Lulzsec fiasco - from HideMyAss VPN provider (hidemyass.com)
95 points by gapanalysis on Sept 23, 2011 | 61 comments



I find it curious that they first state this:

"As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order"

And then this:

"In 2005 we setup HMA primarily as a way to bypass censorship of the world-wide-web whether this be on a government or a corporate/localized scale."

If censorship is government driven, it means that the law prohibits you to see some things. If you still do it, you get arrested because you are breaking the law. This is an illegal activity and they should cooperate with law enforcement, as stated in the first point.

So, how do they decide what is illegal but permitted and what is not? If they allow some illegal behavior and not some other, they are actually judging the morality of an act, and not whether it respects laws.


"Illegal" only has meaning within the context of a jurisdiction. Compare the rules on shooting unarmed burglars in California vs. Texas, for example.

The only reasonable way to read the article is to understand that "illegal" is shorthand for "Illegal in my jurisdiction, and in jurisdictions with enough power to get local law enforcement to turn the screws on me." It is simply impossible to follow all laws written by all countries; what is prohibited by one country may be mandatory in another.

No ISP in America is going to care if you post what would be protected speech in America from China where it may be illegal. From the point of view of the American courts, breaking that Chinese law is actually a public service; here, the right to say bad things about our government is protected by our highest laws.

So yeah, I see no contradiction. The company is trying to obey laws that apply to them, and allowing customers to break laws that are outside of their jurisdiction.


I guess to them "censorship" is something only other countries do, not their own. I notice a lot of companies, and even the Government itself, want to fight against censorship in other countries, but when it happens in the US, they're more than happy to comply, and sometimes they do it with just one phone call, like in Amazon or Paypal's case with Wikileaks.


I came in here to ask exactly that. They explicitly "forbid" illegal activity and then immediately promote their service as a way of breaking other countries' laws.


Exactly - I think they're a bit confused in their language. When HMA say:

"our VPN service and VPN services in general are not designed to be used to commit illegal activity"

...what they actually mean is:

"...not designed to be used to commit illegal activity in the USA"

Clearly one of their main selling points is the ability to circumvent censorship in countries where that's a problem. For better or for worse, trying to get around such restrictions can very well be illegal.

Of course, I'm not saying trying to get round oppressive censorship is a bad thing. Of course it's not - but HMA don't seem to acknowledge the hypocrisy of on the one hand saying "use our service to get around your government's laws" whilst on the other saying "but don't do any illegal activity!".

The real reason HMA have that attitude is that being based in the US they have everything to fear from US government action. This is the same reason online poker sites actively and aggressively block US players - because chances are at some point in the future you're going to do business in the US, and you don't want it coming back to bite you in the ass.

Similarly, why should HMA care about China or Iran getting upset at their service? But it's much more inconvenient if the FBI starts poking around, because they're based in the USA (I think).


We are not based in the US, we are a UK company, and operate using UK law only.


The simple answer is that if a vendor provides a technology that can be used to facilitate crime, that vendor emphasizes that they made the technology for some nominally lawful purpose. The record companies asserted that cassette tapes were designed to infringe copyright; the manufacturers stressed that they recorded whatever and there were lots of non-infringing uses for them. Plausible deniability as a strategy perhaps.


That's not the answer.

DeusEx's question boils down to, "why does the company claim to serve law-breakers (here: citizens breaking censorship), but as soon as law enforcement knocked on their doors, they gave all the info away". Which is a fair question to ask.

Somehow, the company claims to serve only ethical law breakers, and they want to do the judging on ethics.


I read it that Deuce set up a strawman: "If censorship is government driven, it means that the law prohibits you to see some things. If you still do it, you get arrested because you are breaking the law. This is an illegal activity and they should cooperate with law enforcement, as stated in the first point."

The fallacy here is embedded in the amphiboly that 'government' in the first part is the same 'legal basis' in the second part. There is no law in the US about getting around Chinese censorship, nor does skirting the web nanny protections of a high school rise to the level of law breaking, so much as terms of service breaking (which is a civil matter).

HMA can, and does, claim they have legitimate uses. In order for them to be tolerated by 'law enforcement' they must have such uses otherwise they are simply hunted down like any other criminal activity.

But they also have to cooperate with the authorities when it is brought to their attention or face becoming tainted by illegal use of their service. Another good example of this is BitTorrent, right? They have a service which some people use to infringe copyright but the service isn't about that, it's a "general purpose peer to peer data distribution engine."


Always interesting to see what HN downvotes.


> If censorship is government driven, it means that the law prohibits you to see some things

I don't think that's strictly true. Governments exert themselves in a number of ways that amount to 'soft censorship', and it is often neither illegal nor very difficult to circumvent these measures. They just want to make it inconvenient, and create an appearance of distance/disapproval. Politics rewards such hypocrisy.

For example, content filters on government-workplace or government-accommodation internet access. They may not really care if you tunnel around them – it's rarely illegal – they just want to make sure there's no appearance they condone the activity.

Even things like the national internet blacklists can fall into this category. They might require ISPs to block certain direct routes to disfavored sites, making access inconvenient. But the legal mandate is not to block all access via all means, and if you figure out how to access the target sites, you may not have broken any law (depending on what content you then copy/disseminate yourself).


This terms of service page is hard to find. Earlier today I could not find it, but it was quoted in some article.

Now I have been successful: I have found a link to a terms of service page from the HTML sitemap page, it is here:

hidemyass.com/proxy/tos/

There is this statement:

"We reserve the right to cooperate with law enforcement agencies who are investigating criminal activities from abusive web proxy users."


I don't know what else a company can say than "we choose to comply with court orders rather than face the consequence of not complying." The comment about bypassing censorship doesn't seem to have any value other than to placate users of the service.


It's quite ironic how he says "Our VPN service and VPN services in general are not designed to be used to commit illegal activity", and then "there are many other legitimate uses such as the ability to unblock GEO-restricted websites."

Hello, why do you think most of those sites are geo-restricted? Because of copyright laws. Circumventing those blocks in most cases means you're breaking those laws -- at the very minimum, you're breaking contractual obligations that you and the service are supposed to obey under penalty, and at worst you're committing fraud by claiming you come from a different country. By caving to the court order without a fight, HMA's owner opened the gates to every copyright troll under the sun to come knocking for logs, court order in hand.

I'm the first to admit I've used HMA's webproxy to get around some stupid company firewall; I knew perfectly well I was breaking company policy and could have been sanctioned. I clearly relied on HMA not to spill the beans. It's called HIDE MY ASS, for g*d's sake. Nice to see I was wrong.

A privacy service lives or dies on its reputation, and HMA's reputation is now gone forever.


> Hello, why do you think most of those sites are geo-restricted? Because of copyright laws. Circumventing those blocks in most cases means you're breaking those laws -- at the very minimum, you're breaking contractual obligations that you and the service are supposed to obey under penalty, and at worst you're committing fraud by claiming you come from a different country.

Using a different IP address is, in absolutely no way, a mechanism for claiming that you come from a different country.

If I live on the Canadian border, and get my internet access via long-range wireless from the US, am I committing "fraud" by presenting a "US" IP address?


If it can be proved, above reasonable doubt, that you're using that IP on purpose, with the only aim to bypass such geographical restrictions on content distribution against the will of content owners... well, it'll be a tough day in court.

Note that I'm not saying that IP == actual physical person or GeoIP == actual physical location. A lawyer would have to prove that you were using that computer, with that specific IP, on that date-time, and you were accessing that content in full knowledge of the fact that only US-based consumers were allowed to do that... Which is very difficult, but not impossible. Laws are always interpreted, at the end of the day.


Then they'd have to show that spoofing your country was actually illegal, as opposed to just against their policies. Don't fall into the trap of equating terms of service with laws.


Throwaway account here.

I've actually done work for the owner of this website, on this particular service (front end) and another couple services that he runs (back end). He is a good guy - I believe people are reading into this a bit too much. In the end, he is just like us; trying to build a business/s. He runs a few websites that are fairly successful, and I believe he sold one a year or so ago - good for him. I don't think he means any harm, or is trying to make a political statement - or be righteous in any way. He is just a guy, trying to make a buck. Maybe he made a mistake in the way he handled this, maybe he didn't.

For other people making comments about double standards, when he obeys US law but is circumventing the laws of other countries: the fact is, he is a citizen of the UK, not the US. Just put yourself in his shoes - you run this website, the US govt. comes knocking at your door looking for records - what do you do? Thought so.

It happened. A guy committed a crime in a country with a lot of influence. Said influence persuaded another guy to hand over records and he complies (or else face the consequences). Move on.


And if the U.S. decides to assist with some other country's pursuit of a political dissident? Do you help then, too?

> You run this website, the US govt. comes knocking at your door looking for records - what do you do?

You truthfully say that you don't have any records to provide, because responsible privacy services don't log their customers' activities. I think that's the one part of this situation that I don't understand: why were there records in the first place?

Regardless, a lot of his customers -- the ones providing half of his revenue for this business -- are now aware that the service monitors their activities.


He states that only two things are recorded - the time you start using the service, and the time you stop.

I assume the FBI pieced that crime together based on this data. I honestly don't know much more than that, or what he has been up to in the past 2 years. I just know him from previously doing work for him, and thought I could give some insight to who he is and what he's like.


Three things would have to be recorded in that case: the "you" part of the start & stop times, as well as the times themselves.

I'll take your word for it that he's a decent person. I certainly have no reason to think otherwise. But that doesn't change that his service is recording information that it ought not to be.


The way you typically record this is start time, end time, and IP assigned. It's still not enough to identify what sites or traffic was visited, but when you get a spam email forwarded to you by your upstream provider, it's enough to identify a customer.


I'm sort of interested how you plan to make profit by billing unknown sources for use of your services...

A responsible business that wishes to comply with tax law and other important parts of making a living needs to have record of income.


The service charges a monthly or yearly fee for unlimited data transfer. They don't need to log when you actually use the service.


http://hidemyass.com/vpn/

HMA does not bill by the minute. Nice snark, though.


No-one serious minds that a business complies with correctly formed legal requests. (And it's tricky for people in the UK facing the might of US law.)

What's annoying is the disconnect between saying "We help you avoid censorship" and "we comply with correctly formed law enforcement documents".


He has US based servers - perhaps it was "give us your logs, or we take your servers" (speculation). I just figured I know the guy more than the people here - or at least used to, and from what I could tell he was a good guy who tried to do the right thing. That's all I can say.


It's a bit like Hushmail. Compare their new advice to customers about how Hushmail will comply with law enforcement, to the point of creating new malicious Java software and pushing that out secretly to the 'target' / 'victim' to compromise their communication.

Hushmail states all this clearly, allowing new customers to make an informed choice.


Is his infrastructure that complex?

Is this not just some deploy script on a bunch of VPSs?


When something is specifically promoted as protection against oppressive laws/regulations, and then caves at the first opportunity to do so, that's problematic. The service clearly never intended to fight such orders, only to use such claims as marketing tools. I don't care if he is a "guy just like me"; that's a scummy, shitty thing to do.


I'm not really going to argue, I guess it's a matter of opinion. I don't feel that the service is particularly positioned in the way that it's promoted to fight oppressive law - based on the landing page anyway; I'm unaware of his other marketing initiatives though, afaik, he uses word of mouth. I guess that's really all I can say.


Does that mean a US court order got executed in the UK, on a UK citizen, just like that? Asking because I can't get any company information out of their site, nor from whois data, to confirm if that's indeed a UK company and/or individual.


I'm not sure. I have not been in contact with him since 2008 and it would be weird to contact him out of the blue based on this situation - although, I'm very tempted. If I do decide to look into it, I'll let you know.


"You run this website, the US govt. comes knocking at your door looking for records - what do you do? Thought so."

I'm not sure what you're referring to in "this website", but I can tell you that jurisdictional arbitrage, and being able to protect my customers' data in exactly this situation, is something I spend a lot of time thinking about.

Of course, nobody wants to fight a powerful government, so a better strategy is to make it such that the powerful government never comes knocking on your door, or you don't have any useful information for that powerful government, or your site infrastructure is in the jurisdiction of a government that has no interest in rolling over to that powerful government, like say, Singapore.

The US government can try to swing its weight around in Singapore and will likely be told to go pound sand. And if the Singapore government agrees with the US government, then what you hand over may not contain any sensitive client information (because you don't keep sensitive client information when you don't have to. If you have to, it is a different matter.)

I think every one of us working on web services should think long and hard about how we're going to deal with the reality that the US government, without cover of law, regularly demands information (using the PATRIOT act) that it doesn't have the legal right to, and regularly censors (the torrent site takedowns, etc.) content providers who have never even been charged, let alone convicted of violating the law.

You don't want your business shut down, that's true. (also a reason not to domicile your business in the USA, or keep your banking there.)

These are issues you should think about before, or early, in the period of starting your business.


Interesting that you use website as a synonym for company. The web site of this company is nothing more than a front end for interfacing with the public for marketing and customer service. Presumably, the company also has their actual VPN structure which they use to deliver their service to their customers, offices (optional), bank accounts, etc.


I was always curious as to what they were doing to hide their identities. I read the logs, and I am a bit disappointed that the extent of their methods of hiding themselves were so narrow - involving only VPN providers.

The old way of doing this was to own a series of boxes around the world and setup your own SOCKS server, ssh forwards etc. You use boxes that are being used internally at small companies for email or web hosting, meaning that there aren't any admins on there looking for weird traffic patterns.

You setup a group of servers like that, and chain them together. Symlink all logs to null, and make sure the first box you jump onto is the most unsuspecting (and one that you have most control over).

With a group that I was a member of 10+ years ago we would abandon boxes that had a sysadmin that seemed like he knew what he/she was doing (looking at history logs) or boxes that had a lot of user activity on them but not a lot of resources (it only takes one user to wonder why the net connection is slow for the exploit and you to be found). The best bets were to scan for old ftpds running on old kernels.

These were boxes that had been bought and setup for something like email or a small webpage and then forgotten about (usually setup by external IT). You patch the exploit so nobody else can get it, install a backdoor, and not do anything noticeable. We had access to such boxes for years and as far as I know we were never noticed by anybody.

VPN providers are constantly monitoring for abuse, and when they get a law enforcement notice they will comply. It is only a matter of time before you get caught if you are using them. I would suspect that law enforcement found out which VPN providers were being used some months ago, and set up honeypots at each one waiting for members of anonymous to reconnect.


For some reason I sympathize with this team, but really... if you are such a high profile hacker group, why use a mostly-legitimate-use VPN service when you can buy:

1) VPN service hosted in a bot net (i.e. on zombie machines)

2) hosting on the bot net (i.e. one you can not stop at all, you can not track it)

These "services" are quite possible to buy and they are not really expensive. The only downside is link speed, which should be pretty slow keeping in mind that bots are hosted on regular home PCs on ADSL/cable internet connections.


At least don't use a VPN in the same jurisdiction! That's a big WTF.


From an edit to the article: "We have had a few queries as to our logging policies. We only log the time you connect and disconnect from our service, we do not log in any shape or form your actual internet traffic."

So, the information possibly gained by law enforcement is that "account X was connected to our proxy service at the time the crime was committed". I don't know how large their user base is, but it seems unlikely that the above is all that informative. Unless there are enough "criminal events" to knock the total "set of users connected during all events" down to a manageable size.
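To make the set-intersection argument above (and the earlier comment about start time, end time and assigned IP being enough to answer an abuse report) concrete, here is an added example that is not from the thread or from HMA: all session records, IP addresses, account names and incident timestamps are constructed, and the retention windows (5 and 30 days) are taken from the thread's own numbers, not from any real policy.

```python
"""Constructed example: what minimal VPN session metadata (connect time,
disconnect time, assigned IP) still reveals, and how a retention window
limits it. Not HMA's code or data; every record below is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set, Union

When = Union[str, datetime]


def _as_dt(when: When) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass(frozen=True)
class Session:
    account: str
    assigned_ip: str
    connect: datetime
    disconnect: datetime


# Constructed log, one session per line: account,assigned_ip,connect,disconnect
SESSION_LOG = """
# account, assigned_ip, connect (ISO 8601), disconnect (ISO 8601)
alice,10.0.0.11,2011-06-01T20:00,2011-06-01T23:00
bob,10.0.0.12,2011-06-01T21:00,2011-06-02T01:00
carol,10.0.0.13,2011-06-01T22:30,2011-06-01T22:45
alice,10.0.0.14,2011-06-05T09:00,2011-06-05T12:00
bob,10.0.0.15,2011-06-05T10:00,2011-06-05T11:00
dave,10.0.0.16,2011-06-05T10:30,2011-06-05T13:00
bob,10.0.0.11,2011-06-09T18:00,2011-06-09T19:00
erin,10.0.0.12,2011-06-09T18:30,2011-06-09T20:00
""".strip().splitlines()

# Constructed timestamps of three incidents an investigator asks about.
EVENTS = ["2011-06-01T22:00", "2011-06-05T10:45", "2011-06-09T18:40"]


def parse_sessions(lines: Iterable[str]) -> List[Session]:
    sessions = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, ip, connect, disconnect = (f.strip() for f in line.split(","))
        sessions.append(Session(account, ip, _as_dt(connect), _as_dt(disconnect)))
    return sessions


def connected_at(sessions: List[Session], when: When) -> Set[str]:
    """Accounts with a session open at the given instant."""
    t = _as_dt(when)
    return {s.account for s in sessions if s.connect <= t <= s.disconnect}


def accounts_for_ip(sessions: List[Session], ip: str, when: When) -> Set[str]:
    """The abuse-report lookup: which account held this egress IP at this time.
    The timestamp matters because the same IP is handed to different accounts."""
    t = _as_dt(when)
    return {s.account for s in sessions
            if s.assigned_ip == ip and s.connect <= t <= s.disconnect}


def narrowing_trace(sessions: List[Session], events: List[When]) -> List[int]:
    """Size of the candidate set after each successive event is intersected."""
    sizes: List[int] = []
    candidates: Optional[Set[str]] = None
    for when in events:
        hits = connected_at(sessions, when)
        candidates = hits if candidates is None else candidates & hits
        sizes.append(len(candidates))
    return sizes


def intersect_events(sessions: List[Session], events: List[When]) -> Set[str]:
    """Accounts connected during every event (empty if no events or no overlap)."""
    candidates: Optional[Set[str]] = None
    for when in events:
        hits = connected_at(sessions, when)
        candidates = hits if candidates is None else candidates & hits
    return candidates or set()


def retained(sessions: List[Session], now: When, days: int) -> List[Session]:
    """Sessions still on disk under a fixed retention window (data minimization)."""
    cutoff = _as_dt(now) - timedelta(days=days)
    return [s for s in sessions if s.disconnect >= cutoff]


SESSIONS = parse_sessions(SESSION_LOG)

if __name__ == "__main__":
    print("connected during each event:", [sorted(connected_at(SESSIONS, e)) for e in EVENTS])
    print("candidates after each event:", narrowing_trace(SESSIONS, EVENTS))
    print("10.0.0.11 at 2011-06-01T22:00:", accounts_for_ip(SESSIONS, "10.0.0.11", "2011-06-01T22:00"))
    print("10.0.0.11 at 2011-06-09T18:40:", accounts_for_ip(SESSIONS, "10.0.0.11", "2011-06-09T18:40"))
    for days in (30, 5):
        kept = retained(SESSIONS, "2011-06-12T00:00", days)
        print(f"{days}-day retention, candidates:", intersect_events(kept, EVENTS))
```

Two events leave two candidates, the third collapses the set to one account, while a 5-day retention window (with the same records and the same three events) leaves nothing to intersect.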


We also have no idea what other potential information the source requesting the information has to correlate it to.


I've updated the blog post with some edits that may answer some of the questions here.

-HMA


Why don't these guys hack from a virtual machine, in Starbucks, then delete the virtual machine, then never visit the same coffee shop again? How would they get traced from doing that?


MAC address, store security tapes, cell phone geo tracking data.

I mean, you're right, face in a huge crowd is potentially more security than hidden really well, but it's not perfect either.


MAC addresses are easily changed. You don't have to be in a store, or even near it, to use its wifi. And you don't have to bring your cell. Or you could use a throwaway prepaid.

Long story short, no competent hacker would get caught using hidemyass, and the Feds are once again putting on a dog and pony show.


Because Starbucks doesn't sell Mountain Dew or Red Bull?


I wouldn't do that. It would pin the attacker down from 'anywhere in the world' to 'he lives somewhere near this Starbucks'.


He's such a good guy that he prevents anyone from commenting on his blog.

His willingness to play junior deputy for corrupt governments is disturbing. He says UK court but that's nonsense. He's getting a call and coughing up everything out of fear. Oh and a couple of his servers are doing mitm on Gmail. It's been noticed by others and posted in his forum.


Now the log retention is 30 days? He said 5 on the forum. Nothing but lies. He received a phone call, nothing from a court. Someone is going to prison for FIFTEEN YEARS for nothing. It's disgusting.

I wouldn't be surprised if they log EVERYTHING because they mine the traffic. It's how they undersell other providers.

Boycott this garbage


IANAL, but just because your terms say the service may not be used for illegal things it doesn't mean you can't also be culpable.

If I purchase stolen goods from a thief, I might be breaking the law even if the thief has signed a contract swearing the goods aren't stolen.


I'm not a lawyer either. I was wondering about this a bit and tried to see if any of the restaurants where Mafia members met in the '70s took any heat because of crimes that had been planned within the establishment, and could not find any. (It was the only analogy I could think of which the FBI might use as an example; if there are better ones please add them.)

That being said, I would not be surprised if the FBI freely used a 'National Security Letter' [1] to force these guys to turn over data about specific connections. And since, as a service, these guys may be subject to the requirement of giving the FBI a way to wiretap their connections [2] it may be that once they knew the service was being used it was a 'simple' matter of compelling them to provide an unencrypted copy of sessions of interest.

[1] http://en.wikipedia.org/wiki/National_Security_Letter

[2] http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-153...


That example doesn't really apply since the law is explicit about stolen property, which this case has nothing to do with.


Wait a minute, didn't these guys steal a whole bunch of information? Downloading a song and stealing credit card numbers seem to be two different types of theft.


My point was that if you're party to a crime, whatever contract you have probably isn't going to help.


If you knowingly purchase stolen goods, you are guilty of a crime. If the seller swears the goods aren't stolen and even signs a contract to that effect, you aren't guilty of a crime unless you know that the goods actually are stolen. The key element is the intent to buy goods that have been stolen; merely intending to buy goods is not enough.

More appropriate examples would be Napster or Limewire. Their TOS's barred using their programs for illegal ends, but both companies actively promoted illegal downloading. In the end, liability issues brought down both companies.

IAAL. Please don't armchair lawyer, or you'll end up like the guy who runs TechDirt.


>you aren't guilty of a crime unless you know that the goods actually are stolen.

Unless you're in a jurisdiction where the knowledge element can be satisfied by whether a reasonable person would suspect that the property was stolen. In that case you could be found guilty.


Which, thankfully, does not apply to criminal charges in America. Where an intent element of "knowledgeable" must be proved, it must be proved that the specific individual knew, or should have known X. "Should have known" is a catch-some for people who willfully ignore what's going on right in front of them, but it does not encompass what a reasonable person would have suspected.

You're confusing the standards applicable to tort law (another person sues you for damages) or regulatory infractions (government sues you for money) with criminal law (government tries to send you to jail/prison).


On a separate note (by reading your comment), isn't it funny how you need to be a lawyer in order to find out whether you are breaking the law or not for trivial things such as this one.

USSR perfected that approach but we are getting there.


You don't need to be a lawyer to know whether you are breaking the law for something like this. It's very simple: Are you trying to buy stuff? --> You're okay, unless... Are you trying to buy stuff that you know is stolen? --> That's a crime.


Anyone who can access the site mind posting the article for those of us stuck behind work proxies? Much obliged.


Lulzsec fiasco

Posted on September 23, 2011

We have received concerns by users that our VPN service was utilized by a member or members of the hacktivist group 'lulzsec'. Lulzsec have ALLEGEDLY been responsible for a number of high profile cases such as:

- The hacking of the Sony Playstation network which compromised the names, passwords, e-mail addresses, home addresses and dates of birth of thousands of people.
- The DDOS attack which knocked the British government's SOCA (Serious Organised Crime Agency) and other government websites offline.
- The release of various sensitive and confidential information from companies such as AT&T, Viacom, Disney, EMI, NBC Universal, and AOL.
- Gaining access to NATO servers and releasing documents regarding the communication and information services (CIS) in Kosovo.
- The defacement of British newspaper websites The Sun & The Times.
- The hacking of 77 law enforcement sheriff websites.

It first came to our attention when leaked IRC chat logs were released; in these logs participants discussed various VPN services they use, and it became apparent that some members were using our service. No action was taken; after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using. At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences. This includes certain hardcore privacy services which claim you will never be identified; these types of services that do not cooperate are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers.

We would also like to clear up some misconceptions about what we do and what we stand for. In 2005 we setup HMA primarily as a way to bypass censorship of the world-wide-web whether this be on a government or a corporate/localized scale. We truly believe the world-wide-web should be world-wide and not censored in any way. A prime example of this would be the Egyptian revolution, for which our service played a key role for protesters gaining access to websites such as Twitter which were blocked by the government; we experienced record traffic during this time. Although our web proxy accounts for a high percentage of our traffic, our VPN service accounts for nearly all of our revenue. Our main customer base use our VPN service to ensure their sensitive web traffic cannot be intercepted on insecure networks, though there are many other legitimate uses such as the ability to unblock GEO-restricted websites. Rummage through our review database and you'll be able to gain a decent understanding of who uses our service and why.

Edit: We have had a few queries as to our logging policies. We only log the time you connect and disconnect from our service, we do not log in any shape or form your actual internet traffic.


I agree with numerous opinions in here that consider this a fiasco. Many say that the law must be interpreted in its context (UK) and that the guy behind the service couldn't do much, etc. But honestly, why put up a service bragging to fight the power all the time, specifically pointing out that it can be used to circumvent censorship, etc., if you're going to give in at the first trouble. I don't recall them clearly stating that their service was not meant to provide means to those breaking laws. If they are so loyal to some country's law, then they should clearly state it, instead of bragging how cool they are by rebelling against some other country's law.

I say, if you put a service like this up, stand up for its integrity, or else, don't bother creating it in the first place.



