If government comes to you and says you must send data here and there or log this and that and you must not tell anybody about it, then you have to comply and you can't do much about it even with your best intentions. I don't think it should be like this but as far as I understand it is the current state of affairs.
Even if they shouldn't be able to force you to do some things the best you can do is take them to court, still completely outside public eye, and they can provide some plausible reasons regarding say national security which are likely pretty much impossible to verify.
> government comes to you and says you must send data here and there or log this and that and you must not tell anybody about it, then you have to comply and you can't do much about it
Eh, this is unsettled law [1]. If you have logs and the U.S. asks for them, you must turn them over. But it's unclear the U.S. can compel you to write new software.
> Swedish authorities have no legal right to force developers to write any software.
“A party which conducts activities which are subject to a reporting obligation pursuant to Chapter 2, section 1 of the Electronic Communications Act (2003:389) ("LEK") is obligated, upon request of the enforcement agency, to cooperate in connection with the enforcement of covert surveillance of data.”
> 2. What significance does the law have for the Mullvad service?
> Mullvad cannot be made subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance of data since VPN services are not an activity subject to a reporting obligation pursuant to Chapter 2, section 1 of the LEK.
> If government comes to you and says you must send data here and there or log this and that and you must not tell anybody about it, then you have to comply and you can't do much about it even with your best intentions.
Even if you go the nuclear option, you might risk being arrested:
> Levison said that he could be arrested for closing the site instead of releasing the information, and it was reported that the federal prosecutor's office had sent Levison's lawyer an email to that effect.
> Even if you go the nuclear option, you might risk being arrested:
Surely, in a free society, you are free to close down your business for whatever reason you want? Someone might feel like the business is no longer fun to run for X reason, it just happen to have coincided with law enforcement wanting to add wiretaps.
He is free to close down his business//not take on new customers, but that doesn't change his non compliance with a warrant for previous customer information.
Much like you are free to destroy your belongings in general, but not once their is or there will be a legal order for their surrender (I.e. Destruction of evidence).
Regarding printing it in 0.5 font, I don't think this kind of passive-aggressive rebellious act accomplishes anything, and actually highlights how powerless he is. It caused extra work and frustration for the poor guy who got handed the job of transferring the private key from paper, but nobody else was bothered. His shutting down the service was much more of a stance.
There is also the distinct possibility that a government would just hack your system secretly if they thought it was a worthwhile target. I would assume that is the case for these well known VPN companies that operate outside US jurisdiction. The actual attacks that might be used are a different discussion but I don't think this is a remote possibility. I think it's quite likely the US government would target companies like these.
Do you know any countries where this actually works? Usually if a powerful country wants something from a small supposedly independent country, this doesn't really apply anymore. One well documented example is how the US lobbied Sweden into raiding The Pirate Bay (https://torrentfreak.com/pirate-bay-investigator-to-cash-in-...)
The Pirate Bay was openly defying copyright as defined in just about every country except Sweden with barely any legitimate use. It’s a household name for lawlessness.
That’s really not comparable to a vpn service if a significant proportion of users are using it to legitimately protect against privacy invasion when using an open WiFi network.
You don’t need to actually know, it’s enough to extrapolate from their own advertising material and the general public sentiment.
Besides, if it’s “terrorism” and “child pornography” the vpn endpoints would attract attention quickly enough. It’s not like a VPN is a magical anonymous entry into the internet, it just changes the location and mixes your traffic with other customers’.
> You don’t need to actually know, it’s enough to extrapolate from their own advertising material and the general public sentiment.
I'm pretty sure if someone is determined enough to shut down a service or force them to add logging they don't really care about the marketing material of said service. Just like EncroChat didn't brand themselves as phone brand for organized crime.
I there's an entity that wants WireGuard to add logging they'll make up a "terrorism" reason and all the existing "anti-terrorism" laws will open many doors to do just that.
Sure but with no evidence either way the task of proving it to a judge, politicians or the general public could be done pretty effectively using the companies marketing material or general public sentiment.
Encrochat was never really taken down, it took itself down because it was cracked and so lost its sole asset, the secrecy of the communications.
I don’t think that Apple “caved” per se, but the authorities seem to have found a path to what they want, and somehow Apple hasn’t been able, willing, or motivated to close those holes.
Apple also tweaked things like iMessage to make that data available in the cloud (ie available via subpoena or warrant) in most common scenarios.
Tor isn't the almighty all-in-one-solution one might think it to be. Other OPSec measures need to be take in addition to Tor. FBI agents tracked Harvard bomb threats despite Tor [1].
Admittedly from the article: "used two separate anonymity tools to cover his tracks — the routing service Tor, which covered his web traffic, and the temporary mail service Guerrilla Mail, which offered a one-time email"
Then they noticed that "that the originating IP address would have been revealed in the email header, which would have indicated Tor usage"
And from there "agents checked to see if anyone had accessed Tor through the local wireless networks. That led them to <culprit>, who promptly confessed."
Doesn't sound like they even had to engage with Tor infrastructure or Guerrilla Mail backends, just 'hmmm did a student use Tor, oh some did, let's check them out in full FBI livery' which freaked the kid out and he confessed.
It's easy to check if an IP is a Tor exit node, but unless you happen to also have egress logs it's still a thornier problem to de-anonymize without heavy resources.
> but unless you happen to also have egress logs it's still a thornier problem to de-anonymize without heavy resources.
It's an easy problem if you control the majority of the nodes. All it takes is throttling traffic on an exit node and watching which inbound traffic is affected. It is cheap for the US to fund the operation of all Tor nodes in return for the massive intelligence boost it offers.
At the end of the day, it's a DARPA project originally, I'm sure the US Gov't has been _heavily_ invested in monitoring it for a while. Still I'd argue when doing anything on the web the behemoth that is the US could probably flex some of that spending muscle to levy massive resources.
However FBI tracing bomb-threat is probably still not using NSA-level resources... given the whole not our citizens wink wink thing.
> given the whole not our citizens wink wink thing.
Intercepting encrypted domestic communication is fair game as far as the TLAs are concerned. They also always have the option of routing domestic traffic outside the country to make it "foreign origin".
Not saying that's not laudable. But any company beholden to any government that has any law with the wording along the lines of being able to get the logs of citizens using it and with a court system that can enforce such judgement then the only outcome I can see is:
1. Something happens (terrorism/cpam/insert-bad-thing-here) and a court case ensues and the defense says we don't have logs as we pipe them to /dev/null and the judge says haha nice try here's a fine that puts you out of business or worse jail time.
No matter what they think and what they advertise. They use the same silicon, same motherboards, same designs as everyone else. So, they have all the risk that everyone else has, no matter the implementation. You don't know jackshit about the silicon and the firmwares that control them.
Mullvad is not bad, but until average people don't have the means to create their own silicon in a cheapo way, you are just farting in the wind.
Sure you can never prove anything 100% but VPN providers can still make moves that make them more or less credible.