Logs, raids and monitoring

[airyvnp 0]

Apologize if this has been asked before but the forum search is kind of twitchy and gives a lot of results. So i thought i may as well ask here. But should be a sticky for thread for these basic questions as laws change and positions of vpns change as well in time.

Questions:

1. Since no logs are kept, how do you find people who break your "Terms of service" (the European Convention for Human Rights, people trying to compromise security of airvpn, etc, etc as described by you on terms of service page)?

2. Again, is there any monitoring at all at a level less obvious ?

3. Say, if you are raided. What happens then. The users who are online at that moment might get exposed even though u may not log per se.

[Staff 9745]

Apologize if this has been asked before but the forum search is kind of twitchy and gives a lot of results. So i thought i may as well ask here. But should be a sticky for thread for these basic questions as laws change and positions of vpns change as well in time.

Questions:

1. Since no logs are kept, how do you find people who break your "Terms of service" (the European Convention for Human Rights, people trying to compromise security of airvpn, etc, etc as described by you on terms of service page)?

Hello!

We can't do that "ex-ante" (just like any true mere conduit of data), but we reserve the right to do that "ex-post". If a competent authority with competent jurisdiction warns us in any way about usage of our systems in order to perform or aid or abet a violation of ECHR (we are particularly sensitive to human trafficking, human exploitation and privacy violations) we will cooperate "ex-post" with the competent authorities.

2. Again, is there any monitoring at all at a level less obvious ?

No.

3. Say, if you are raided. What happens then. The users who are online at that moment might get exposed even though u may not log per se.

The real IP addresses of those users who are connected at that moment not over TOR would be exposed. The users who are connected over Air over TOR would not be exposed. You might like to look for "partition of trust" in the forum, the following post may give you useful information:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=54&limit=6&limitstart=6&Itemid=142#1745

Kind regards

[l33t 2]

I know this may seem a bit extreme, but do the AirVPN servers have a "kill-switch" that could be used to terminate all active connections in the event of a raid?

[l33t 2]

Thanks for the information, but it looks like you took my quote from a separate post that isn't on this Thread.

[Jinsong 5]

We can't do that "ex-ante" (just like any true mere conduit of data), but we reserve the right to do that "ex-post". If a competent authority with competent jurisdiction warns us in any way about usage of our systems in order to perform or aid or abet a violation of ECHR (we are particularly sensitive to human trafficking, human exploitation and privacy violations) we will cooperate "ex-post" with the competent authorities.

My only concern here would be regarding the criteria you use to identify a "competent" authority, as well as the loosely-defined phrase "warns us in any way" - as opposed to something less ambiguous, preferably something more along the lines of "presents us with a valid warrant/subpoena signed by a judge". The problem is that governmental authorities (in some/most? jurisdictions) are not necessarily obligated to be truthful about their intentions. By publicizing the issues you are "sensitive" to, that gives an open invitation for an adversary to solicit your cooperation under false pretenses. For example, if I'm a Federal agent trying to track down a political whistle-blower, I'm certainly not going to tell you that... instead, I'll say whatever I think is most likely to convince you to cooperate voluntarily. Therefore, I think it would be much safer (from a privacy standpoint) to require a proper and complete legal order before agreeing to assist in *any* investigation, rather than selective cooperation.

Having said that, a high-level adversary wouldn't really need AirVPN's cooperation in the first place... they could just show up at the data center with a warrant (maybe even without AirVPN's knowledge) and start sniffing traffic on the VPN server itself. This has actually been done before in some high-profile cases - I believe in Germany and elsewhere. Realistically, the threat of real-time surveillance is not an issue for most regular VPN users; but those who work with highly confidential data may need additional layers of protection (Tor, etc.) as suggested by admin. I also think it would be a good idea for AirVPN to add servers in some less "Western friendly" jurisdictions such as Russia, Ukraine, etc. for those users who need additional protection against this kind of governmental adversary.

[Staff 9745]

My only concern here would be regarding the criteria you use to identify a "competent" authority, as well as the loosely-defined phrase "warns us in any way" - as opposed to something less ambiguous, preferably something more along the lines of "presents us with a valid warrant/subpoena signed by a judge". The problem is that governmental authorities (in some/most? jurisdictions) are not necessarily obligated to be truthful about their intentions. By publicizing the issues you are "sensitive" to, that gives an open invitation for an adversary to solicit your cooperation under false pretenses. For example, if I'm a Federal agent trying to track down a political whistle-blower, I'm certainly not going to tell you that... instead, I'll say whatever I think is most likely to convince you to cooperate voluntarily. Therefore, I think it would be much safer (from a privacy standpoint) to require a proper and complete legal order before agreeing to assist in *any* investigation, rather than selective cooperation.

Hello!

The previous message might have been misunderstood and a clarification is due.

A judge with proper jurisdiction who serves us a valid warrant/subpoena is surely a competent authority. A USA federal agent who tells us that [aid to] a violation of human rights is performed via our servers is not, but we reserve the right to investigate further anyway, according to our ToS. In case we decide to investigate, that the results of our investigation will be handed over to him/her is a completely different matter. Being bound to our contract with you and to EU acquis, this will not happen, instead the proper EU authorities can be warned by ourselves, even in order to identify the person committing the act (we can't do that) in the cases reported in our ToS: [aid to] violations of the ECHR or usage of our systems with the aim of copyright enforcement through direct or indirect privacy violations.

Kind regards

[Jinsong 5]

Thanks for the clarification. I guess it's fair to say that even the best VPNs aren't 100% bulletproof, so one should always play it safe and try (to the best of one's ability) NOT to do anything to attract unwanted attention from a powerful/competent adversary in the first place.

[Royee 10]

Could we have some clarifcation on the above please ?

 

I noticed on here,  comments below the reviews:

 

http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/

 

Torora

AirVPN will log a user if asked by the court.

 

Was in regards to the human traffic ( ECHR ) Is this comment true ?    I read the above and it sounds like AirVPN will NOT give anything logs or information over,  obviously no one should ever do something like human traffiking.

 

 

 

[hashtag 151]

The real IP addresses of those users who are connected at that moment not over TOR would be exposed. The users who are connected over Air over TOR would not be exposed.

 

 

There was a case in Germany concerning another VPN provider where the police raided a server. This was in regards to Anonymous carrying out a DoS attack against payment processors in retaliation for the financial blockade of Wikileaks. As far as I know no one was arrested. The admin of that VPN replied that the police obtained only a list of usernames and hashed passwords since the server kept no logs. Would they have got the real IPs of users?

[B0R3D 3]

Even if the police did get the real ip's how would they possibly match it to who did what? No one was monitoring the packets.

[hashtag 151]

They won't have a record of who was doing what but I assume they would potentially have a list of real IPs of people who were using that server at that point in time.

[Royee 10]

That is if the VPN was able to keep and maintain logs of everyone's IPs.  As we know with AirVPN under client option our IPS are clearly shown but once disconnected there is no evidence.

 

I guess the whole idea of Tor over Air gives all Air users that comfort knowing not even AirVPN or the client area will get the real isp ip,  but the one that Tor network gives out.

[itsmeprivately 14]

Since AirVPN does not log, it can never prevent something ex-ante (before the fact). However, if something happens that breaches their terms of service, and the authorities inform AirVPN, HOW CAN THEY COOPERATE ex-post (after the fact)? This is not clear to me.

 

For example, some authorities tell AirVPN that their IP was used for human trafficking. AirVPN does not know who it was (ex-ante). So how to find out ex-post? Will AirVPN then surveill *all* users on *all* AirVPN servers, and *all* their data packets, until they find the black sheep when it strikes again?

 

But would this then not be total surveillance of all user data?

 

I would be happy if AirVPN could clarify how they can cooperate with autorities ex-post without surveilling all user traffic....

[Staff 9745]

@itsmeprivately

 

Hello,

 

it's just a matter of automatic triggers (when they are possible to implement) to be decided on a case by case basis.

 

Kind regards

[Royee 10]

Is it not best to assume if anyone is worried the AirVPN servers get raided or we are monitored in any shape or form just to do AirVPN with TOR ?

[retiredpilot 6]

The issue for folks in my country is that even connecting to TOR raises flags.  I don't want my ISP to know I ever used TOR.  Connecting to the VPN and then TOR may at times be acceptable, but the reverse is risky even if perfectly legit stuff is done only for privacy.  I wish there was an easy way to connect to VPN - >TOR -> VPN without having to launch a VM to do it.  The models I have studied make it appear too cumbersome to be enjoyable.  About the only option for me is to go to an open wifi area and connect to Air first if I have to use TOR for something.

[Staff 9745]

@retiredpilot

 

In your case (TOR usage raising alerts), TOR over OpenVPN might be a perfectly acceptable solution: our servers would come to know your real IP address, but our servers (and therefore any malignant entity that could have the power to fully monitor the server you're connected to) would know nothing about your traffic content, real origin, real destinations and real protocols (assuming that that malignant entity does not control, in addition to the server, even the relevant portions of the TOR network: extremely unlikely anyway). Your country would not see TOR usage from your node. Of course there is a major limitation, you can't use UDP over TOR. Evaluate this possible solution, only you can decide if it's ok or not.

 

Kind regards

[Staff 9745]

I know this may seem a bit extreme, but do the AirVPN servers have a "kill-switch" that could be used to terminate all active connections in the event of a raid?

 

Hello,

 

not that it really increases or lowers security in every circumstance, anyway the answer is yes.

 

Kind regards

[MapI6c 1]

I think you should make transparency reports about government requests (if there have been any), similar to what twitter, facebook etc have.
https://www.facebook.com/about/government_requests
https://transparency.twitter.com/information-requests/2013/jan-jun

[Staff 9745]

I think you should make transparency reports about government requests (if there have been any), similar to what twitter, facebook etc have.

https://www.facebook.com/about/government_requests

https://transparency.twitter.com/information-requests/2013/jan-jun

 

Hello!

 

That's a good suggestion. Since the birth of AirVPN in 2010, we have never received any request or interference from any government body or representative.

 

Kind regards

[Royee 10]

I do like that idea also,  that is also rather shocking to see England and US pretty much top of the investigations into crime/offences.

 

Also shows proof England and US are just police states,  and its safer and better to live else where

[retiredpilot 6]

 

I think you should make transparency reports about government requests (if there have been any), similar to what twitter, facebook etc have.

https://www.facebook.com/about/government_requests

https://transparency.twitter.com/information-requests/2013/jan-jun

 

Hello!

 

That's a good suggestion. Since the birth of AirVPN in 2010, we have never received any request or interference from any government body or representative.

 

Kind regards

Staff, with 40+ servers running in many countries that is an amazing statement!!  I know from other posts (Diadem server, etc...) that you guys must get lots of DMCA letters all the time.  I imagine that most here are just privacy seekers, but I/we sometimes worry about the small percentage that really go far over the line on the Air systems.