On the heels of the arrest of Cory Kretsinger, aka “Recursion”, for one of the Sony data breaches, following an FBI request for traffic records from his VPN provider, users wonder whether anonymizing service providers really are all that anonymous.
Using a VPN to connect securely, out of reach of prying eyes, is a common business practice. Similar technology is also used by folks who want to “hide their tracks” if they plan on engaging in activities that might attract plenty of unwanted attention. Some providers use a more simplistic topology to do this, which tends to be easier to track. Normally, however, a VPN provider would be combined with a few other technologies to make it difficult to trace the original source of the traffic, or so the theory goes.
Turns out the providers sometimes keep logs of the traffic and can be subject to legal pressure if a court orders the provider to turn over the records. This has some users more than a little upset. Regardless of the users’ motivation, they took extra steps to keep their data protected in transit, and would prefer the provider did as well, with or without a court order or warrant.
Some companies put users’ traffic through a more labyrinthine route than just a VPN, layering Tor technology along with various other network tricks to basically absolve them of questions of whether they knew, or should have known, that criminal activity might be taking place. Since legal action requires conclusive knowledge of the identity of the person originating the traffic, this type of topology would skirt the issue because the provider argues it doesn’t even really know WHO you are, so it has nothing to either hide or be compelled to provide.
Expect some national policies to push more emphatically for providers to be required to keep and produce traffic logs upon demand. Also expect customers who place the highest premium on anonymity to choose other providers and/or technologies if they do. Also, since customers may not know when the Terms of Service change for their provider, expect there to be ferocious opposition to attempts to make anonymous data public, for any reason. Some customers will also choose providers not based in the country requiring the production of traffic logs upon demand.
There is a moral undercurrent to the argument. The question is asked: why should users fear potential legal pressure if they’re not engaged in illegal activity? Opponents argue that sensitive communication like whistleblowing or avoiding overbearing censorship or traffic restriction may still be valid use cases, but certainly still sensitive, especially when the original communicator might be in real physical danger. Either way, expect continued pressure toward keeping the information available for law enforcement/court activities, and expect equal pressure from the privacy crowd who feel the efforts smack of personal rights erosion.
Author Cameron Camp, ESET