So that, instead of the US using legal formalisms to gain access to your data, they can simply (under our law) hack it directly? While at the same time, whatever host country is involved can use their legal formalisms to get access to the data? How is that helping you?
It helps me because I use nested VPN chains. And because I alternate jurisdictions. With the goal of complicating log collection.
But in any case, I don't count on nested VPN chains for serious anonymity. Mostly I use them to avoid hassle from torrenting. And conversely, torrenting provides cover traffic, and as well a plausible reason for using VPN services.
But mostly I use nested VPN chains to hide Tor use from local observers. Because Tor usage is far less common than VPN usage, and so far more of a red flag for increased surveillance.
There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.
Nah, he's right. The Core Secrets leak said the FBI was using some secret method to "compel" domestic targets to do the "SIGINT-enabling" of their networks. It might have been just fines and jail threats under the secret court (FISC). On top of that, the Patriot Act let them hold people indefinitely, they were kidnapping folks at airports for "extraordinary rendition" (torture), and there's the old civil forfeiture laws on top. That's the extreme stuff.
Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.
Pro tip: don't host anything that's supposed to be private in the U.S. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.
ISPs and VPNs have different laws than, for example, email providers. Further, Yahoo Mail would be storing data (thus "voluntary" logging, or in their case, there are few ways around it to deliver their services in any kind of usable way).
I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is in contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.
That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.
That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.
We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.
You're saying that organizations can avoid being subject to providing data if their service does not store the data. But I am not convinced. If the NSA or whatever 3 letter agency demanded the data be made available in a secret court, the company would have no choice but to comply.
They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.
Before all this information got leaked, nobody knew about FISA section 702, nor had any idea how it was being interpreted and acted on by government agencies. I think it's quite clear that the secret courts in the US put huge demands on organizations to share and collect data on the government's behalf. Even worse, the organizations cannot even publicly disclose information from the proceedings.
Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.
Perhaps not (I’m not certain about the issue), but they can be forced to hand over their private keys to let the NSA [ed: or other agency] do the logging for them – as happened with Lavabit.
Good catch, although... I looked it up, and apparently in Lavabit’s case the demand (under the Stored Communications Act) was actually issued by the FBI?
Because if you are going to carry out a propaganda campaign to destabilize or realign <non-Russian country>, then being able to identify the interests and vulnerabilities of each particular propaganda target is useful. Modern international propaganda includes what is exactly, or is equivalent to, targeted advertising, and everything useful to such advertising is useful to nation-state propagandists.
We've actually seen this in action throughout the West, including but not limited to the US, recently, so it's not merely a theoretical concern. We are no longer in a world where you need to be personally important to be a target of foreign nation-state information gathering and targeting, because the same factors that make that scale for private actors and your home government make it scale for foreign governments that may potentially be opposed to or wish to influence your home government.
Clarification: The point is to use nested VPN chains, alternating between jurisdictions that don't readily cooperate. And ideally, are virtually at war. Interleaved with ~neutral jurisdictions, to reduce oversight.
Why would the US care about you? And that's on top of the fact that the policy and regulatory regime in Russia has (over some years and quite openly) moved towards essentially full legal interception capability of everyone's internet comms. Roskomnadzor is out there actually doing the stuff the imaginary messageboard NSA does.
The Aristocrats? Lost me there, and I refuse to search.
It's really very simple. The VM host that I'm using connects to a mainstream VPN service, which is quite popular for torrenting and such, using a server in the EU. Through that VPN tunnel, I connect with a different VPN service, which operates in someplace like Russia.
Then, through that tunnel, I connect with a third VPN service, which operates in some ~neutral country. And so on, until I'm satisfied, or the latency blows up. I'm happy with 0.5-1 second, for whatever that's worth.
After the third VPN or so, I typically connect with the Tor network. And if I'm really feeling paranoid, I add some hidden service VPS proxies, just for fun.[0] Or a homage to Kevin Mitnick, if you like.