VPN just shifts the trust from your ISP to the VPN company.
It doesn't matter where they're based. If you pay with a credit card under your real name, the burden of risk is always on you, and if the company has agreements with whichever jurisdiction you are in, then they will collaborate with LE.
That said, trust is fickle: the ultimate example of why not to put trust in companies was WoSign/StartCom.
WoSign acquired StartCom because they were a trusted fresh player with a still untarnished name and available cheaply (also thanks to Eddy Nigg and his investor Wes Kussmaul, who both saw no conflict of interest and indeed claimed in public that Eddy didn't know who the buyer actually was until it was too late).
When somebody shows up with a fat cheque and tells your VPN company that Christmas came early, and that they're being bought out, then you have no reason to continue to trust, right? Yet people do continue to trust (see the N.N. Taleb Turkey problem). People then are forgetting that their trust assumption actually doesn't hold when the main mode of growth for the company is M&A and not product development & innovation.
When trust is just a commodity that can be acquired and resold willy-nilly by some people with enough cash, then the product/service is automatically snake-oil (no matter if the crypto and the implementation of the software is 100% rock solid and was written by gods).
For VPNs a good rule is to choose a neutral company that has very little in common with you. If you are doing shit in Iran, don't use an Iranian VPN company. Likewise, if you do shit in Russia then a US/UK VPN should be safer than a VPN located in Cyprus.
If you do "shit" against Turkey, with a VPN in Australia while you are based in Taiwan that's 3 jurisdictions and much better than doing shit against Turkey connecting from Australia with your VPN based in Australia.
Finally it is best not to do shit, but sometimes doing shit is the only way crimes by governments and those in power can be exposed.
Not to forget that sometimes the definition of shit changes over time and while the things you were doing were not classified as shit at the time, after a certain date they might become (even retroactively) so.
I thought the VPN protects me from US tech firms scooping up my data. Private browsing + VPN means each session looks like a new person and they can’t tie my browsing back to me (pretty innocent browsing but still).
Not quite. Try using Panopticlick [0] for an overview of how your browser can be tracked. Less unique is better. There are also sometimes new methods discovered to track users, but that's not something you would usually care about.
Firefox has good settings you can set in about:config [1].
If you don't have WebRTC disabled, there's a good chance a service can get your public IP address directly.
Make sure you're not using an operating system that would be unpopular among the IP block you're VPN-ing through. Also, better have the same browser, screen resolution, fonts installed, ...
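The "less unique is better" metric Panopticlick reports can be worked through on a small constructed population. This is an added example, not code from the thread or from Panopticlick: it computes the anonymity set (how many browsers share a fingerprint), the bits of identifying information log2(N/k), and how hiding one attribute, as disabling WebRTC or blocking font enumeration does, grows the set. The attribute names and sample population are constructed.

```python
"""Panopticlick-style uniqueness metric for browser fingerprints.
Added example; the population below is constructed, not survey data."""
from collections import Counter
from math import log2

# Attribute positions in a fingerprint tuple. Real fingerprinting scripts
# collect far more (canvas, WebGL, plugins, WebRTC-revealed IPs, ...).
FIELDS = ("browser", "screen", "timezone", "fonts")

# Constructed population of 10 browsers: one very common configuration,
# one fairly common one, and one lone outlier.
POPULATION = (
    [("Chrome/Windows", "1920x1080", "UTC+8", "default")] * 6
    + [("Chrome/Windows", "1366x768", "UTC+8", "default")] * 3
    + [("Firefox/Linux", "2560x1440", "UTC+1", "extra")]
)


def anonymity_set(population, fp, ignore=()):
    """Number of browsers indistinguishable from fp when the attributes
    named in `ignore` cannot be observed (e.g. fonts blocked)."""
    keep = [i for i, name in enumerate(FIELDS) if name not in ignore]

    def project(t):
        return tuple(t[i] for i in keep)

    counts = Counter(project(t) for t in population)
    return counts[project(fp)]  # 0 if fp matches nobody


def identifying_bits(population, fp, ignore=()):
    """Surprisal log2(N / k): how many bits an observer learns about which
    user this is. log2(N) means fully unique; 0 means everyone looks alike."""
    k = anonymity_set(population, fp, ignore)
    if k == 0:
        raise ValueError("fingerprint not present in population")
    return log2(len(population) / k)


if __name__ == "__main__":
    common, rare = POPULATION[0], POPULATION[-1]
    for fp in (common, rare):
        print(fp, "shared by", anonymity_set(POPULATION, fp),
              "browsers -> %.2f bits" % identifying_bits(POPULATION, fp))
    # Hiding a distinguishing attribute merges fingerprint classes.
    print("common, screen hidden:",
          anonymity_set(POPULATION, common, ignore=("screen",)))
```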
Likely the reason why a lot of VPN apps are Chinese is because there is an actual demand for VPN usage in China.
You then multiply that with the population size (19% of the world is Chinese or roughly 1 in 5 people in this world) and you will have a massive market to grow for local Chinese VPN developers and for them to prosper.
The article author sounds surprised but it is quite logical if you think about it.
This is not entirely true. Some, if not all, of these companies start outside of China, but end up getting bought by Chinese capital. I do not have a source for this, I just know from my chat with friends.
It works both ways. I used to use a shadowsocks based service called "God Use VPN" or 佛跳墙 in Chinese, which is a dish name. It was so popular, to the extent that Google Translate used to believe that the English name of that Chinese dish known as "佛跳墙" is "God Use VPN".
It was recently sold to a foreign owner and stopped providing any Chinese-based services - if you send them some emails in Chinese, you get English responses. Pretty clear sign that they quit the Chinese market for whatever reason.
> Pretty clear sign that they quit the Chinese market for whatever reason
Well, I'm not very sure, but we had a few crackdowns on VPN selling recently in China; some people even received prison time plus a fine.
It's not very safe to operate a VPN company in China, so maybe the best way is to sell that hot potato to whoever wants to take it. The only exception is probably "Game Accelerator"(s), which is a special type of VPN that only transports game traffic.
In fact, they don't care that much if you are deemed reliable, like some state institutes or researchers; there is a privileged net, CSTNET, for those people, and they don't block anything on that. They are far more lenient on English sites, presumably due to the requirement of a high education level to read them.
And there is a university net, it's slightly less blocked than public nets.
They've charged someone for selling VPN online, but charging users is effectively improbable due to the sheer number, but since Chinese laws are generally vague, and judges and prosecutors are easily influenced and arbitrary on party security cases, they can always pick a couple of guys off to make a statement or set an example, like "Sabotaging Computer Systems".
That myth was perpetuated for a long time. So far, I have not seen any genuine "unblocked network" in China. The few companies and universities with campus-wide unblocked internet simply use VSAT, or just a regular VPN. I've been on Microsoft's campus once, and the external IP of their wifi was that of an HK colo, same with the famed "very secret" Nottingham uni network that had Singaporean IPs.
Not even people in Qinghua (number one uni in China, if you don't count central party school) I know, know of anything that amounts to that.
The very same thing with MPLS, and allegedly "physically uninterrupted" links to HK. They also have GFW on them.
There is nothing that amounts to "officially permitted VPN" in China. That's a myth.
The only things that amount to that are microwave links to HK/Macau, HK SIM, VSAT, or a cable across Sham Chun, and all of these are being actively looked for by police and three letter services.
Some are based in e.g. Hong Kong which is in China but separately administered. (E.g. Chinese residents in Hong Kong are allowed dual citizenship while mainland Chinese are not.)
Heck, many free mobile VPN apps don't even encrypt your traffic. An analysis of VPN apps on Android done back in 2016 found 84% leaked IPv6, 66% leaked DNS, 38% contained malware... and 18% didn't even encrypt anything...
I don't trust any free VPN.
You can install a VPN yourself (for example using the open-source Outline). There are many choices: AWS, Google Cloud, Vultr, DigitalOcean...
I say this a lot, but running your own VPN service loses almost all the privacy. This is something people don't bring up when they recommend doing it.
With a paid VPN service, part of the attraction is that you're one of quite a few users on any given server at any given time.
Edit: If your only goal is to get past stuff that's blocked, that's different. Though if you get a VPS, you're still using an IP in a range that's likely to be blocked if a service doesn't want VPN traffic.
If a provider is offering free and paid plans, the free plan is usually used to attract customers to try your service. The free plan is "paid off" with money that would otherwise go to marketing.
Mullvad offers unlimited 3-hour trial accounts. A few days messing around with that was enough for me to decide to become a lifetime customer.
That's the correct model for onboarding with free services, not offering a free service tier with restricted speeds.
It's simply stupid as a user to forward all of your traffic to another company for free. Thus any VPN that offers such a service does not believe in fully educating its users of the dangers involved in using a VPN, and are operating at an ethical boundary.
I feel like I could theoretically just spend an hour writing a script to abuse acquiring the apparently unlimited Mullvad trial accounts, and just post it on GitHub. Sounds like a business problem.
You can't be suggesting that the first time someone attempts to do something like this on a large scale, that Mullvad's team would be surprised.
You surely can't be suggesting that this didn't come up in meetings, and that the opportunity cost wasn't determined and taken into account when offering this trial service.
The painlessness of the service, along with the encouragement to generate as many new account numbers as needed while testing, along with allowing full feature access without throttling, meant that I generated two weeks' worth of trials before finally deciding Mullvad was right for me.
But now I know they are right for me, and as I said in an earlier post I am now a customer for life. As long as nothing changes, that will remain so, and I will, as I am now, frequently proselytize their service and encourage others to try them out for free. I'd say they calculated the opportunity cost correctly.
I'm not suggesting that they didn't think of it or that it would be surprising, I'm suggesting that if it were to be abused, it could downgrade the experience of paid users until they noticed and fixed the situation. I just believe that VPNs which offer only some servers to free users or limit bandwidth have a good model.
You can easily pay an ISP $50/mo for broadband, so why should you trust a paid VPN that will handle all your traffic for only $5-8/mo on top? Is the difference all infrastructural costs? What about those cheap $3/mo VPNs? Where do you draw the line?
I presume the majority of that difference is because there's a healthy market for VPNs with practically no barrier to entry, whereas your ISP is a monopoly usually, or a duopoly if you're lucky.
Not outside the US. E.g., in our apartment, we can subscribe to fiber, cable, and DSL. On fiber and DSL, there are many ISPs to pick from. However, the prices are still similar to the US (you just get a lot more bandwidth for the same price).
I think it is more that the costs of running an ISP are much higher: you do not only need peering, but the networks including the last mile need to be put in the ground and maintained. Plus, to some extent, people in areas with high-density populations subsidize expansion into lower-density areas.
The VPN market is really different. In principle anyone could start a VPN using just a VPS (it wouldn't be the best, but many VPNs are terrible anyway).
I assume that the VPNs buy bulk bandwidth, and also they have to compete with each other, whereas the ISPs have to run (or lease) the actual lines to my home.
I'm not surprised, because the Chinese also have the most need for a VPN. Contrary to the article I think them "trying to keep a low profile" is not a bad sign at all, and you shouldn't really need to worry about privacy if you're using end-to-end encryption through the VPN.
Privacy is not a big concern for the Chinese based VPN services. It's useful for both accessing websites blocked inside China, and also Chinese content blocked outside China.
Almost all of the utility apps (battery cleaners, RAM optimizers etc.) are owned by Chinese, and they are a bigger threat than VPN services. They have a huge footprint of devices outside of China, and have a lot of permissions granted.
Not a VPN that supports P2P filesharing, but a VPN where the users are the "servers", like Hola used to be before it started sucking (can't even select country now without paying).
I wouldn't recommend using one. P2P VPNs are great for people to commit crimes with, so unless every time your VPN is off, you want to be solving reCAPTCHAs all day, and not be able to make a purchase online, I would avoid it.
P2P VPNs don't offer much in the way of privacy, decentralization is only better in theory here. For unblocking services, many normal VPNs can do this fine as well.
Is this really something desirable? It seems like it would be asking for somebody to commit crimes using your connection (without the plausible deniability/justification that you are running a VPN company).
Providing VPN services is almost illegal in China. The party doesn't ask for logs; it shuts down VPN services and punishes the providers. So the odds of a VPN provider sharing logs with the government are ironically low.
The party doesn't need to offer them a free VPN. Instead, it figures out what VPN services they are using and shuts them down. It goes as far as using machine learning to detect VPN traffic.
I guess this is more effective because dissidents are a very small subset of VPN users, and application layer encryption makes it hard to extract much information even if you can monitor VPN traffic.
Given the scale of VPN usage in China, it's unlikely the party could do anything about it even if it got access to some logs. The vast majority of the users of these services inside China are most likely a very educated group of people, like academia, software engineers, scientists etc. Large tech companies usually have some way for their employees to access banned websites in China, but mostly just for accessing tech related information. It's just yet another gray area.
My guess is that the once ubiquitous Chinese VPN companies one found ads for everywhere in China have been driven out of the local market, leaving people with gear and no customers; moving to courting offshore (from China) customers is the obvious move for these guys.
"If you aren't paying for it, you are the product".
Also, VPN isn't a magic cure for the disease of privacy violation. You are just choosing to trust the people running the VPN service over the people running your ISP. Should you trust a VPN company more than your ISP? I really can't say, but VPN isn't a magic fix.
Sorry, but this is just not true at all. There are thousands of open (and closed) source projects, software, and services that do not fall under this silly statement.
Does it mean that if you do pay for a product, that you still can't "be the product"?