Secure encryption and online anonymity are now at risk in Switzerland

Having open source reproducible and verifiable systems protects against secret surveillance orders and gag orders, not active legislative harms.

It will not protect against “VPNs are illegal” but will protect against “We can secretly force VPNs to serve malicious clients to log all data” type of laws.

2 Likes

I didn’t mean it is misleading; I meant it shouldn’t continue to be misleading in the face of UK/Swedish/Swiss laws etc., if and when they come to pass (if they aren’t being enforced already). UK’s IPA has been in force since 2016!

If I am allowed to be critical (and pedantic):

  • Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.

Can they, in the face of govt letters the providers or their partners (co-hoster, for example) are subject to?

  • Allowing you to bypass geo-restrictions on certain content.

Mostly true for VPNs with residential IPs. Not generally true and hence there’s no need to mention it.

good VPN providers will not cooperate with e.g. legal authorities from oppressive regimes

For sake of neutrality, must also include that the VPN providers themselves could be subject to draconian surveillance. “Oppressive regimes” sounds way too convenient (making folks reading it think … (Western) “democracies” must be fine).

Another common reason encrypted DNS is recommended is that it prevents DNS spoofing.

Standardized encrypted DNS transport protocols offer no such protection.

Other MPRs run by different companies like Google

Google has sunset their “One” VPN, afaik.

protection by segmentation only exists if you trust the two companies to not collude with each other to deanonymize you

Don’t believe this is true for Apple Private Relay. The guarantees are baked into the protocol/cryptography itself? Which is what MPRs at minimum should be, imo.

If you’re looking for additional privacy from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you.

Maybe not? Such reasoning implies ISPs are less trustworthy than VPNs because of government letters … but we now know govt letters are expanding to cover VPNs just the same?

We also think it’s better for the security of the VPN provider’s private keys if they use dedicated servers, instead of cheaper shared solutions (with other customers) such as virtual private servers.

Why is this sentence repeated on that page? “also think” can be removed as it is true that VPS’ slice of RAM is under the full control of the underlying Host OS (in most setups).

Mullvad is a fast and inexpensive VPN … IVPN is another premium VPN provider …

Premium? Inexpensive? Sounds sales-speak to me.

Bridges and proxies: Mullvad also allows you to use bridges or proxies to reach their API (needed for authentication), which can help bypass censorship attempts that block access to the API itself.

Also true for Proton… I hit their APIs from virtually any which place and it almost always has worked.

Mullvad is very transparent

Mullvad is transparent*

  • Censorship resistance features designed to bypass firewalls without DPI.

Moot. All censors running a “firewall”, as they mature, eventually will employ DPI. That’s how this goes.

  • VPN servers that use full-disk encryption or are RAM-only.

Won’t matter on a VPS.

While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries,

VPN providers subject to secret mandates can’t post canaries …

2 Likes

OK. So, the developer provides reproducible builds of their client, and presumably there are independent parties doing reproducible build verification to verify successful builds, maintain a transparency log of all production builds and also external and inbuilt infra for end users to counter-check that the builds they are receiving match those in the transparency logs.

This would remove the vendor’s ability to serve targeted updates, right? They are not prevented from serving malicious updates (through malicious code), but of course there is a reliance on the non-vendor parties involved to try and catch anything foul. As another criterion or bonus, would a rich variety of reproducible third-party clients also help here? Then the vendor potentially has no control over the client at all (beyond spec and how the client needs to communicate with the server).
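One way the end-user counter-check described above could look, as an added example (not Privacy Guides’ or any vendor’s code): a constructed transparency log of builder/digest records, and a client-side check that rejects an artifact whose digest is missing from the log (a targeted update) or that only the vendor itself has attested. The log format, builder names and artifact bytes are all assumptions constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest the exact bytes the user downloaded."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for client release binaries.
GOOD_RELEASE = b"client-2.4.0: bytes built from the public repo"
VENDOR_ONLY_RELEASE = b"client-2.4.1: built and logged only by the vendor"
TARGETED_RELEASE = b"client-2.4.0: bytes served to one specific user"

# Constructed transparency log (hypothetical format): each record says which
# builder reproduced which artifact. Independent rebuilders agree with the
# vendor on 2.4.0; 2.4.1 carries only the vendor's own entry; the targeted
# build was never logged at all.
SAMPLE_LOG = [
    {"version": "2.4.0", "builder": "vendor", "sha256": sha256_hex(GOOD_RELEASE)},
    {"version": "2.4.0", "builder": "rebuilder-a", "sha256": sha256_hex(GOOD_RELEASE)},
    {"version": "2.4.0", "builder": "rebuilder-b", "sha256": sha256_hex(GOOD_RELEASE)},
    {"version": "2.4.1", "builder": "vendor", "sha256": sha256_hex(VENDOR_ONLY_RELEASE)},
]


def builders_for(log, digest: str) -> set:
    """Distinct builders whose logged digest matches the downloaded artifact."""
    return {entry["builder"] for entry in log if entry["sha256"] == digest}


def check_build(data: bytes, log, vendor: str = "vendor", min_independent: int = 2):
    """Accept only if the artifact appears in the log AND enough non-vendor
    rebuilders reproduced the same digest. Returns (accepted, reason)."""
    digest = sha256_hex(data)
    builders = builders_for(log, digest)
    if not builders:
        # Nobody logged these bytes: what a user-specific update would look like.
        return False, "digest absent from log: possible targeted update"
    independent = builders - {vendor}
    if len(independent) < min_independent:
        # Vendor vouching for itself is not reproducibility.
        return False, f"only {len(independent)} independent rebuild(s)"
    return True, f"reproduced by {sorted(independent)}"


if __name__ == "__main__":
    for name, blob in [("good", GOOD_RELEASE), ("vendor-only", VENDOR_ONLY_RELEASE),
                       ("targeted", TARGETED_RELEASE)]:
        print(name, check_build(blob, SAMPLE_LOG))
```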

As a service provider or app developer, remote attestation and reproducible builds are a pretty good defence against powerful 3p adversaries (like, govts). It is a bit like Certificate Transparency, in a sense; in that, you place your trust in the service provider / app developer and no one else. Attestation and Reproducibility are keystones atop which that trust can be anchored cryptographically (see also: Secure/Trusted/Verified Boot).

This is why I think it’s wrong to believe that encryption solves everything when it comes to online privacy, which I think Naomi Brockwell (love her!) sometimes leans too hard on.

If it were true that it is impossible for the server providers working together to deanonymize someone, there would be no need for two different server providers at all. Apple could simply run two different servers on their own and say the protocol between them protects users (which isn’t true).

So has INVISV. Update: Remove mention of specific MPRs by jonaharagon · Pull Request #2981 · privacyguides/privacyguides.org · GitHub

As far as I know this has never actually been tested, so you can’t say this with confidence. Warrant canaries are an attempt to defend against secret mandates, and such attempts are still worthwhile until it is proven that they are ineffective.

All of this ignores the fact that recommending VPN providers in the face of potential secret government mandates still would not be misleading, because we don’t claim VPNs protect against government surveillance like this in the first place.

From my understanding Certificate Transparency is a reactive security measure. Both of you have taken the time to explain that the mentioned processes/techniques are “a pretty good defence” or “protection”, but just to be sure I am understanding correctly: these measures disincentivise by increasing the chance of exposure, rather than prevent the problem we are talking about, right?

I meant, as far as I have looked at the spec (Privacy Pass, specifically), Apple has designed Private Relay in a way that despite collusion (network side; excluding clients), “anonymity” guarantees remain. Also a reason why (I think) Privacy Pass could potentially be adopted by the Tor community (if they haven’t). I hope I am not wrong, but I am also not a cryptographer…

From what I’ve seen, such mandates / laws usually literally spell it out that businesses/orgs cannot post alerts/canaries. Or: It wouldn’t be “secret” surveillance, no?

Ah. Might also want to remove non-neutral / weasel words / sales-speak (inexpensive, premium, very transparent etc).

Can’t speak for @privacybaddie (or whoever @anon6884803 is) but:

“Trust” is what I am after. If I can trust an app developer to only ever build, ship, deploy whatever was in the public code repository (reproducible builds / remote attestation), that’s enough. As once they pwn when no one is looking… that record would be public, and from then on, they’d have lost my “trust”, if no one else’s.

Without attestation / reproducibility, I have no way to base my trust on something concrete, and I’d rather not rely on pinky promises in EULAs / T&Cs (especially when govts are passing laws that require these developers / providers to never talk of backdoors / secret surveillance publicly).

“Trust” is what I am after. If I can trust an app developer to only ever build, ship, deploy whatever was in the public code repository (reproducible builds / remote attestation), that’s enough. As once they pwn when no one is looking… that record would be public, and from then on, they’d have lost my “trust”, if no one else’s.

I very much agree with welcoming measures that significantly lower the barriers to exposing maliciousness. However, I notice here that you have talked about the app developers and the shipped client but not talked about the service provider. Am I right in understanding that the service provider is irrelevant in this case and as long as the app developer (third-party or not) employs those measures (publicly hosted code, verified reproducible builds, remote attestation) this would be acceptable?

1 Like

I’m not sure what Tor would need a blind signature system like this for since you don’t need to authenticate anything. Private Relay needs to authenticate you as an Apple user.

1 Like

Some (only Cloudflare & hCaptcha?) propose Privacy Pass as an alternative to endless captchas to prove one is a human and not a robot. For the Tor Browser specifically, I guess, the proposal went nowhere…

The points should apply equally to both apps & services.

1 Like

Ah right yeah that would be really cool. There’s a proposal for a browser API called Private State Tokens, that would essentially take care of the problem for all browsers. Cloudflare and Apple have Private Access Tokens already. I guess the main thing holding it back is everyone has their own standard lol.

1 Like

Despite its reputation, Switzerland has never truly been the ultimate haven for privacy that many believe it to be.

1 Like

Well that’s not true at all.

In Swiss legislation, there have been and continue to be many ambiguities and gray areas regarding the handling of personal data and privacy rights, such as the legal classification of VPNs. In my opinion, it was only a matter of time before this topic would be addressed politically and judicially.

2 Likes

I don’t know why but I ended up remembering that the Session messenger app moved or are moving to Switzerland.

I wonder if they will need to move again. :sweat_smile:

Very true… Switzerland is not the privacy panacea many promote it to be.

New probe shows Switzerland’s involvement in “spectacular” international spy scandal—The Local: New probe shows Switzerland's involvement in "spectacular" international spy scandal - The Local

Swiss report reveals new details on CIA spying operation—Washington Post: Swiss report reveals new details on CIA spying operation - The Washington Post

CIA spying scandal in Switzerland shows the best way for intelligence services to read your messages is to OWN the platform—RT: CIA spying scandal in Switzerland shows the best way for intelligence services to read your messages is to OWN the platform — RT Op-ed

[Note: Not sure why the actual archive.is links are changed to the name of each article, and if I post just the archive.is links (without the name of the article), just the archive.is link appears and not the name of the article. Strange…]

2 Likes

I am not sure the sources you posted mean that much in the context of Privacy Guides users. I don’t mean that to dismiss what you are saying. What I mean is that the first two sources seemed to be pretty clearly about governments, or at least government entities, coordinating to spy on other governments.

While I think the idea that this op-ed promoted is reasonable, it’s nothing new to Switzerland or the privacy community. Privacy communities are constantly concerned about companies being honeypots.

The part I found most concerning was from the first article you linked where it talks about the Swiss intelligence service acting on its own without even informing the government.

In a statement announcing the delegation’s findings Tuesday, parliament said the Swiss intelligence service had known “since 1993 that foreign intelligence services were hiding behind the company Crypto AG.”

The Swiss intelligence service had subsequently benefitted from an “information collaboration”, it said.

The Swiss government had meanwhile not been informed of the arrangement until late last year [2019], it said, warning that this raised concerns about gaps in the control over the intelligence service.

While I agree with this, I think compared to most countries where it’s reasonable for users to find privacy tools, this jurisdiction is better than average. I do wonder why somewhere like Iceland, as an example, that has notable privacy protections does not produce more VPNs and other tools.

I missed this.

In my previous reply, I point out that PG says VPNs can protect one from “anti-piracy orgs” and “oppressive regimes”. This is misleading:

  1. Anti-piracy orgs, such as the MPAA, rely on govt legislatures & law enforcement? How can a VPN, under govt mandates, in a jurisdiction that cooperates with other govts, protect anyone?
  2. Oppressive regimes sounds like a clever way to avoid mentioning there’s no such legal framework where PG recommend VPNs operate?

Both those points are misleading. Also, as @anon6848291 says, why do folks want to hide traffic from their ISP in the first place (torrenting for example)? In most, if not all regions, the govt mandates ISPs report illicit activity. If VPNs (or their partners worldwide) now are mandated to do the same thing … what’s the point of PG only going on and on about “protects you from ISPs”? I find it misleading.

If jurisdiction isn’t important, why mention “Proton is based in Switzerland” / “Mullvad is Swedish” / “iVPN is registered in Gibraltar”…? The fact that these providers have network partners worldwide subject to respective local laws, and the fact that there’s not much visibility into the agreements between them.

Also, the min criteria for VPNs explicitly calls out “secret logging”, as mentioned before.


Edit: Are e2ee messengers, storage services, and email providers required to meet the “no secret backdoor” criteria? I don’t see such a requirement, presently. Better yet, as @anon6848291 says in this thread, reproducibility & attestation should be table stakes if govt mandates are already in place (like in the UK).

5 Likes