TAG | international
Recently a colleague was reading a blog post by a Russian based VPN provider which talked about their privacy stance. He was incredulous. “Why would anyone trust a Russian VPN company?!?!”
It is a reasonable question about many locations. Russia, China, Iran, and many other companies are justifiably known for Internet monitoring and censorship. Of course, in the post Snowden era, a lot of attention has been focused on US surveillance as well.
I think that many people have the feeling that they should trust anyone but their own governments. After all, foreign intelligence services are unlikely to do anything about any intercepts unless they see some kind of global doomsday scenario. You might worry that your local intelligence agency could pass along information to local law enforcement, but that too seems generally unlikely. Exposing such intercepts would also expose sources and methods, which are some of the most highly protected secrets out there.
To me the question is what the VPN / Privacy provider is ALLOWED to keep private. It is clear that many governments put a huge amount of pressure, or actually pass laws, on companies to keep all kinds of user activity records. Interestingly that is not the case in the United States.
Anonymizer has no requirement to keep any records about what our users do through our service, or any way to identify associate any activity with a given user. Our systems are architected so that we don’t need to refuse to provide any of that information, we are simply incapable of doing so.
If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.
A Brazilian court is enforcing a constitutional ban on anonymity by requiring Apple and Google to remove Secret, an anonymous social network chatting app from their app stores. Microsoft is being required to remove Cryptic, a similar windows phone app.
In addition to that, they have been ordered to remove the app from the phones of all users who have installed it. These kinds of retroactive orders to have companies intrusively modify the contents of all of their customer’s devices are concerning. At least these apps are free, if users had paid for them, that would introduce another complication.
One wonders how this will apply to tourists or business travelers visiting Brazil. Will their phones be impacted as well?
The law exists to allow victims of libel or slander to identify and confront their those speakers.
While this ruling only applies to Apple, Google, and Microsoft, and only with respect to the Secret and Cryptic apps, the underlying principle extends much further. There are still final rulings to come, so this is not the last word on this situation.
Anonymizer has had a great many Brazilian customers for many years. Anonymizer provides those users important protections which are well established in international human rights law. We certainly hope that they will continue to be allowed to use our services.
Irish Data Protection Commissioner Billy Hawkes has stepped in to have a database of civil registration records removed from the website IrishGenealogy.ie. The problem is that the database contains information on living persons which is often used for identity verification.
That would include things like mother’s maiden name and birth date. While these are public records, previously they had required payment of a fee, and it was not easily searchable on-line.
Of course, in the era of social media, these kinds of authenticators should have been disposed of long ago. Too many of them can be easily discovered by looking through Facebook accounts and the like.
This case also highlights the troubling nature of public records. In the past records were public in the sense that anyone could go to a government building and access the paper records. They could not be easily be searched as a whole, and the entirety of the records pulled into a private database. This is a kind of security by obscurity, but a useful one. With Internet records, many people are not comfortable with just how public much of this information is. The old inconvenience placed a low but real barrier to data access, effectively insuring that it was only done for specific people and for specific purposes. It is not at all clear how to get that without loosing all the advantages of Internet accessibility.
Vodafone recently released a “Law Enforcement Disclosure Report”. Because Vodafone provides services in so many countries, this provides a unique insight into the range of surveillance capabilities and requirements across a spectrum of nations. In six countries they are required to provide direct connections to their network for the local government. This allows those governments to capture content and meta-data without making individual requests to Vodafone. They are not saying which 6 countries those are out of fear of penalties or retaliation.
In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey it is illegal to reveal information about various kinds of intercepts, so the report does not provide information on those countries.
The report also provides good information on the frequency of requests for information from various countries.
One lesson from this is, despite the impression one might have gotten from the Snowden leaks, the US is far from the only country doing this kind of surveillance.
This article makes an interesting argument that sanctions against repressive regimes, particularly sanctions that block providing communications and security technologies to end users, harm dissidents more than they do the repressive regimes they are designed to target.
In particular, companies are unable to provide cryptography and anonymity tools to the people who really need them.
The law also requires web hosts to store all traffic information for two years. While the putative purpose of the legislation is privacy protection, it is widely assumed that this is an attempt to grab more control of the Internet, which has been repeatedly blasted by the Turkish government reporting on government corruption and graft.
As usual with these attempts at censorship, interested citizens can generally get around them. VPNs like Anonymizer Universal allow anyone to punch a hole through the national censorship firewalls to access any content.
I would be very interested to hear about efforts to block tools like Anonymizer in countries enforcing Internet censorship, like Turkey and the UK. Blocking of circumvention tools is already well documented in both China and Iran, and has been seen sporadically in many other countries.
The South China Morning Post reports that the ban on Facebook, Twitter, the New York Times, and many other sites, will be lifted, but only in the Shanghai free-trade zone.
The information came from anonymous government sources within China. The purpose is to make the zone more attractive to foreign companies and workers who expect open Internet access. The sources say that the more open access may be expanded into the surrounding territory if the experiment is successful.
It will be interesting to see if this actually comes to pass.
Two questions occur to me. First, will the free-trade zone be considered to be outside the firewall, and hard to access from within the rest of China? Second, is this as much about surveillance of activity on those websites as it is about providing free access?
Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer.
In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.
Please leave any questions or feedback in the comments section. Thanks for listening.
Wired reports on a move by the Japanese government to ask websites to block users who “abuse” TOR.
I assume that TOR is being used as an example, and it would apply to any secure privacy tool.
The interesting question is whether this is simply a foot in the door on the way to banning anonymity, or at least making its use evidence of evil intent.
Currently, public privacy services make little effort to hide themselves. Traffic from them is easily detected as being from an anonymity system. If blocking becomes common, many systems may start implementing more effective stealth systems, which would make filtering anonymity for security reasons even harder.