Never of course. To make them illegal would force the question of a constitutional right to privacy. So in the US at least it won't happen.
That being said, I expect various people to continue to obfuscate and make it confusing. At some point I expect a 'VaaS' type service to be announced with pretty compelling economics, and it will be impossible to tell that the service provides access to certain third parties.
Phil Zimmermann is doing his part with Silent Circle. That too is looking to force the question.
My impression is that the govt sees the internet as a Constitution-free zone, and the only question is how quickly they can boil the water without us frogs getting active.
I have been advocating startups build privacy in to their systems as differentiation points over their competitors. As privacy breaches make the headlines, it makes for PR that you can piggyback on to fairly effectively.
At Blekko we've been very aggressive at building privacy in from the start, and we talk about that with folks all the time.
When I was at Sun I was deeply involved in doing security work both in the kernel and on the network. There were lots of places to improve.
In both the Blekko and Sun cases the 'better' version doesn't seem to carry a lot of retail influence. Which is to say if you offer a consumer a choice, the 'secure' one which costs a bit more (either in cash or in complexity) or the 'insecure' one which is cheaper, not enough people pick 'secure' to make the investment pay off. You have to pay for your investment somehow, and the fewer people who are willing to pay for a feature, and the more it costs to implement, means a higher per-consumer price for that feature. Security often pushed that cost threshold over the limit into 'non-business'.
When we were discussing implementing the best privacy policy and technology in any search engine I was pretty clear that having the 'best privacy policy of any search engine' was a nice add-on feature but you couldn't base your business on it. We had to have a search engine that was just as good or better than the competition, and the fact that 'oh by the way it's got the best privacy policy' could be icing on the cake, but for the majority of people it would not be their reason for using it.
You can see this sort of effect in lots of different communities.
Tor has its own issues (difficult set up, high latency), as well as VPNs (single point failure / tracking, US-based companies must obey warrants).
Perhaps there's an opportunity for a company based in Switzerland to run a private TOR network for obfuscation with guaranteed bandwidth. Private TOR network has its own problems though. You need a large number of users to anonymize each other's data, and the block of assigned IPs can be treated as a single entity and blocked / rerouted as a result.
I'd argue Tor has removed the difficult set-up recently. Now it's as simple as downloading the recommended Browser Bundle and running it, and you get a standalone (branded?) Firefox completely set up and ready for Tor surfing.
Admittedly, it is still complicated to set up your existing web browser to use it, and latency is still a huge issue - not helped by the limited number of exit nodes.
The problem with the latency on Tor is not the bandwidth, (Tor can download a 1mb file quite quickly), it's the ping. This is an aspect of the onion routing model, not the fact that volunteers run nodes. There are proposals to switch from HTTP to a faster protocol from the exit to the user. It's expected this would result in an observable latency improvement for web browsing.
[ though all of that ex-SEAL presence among the founders sets off some of my paranoid alarms about US government backdoors ]
I certainly hope there's enough demand to sustain privacy protection services…but I'm not optimistic. I've never had much luck convincing "regular" people that privacy concerns are worth abandoning the convenience/entertainment of things like Google and Facebook.
VaaS: I use http://www.getcloak.com and am quite happy with it as a security measure. For bypassing "the great firewall", my girlfriend is a flight attendant; she and several of her coworkers use it, so that they can browse the web normally when in China.
They'll never become illegal, it will just become like guns in crime, use a VPN, get an extra 5 years for whatever your thoughtcrime might be. Paid with bitcoins? Here's 10.
Maybe they won't be outright illegal, but I could see laws being passed so VPNs must keep extremely detailed logs of users and their activity, thus making them useless as a way to mask online activity.
But I can also see America forcing their will on other countries and forcing them to keep detailed logs too (let's face it, the UK is right there with America).
Countries like the one that hosts TPB may hold out as long as possible, but eventually the rest of the "internet world" could just ban those IPs or whatever. (just like they are banning the TPB IP now).
What I'm saying is, I can see the day where it's illegal or extremely difficult to use a VPN anonymously, from any country.
You're ignoring the possibility of surveillance. It's possible to 'wiretap' a VPN connection that you use all the time. Any VPN company would have to comply with a court order in that jurisdiction.
It seems unlikely that VPNs will ever become completely illegal, at least not in the US. Too many very large companies use them for Congress to consider it. They may make them illegal for non-corporate uses, but that would be difficult to enforce and overall useless.
I can easily see governments forcing ISPs to blacklist the IP addresses of known VPN servers. I'm only slightly surprised that this hasn't happened yet in the UK and other such places. The first step is to try to ban direct access to websites. Then they'll likely try to ban the workarounds. Yes, power users will always find a way around these things, but it will work to stop many, I suspect.
And as for corporate/government VPN users, maybe this will be an excuse to introduce a VPN "license" for those who will be allowed to use them.
The big tech companies I've worked for use VPN heavily for remote workers, so my first reaction was, "This could never happen."
But now that you mention it, I could see a situation where domestic VPN providers are forced to log user data (or be on the hook for copyright violations when the VPN is used by employees) and ISPs are strong-armed into blacklisting overseas VPN providers. That's actually kind of scary.
Eh, it very well might be the best answer. It's a "Have you stopped beating your grandmother?" kind of question. Perhaps the famous Zen non-answer "Mu" would be better, but "No" is about as close an English equivalent as you'll get.
Never. The article is mostly fear mongering on a slow news day. The
reason why it would be impossible to make a "VPN" illegal is simple;
Internet commerce transactions are done over an encrypted tunnel
(httpS via SSL/TLS), and there are really no simple technical differences
between one kind of secure tunnel and another.
For those that don't know, SSL/TLS based VPN's do exist, and the most
common implementation is OpenVPN. It's based on the same OpenSSL
(library) code that your web browser is (most likely) using.
The SSL/TLS based VPN's use "only" 128 to 160 bit encryption, and if
your tin foil hat is on tight enough to cut off your circulation, then
this fact makes you nervous. You can run OpenVPN via UDP over a "tun"
interface (OSI Layer 3) or even a "tap" interface (OSI Layer 2), and
compared to many VPN-ish alternatives, it's pretty fast in my tests.
The other common light-weight approach to VPN's is using PPTP (Point to
Point Tunneling Protocol). I have NOT (recently) studied the crypto
employed in PPTP implementations, but I'd guess it's nearly on par with
SSL/TLS. It's been eons since I've messed with PPTP, so I'm going to
keep my (outdated) opinions mostly to myself. The most fair thing to
say is there is (can be) some crypto involved, and it can be pretty fast.
Though I'm currently working on some OpenVPN stuff for friends, I
personally prefer the more (ahem) sophisticated (read: difficult and
complicated) VPN solutions based on SSH, or better, IPSec. They are a
lot more work, but they tend to be more robust and more resistant (when
done properly --and any VPN done wrong is just a false sense of
security). The down-side with SSH based tunnels is there is a greater
performance overhead with TCP based connections, and hence, you get
reduced throughput. IPSec is better, but it's even more difficult to get
right.
For a lot of testing I use Tunnelr.com. They offer both OpenVPN and SSH
(SOCKS) based VPN's for a cheap price.
It's kind of sad that privacy is being equated with piracy, but the
"lump it altogether" folks are idiots. There are actually lots of
extremely good (and legal) reasons to use both VPN's and other types of
secure connections... --Every time you buy something from Amazon or
similar, you're most likely using a secure connection.
Sadly, the above listing of data retention policies of various VPN
providers is already out of date. For example, iPredator (from the folks
at ThePirateBay) are now logging IP address in accordance with the EU
data retention laws going into effect in Sweden.
The iPredator/TPB blog post is intentionally distracting and painfully
vague on details about the logging they've implemented to comply with
the law. (NOTE: I stumbled on the poorly named iPredator service of TPB
because they offer PPTP based VPN's.)
The same may or may not be true of other EU based services listed in the
TorrentFreak link above. See the following for reasonably updated info:
If you do any work on Computer Vision (CV) or other types of image/video
analysis (Machine Learning) based on data downloaded from the Internet,
you need to be extremely careful. When you have scripts/programs/spiders
downloading (image/video) data for you, you never know what "kind" of
data is on the other end of any link, and that data may very well be
illegal! --It sucks, but this is the reality everyone lives with. If you
take a step back, you'll realize how normal browsing of the Internet is
really no different than running your own spider to collect data. Every
link you click is a potential violation of some law.
OpenVPN supports all ciphers supported by the OpenSSL library, so you can for instance get 256 bit AES-CBC if you want. I've seen benchmarks with one tunnel running >400 Mbit, so you can certainly get some nice performance.
PPTP* is broken, and should only be used for anonymisation, never to ensure confidentiality or integrity of the data in the tunnel. PPTP's encryption scheme is MPPE which is based on RC4, and tunnel traffic can be decrypted in a matter of minutes unless the key is sufficiently strong. This is almost never the case since the password is the only thing used for key material. IMHO this is pretty much irrelevant anyway since you can do a MITM attack to hijack the connection or downgrade the session to not use encryption. So basically the encryption doesn't matter.
* I'm told the exception would be to use PPTP with EAP-TLS which is certificate-based. However I don't have any experience setting that up, so I'm staying quiet on that one.
As for data retention, I don't see how VPN providers have any obligation to log. And even if they did perhaps a little bit of collective civil disobedience might be in order?
What is your opinion on SSTP? The problem with most VPN tunnels is that you cannot use them if your corporate firewalls only allow port 443/80. SSTP gets you around that.
I haven't read the specs thoroughly enough to have an opinion.
As for firewalls, as long as they're not doing DPI (Deep Packet Inspection) you can just run the VPN on the right ports. In addition to the standard ports, we run our VPNs on tcp/80, tcp/443, udp/53 among others. That takes care of most firewalls.
I don't know which VPN service you run, but I looked at tunnelr and the showstopper for me is that it only supports OpenVPN.
In order to use VPNs on my Mac and on my mobile devices, I have to pay for two separate VPN services, which is a deal breaker.
I would much rather use a service that supports both OpenVPN and PPTP, with a bunch of disclaimers. I understand the tradeoff and I am willing to make it.
You might want to take a closer look at tunnelr.com. They do support
both OpenVPN and OpenSSH based tunnels, and both of these work fine on
MacOS. I don't own a "normal" Mac, but I did see MacOS tutorials on
their site, in fact, there are two tutorials, with each using a
different method.
You were a bit vague when simply stating "mobile device" but if memory
serves me, Both OpenVPN and OpenSSH will work on some "mobile" platforms
(Android, iOS, etc.). I've never tried it personally, and I don't know
what kind of "mobile device" you use, so for your specific case, I could
very well be wrong.
Using OpenSSH via SOCKS support in applications or by using a
SOCKS-Wrapper like "DSOCKS" by Dug Song or similar ("Sockify" for
Windows, etc.), takes more effort than running OpenVPN. It might take more
effort, but if you don't mind the hassle, it's most likely more secure
than the common alternatives (OpenVPN, PPTP, etc.). The only thing
better than OpenSSH (in my opinion) would be using a correctly
configured IPSec implementation. But getting IPSec right makes OpenSSH
look very easy.
You might want to note how in this discussion both Fredrik Strömberg
(kfreds -runs the Mullvad VPN service) and myself have intentionally
tried to avoid disparaging PPTP. Whether good or bad, a lot of people
like PPTP for various reasons, and a lot of VPN services offer it as an
option. Other than for the sake of curiosity, learning, and
experimentation, I would never use PPTP. When it comes to both security
and privacy, PPTP has many known problems and some VPN service providers
refuse to support it due to these issues.
Trying to be fair to those who like PPTP is being a bit too generous
since the security and privacy of people is at stake. None the less,
development work is still being done on PPTP, and it has supposedly
made some improvements over the years.
EDIT: I misspelt Fredrik Strömberg's name. Sorry. (sigh).
iOS devices do not support OpenVPN nor OpenSSH. You can use L2TP, PPTP or IPSec for VPNs.
So, I can either pay for tunnelr.com and have zero VPN support on my iOS devices, pay for two separate services, or switch to a provider that supports both. I suggested that while it's fine to tell people not to use PPTP, some of us will still want to use it, because it is better than nothing at all (please don't make me argue that it really is better than no VPN at all).
Here's a statement of fact: at present, the only reason tunnelr.com does not get my money is because it does not support PPTP alongside OpenVPN.
> please don't make me argue that it really is better than no VPN at all
No argument at all from me. ;)
What you've said seems blatantly pragmatic to me. --It's sad how so
much of HN these days is pointless arguments. Sure, it's good that
we're accurate in what we say, and fair about it, but every word we
utter should not lead to an argument. Oh well...
Anyhow, I did find one SSH app for iOS (iPad) when I last looked,
but I still agree; Whether or not it's possible to get other apps
to play well with SOCKS would be a real headache.
I'm not a real iOS user, but I have helped my parents with their iPad
a bit. I'm curious how much of a pain it is on iOS to get IPSec set up
properly?
IPSec can be really tricky to set up properly, but once you've got it
right, it's the very best VPN solution. A lot of companies have tried
to make IPSec more "usable" and "user-friendly" on desktops, but it's
still an unwanted pain for users. For admins, testing it for leaks is
often a convoluted nightmare. The thought of attempting both the setup
and testing on a mobile device (iOS/Android) makes me shudder.
My statements were not about preventing people from breaking laws,
instead, they are about never knowing that you're breaking a law until
after you have broken it.
Even if a link is on/to a reputable site and ends with ".html", it could
still be a link to a JPG image of kiddie porn. You've just broken the law,
even though you had no intention of breaking the law, and had no
intention of being in possession of kiddie porn.
(NOTE: Sending an image file when a HTML file is expected is possible by
manipulating the MIME type sent by the web server for the ".html"
extension to tell the browser it is a JPEG image. Of course, another way
to do it is redirection, since by default, most browsers follow most
forms of redirection.)
Even if you had an automated agent (web spider) program following links,
it is YOUR connection that is logged as accessing the image.
If the kiddie porn image was part of some sting operation being run by
law enforcement, then you're stuffed.
This issue of "not knowing what you're accessing" is one of the long
standing and underlying flaws in the design of the Internet, so you can
be certain it won't be fixed any time soon.
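
The mismatch described in the note above (a ".html" link answered with image bytes, or with a redirect) can be caught on the crawler side before anything is stored. The following is an added example, not part of the original comments; `vet_response`, `sniff` and the allow-list policy are hypothetical names and choices, and the crawler is assumed to fetch with automatic redirects disabled.

```python
import os
from urllib.parse import urlsplit

# Leading "magic" bytes for a few common formats (deliberately not exhaustive).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]
EXT_TYPES = {".html": "text/html", ".htm": "text/html", ".jpg": "image/jpeg",
             ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}


def sniff(body):
    """Guess the real type from the first bytes, ignoring URL and headers."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    head = body[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "unknown"


def vet_response(url, status, headers, body, allowed=("text/html",)):
    """Return (decision, reason); decision is 'store', 'hold' or 'drop'.

    Assumes the caller fetched with automatic redirects disabled and read
    only the first bytes of the body before deciding.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # Never follow blindly: the target must be vetted as its own request.
        return "hold", "redirect to " + hdrs.get("location", "?")
    declared = hdrs.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    expected = EXT_TYPES.get(ext, "unknown")
    if actual not in allowed:
        return "drop", "body sniffed as " + actual
    if declared != actual:
        return "drop", "header says %r, body is %s" % (declared, actual)
    if expected not in ("unknown", actual):
        return "drop", "URL suggests %s, body is %s" % (expected, actual)
    return "store", "URL, header and body agree on " + actual


# Constructed sample responses (not captured traffic).
HTML = b"<!DOCTYPE html><html><body>ok</body></html>"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLES = [
    ("http://example.test/a.html", 200, {"Content-Type": "text/html; charset=utf-8"}, HTML),
    ("http://example.test/b.html", 200, {"Content-Type": "image/jpeg"}, JPEG),
    ("http://example.test/c.html", 200, {"Content-Type": "text/html"}, JPEG),
    ("http://example.test/d.html", 302, {"Location": "http://example.test/x.jpg"}, b""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], vet_response(*sample))
```
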
The law does not work like that. You only broke the law after the conviction, up until that point it's in an undecided pseudo quantum state. Due to things like mens rea: http://en.wikipedia.org/wiki/Mens_rea
So, for example if you buy a trunk at an estate sale that contains cocaine, open it, realize it's cocaine, then call the cops. You did not break the law even though you were in possession of cocaine which is illegal. Work through some variations of this and you could literally be walking down the street with a suitcase full of cocaine and not actually be breaking the law while doing so.
PS: There are a relatively small number of strict liability crimes where intent is considered irrelevant. But, extenuating circumstances still come into play.
Technically, you may be right, but in many parts of the world the government and everyone else behave as if you're guilty until proven innocent. Good luck staying out of jail if you're caught carrying a suitcase full of cocaine!
True, although out of the things you listed, no company would try and fight to legalize any of those things under the company's best interest in the way VPN could.
...it’s by no means unthinkable. In Iran, where a quarter of all Internet subscribers use VPNs, the government has already announced a crackdown on privacy-enhancing tools that bypass local law.
I don't think that's out of context at all, so I guess I'm reading it differently than you are. Seems clear to me that they are saying it happened there so therefore it could happen here.
I find it hard to believe that governments can ever do anything to stop file sharing in the long term. The more things are forced underground the harder they are to stop. The DMCA was intended to stop piracy but ultimately gave legal cover to numerous sites that would otherwise have been sued out of existence.
You should notice this is orchestrated by countries with consistently high scores on various internet freedom ratings. They turn blind eye on any violation if it's reasoned with IP protection, and they crack down on other countries for rumors or vague plans on blocking some sites or just "because".
IIRC, prohibition of VPN-type "circumvention" was already part of one or more draft legislation initiatives in the U.S. -- serious initiatives. I'm not sure, but was it part of the early SOPA/PIPA drafts -- a portion that was moderated or removed as part of the "appeasement" efforts of the legislation's proponents?
In summary, it's my recollection that this is already being pushed for, in and by the U.S. government and/or its lobbyist "masters". And they don't have to outlaw all VPN connections -- just establish either legal justification or extra-judicial powers to harass and/or arrest you if you can't qualify and justify your use of a VPN to their satisfaction.
Keep in mind: They don't have to apply such powers universally. Just enough to provide the desired effect.
Kind of a side point, as many people join and use the tor network, will the speed of tor increase - or at least move towards the average Internet speed in the world?
Edit: Only reason why I don't use tor yet is that every time I tried, speed was slow. Thanks for the opinions on the question.
It should definitely get better over time, but the latency issue is pretty tough to get around. Bouncing between a half dozen nodes, surely back and forth across an ocean once or twice between each request and piecing everything back together, is a pretty tough problem to solve. Especially when a disproportionate number of nodes seem to be located in Central Europe.
It's also an issue that most exit nodes restrict their outbound speed and ports they route outward. Without restricting the speed in my tor configuration my exit node holds a constant 10/MBs all day even with only common ports open. Once you stop restricting ports you'll be getting multiple cease-and-desist notices within a matter of days since all your traffic will be absorbed by torrents.
Someone will likely come up with an equally/more secure option before Tor gets all that close to your average user's connection speed.
Assuming Google's SPDY protocol catches on wide-scale (which is likely, I believe), then SSL will be pervasive; SSL is a requirement of SPDY. At that point, most web traffic will be encrypted.