Our Ethics, Transparency and VPN Privacy
A company’s values are most often a direct reflection of the executives and CEO that run the company. One could argue that this statement is never truer than for companies that provides data privacy services. When a data privacy service potentially has access to your most private thoughts and secrets you would be wise to always keep an eye out for signs that the company does not have your best interest at heart. Sometimes it can be very hard to determine the values of the company you are trusting to secure your data and provide VPN privacy. Snowden trusted Lavabit and Mr. Levison decision to shut Lavabit down instead of playing ball with the USA Government shows that Snowden at least in this instance picked a good privacy service. Snowden clearly broke the law. Some say he even committed treason by blowing the whistle. Clearly Mr. Levison’s code of ethics was such that he could not willingly hand over the keys to Lavabit’s network without its users knowing so he choose to close shop and continue the fight in court. When VPN privacy is talked about often times the discussion of the company’s ethics is left out of the conversation completely. In a perfect world the ethics of a VPN privacy company should not be factored into the equation because in a perfect world the only person with any reason to fear their government is that one guy with insider knowledge about extraterrestrial technology being reversed engineered at Area 51 and let’s face it no one is actually going to take him seriously anyway. There are different schools of thought on “privacy services” like LiquidVPN, Lavabit, TorMail, Proxysh, Hide My Ass and <Insert Any Provider> when it comes to their terms, policies and conditions.
VPN Privacy & Blanket Policies
Many if not all VPN privacy services openly state what they do not allow on their network. Some take it a step further and assure users that they do not monitor what subscribers are doing on the network. Often times when asked about their ethics they will simply provide a blanket statement about not sharing information with law enforcement unless there is a valid court order no matter what the situation is. I believe blanket statements like this are detrimental to a VPN subscriber concerned with privacy. I do not say this because I have something against VPN providers that make these claims. I say it because VPN & privacy services that rely on blanket statements frequently use the same approach for their Terms of Service.
This is the most common method used by VPN and privacy services when implementing policies because it is provides a simple method of handling abuse in a private way and gives the VPN service plausible deniability.
Adding the Code of Ethics
Including an ethics policy is a newer school of thought taking hold in the VPN & privacy service industry. Until recently cyber criminals, Area 51 alien whistleblowers fearing for their life and hackers had more incentive to go out and seek ways to protect their privacy online. That changed when WikiLeaks and Snowden news broke. With the huge increase in every day mostly law abiding citizens signing up for privacy services like LiquidVPN many VPN privacy advocates warned that the blanket “we can do what we want with any data created on our network whenever we want and without telling you” policies of the past must be adjusted even if the VPN privacy service does not keep records. With this in mind some privacy minded VPN providers worked with foundations like the EFF to come up with policies and procedures that would allow them to be more transparent but still keep the power to deal with complaints. This resulted in the implementation of three key new features (ethics policy, warrant canary and transparency reports) put in place to verify the privacy of the network, secure the subscribers usage details and to provide the subscribers a method to keep track of what is being done to combat all forms of abuse on the network. One of the main advantages of having a code of ethics is the inclusion of a clearly defined policy that dictates what is required to file a complaint and the possible actions (if any) that the privacy service will take if the complaint is found to be valid. Some services like LiquidVPN has taken it a step further by providing a contractually binding statement to uphold the terms laid out in the code of ethics.
The Other White Meat
A lot of privacy VPN’s and services in general have chosen to tell their users that they keep a certain amount of logs. Usually in the form of time stamps, IP Addresses and other miscellaneous AAA data. This method of operating is very popular. Many of these VPN services take a lot of heat because of the amount of logging perceived but it is their network and they can run it how they see fit. The good thing about these types of services is the fact that they are being honest in what data they retain and how that data is being used. So for the most part users on these services tend to be the ones that just want to encrypt guest networks, stream Netflix content and get on twitter while they are at work. Some would argue that this is exactly what a VPN should be used for.
LiquidVPN Privacy & Ethics
Which one is right and which one is wrong is really a matter of opinion. I was of the opinion that full disclosure is and always will be the best option. After a lot of internal meetings with the LiquidVPN team, discussions with our loyal subscribers and a couple chats with the law firm that represents LiquidVPN. I felt like most of the people I spoke with agreed with me and so I decided to take LiquidVPN down the path of full disclosure. Some of you have already commented on the new sections of the website but if you have not seen them then I recommend you take a look at the transparency reports, network status reports, warrant canary and ethics policy. The reason we have decided to publish our ethics policy is because we wanted to be perfectly clear about what we do not allow on our network and to provide details on exactly how the various types of complaints we may receive are handled. This policy has given us the opportunity to create an obligation to be transparent. As part of that obligation we have voluntarily created a daily warrant canary. Our thinking behind this is if there ever comes a time when there is any type of intervention on or network by law enforcement that we are unable to report as a transparency report then until we can relocate to another jurisdiction we can stop updating the warrant canary and users can infer from that about the true status of our network. The network status reports will allow you to view issues regarding our network. Whether it be temporarily blocked services on a VPN server, a node being taken offline or even a problem on the website these public reports will be for all to see. I invite you to comment on our policies and welcome any and all questions.