September 2011 will be a month that VPN provider HideMyAss will want to forget. Dozens of news outlets retold the story that an alleged Lulzsec member, allegedly partly responsible for attacks on Sony, the UK’s Serious Organised Crime Agency, AT&T, Viacom, Disney, EMI, NBC Universal, AOL and NATO, not to mention the newspapers The Sun & The Times, had used their services to remain anonymous.
But his plan failed in the biggest way imaginable. HideMyAss (HMA) keeps logs, and as a UK company, when served with a court order to hand over information, it complies. After matching timestamps to IP addresses, in the blink of an eye Lulzsec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI had their man.
While the outrage from the public has been well reported – many pro-privacy activists accused HideMyAss of becoming SellMyAss – what has not yet been documented is how elements of the VPN industry have reacted to the news.
VPN Council is probably best described as a trade organization for some, but not all, VPN providers. A document obtained by TorrentFreak which was penned by their Chief Information Officer and sent on September 25th, shows they are very concerned by recent events.
“There has been a lot of controversy, especially on Twitter, that the actions taken by HMA were the wrong ones to take. I disagree with their consensus and I believe it’s time to implement tougher security reviews on new clients signing up for any VPN service,” the memo begins.
“Earlier this year several companies in our industry had discussed ideas about a shared fraud database between VPN providers. I believe in light of this incident that a renewed call for this would be a good idea and I’d like to re-open discussions on this because if we all sit back and do nothing and continue on with normal business like nothing happened, these same folks will go around popping off more VPN companies and causing more havoc than we’ve ever seen before,” the memo continues.
“I’m in favor of strengthening our respective industry and protecting it as well. We all share the same responsibility of protecting our legitimate clients and the industry as a whole and I’d be in favor of listening to you folks and seeing what additional ideas you guys have in this endeavor.”
In the days that followed, discussions between the VPN providers went ahead and reached consensus on the foundations of an “anti-fraud database” that would be shared among them.
In a second document titled ‘PROTECTING VPN INDUSTRY: FRAUD DB’ and dated September 28th, the problem of high-profile hackers such as those from Lulzsec using VPN services is framed as a “direct threat to business survival.”
The document goes on to suggest a framework for the creation of a centralized fraud database which will enable VPN providers to “assess the quality of orders” for their services.
Items suggested for inclusion in the database (along with the supplied descriptions as provided in the memo) are listed as follows:
Fraud Data (hashed): This is a hashed piece of information that can be used to flag an order as fraud. This information could be: IPs, emails, user names (any other data susceptible of indicating fraud can be added).
Fraud Type: Identifier of the fraud type. We need to agree on fraud types list.
Hits: Number of hits (submissions from different VPN providers) this data has had. This will give more latitude to providers to decide to act on a given database result.
Submitter id: Identification of the VPN provider that has submitted the record.
An API will be created to interact with the database and integrate into payment processing systems.
Action points for the future are noted as decisions on database structure, hashing to be employed, parameters on what activities should be considered fraud and a decision on which VPN providers can access the database and who can update it. It is suggested that a single VPN provider should have responsibility for the entire list and others should have to pay their share of its maintenance costs.
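As an added illustration, and not code from the memo, from VPN Council or from any provider, here is a minimal version of the shared fraud database described above. The record layout, the two fraud type names, the unsalted SHA-256 hashing and the hit threshold are all assumptions, since the memo leaves the hash function, the fraud type list and the access rules as open action points. It also includes the check a practitioner would run before accepting that “hashed” means the shared data is anonymous: the hash of an IPv4 address is reversed by simply enumerating the address space.

```python
import hashlib
from typing import Optional

# The memo leaves the list of fraud types as an action point; these two
# names are assumed for the example.
FRAUD_TYPES = {"payment_fraud", "network_abuse"}


def fraud_hash(value: str) -> str:
    """Hash an identifier (IP, e-mail, user name) before it is shared.

    Assumption: unsalted SHA-256 over the trimmed, lower-cased value. Every
    provider must compute the same hash for the same input or lookups would
    never match, so no provider can keep a private salt; the most the scheme
    allows is one shared pepper that every member already knows.
    """
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


class FraudDB:
    """Central fraud database with the four fields the memo lists (assumed layout)."""

    def __init__(self) -> None:
        # fraud data (hash) -> {"fraud_type": str, "hits": int, "submitters": set}
        self.records: dict = {}

    def submit(self, submitter_id: str, fraud_type: str, value: str) -> int:
        """Record `value` as fraud on behalf of one provider; return the hit count."""
        if fraud_type not in FRAUD_TYPES:
            raise ValueError(f"unknown fraud type: {fraud_type}")
        rec = self.records.setdefault(
            fraud_hash(value),
            {"fraud_type": fraud_type, "hits": 0, "submitters": set()},
        )
        # The memo defines hits as submissions from *different* providers, so
        # one provider re-submitting the same value does not raise the count.
        if submitter_id not in rec["submitters"]:
            rec["submitters"].add(submitter_id)
            rec["hits"] += 1
        return rec["hits"]

    def assess_order(self, ip: str, email: str, username: str, min_hits: int = 2):
        """Score a new order: look up each identifier, return (flagged, matches).

        min_hits is the provider's own policy knob (the "latitude" in the memo):
        how many independent providers must have flagged a value before acting.
        """
        matches = []
        for field, value in (("ip", ip), ("email", email), ("username", username)):
            rec = self.records.get(fraud_hash(value))
            if rec is not None:
                matches.append(
                    {"field": field, "fraud_type": rec["fraud_type"], "hits": rec["hits"]}
                )
        flagged = any(m["hits"] >= min_hits for m in matches)
        return flagged, matches


def recover_ipv4_from_hash(target_hash: str, prefix: str = "198.18.") -> Optional[str]:
    """Reverse a 'hashed' IPv4 by brute force over one /16 (RFC 2544 range).

    Hashing a 32-bit input space without a secret hides nothing: the full
    4.3 billion addresses are a routine job for a GPU hash cracker, and
    e-mail addresses fall to wordlists the same way.
    """
    for b in range(256):
        for c in range(256):
            candidate = f"{prefix}{b}.{c}"
            if fraud_hash(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    db = FraudDB()
    for provider in ("provider_a", "provider_b"):  # constructed submitter ids
        db.submit(provider, "network_abuse", "198.18.5.7")
    print(db.assess_order("198.18.5.7", "newuser@example.com", "newuser"))
    print(recover_ipv4_from_hash(fraud_hash("198.18.5.7")))
```

The hit counter is what gives each provider room to set its own threshold, but the hashing buys less than the memo implies: whoever can query the database can test any IP or e-mail against it, and can recover stored IPs outright by enumeration.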
What is clear from the above is that the included VPN providers will begin sharing information they hold on their customers with each other (albeit in hashed form), ostensibly to combat fraud. However, the alleged activities of the Lulzsec member in question aren’t easily described as fraud, and it is far from clear how a database of this nature would have prevented, for example, Sony being hacked.
TorrentFreak contacted the VPN Council and asked how broadly it defines ‘fraud’, since, confusingly, hacking seems to come under that banner and indeed sparked the apparent need for this database. For instance, would copyright infringement come under that heading too?
“Copyright infringement is not factored into our plans,” VPN Council CIO Jared Twler told us. “This is more about financial payment fraud and network abusers/hackers. This is more to the tune of preventing federal disasters happening on VPN provider networks.”
But of course, when copyright infringement is considered serious enough by the US government it can become a big criminal issue, as recent ICE and FBI activity against sites and certain file-sharers and release groups shows.
Clearly the activities of malicious hackers cannot be condoned by the VPN providers and combating fraud is a requirement in many online businesses. But what we see here and in the Lulzsec/HideMyAss fiasco is a clash of ideals that could prove catastrophic.
Most VPN providers sell their services on the notion that by using them the subscriber becomes anonymous. It became crystal clear in September that, given the right pressure, what certain VPN providers are really interested in is upholding the law and thereby saving their own asses from ending up in court. Why this should come as a surprise to anyone is a mystery.
What does come as a surprise is how many VPN providers allow themselves to get into this conflict of interests in the first place. In the HideMyAss case the company clearly held enough information for a third party to match an HMA external IP address and a timestamp to an HMA user account, and from there to a real-life identity.
So, for the purposes of illustration, let’s dismiss the notion that the service was used to attack Sony. Let’s pretend it was a dissident, or a government whistleblower, or some other equally vulnerable individual relying on the service to provide anonymity, as advertised. Let’s be absolutely clear – thanks to the myriad logs kept by HMA, when someone really needs to count on the service, there is no anonymity that a court order can’t destroy.
Many VPN companies argue that they don’t log the sites visited but that some logs are necessary to make sure that ‘criminals’ can’t abuse their services. But logs don’t discriminate. Quite simply, criminal or not, if a VPN provider logs the external IP addresses it hands out to a user along with a timestamp, subscribers are not anonymous.
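The correlation the whole case turns on, shown as an added example rather than anything from HMA, the FBI or TorrentFreak: once a provider keeps session accounting that records which exit IP each account held and when, answering a court order is a single lookup over that table. The log format, account names, addresses and the clock-skew tolerance below are constructed for the illustration. It also goes one step beyond the article to show the only case where such a log does not pin down a single person, when several accounts share one exit IP at the same moment.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed session accounting records (invented sample data, not HMA's
# real log format). One row per VPN session:
#   session start, session end, account name, exit (external) IP assigned
SESSION_LOG = """\
2011-06-05T01:58:40Z 2011-06-05T06:12:03Z acct_1f3a 203.0.113.10
2011-06-05T03:14:00Z 2011-06-05T03:55:10Z acct_77c2 203.0.113.10
2011-06-05T02:30:00Z 2011-06-05T09:00:00Z acct_9b0e 203.0.113.11
2011-06-06T22:00:00Z 2011-06-07T01:30:00Z acct_1f3a 203.0.113.12
"""


def parse_ts(value: str) -> datetime:
    """Parse the log's UTC timestamps ('Z' suffix) into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(text: str) -> List[Dict]:
    """Turn the whitespace-separated log into session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, account, exit_ip = line.split()
        sessions.append(
            {"start": parse_ts(start), "end": parse_ts(end), "account": account, "exit_ip": exit_ip}
        )
    return sessions


def who_held_ip(sessions: List[Dict], exit_ip: str, when: str, skew_seconds: int = 60) -> List[str]:
    """The court-order question: which accounts held `exit_ip` at time `when`?

    skew_seconds (assumed tolerance) widens the window so that a clock
    difference between the victim's web server and the VPN provider does
    not cause a miss. Returns the sorted set of candidate accounts: one
    entry means the subscriber is identified outright; several means a
    shared exit IP has narrowed it to a short list rather than a person;
    an empty list means the session row no longer exists.
    """
    t = parse_ts(when)
    skew = timedelta(seconds=skew_seconds)
    candidates = {
        s["account"]
        for s in sessions
        if s["exit_ip"] == exit_ip and s["start"] - skew <= t <= s["end"] + skew
    }
    return sorted(candidates)


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    queries = [
        ("203.0.113.10", "2011-06-05T02:30:00Z"),  # one account on the IP
        ("203.0.113.10", "2011-06-05T03:20:00Z"),  # two accounts share the IP
        ("203.0.113.10", "2011-06-07T00:00:00Z"),  # nobody held the IP then
    ]
    for ip, when in queries:
        print(ip, when, who_held_ip(sessions, ip, when))
```

Nothing about the tunnel’s encryption, the sites visited or the content of the traffic enters into this; the only things that change the answer are whether the exit-IP-to-account row is written at all and how long it is kept.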
But while all VPN providers have a duty to uphold the law and be accountable to the government in the country where they are based, not all of them are required by law to carry logs – so they don’t. But who are they?
If you’re a VPN provider and take privacy seriously, contact us immediately to be included in tomorrow’s VPN anonymity report. We’ll ask you two very simple but crucial questions.