I've been a happy PIA subscriber since the Snowden controversy. However every time I see them becoming more popular (at least 4 of my friends have signed up with them in the past few weeks) and earnestly trying to make themselves more secure, I also realize that someone, somewhere within the NSA (and yes, other intelligence agencies around the world) is elevating them on a list of VPNs to break.
I've said this before, but PIA and other similar VPN providers are great security against most drive-by hackers. I am a happy customer for this reason.
But if your threat model includes "NSA/CIA/FBI/DEA", you are going to have to spend more than $4 a month to remain secure.
Okay, I'll bite. My budget is more than $4 a month, but not thousands. Is there any way to keep myself secure from the NSA/CIA/FBI/DEA/etc. in a simple VPN way?
> if your threat model includes "NSA/CIA/FBI/DEA"...
I think there are two vastly different threat models within that - (a) large-scale and indiscriminate vacuuming up of the average citizen's Internet usage data to fill up datacenters and do analytics, and (b) active targeting of a specific subject.
I'm hoping a VPN will insulate me against (a) too. But for (b), I don't think I stand much of a chance even if I spent $400 a month.
"Failsafe" is unnecessary. Come on, we call ourselves engineers here, right? A cardinal rule of engineering is to not let "perfect" get in the way of "good enough".
They don't store any user logs (I have no reason to suspect they'd lie about that). So there's not much stored data to break. Which means the focus will be on breaking their traffic encryption protocols.
Not necessarily. There's no need to break the encryption or have logs if the NSA can monitor all the traffic going in and out of the proxy server. They just have to correlate your incoming encrypted connection with the outgoing unencrypted data to remove the layer of anonymity. I'd frankly be a little surprised if they weren't doing this or something like it.
I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.
> I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.
So you're saying not using encryption and VPN services is a safer choice as regards Internet usage today? You seem to be going against the grain of most of what's been discussed around privacy & Internet surveillance on HN recently.
I wouldn't make a blanket statement like that. Depends what VPN and how you're using it and what you're doing on the internet and (in particular) what threat you're trying to protect yourself against. PIA will do a good job of protecting the contents of your messages from someone sniffing your wifi hotspot, but is useless against someone with the ability to monitor all internet traffic. The data leaving the PIA proxy is just as unencrypted as it would be if you weren't using a VPN, except your attempt to secure it will likely draw extra attention. There's strong evidence [1] that the NSA has special rules that allow enhanced collection and analysis of encrypted traffic.
Hypothetically, I believe a US entity could be forced to start logging and simultaneously be forced to not mention that logging had been turned on (and, indeed, to lie if asked about it).
Based on their sites, I believe they're a UK-based company (and the US endpoints are just endpoints, in case someone wants to have a US-located exit to access US-only services), so it makes it somewhat harder (but not impossible) to correlate between the client and their traffic.
Still, I don't see any significant difference between the NSA and GCHQ, except that we have (thanks to Snowden) some details of the former's operations leaked, but the latter's remain secret (or I didn't pay enough attention to the news, maybe).
"Q: Where are you located? A: We are located in the US. Being in the US is optimal for VPN Privacy services since the US is one of the few countries that does not have a mandatory data retention policy. Countries in the EU are forced to log, even though some claim they do not."