendary 6 and a half years necromancy.
Though its been 3 weeks now without an answer. It would be good to hear an official response. I will bump and add my thoughts:

On 3/25/2021 at 7:10 PM, pepelegal said:

Is it possible to identify a "website" user account by the "fowarded ports" and get its associated e-mail accounts or correlated information (access.log with IP, UA)?

Forwarded, yes. Forwarded ports are globaly unique for AirVPN and it's possible to know whose account it's currently forwarded on.

I think the question to ask you what scenario you are trying to avoid was very on point. I very much doubt they'd give out your information to any small fish without a court order (that would be illegal, a violation of GDPR). And if it's a court order it'd need to be in Italy or be enforcable there (ianal). Basically until someone (not you obviously) angers some very big pockets, the privacy should be safe.

If you want to be sure, rotate the forwarded port every 24 hours. Better yet, every time you connect (assign port) and disconnect (remove port). AirVPN has an API, use this unique feature to your advantage.

As requested though. A Scenario:
Let's say I host a website on a non-default port (port-forwarded) with satire and comedy of a certain Winnie Pooh and R. Dogan political leaders. Somehow they visited my funny comedic website but didn't find my short stories and comics about them funny and cried (a lot). They decide to sue AirVPN for identifiable information. The port is still tied to my account. Obviously AirVPN has no obligation to respond to Winnie Pooh's country's court system, but what if Mr. Dogan manages to get a court within the EU to issue an order?

1. What if that order is issued in Italy vs. Non-Italy (EU member state)? In what case will AirVPN cause indirect harm to an aspiring comedian and disclose information?
2. Can the comedian hope to be notified by AirVPN of this fact?
3. (A non-question: can an AirVPN admin miss the button and accidentally click "unbind port" instead of "pwn user" button? Mistakes can happen, right?)