Jump to content


Member Since 27 Mar 2016
Online Last Active Today, 04:55 PM

Topics I've Started

TorrentFreaks Annual VPN Questionnaire (2018)

06 March 2018 - 11:41 PM



This list and perhaps site too, should be taken with a grain of salt, not least because:


Note: several of the providers listed in this article are TorrentFreak sponsors. We reserve the first three spots for our sponsors, as a courtesy.


But it's still interesting to see the answers.


Here's how AirVPN responded:


1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

1. No, we don’t.


2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?

2. The name of the company is Air and it is located in Italy.


3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?

3. We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.


4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

4. Absolutely not.


5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

5. They are ignored.


6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?

6. The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.


7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.


8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

8. Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.

We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.


9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

9. We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellmnn keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channels ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AED cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.

Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally of public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, momentarily we would suggest to drop ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.


10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

10. Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.


11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)

11. The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).


12. What countries are your servers physically located? Do you offer virtual locations?

12. We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.



What do you think?


I think it's curious how many answer number 1 with some sort of "No we don't track users" and then when you get to number 4, they say "But we use XYZ Google system".

News article: Facebook promotes a VPN under the Onavo brand that collects even more dat...

14 February 2018 - 06:20 PM



I thought this piece of news was interesting and it underscores that it's important to look at who owns what and to read the terms, not just look at technical features or marketing text.


It seems quite cynical for FB to run this thing.

UK Conservatives Want A "New Internet" Which They Can Control

21 May 2017 - 01:37 AM



More worrying developments from the UK. The Conservatives, spear-headed by Theresa May, want to regulate the Internet further.


That is, if they win the upcoming election.


Article excerpts:




Enviable Upcoming EU Legislation: GDPR

04 May 2017 - 05:04 PM



Next year, around May, the EU will enact the GDPR. The General Data Protection Regulation adds some interesting new things to the requirements for how data is protected, how companies are punished for breaches and other measures that hopefully ensure that people can rest more easy in regards to data protection. I assume AirVPN will fall under these rules, being based in Italy. Although I suspect Air will have a vastly easier time living up to any and all rules, given it already tries to minimise how much it knows about its users. But for large companies, this new regulation is a huge headache. There's even talk about how ransomware could threaten companies with exposing the breach of company security to the public, thus meaning the company gets fined for a % of its global revenue. A potent threat.


After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter in force 20 days after its publication in the EU Official Journal and will be directly application in all members states two years after this date. Enforcement date: 25 May 2018 - at which time those organizations in non-compliance will face heavy fines. 


The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.


Some highlights from the above link, about GDPR:


What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

You can view the key changes here.


Thoughts? I think it's interesting. Even if everything doesn't go according to plan, I think that it's nice to see that someone is doing something for data security at least.

Servers online. Online Sessions: 15456 - BW: 45280 Mbit/sYour IP: Access.