Secondly PIA announced this week that they are being purchased by CyberGhost. This is deeply concerning because CyberGhost is owned by Kape Technologies which used to be known as Crossrider. There is a troubling history when it comes to CyberGhost and privacy which this article explains in far greater detail than I care to as part of this post. Here are a few relevant tidbits:
Crossrider changed its name to “Kape Technologies” in 2018 – for reasons that we’ll explain below.
Then in October 2018, Kape purchased Zenmate, a German VPN provider, for an undisclosed amount. This lines up with the trend we’ve observed of VPNs getting bought up by outside investors. It is the consolidation of the VPN industry.
Now here’s where things get interesting. When you research the company Crossrider (now Kape) you learn it is a company known for infecting devices with malware.
…
When you research the company Crossrider, you find numerous articles about Crossrider malware and adware, such as this article from Malwarebytes:
Crossrider offers a highly configurable method for its clients to monetize their software. The common method to infect end-users is software bundlers. The installers usually resort to browser hijacking. Targeted browsers are Internet Explorer, Firefox, Chrome, and sometimes Opera. Crossrider not only targets Windows machines but Macs as well.
PUP.Optional.Crossrider installs are typically triggered by bundlers that offer software you might be interested in and combine them with adware or other monetizing methods.
According to Malwarebytes and many other reputable online security websites, Crossrider was hiding malware in software bundlers, which would then infect the user’s computer with “adware or other monetizing methods”.
So yeah, for those reasons, as somebody who has been buying VPN service from PIA for the last three years, I severed my ties with them earlier this week. I want nothing to do with this company at all.
The question for Purism here is simple: Are you going to transition Librem Tunnel to a different VPN provider and, if so, which ones are you considering? If not, can you explain why you don’t consider PIA’s new owners and their shady history to be an issue here?
This was from Kyle in the community/librem-5 Matrix channel.
Right now things are staying as they are, as currently everything on that side is the same. We need to vet the parent organization like we originally did with PIA to make sure we all share the same values long term.
This is definitely something that needs to be followed up on. Not just in the case of Librem Tunnel, but as a VPN service in general. PIA has been - so far - a very privacy-oriented company.
This is something that should surely be discussed in detail and followed closely. The merger is not through yet, PIA is PIA still, there’s time, I don’t think rash actions are required.
Full disclosure: I’m not actually using LibremTunnel or LibremOne, as they say, don’t put all your eggs in one basket.
I set up the part of my home router that lets me OpenVPN in while I’m away to do certain things, which protects me from 1 but not from 2. This VPN on my router I can connect to using the Librem Tunnel software.
I understand this post is saying that some VPNs were assumed to be protecting users from 2 but were really just preparing to sell out their users to surveillance-capitalism companies. And now that cashing-out risk is encroaching on Purism/Librem services.
I’m wondering if this couldn’t be solved by some sort of distributed federated type cloud randomized VPN type thing.
Technically yes: Tor is built upon mesh-connected, random-path-selected SOCKS proxies, so a similar principle could be used for OpenVPN peering - you connect with OpenVPN to your home node and then you are randomly routed via various peerings.
But let’s be realistic about that: even if they conclude that this relationship needs to be ended, that will take time. I would not expect anything before summer 2020.
Partially due to what’s already on their plate and needed negotiations and research, partially possibly because of contract conditions.
And obviously, before having an alternative, you don’t proclaim that PIA sucks now.
Also, where do you go?
“We chose NordVPN as they have a proven track record …” Oh… wait…
(Maybe actually Nord would be a good choice, didn’t look into it, but certainly people would criticize it)
ProtonVPN could be an alternative. With respect to Nord: I take the approach that any system has issues and data breaches are unavoidable. So sign up for your VPN with an anonymous account, use an anonymous payment method, and a unique email…
From your second link … “all of your web browsing data appears to originate from the VPN itself, rather than your own Internet Service Provider” - am I the only one who finds the word “appears” in this context to be confusing?
“Appears” is correct, as the traffic does technically originate from you, then go to the VPN, then from the VPN elsewhere. As far as “elsewhere” can see, it came from the VPN (hence it appears to come from the VPN); the VPN then knows which data goes back to which origin point.
It appears I am less confused … kind of like saying I know where the explanation originated from and that it has value, but still it did not come from me.
But seriously, who else thinks that a VPN is a great honeypot? Like taking out Proton’s service in Belarus … just when official presidential elections are taking place in that area …
UPDATE Nov. 19, 2019: We have recently confirmed that our users in Belarus can access ProtonMail and ProtonVPN once again. While there has been no official communication as to why ProtonMail and ProtonVPN were unblocked (or why we were blocked in the first place), public outcry seems to have played a part.
I was about to mention Mullvad while reading through this thread. I started using their service soon after they started some years ago and find them very trustworthy. They are Linux guys and they know what they are doing. I had correspondence with them over the years and always got helpful answers on a high technical level. I tested NordVPN for a review some time ago and tried to assess their quality of support. I found out that in parts they did not even know what some of my Linux-related questions were about. So, yay for Mullvad.
Similar but different, I just found out that Amazon’s “ring doorbell” project hired an executive to oversee the facial recognition part of the project in Ukraine while denying that they are doing facial recognition.
To be fair, privacytools.io, in their Providers / VPN section, lists ProtonVPN and IVPN under “Other VPN Providers to Consider”. For ProtonVPN, however, they state “Not audited” and for IVPN “No security audit”.
The only “downside” of Mullvad seems to be “No mobile clients”. Oh well, install OpenVPN and there you go. Recommendable anyway.
Here’s how I see it: this could either be very good (more money/resources for PIA to develop better tech) or very bad.
Presumably (hopefully) Purism has a contract with PIA requiring them to uphold user privacy. Purism should push to make sure when PIA sells to Kape, it is written into the agreement that PIA’s founders have the right to unilaterally veto any policy or product changes from the parent company which infringe on user privacy.
Agree with the Mullvad recommendation. I just left PIA after a lot of years due to this news. It’s a shame because PIA used to be a champion of its users and an industry leader in this space. But money talks. I’m not saying I think Andrew Lee and Ted Kim deliberately sold us out. I am saying that ultimately money prevailed over the users’ concerns.
This wouldn’t have been as big a deal if PIA had communicated with us better. If they had come out and said hey, this is what has to happen to make the company survive and grow, these are the benefits, and this is how we’re going to be able to PROVE that we will continue to honor our privacy policy with regular external audits, etc. then I think a lot of people would have felt good about it.
But that’s not what happened. The announcement was buried inside a ridiculous, self-important fluff piece by Andrew Lee making himself out to be like the savior of the internet for taking $95 million dollars. It was laughable. It was sad. Then, the executives went into hiding. They’ve sent support staff onto forums to keep repeating the official PR stance, but the executives haven’t come out themselves to clearly answer questions. It’s been very evasive and the opposite of the transparency I expected from PIA.
So I’m out. Started using Mullvad and really like it so far. It actually has better speeds than PIA and an easier app. For now, Purism should kick PIA to the curb and use the generic OpenVPN app (or a rebranded version of it) on the Librem 5, giving users options on which provider to use. But if you’re going to partner with a provider, try Mullvad. They are transparent, have been around for a long time, and they are growing. But sticking with PIA without proof? Well, that just won’t fly for Purism standards.
Reviving this thread to point out that Kape Technologies has now entered into a partnership with mobile carrier 3 Hong Kong:
“This is the first co-operation between PIA and a telecom operator. PIA VPN will be available for 3 Hong Kong’s postpaid and prepaid customers who can subscribe to the service directly with 3 Hong Kong.”
So that makes at least three VPN providers and one mobile carrier partnership that Kape has now scarfed up. In my opinion, this raises numerous red flags.