Thursday, January 23, 2020

VPN privacy policies and privacy threats

People use commercial VPNs as anonymity and privacy tools. To be useful as such a tool, the VPN provider must not store any information that would identify the real IP address of its user when given the details of IP packets to/from a website that the user has visited or that his software (e.g. a BitTorrent client) has automatically communicated with. In other words, a user who uses BitTorrent or visits "shady" sites expects that the VPN provider will not be able to point to him when asked "who torrented" or "who has visited this site".

Off-the-shelf VPN server software does log connections by default, and this is useful in a corporate setting for incident investigations. So, VPN providers often make an explicit "no-logs" statement in their privacy policies to indicate that they, well, don't log certain data, or discard those logs after a predetermined amount of time. Here is an example of such a policy statement, taken from Ivacy:
We strictly do not log or monitor, online browsing activities, connection logs, VPN IPs assigned, original IP addresses, browsing history, outgoing traffic, connection times, data you have accessed and/or DNS queries generated by your end. We have no information that could associate specific activities to specific users.
It looks like this statement is short and to the point. Is it enough? Unfortunately, by itself, the statement above is insufficient. It would be perfectly compliant with the wording above if they streamed the connection events, VPN IPs assigned, encryption keys negotiated, etc., and mirrored the traffic (including the original connection IPs) to a third party in real time. Exfiltration is not the same as logging, and it is still true that the hypothetical evil Ivacy keeps no information that could associate specific activities to specific users.

It is not only Ivacy who has the problem with the privacy policy focusing only on logging as the privacy threat — the problem is in fact very common, probably because nobody except me really thought about other ways to betray privacy. It became even more important in 2018, when it became the norm for VPN providers to undergo audits. And guess what, one common form of an audit is called a "No-Log Audit". Not a general "Privacy Policy Adherence Audit", but a narrow "No-Log Audit"!

It is an interesting question what an auditor should do here. If this is a "No-Log Audit", then, formally, deliberate real-time exfiltration is out of scope. So are deliberately introduced cryptographic weaknesses that would allow third parties to fully decrypt connections (though, this is in scope for a "Security Audit", which is a completely different thing). Even during a more general policy compliance audit, targeted at the entirety of the privacy policy, formally, an auditor has the right not to report deliberate exfiltration as a finding, provided that the policy is worded carefully enough (so that data exfiltration is not a privacy policy violation as worded).

Note the word "formally" above: it is all about the worst case. Some auditors do care about the spirit of the policy, not only about the letter. I have asked three companies that conducted No-Log Audits of various VPN providers in the past about this dilemma, and, so far, received one useful reply (from cure53, regarding their No-Log & Privacy Audit of IVPN).
Q: Was there any attempt during the audit to check that personally identifying information does not leave the company via network connections, as opposed to the on-disk logs that you have already confirmed as non-existing?
A: Yes and no. We checked that on the servers we got access to. In the IVPN case we could not find any evidence that points towards them attempting that. While this doesn't mean that they, IVPN, don't do it at all, we at least didn't catch them trying.
<...>
Q: Would any of the above privacy violations (if IVPN were engaging in such activities) be caught/flagged/result in a failed audit?
A: As a matter of fact, yes. Shortly after IVPN we audited another provider and it ended up in massive drama because they indeed logged and found different excuses every time. It was pathetic.
NordVPN is one of the VPN providers that does address the issue with the wording. Let me quote the relevant bits from their privacy policy (emphasis mine):
Nord guarantees a strict no-logs policy for NordVPN Services, meaning that your internet activity while using NordVPN Services is not monitored, recorded, logged, stored or passed to any third party.
Much clearer and more reassuring. Let's hope that other VPN providers read this blog post and apply the same simple fix.

Disclaimer: I am a customer of some VPN services mentioned here. I have, at the time of this writing, absolutely no evidence that they engage, or engaged in the past, in the hypothetical malpractice described in this post. It was just an example. I am sure that, for every existing privacy policy in the world, a sufficiently advanced hairsplitter can figure out a way to "comply" in a similar way.