Which anonymizing VPN is really anonymous?

On the heels of the arrest of Cory Kretsinger, aka “Recursion”, for one of the Sony data breaches, following an FBI request for traffic records from his VPN provider, users wonder whether anonymizing service providers really are all that anonymous.

Using a VPN to connect securely out of reach of prying eyes, is a common business practice. Similar technology is also used by folks who want to “hide their tracks” if they plan on engaging in activities that might attract plenty of unwanted attention. Some providers use a more simplistic topology to do this, which tends to be easier to track. Normally, however, a VPN provider would be combined with a few other technologies to make it difficult to trace the original source of the traffic, or so the theory goes.

Turns out the providers sometimes keep logs of the traffic, and can be subject to legal pressure, if a court orders the provider to turn over the records. This has some users more than a little upset. Regardless of the users’ motivation, they took extra steps to keep their data protected in transit, and would prefer the provider did as well, with or without a court order or warrant.

Some companies put users’ traffic through a more labyrinthian route than just a VPN, layering TOR technology along with various other network tricks to basically absolve them of questions of whether they knew, or should have known that criminal activity might be taking place. Since legal action requires conclusive knowledge of the identity of the person originating the traffic, this type of topology would skirt the issue because the provider argues it doesn’t even really know WHO you are, so has nothing to either hide or be compelled to provide.

Expect some national policy to urge providers more emphatically to be required to keep and produce traffic logs upon demand. Also expect a providers who’s customers place the highest premium on anonymity to choose other providers and/or technologies if they do. Also, since customers may not know when the Terms of Service changes for their provider, expect there to be ferocious opposition to attempts to make anonymous data public, for any reason. Some customers will also choose providers not based in the country requiring the production of traffic logs upon demand.

There is a moral undercurrent to the argument. The question is asked why users should fear potential legal pressure if they’re not engaged in illegal activity? Opponents argue that sensitive communication like whistleblowing or avoiding overbearing censorship or traffic restriction may still be valid use cases, but certainly still be sensitive, especially when the original communicator might be real physical danger. Either way, expect continued pressure toward keeping the information available for law enforcement/court activities, and expect equal pressure from the privacy crowd who feel the efforts smack of personal rights erosion.

Author Cameron Camp, ESET

  • P@r@c3l5u5

    Welcom to i2p

  • Suzanne Marie

    I am so frustrated. I have been a victim of my ex husband cyberhacking and cyberstalking me for the last 6 years. Each time I buy new equipment, I do as much as I can to prevent him from doing any infiltration and within a matter of days he starts his magic. I am on a limited budget, disabled, and he’s a freakin’ loon, but no one goes on behind closed doors and everyone thinks he must be so wonderful because he has top secret clearance with the defense department. Why would a man living with another woman, and her child, who won custody of my son from the courts because of his ability to lie and act like such a wonderful man when the facts speak otherwise. Why would this man continue to put SO MUCH time into writing new programs almost daily to keep his virtual network going of which I am an unwilling victim? This man must be crazy, yet the police won’t do anything, no do the FBI. I try to send messages for help and he shuts my computer down and reroutes the messages so I can’t even get word out. He is frightening. Yes, he uses VPN’s and so many other clever things that people never thought to do. He has taken over my mobile phone and uses it as a listening device. I have records of my boyfriend snoring in my bed from 4 years ago I recently found on an old phone hidden under sound files. And of my teenage daughter sleeping both audio and video picked up by her phone. What else does he have? I’m afraid to think. He has put my computer in an ad-hoc network and taken control of the Netbios. So even though it may say I am the administrator, looking deeper, there are scores of hidden files, that only User has access to. I don’t think anyone realizes how vulnerable this feels for a woman, who has been a victim of his abuse before. This type of obsession is crazy, especially when he fought so hard for the divorce and the prove I was an unfit mother when I wasn’t. I never knew how he knew all the information that was discussed privately in my own home and would use that in court. He also knew exactly what to produce for the law guardian determining who was to parent our youngest son. The oldest two refused to live with him. If he tapped into her phone the way he obviously tapped into mine, he could have listened to anything he wanted to and heard things he wasn’t supposed to hear so he would know just what kind of act to put on for her.
    I think it is criminal that there are not any law enforcement agencies out there to help women who are victimes like this. I am frightened enough that I have left evidence and told certain people that if anything happens to me this is no accident. People say that if you are not hiding anything, why should you care if he is looking at everything to do, listening to every phone call, sending each picture along to himself? Well, a new scheme of his was to force me out of Chrome and into internet explorer and I resisted as long as I could but I am attending college and so is my daughter and we need this computer. Tonight, he closed up shop and we were not able to access her school website that she needed to write an essay on, and he changed the date of my professor’s due date of the homework. Luckily, I remember the old one. He has taken my whole E: drive and has it with 4 root hubs with 4 ports each and reader cards etc, and to me the drive is now useless. It is all under his domain files and so I cannot record or play a CD or a DVD.
    Someone needs to do a better job watching these top bananas of defense industry. So much of his workday is spent hacking at my things. I’m sure he must be using technology he has gotten from there. My question is just how many of them do it and think it is a perk to “spy” on the people they don’t like or for whatever reason. This guy deserves to feel half the anguish and fear I have some nights worrying if he has crept in a window and is coming into my daughter or my own room.

  • Jack Kozakiewicz

    Anonymity to the whole world is one thing, but I am also concerned about logging on a VPN server side, as you cannot control it and only can trust your VPN provider. I do not want their admin to read my Facebook, for example. Is there any way to hide your traffic you send to the VPN server?

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.