Can you trust VPN Providers?



Possibly one of the most important considerations for a VPN is the trust that you have in that provider and their security practices. Consider this: in order to connect to a VPN you have to connect to, and reveal your real IP address to, that VPN server, and that address is directly traceable back to you. The VPN provider can, if it so chooses, log all the sites that you visit and everything that you do. You can mitigate this if you use an extra layer of encryption or a nested VPN.

But the VPN is a man in the middle by definition, so it could perform man-in-the-middle attacks on you if it wanted to or was coerced to do so. A bad VPN service is no different from a bad internet service provider, but with a VPN you can change provider, and you can change location and jurisdiction, which you can't do with your Internet service provider. So you should at least go with a VPN provider that you trust more than your ISP, or there's really no point going with one at all. And even if you trust all or most of the claims of the VPN provider, they can be served with court orders to disclose information under penalty of fines or worse, depending on the country they're in. One attempt to mitigate against this that providers have started using is something called a warrant canary. Quoting Wikipedia: "A warrant canary is a method by which a communications service provider aims to inform its users that the provider has not been served with a secret government subpoena."


[Image: warrant canaries]



The idea is that if the canary is removed then the provider has received some sort of subpoena, letting the users know that they should cease using the service. There are services like Canary Watch which watch all of the warrant canaries that are out there. If you visit the site you can see there are plenty of them, and many sites have warrant canaries, not just VPNs.
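To make the monitoring side concrete, here is an added example (not code from the original post or from Canary Watch) of the kind of check a watcher runs against a provider's canary page. It assumes a constructed canary format with a "Last updated:" line, a hypothetical provider name "ExampleVPN", and a 90-day freshness limit; all of those are assumptions for the example. The check distinguishes a canary that is present and fresh, one that has gone stale, one that has disappeared, and one whose wording has silently changed.

```python
import re
from datetime import date

# Constructed sample canary statements for a hypothetical provider "ExampleVPN".
# These are not real provider statements.
CANARY_OK = """\
Warrant Canary
Last updated: 2020-03-01
As of the date above, ExampleVPN has not received any secret government subpoena,
national security letter, or gag order.
"""

CANARY_STALE = """\
Warrant Canary
Last updated: 2019-09-01
As of the date above, ExampleVPN has not received any secret government subpoena,
national security letter, or gag order.
"""

# Phrases the statement must still contain; if one vanishes the text was edited.
REQUIRED_PHRASES = ("has not received", "subpoena")
# Assumed refresh interval: a canary older than this is treated as stale.
MAX_AGE_DAYS = 90


def parse_last_updated(text):
    """Extract the 'Last updated: YYYY-MM-DD' date, or None if absent."""
    m = re.search(r"Last updated:\s*(\d{4})-(\d{2})-(\d{2})", text)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def check_canary(text, today, max_age_days=MAX_AGE_DAYS, required=REQUIRED_PHRASES):
    """Classify a fetched canary page.

    Returns (status, reason) where status is one of:
      'missing' - page absent or empty (the classic 'canary removed' signal)
      'altered' - page present but the expected statement or date is gone
      'stale'   - statement intact but not refreshed within max_age_days
      'ok'      - statement intact and fresh
    """
    if text is None or not text.strip():
        return "missing", "canary page is absent or empty"

    updated = parse_last_updated(text)
    if updated is None:
        return "altered", "no parseable 'Last updated' date"
    if updated > today:
        return "altered", "last-updated date is in the future"

    lower = text.lower()
    gone = [p for p in required if p.lower() not in lower]
    if gone:
        return "altered", "statement no longer contains: " + ", ".join(gone)

    age = (today - updated).days
    if age > max_age_days:
        return "stale", f"last updated {age} days ago (limit {max_age_days})"
    return "ok", f"last updated {age} days ago"


def changed_since_snapshot(previous, current):
    """True if the canary wording differs from the last stored copy.

    Comparing against a saved snapshot catches edits that keep the date fresh
    and the required phrases present but quietly reword the statement.
    """
    normalise = lambda s: " ".join((s or "").split())
    return normalise(previous) != normalise(current)


if __name__ == "__main__":
    today = date(2020, 3, 19)  # constructed 'now' for the example
    for label, text in (("fresh", CANARY_OK), ("stale", CANARY_STALE), ("removed", None)):
        print(label, check_canary(text, today))
    print("edited:", changed_since_snapshot(CANARY_OK, CANARY_OK.replace("gag order", "request")))
```

A watcher like this tells you only what the provider chose to publish. Keeping a snapshot and diffing against it is what catches the subtle case, where a statement is quietly reworded rather than removed.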

I'm very skeptical about the real effectiveness of these warrant canaries. Let me quote Bruce Schneier, who I think summarized it quite well: "I have never believed warrant canaries would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue." I agree exactly, as I see no reason why these court orders couldn't stop them from taking down the warrant canaries.

Many VPN providers operate in the United States, and they do that because there are no mandatory data retention laws in the U.S., which means they are not forced to log your IP address or information about you. The EU, however, does have data retention laws, and it also has VAT laws, which means that VPN or security service providers do have to retain information about your identity. This is actually a pretty complex issue, with some countries complying, some not complying and some flat out refusing to comply, so this is something that you would have to research personally, but there are some good resources. Below is the EFF, which is a brilliant site where you can find out the latest on mandatory data retention.

[Image: EFF page on mandatory data retention]

Like I said, it's a complex issue. I think in the EU the following places seem OK: Bulgaria, Cyprus, Iceland, Luxembourg, Netherlands, Romania, Serbia, and Sweden. But for reasons of data retention you really ought to avoid all VPN companies in jurisdictions where they are forced to log information that will reveal your identity, and you might even want to avoid services based in those locations as well.

Even though there are no data retention laws in the United States, VPN providers and other security services are known to be targeted by the NSA, GCHQ, and other nation-states to cooperate in de-anonymizing their users. For example, Lavabit, if you are familiar with them, went out of business instead of complying with an NSA demand to secretly let them spy on Lavabit customers. To sacrifice your business and livelihood under these circumstances is pretty heroic; think about how many other companies have been paid a visit and now provide information to nation-states. I think Lavabit is probably the exception in that they actually chose to shut down their business, and there are many incidents of VPN providers not living up to their claims. So even if a VPN provider states that they don't log your traffic, you have no way of knowing that this is true. Plus, when pushed by an adversary such as a nation-state, will they roll over? Probably yes, to keep their business going. And just because they don't keep logs now doesn't mean that they can't switch them on, and there are a number of incidents where this has happened. To give you an example, I have one here where a HideMyAss VPN user was arrested after their IP address was handed over to the FBI.

So for reasons of spying and subpoenas, companies in the jurisdiction of the Five Eyes should be avoided: Australia, Canada, New Zealand, the United Kingdom and the United States of America. Potentially the Fourteen Eyes could be avoided too, and you also might want to avoid services based in those locations.

We know from Edward Snowden that extremely sophisticated programs exist, and mandatory key disclosure laws exist to force VPNs to cooperate. But maybe you don't live in any of the five countries or the 49 countries; you would still want to avoid using VPN providers who are registered in the jurisdiction of the nation-state you wish to avoid. I think that's probably obvious. So if you are in Iran, China, India, Russia, etc., avoid using VPN providers registered in these locations or part of their sphere of influence. With VPN providers, no matter how great the claims and how well they set up security and anonymity, you can never fully trust them. From the examples that you saw, I would even bet money that a number of nation-states actually run and own some of the VPN services; why wouldn't they? It's not a particularly difficult or expensive task to set up your own VPN service. If I was doing this I'd definitely set up a VPN service; it would be a good way to monitor people.

So in choosing a VPN, you need to start by at least having a VPN with good security practices, and then mitigate the risks by distributing trust. A single VPN service has a common owner and manager, which is a key vulnerability. If you distribute the trust, collusion between multiple parties is required to compromise your identity and privacy, for example with nested VPNs, using hotspots, nested Tor, etc., which we will talk about in the future.

So VPNs have their purpose: they can protect you on public Wi-Fi from hackers, from corporate trackers and from Internet service provider monitoring, but you have to understand their limitations against a powerful adversary.

Reviewed by Admin on March 19, 2020
