Librem Tunnel and the acquisition of Private Internet Access

Before I get into it, here is some background information that you’ll need to know. First off, Librem Tunnel is basically a rebranded PIA client for PIA services.

Secondly, PIA announced this week that they are being purchased by CyberGhost. This is deeply concerning because CyberGhost is owned by Kape Technologies which used to be known as Crossrider. There is a troubling history when it comes to CyberGhost and privacy which this article explains in far greater detail than I care to as part of this post. Here are a few relevant tidbits:

Crossrider changed its name to “Kape Technologies” in 2018 – for reasons that we’ll explain below.

Then in October 2018, Kape purchased Zenmate, a German VPN provider, for an undisclosed amount. This lines up with the trend we’ve observed of VPNs getting bought up by outside investors. It is the consolidation of the VPN industry.

Now here’s where things get interesting. When you research the company Crossrider (now Kape) you learn it is a company known for infecting devices with malware.

When you research the company Crossrider, you find numerous articles about Crossrider malware and adware, such as this article from Malwarebytes:

Crossrider offers a highly configurable method for its clients to monetize their software. The common method to infect end-users is software bundlers. The installers usually resort to browser hijacking. Targeted browsers are Internet Explorer, Firefox, Chrome, and sometimes Opera. Crossrider not only targets Windows machines but Macs as well.

PUP.Optional.Crossrider installs are typically triggered by bundlers that offer software you might be interested in and combine them with adware or other monetizing methods.

According to Malwarebytes and many other reputable online security websites, Crossrider was hiding malware in software bundlers, which would then infect the user’s computer with “adware or other monetizing methods”.

So yeah for those reasons, as somebody who has been buying VPN service from PIA for the last three years, I severed my ties with them earlier this week. I want nothing to do with this company at all.

The question for Purism here is simple: Are you going to transition Librem Tunnel to a different VPN provider and if so, which ones are you considering? If not, can you explain why you don’t consider PIA’s new owners and their shady history to be an issue here?

2 Likes

This was from Kyle in the community/librem-5 Matrix channel.

Right now things are staying as they are as currently everything on that side is the same. We need to vet the parent organization like we originally did with PIA to make sure we all share the same values long term.

4 Likes

This is definitely something that needs to be followed up on. Not just in case of Librem Tunnel, but as a VPN service in general. PIA has been - so far - a very privacy oriented company.

For completeness, here’s the actual announcement of PIA:
https://www.privateinternetaccess.com/blog/2019/11/bellum-omnium-contra-omnes-the-war-of-all-against-all/

And here’s a follow up announcement that is interesting to read.
https://www.privateinternetaccess.com/helpdesk/news/posts/november-20-2019-the-continually-evolving-fight-for-freedom

This is something that should surely be discussed in detail and followed closely. The merger is not through yet, PIA is PIA still, there’s time, I don’t think rash actions are required.

Full disclosure: I’m not actually using LibremTunnel or LibremOne, as they say, don’t put all your eggs in one basket.

3 Likes

I may have the Dunning-Kruger effect when it comes to VPN, but here it comes anyway

I assume that VPN solves two main problems:

  1. prevents snooping of data transfers while mobile, and
  2. blocks the surveillance-capitalism or other spy-type orgs from building information graphs of individuals.

I set up the part of my home router that lets me OpenVPN in while I’m away to do certain things which protects me from 1, but not from 2. This VPN on my router I can connect to using the Librem Tunnel software.

I understand this post is saying that some VPNs were assumed to be protecting the users from 2 but were really just preparing to sell out their users to surveillance-capitalism companies. And now that cashing-out risk is encroaching on Purism/Librem services.

I’m wondering if this couldn’t be solved by some sort of distributed federated type cloud randomized VPN type thing.

2 Likes

Technically yes, Tor is built upon mesh-connected random-path-selected SOCKS proxies, so a similar principle could be used for OpenVPN peering - you connect with OpenVPN to your home node and then you are randomly routed via various peerings.

3 Likes

But let’s be realistic about that: even if they conclude that this relationship needs to be ended, that will take time. I would not expect anything before summer 2020.
Partially due to what’s already on their plate and needed negotiations and research, partially possibly because of contract conditions.

And obviously, before having an alternative, you don’t proclaim that PIA sucks now.

Also, where do you go?
“We chose NordVPN as they have a proven track record …”
Ohwait

(Maybe actually Nord would be a good choice, didn’t look into it, but certainly people would criticize it)

5 Likes

Protonvpn could be an alternative. With respect to Nord: I take the approach that any system has issues and data breaches are unavoidable. So sign up for your vpn with an anonymous account, use an anonymous payment method, and a unique email…

4 Likes

from your second link … “all of your web browsing data appears to originate from the VPN itself, rather than your own Internet Service Provider” - am i the only one who finds the word “appears” in this context to be confusing ?

1 Like

Here’s a great take on the PIA acquisition by Michael Bazzell on his Privacy Security & OSINT show podcast:
https://soundcloud.com/user-98066669/145-account-security-audits

Segment starts at 21:24. It’s a very basic take on the PIA acquisition, but it has interesting strategy implementation.

1 Like

Appears is correct as the traffic does technically originate from you then go to the VPN then from the VPN elsewhere. As far as “elsewhere” can see it came from the VPN (hence appears to come from the VPN), the VPN then knows which data goes back to which origin point.

Hope that helps.

3 Likes

it appears i am less confused … kind of like saying i know where the explanation originated from and that it has value but still it did not come from me :stuck_out_tongue:

but seriously who else thinks that a VPN is a great honeypot ? like taking out Protons’ service in Belarus … just when official presidential elections are taking place in that area …

UPDATE Nov. 19, 2019: We have recently confirmed that our users in Belarus can access ProtonMail and ProtonVPN once again. While there has been no official communication as to why ProtonMail and ProtonVPN were unblocked (or why we were blocked in the first place), public outcry seems to have played a part.

1 Like

Surprised no one here has mentioned Mullvad. The only one actually recommended by privacytools.io

1 Like

I was about to mention Mullvad while reading through this thread. I started using their service soon after they started some years ago and find them very trustworthy. They are Linux guys and they know what they are doing. I had correspondence with them over the years and always got helpful answers on a high technical level. I tested NordVPN for a review some time ago and tried to assess their quality of support. I found out that in parts they did not even know what some of my Linux related questions were about. So, yay for Mullvad.

4 Likes
Thread hijacking warning

Similar but different, I just found out that Amazon’s “ring doorbell” project hired an executive to oversee the facial recognition part of the project in Ukraine while denying that they are doing facial recognition.

https://foundation.mozilla.org/en/privacynotincluded/products/ring-video-doorbell/

1 Like

To be fair, privacytools.io, in their Providers / VPN section, does list ProtonVPN and IVPN under “Other VPN Providers to Consider”. For ProtonVPN however they state “Not audited” and for IVPN “No security audit”.

The only “downside” of Mullvad seems to be “No mobile clients”. Oh well, install OpenVPN and there you go. Recommendable anyway.

3 Likes

Here’s how I see it: this could either be very good (more money/resources for PIA to develop better tech) or very bad.

Presumably (hopefully) Purism has a contract with PIA requiring them to uphold user privacy. Purism should push to make sure when PIA sells to Kape, it is written into the agreement that PIA’s founders have the right to unilaterally veto any policy or product changes from the parent company which infringe on user privacy.

1 Like

Mullvad has a custom mobile client for Android:

For WireGuard you have to install the standard client:

Also, some reddit user posted a great dissertation on why you should be very wary of PIA after this acquisition announcement, especially in light of what CyberGhost is willing to admit to just in their own publicly accessible privacy policy.

Everybody here should read it.

1 Like

Agree with the Mullvad recommendation. I just left PIA after a lot of years due to this news. It’s a shame because PIA used to be a champion of its users and an industry leader in this space. But money talks. I’m not saying I think Andrew Lee and Ted Kim deliberately sold us out. I am saying that ultimately money prevailed over the users’ concerns.

This wouldn’t have been as big a deal if PIA had communicated with us better. If they had come out and said hey, this is what has to happen to make the company survive and grow, these are the benefits, and this is how we’re going to be able to PROVE that we will continue to honor our privacy policy with regular external audits, etc. then I think a lot of people would have felt good about it.

But that’s not what happened. The announcement was buried inside a ridiculous, self-important fluff piece by Andrew Lee making himself out to be like the savior of the internet for taking $95 million dollars. It was laughable. It was sad. Then, the executives went into hiding. They’ve sent support staff onto forums to keep repeating the official PR stance, but the executives haven’t come out themselves to clearly answer questions. It’s been very evasive and the opposite of the transparency I expected from PIA.

So I’m out. Started using Mullvad and really like it so far. It actually has better speeds than PIA and an easier app. For now, Purism should kick PIA to the curb and use the generic OpenVPN app (or a rebranded version of it) on the Librem 5, giving users options on which provider to use. But if you’re going to partner with a provider, try Mullvad. They are transparent, have been around for a long time, and they are growing. But sticking with PIA without proof? Well, that just won’t fly for Purism standards.

3 Likes

Reviving this thread to point out that Kape Technologies has now entered into a partnership with mobile carrier 3 Hong Kong:

This is the first co-operation between PIA and a telecom operator. PIA VPN will be available for 3 Hong Kong’s postpaid and prepaid customers who can subscribe to the service directly with 3 Hong Kong.

https://uk.advfn.com/stock-market/london/kape-technologies-KAPE/share-news/Kape-Technologies-PLC-PIA-introduces-a-new-way-of/85590953
(and there are other source documents out there available upon searching)

So that makes at least three VPN providers and one mobile carrier partnership that Kape has now scarfed up. In my opinion, this raises numerous red flags.

Edit: Also be aware of this:
In March 2021, news broke that Kape had purchased Webselenese, which is the parent company of vpnMentor and Wizcase
https://restoreprivacy.com/vpn-review-websites-owned-by-vpns/

Edit2: The review/recommendations site safetydetectives[.]com is also owned by Kape.

History of Kape Technologies’ acquisitions according to https://www.crunchbase.com/organization/crossrider/company_financials:

2021: Webselenese (Tel Aviv, Israel) - VPN review sites
2019: Private Internet Access (Grandville, MI, USA) - VPN provider
2018: Zenmate (Berlin, Germany) - VPN provider
2018: Intego (Austin, TX, USA) - Internet security/privacy software for Macs
2017: Cyberghost (Bucharest, Romania) - VPN provider
2016: DriverAgent (North Andover, MA, USA) - driver search/updater
2014: Reimage (Nicosia, Cyprus) - internet-based Windows system repair
2014: Definiti Media (Tel Aviv, Israel) - Crossrider ad network
2014: Ajillion LLC (Tel Aviv, Israel) - interfaced custom cloud-based business solutions