For example, some VPN providers are required by law to keep logs and can be compelled by court to hand these over. Needless to say, whistle-blowers and activists are at risk of being identified by these services.

To increase transparency TorrentFreak previously asked several of the most prominent VPN service providers about their logging policies. With this information prospective users are able to make a more informed decision before they sign up.

However, this is just a start and VPN providers should take additional steps to gain more trust. The Seychelles based VPN provider Proxy.sh has taken an important step in the right direction with the launch of its very own transparency report.

Last month Proxy.sh appeared in the news after it started monitoring one of its users based on a complaint from a third-party. The user’s alleged actions violated the “ethical policy” of the provider which all users agreed to when they signed up.

One of the critiques against Proxy.sh’s decision was that the process lacked transparency. The company did inform users about the temporary logging, but details about the alleged offense weren’t posted. Responding to this, Proxy.sh is now the first VPN provider to openly publish all data and takedown requests it receives, as well as the action it takes in response.

“This section provides absolutely all the notices we receive either from third-party or the justice of Seychelles, as well as a precise description of the actions we take in response to them,” the company announces.

The first notices were posted before the weekend, and thus far all requests deal with the alleged distribution of pirated content. For example, yesterday Proxy.sh received a DMCA notice from HBO for a Game of Thrones episode that was shared through the IP-address 173.255.143.218.

Proxy.sh doesn’t keep logs, so it can’t forward the notice to the user in question. Instead, the VPN provider closed the port (56854) that was used to transfer the file.

With its transparency report Proxy.sh hopes to inform its users how the company responds to various abuse notifications and user data requests.

“We hope that by providing such transparency report, you will be able to adjust your usage but also make sure you are not being tracked by behind-the-scene interventions. We have always been clear: we will never collaborate with third-party if this involves providing data about you unless you do activities harmful to human beings,” the company notes.

In addition to the transparency report, several VPN providers are working on founding an independent body that can regulate and audit VPN providers to increase trust. In addition, TorrentFreak has learned that other VPN providers are hoping to start similar transparency reports in the near future.

Proxy.sh is to be applauded for taking the lead on this front, and we encourage other VPN providers to follow suit.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

There are many different VPN providers to choose from and endless configuration, pricing and location issues to consider. Those aside, current attitudes suggest that going with one that claims a zero logging policy, where it’s impossible to link any activity with a particular user, is a good starting point for a selection.

Proxy.sh is one such provider, but last weekend the company openly announced that it would install the Wireshark network monitoring tool on one of its servers in order to identify an individual who had been accused of harassing someone’s daughter. Surprised that the company would do so without a court order, on Monday TorrentFreak published an article on the topic.

We contacted Proxy.sh for comment and it soon become clear that they were unhappy with our general position that monitoring a user without a court order isn’t something that a VPN service should engage in. After discussing the matter with them all week we’d like to present our findings.

It’s an interesting situation in which legalities are important but the company’s ethical policy holds the real power. Interestingly and despite placing restrictions where other VPNs do not, Proxy.sh maintains that their policy makes users more secure, not less. The issues could be extremely important for users of all VPNs, no matter which provider they choose.

Brief background to last Saturday’s decision to monitor a user

Proxy.sh received a complaint “from a desperate family, with support of its lawyer and a third party IT expert” that a user of Proxy.sh was allegedly using Proxy.sh’s Illinois server 1 to “harass” a female.

“We were given backup of a rootkit-infected Android mobile with logs about one of our network’s node. Information retrieved via the rootkit-infected mobile was then utilized to harass the minor,” Proxy.sh told TorrentFreak.

The decision to monitor

In response to the complaint, Proxy.sh activated its “ethical policy” which forbids, among other things, racist, drug-related and pornographic activity, pedophilia and politically and/or religiously sensitive conduct. Proxy.sh say that in order to qualify as a breach the activity in question must be physically or morally harmful to an individual, not a company or corporation.

In Proxy.sh’s view the alleged activity against the female amounted to an ethical policy breach and without any court order it began monitoring a US-based server to identify the alleged perpetrator. In a matter of hours the alleged hacker apologized and Proxy.sh shutdown their monitoring.

The Ethical Policy and where the line is drawn

Given that Proxy.sh is setting standards by which users need to abide or risk being monitored in the event of a complaint, we dug a little bit deeper. Is porn banned if someone is ‘harmed’ by it? What defines harm? Are objectionable religious or political views a risky prospect? Where is the line drawn and how are users expected to know?

It turns out that porn is acceptable and what Proxy.sh meant to say is that they ban videos depicting “the death of a person, or snuff movie.” It’s not clear, gore fans, whether torrenting Faces of Death is out of the question.

On the religious front we posed a situation that affected TorrentFreak earlier this year when we reported on porn downloads taking place in the Vatican, a piece which apparently offended some residents of Northern Ireland. Is that outlawed too?

“With your story on the Vatican, we would be against your activity if you quoted the name of the guy who downloaded porn, and subsequently suggested action should be taken against him. As long as you have kept it general and with respect for all individuals, this is no problem for us,” Proxy.sh explained.

So we get the general idea – Proxy.sh isn’t going to sit around and do nothing if customers of their service hurt individuals. But the question is this – as a service provider and carrier of information, should they be getting involved at all and are they doing so based on the mere allegations of third parties?

How easy is it to have a user monitored?

“First of all, you need to get in touch with a lawyer to characterize the crime in a legal context. Then, you need to get in touch with a forensic IT expert who can gather evidences of your misfortune (in computer meaning). Then you all three need to get in touch with us to report a complaint,” the company explains.

Based on the above it’s far from clear how someone can carry out a religious or politically damaging ‘crime’, much less gather and present proof of it, but it seems that at the least there is some overlap in Proxy.sh’s ethical policy and the law, although in what country’s legal system (possibly ProxyLand’s) remains a blur.

However, with these gray areas identified we asked the company this – does its ethical policy create uncertainty as to what is acceptable behavior when compared to a provider that doesn’t try to govern use of their services other than in accordance with a specified country’s law?

“Of course. There has always been some uncertainty in policies and terms. We do not think we are an exception here and we are happy that you take the time with us to define them more in depth. All the people who have got in touch with us with questions about our terms or policy know that we have always answered transparently and as openly as possible to make them even more understanding on case-by-case basis. It is actually good policy before you turn to any VPN provider, to come and ask it precise questions you need answers for.”

In any event, if a third party complaint passes muster the company is openly prepared to monitor the alleged perpetrator’s VPN connection. That said, Proxy.sh says it will transparently announce that event on its website, something other providers do not.

Is transparency on monitoring better than complete silence?

“Of course. We are sons of anarcho-capitalism. We believe in the sovereignty and self-consciousness of individuals, not of those of States or other entities such as agencies or corporations. We also especially value transparency. We believe this is what terribly lacks in today’s world,” Proxy.sh says.

“Here at Proxy.sh we offer users the full choice of both knowing and deciding to opt out (or simply switching to another node part of our network) when an intervention needs to take place. We do not believe this choice should be left only to governments and VPN suppliers themselves, but rather to the entire customer-base; in other words, to everyone involved.”

Just because you can, does it follow that you should?

In addition to all the wonderful people online there are obviously some hateful individuals too. But is it a service provider’s job to appoint itself judge and jury over their behavior, no matter how objectionable? How does Proxy.sh respond to people who say that as a privacy service provider they should simply keep out of their customers’ business?

“This is a very good question and actually the onus behind our move. To us, a service provider that acts in a jurisdiction where law enforcement is of quality should not feel responsible for interfering with any ethical or legal matter, as the jurisdiction in which it operates is supposed to provide all the necessities. I am thinking here of the United States of course who can through subpoenas directly access the infrastructures of the businesses incorporated in its economy,” the company says.

“On the other side, a service provider that acts in a jurisdiction where law enforcement may unfortunately not be of quality (for various reasons and by various aspects), should in turn feel responsible for interfering with some ethical or legal matters, to prevent the loophole it uses to avoid legislation it finds unacceptable (e.g. DMCA) from being turned into one that avoids pretty much any sort of legislation.”

Conclusions

Aside from setting up your own VPN service, Proxy.sh says that realistically VPN users have a couple of choices.

“You now face two options: choose a provider that tells you when it will intervene on its network (even though you can’t be 100% sure it will actually tell you all the time), or choose one that actually never tells you anything.

“I don’t know about you, but for me I actually prefer one that at least keeps me updated about some, especially when one states that he does keep me updated about all of them,” Proxy.sh concludes.

The big question is this – what are customers happy with?

A VPN provider who states clearly no logs and no monitoring/logging but may or may not be forced behind the scenes to do so anyway? Or one that claims no logs, some monitoring/logging based on ethics, but promises to keep people informed?

Would customers prefer it if their VPN provider took the stance of a mere carrier and kept out of their business completely, or would subscribers be more happy knowing that their provider is taking an ethical responsibility for the data flowing through their networks in order to reduce harm?

The decision, is yours….

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.