Virtual private network (VPN) providers make their money in large part on trust. When a VPN shields customers’ web traffic from outside inspection, those customers are trusting that the provider isn’t doing the inspecting itself or helping other parties do so. One of the most popular such providers, Private Internet Access (PIA), has earned the acclaim of many privacy advocates on the strength of that trust.
For example, Private Internet Access consistently scores high marks on TorrentFreak‘s list of VPN services that take your privacy seriously. When Ars Technica profiled the company last year, PIA boasted of a sterling privacy record and customer-friendly policies. The big headline was that PIA had never handed over user data to law enforcement.
However, some questions still lingered. I decided to go to PIA and clear things up.
A little background
While we cannot explain the exact ins and outs of what a VPN is, a working knowledge is necessary. Basically, we have to connect to the Internet somehow. In your home, chances are you pay an Internet service provider (ISP) to use its network to reach the rest of the web.
That means your ISP is uniquely positioned to spy on everything you do on the web, if it so pleases. This isn’t standard operating procedure, but it is a vantage point the NSA has exploited to a great extent. A VPN encrypts all of your traffic before it leaves your computer and carries it through an encrypted tunnel to the VPN provider’s server, which decrypts it and forwards it on to the intended destination. Your ISP can see that you are exchanging data with the VPN server, and roughly how much, but nothing about where that traffic is ultimately going or what it contains. Albeit simplistic, this diagram from Private Internet Access pretty much explains it.
Another practical use of VPNs is on public or other untrusted networks. Even a novice attacker on the same network can do a lot of damage, including hijacking your browsing sessions on popular sites like Facebook when those sessions travel over unencrypted connections; the VPN tunnel puts that traffic out of a local attacker’s reach.
If the VPN provider has built in a backdoor for entities like the NSA, though, all you’ve been given is a false sense of security. Another important responsibility of the VPN provider is the records it keeps about customers. “Logging” refers to noting which customers are connected to which VPN servers and when. This could be potentially incriminating information, so it is generally accepted that you don’t want to patronize VPN providers who do it.
Where does Private Internet Access stand?
Private Internet Access has been at the forefront of the movement to disavow logs. Incidentally, the USA is one of the few jurisdictions that do not currently require VPNs to keep such logs. While there is good reason to be hesitant about buying a VPN from an American company, that concern has to be balanced against the concern about logs.
Back in 2013, PIA told Ars Technica several important pieces of information:
[Private Internet Access lawyer John] Arsenault has said that the company has never handed over any user data, as it does not log traffic. He said that PIA has never been ordered to log any user data, nor has it received a National Security Letter, nor has it been compelled to hand over SSL keys.
That’s important! A National Security Letter could compel the company to hand over information that jeopardizes user privacy while forbidding it from saying whether or not it has been forced to do so. An outright “no” to that question is a big deal.
However, several equally important items were still open at the time the Ars piece was published. Notably, PIA had received a warrant from the federal government, which it described as the most substantive request for user data to date, and that warrant had not yet been resolved. PIA also spoke about the possibility of issuing transparency reports to reveal the number of requests and other details about governmental data warrants.
Also, they teased the possibility of using a warrant canary. A warrant canary is a defense against the gag orders that come with National Security Letters and other secret subpoenas. With a warrant canary, the site would have some sort of message posted saying, for example, “we have not received a secret subpoena as of July 24, 2014.”
If that message disappeared or failed to update, those in the know would interpret it to mean that the provider had received such a subpoena. Because the provider has said nothing, this would appear not to violate the gag order, though the legality of the method hasn’t been tested in court.
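A canary only works if someone is actually watching it, and the two failure modes above (the statement vanishes, or it stays up but stops being updated) are exactly what an automated check has to distinguish. The following checker is an added example written for this article; it is not PIA’s code, and PIA never published a canary. The sample statement is constructed from the wording quoted above, and the “as of <Month day, year>” date format and the 30-day freshness window are assumptions, not any provider’s published convention.

```python
"""Warrant-canary status check (added example; not PIA's or the article's code).

Classifies a fetched canary page as one of:
  "missing" - no recognizable canary statement (page empty, or no "as of" date)
  "altered" - a dated statement is present but the negation is gone
  "stale"   - the statement is present but older than the freshness window
  "fresh"   - the statement is present, negative, and recent
Anything other than "fresh" is a signal worth investigating.
"""
import re
from datetime import date, datetime, timedelta

# Constructed sample, modelled on the wording quoted in the article.
SAMPLE_CANARY = (
    "We have not received a secret subpoena or National Security Letter "
    "as of July 24, 2014."
)

# Assumed convention: the statement ends with "as of <Month> <day>, <year>".
_AS_OF_RE = re.compile(r"as of\s+([A-Z][a-z]+ \d{1,2}, \d{4})\s*\.?\s*$")


def parse_as_of(text):
    """Return the 'as of' date carried by a canary statement, or None."""
    m = _AS_OF_RE.search(text.strip())
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%B %d, %Y").date()
    except ValueError:  # e.g. "Smarch 1, 2014"
        return None


def canary_status(text, today, max_age_days=30):
    """Classify a canary page body as seen on `today` (a datetime.date).

    `max_age_days` is an assumed freshness window: a provider that promised
    monthly updates and misses one should trip the check.
    """
    if text is None or not text.strip():
        return "missing"
    as_of = parse_as_of(text)
    if as_of is None:
        return "missing"
    # The negation is the whole point; a statement that still carries a fresh
    # date but now reads "we have received ..." must not pass as healthy.
    if "have not received" not in text.lower():
        return "altered"
    if today - as_of > timedelta(days=max_age_days):
        return "stale"
    return "fresh"


if __name__ == "__main__":
    checks = [
        ("published, checked a week later", SAMPLE_CANARY, date(2014, 7, 30)),
        ("published, never updated", SAMPLE_CANARY, date(2014, 9, 30)),
        ("page emptied", "", date(2014, 7, 30)),
        ("wording flipped", "We have received a subpoena as of July 24, 2014.",
         date(2014, 7, 30)),
    ]
    for label, body, today in checks:
        print(f"{label:32s} -> {canary_status(body, today)}")
```

Running the block prints `fresh`, `stale`, `missing` and `altered` for the four constructed cases. In practice the statement would also be PGP-signed and the checker would verify the signature before trusting the date; that step is omitted here because it needs a key and a signing library the page does not discuss.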
Time for a status update
To address these lingering questions, I managed to get in touch with Andrew Lee, the company’s CEO. He answered forthrightly and quickly.
Asked if they had executed any warrants on users, Lee says, “no, this is not possible given the fact that we do not log any session/meta nor traffic data.” In other words, there’s no purpose in following through with a search warrant once the authorities realize PIA has nothing to share. He added that he doesn’t believe any VPN provider operates this way, but I cannot verify that at this time.
Since they have not participated in any searches for law enforcement, Lee indicated that no user information of any kind has been shared with law enforcement. That would otherwise have included things like payment records, which could confirm that a given person used the service. Note: PIA accepts Bitcoin and consumer gift cards as payment methods that are harder to tie to a named customer.
As for transparency reports, don’t hold your breath. With many other concerns occupying their resources, Lee says, “it is difficult to pin a date on a transparency report.” He nonetheless assured me that PIA is “meticulously working hard, every day, to improve both the user experience and overall transparency of our business.”
Warrant canaries are not on the horizon either. Lee is no fan: “Warrant canaries are, unfortunately, more hype than substance.”
With that said, Lee understands the underlying desire for canaries. After all, there is so much trust involved in this industry that thrives on distrust. He says he’s hard at work on something “far better” than canaries and “will hopefully set new precedents in our industry.”
Will that be more hype than substance? Time will tell. Until then, Private Internet Access users are probably relieved to hear that law enforcement has not yet made any inroads into this VPN service.