"One canary is not enough": VPN services are increasingly being asked for user data

As practice shows, the declared image and the real nature of the interaction of the owners of VPN services with the special services of different countries can have significant differences. Let’s discuss how events are developing in this niche and what to expect in the near future.

What’s happening

Every year, VPN services are increasingly drawn into proceedings related to the illegal distribution of content and various offenses. Typically, the owner companies are involved in these cases as a third party – they receive requests to disclose the data of users who are suspected of something by plaintiffs, law enforcement agencies or special services.

Often, such requirements are successfully ignored due to the technical features of the operation of services or the so-called “no logs policy”, which excludes the storage and transfer of user data to any organizations and structures. Another thing is that sometimes such a policy acts mostly in words, but in practice it does not allow VPN services to fulfill their promised promises due to their incomplete or selective implementation.

Marketing vs reality

Known situations, when companies operating the infrastructure of VPN services quickly enough handed over logs, flavored with a significant amount of other data, which initially “did not plan to collect”, or even at all could not transfer by virtue of belonging to another jurisdiction. In the latter case, it would be possible to do without the drain from the VPN service: the suspect carried out his dark affairs both from his personal and from a work computer, which simply forgot to “protect” in time and properly cover his tracks.

Similar case happened to a British service, to which law enforcement officers went out because the attackers only mentioned its name in the chat. Whether their logs and data were useful in the investigation is difficult to say.

Similar business on the distribution of the digital version of the painting “Fall of an Angel“Is currently being reviewed by the Federal District Court of Colorado. The essence of the proceedings boils down to the fact that the copyright holders were unable to obtain anything from the VPN service that the pirates allegedly used. The owner company had implemented a no-log collection policy a few years earlier, and proved her performance in court under another claim.

Another thing is that the torrent tracker used by the cybercriminals to distribute the movie quickly enough provided the available logs and information, including email, IP addresses and information about downloads in the accounts of more than a dozen users. Now the copyright holders are waiting for an answer to their request to mail services and believe that the very fact of working with a VPN suggests that users of such services have something to hide.

Where this rhetoric can be prompted by various courts, regulators, legislators and public opinion, it remains only to speculate and guess.

Of course, it happens that a company really does everything possible to implement the declared “no logs policy”, but for one reason or another misses out of sight vulnerabilities on the side of the used data center… It turns out that in this situation, the VPN service can be indirectly accused of not keeping its promises in the end.

Is the canary alive

In most cases, requests come along with a requirement not to disclose the very fact of the call and the subsequent exchange of data. But a few years ago, IT companies made an elegant attempt to notify the audience – they started to do it with the help of a “warrant canary”. It could be a badge or a separate page where the organization noted that it has not yet been contacted with a request to disclose personal data. As soon as the badge was removed, updated (or intentionally not updated), the company’s clients and users of the site received an unambiguous signal that “something” was happening. Somebody even introduced a canary update schedule and signed each one with a PGP key.

This practice was popular in the mid-2010s, but it didn’t last long. Many, including Signal founder Matthew Rosenfeld, spokethat their lawyers do not see the point in such activities. A similar opinion become adhere to large companies like Apple, and in some countries the “canary issue” decided at the level of legislation.

VPN services were no exception: some started behave strangely, others still continued regularly update the status and report on the “canary”.

What’s next

Even if you use services influenced by countries participating in the rapidly expanding Five Eyes Alliance, this does not mean that they necessarily store logs and user data. There are no direct requirements for VPN owners in this regard.

But in these jurisdictions, the request of the authorities and special services for a potential introduction of significant restrictions end-to-end encryption. Will he achieve his goals, or will we still see more more cases with receiving data through various loopholes on the side of hosters and data centers, will show the further development of events. Moderate resistance from VPN services can play an important role in this process.

What else to read on the topic: