We are proud to announce a new Ethical Policy, the implementation of a Warrant Canary, and some details about the strategy underpinning our fight for your privacy.
Why an Ethical Policy?
Since we launched this service, we have always been concerned with making sure that our network remains safe for everyone, and that loopholes created by where we operate from, the Republic of Seychelles, do not lead to unacceptable acts being committed through our network.
Indeed, it is important for an Internet service provider that cares about its customers’ privacy to make sure that the network its customers connect to is safe, well maintained, and does not infringe the privacy or safety of others.
This is why, when we launched, we set up an Ethical Policy, which gives us the flexibility to move forward and make sure this guarantee about our network is respected.
The Critics
Our Ethical Policy, and the subsequent action we took against a harassing pedophile, were widely commented on in the press and on social networks.
TorrentFreak questioned whether it should be the role of an Internet service provider to pass moral judgment on some customers’ activity.
This was also the opinion of several commenters on the social network Reddit, who also pointed out the lack of transparency behind the intervention and, thus, the lack of clarity in the policy itself.
Finally, EFF staff attorney Nate Cardozo stated that our policy was the worst he had seen, as it created many loopholes that would let some governments or even third-party bodies seek noxious actions against our customers’ privacy.
Our Views
We believe that Internet service providers that are located offshore and provide global services, such as us, should have the ethical liberty to mitigate, as much as possible, illicit activities that are directly harmful to other human beings.
It does not mean that law should be avoided or replaced by another obligation; it means that, in addition to law, it is an excellent and ethical policy to be involved in mitigating the potential misdeeds that may be carried out through an anonymous, non-logging and offshore-based VPN provider.
Finally, both our Ethical Policy and the subsequent action were not completely useless, as they helped free a young girl from the harassment of a pervert.
Our Mistakes
We nonetheless realized that our approach was seriously flawed in many respects.
First of all, it seriously lacked transparency. At that time, much like any other VPN provider, we didn’t publish anything about the case. This was a terrible mistake, as transparency is clearly required for a trustworthy service.
Secondly, the form of our Ethical Policy itself was flawed. It was far from specific enough. It did not properly cover all eventualities. Worse, as pointed out by EFF’s Nate Cardozo, it created loopholes that could have been exploited by governments and third-party bodies.
Thirdly, it shouldn’t have been our role to play the judge and investigate. This role is that of the law and law enforcement agencies. This was also a considerable mistake, pointed out by everyone, from EFF to TorrentFreak or on Reddit. Fortunately, this did not have any consequences, and today we are correcting this mistake.
The Transparency Report
In response to the lack of transparency, we have decided to create a Transparency Report where we publish absolutely all abuse complaints we receive, and how we respond to them (including when we ignore them or take no action).
We are the only VPN provider to do so, and we are even connected to the Chilling Effects Clearinghouse’s database, a joint venture of EFF and a few universities that aims to bring more transparency to DMCA and related take-down procedures.
The New Ethical Policy
In order to correct the other mistakes we made, we have been working on a new Ethical Policy for the past several weeks. This new policy takes effect on 30/11/2013 and applies to all our new and existing customers.
It has been written thanks to feedback we received from EFF’s staff attorney Nate Cardozo, Chilling Effects Clearinghouse and Harvard’s Berkman Center for Internet & Society’s Coordinator Adam Holland, as well as several of our customers who are law students or well-informed amateurs.
The first objective of this new Ethical Policy is to be clearly more specific, with more precise language about each possibility this policy aims to cover. It also attempts to cover more aspects of when our corporate ethics come into play.
The second objective is to clearly state that it is no longer our role (nor our obligation) to monitor our servers in order to respond to abuse complaints, even when complaints are related to activities directly harmful to other human beings. The policy makes it clear that it is the role of the law, and of the appropriate law enforcement agencies, to investigate such matters.
The third objective is to explain how we will not fully give up our ethics by altering the Policy. We will still take external actions against abuses (as they still infringe our Terms), such as closing ports or shutting down a node. Most importantly, we will be actively reporting these abuses to law enforcement bodies and concerned NGOs, to request further investigation, if necessary including across our network. In other words, we are evolving from a situation where we thought it would be our responsibility to investigate and take action, to one where our sole responsibility is to mitigate the problem and actively report the issue to authorities.
The fourth objective is to also clearly state what we have been echoing in the press lately: we will not hesitate to relocate if a jurisdiction is failing to provide decent protection of our privacy and that of our customers. Nonetheless, the policy also explains that while this may happen, we will still, of course, follow and apply the rules of law. The policy makes it clear that relocating will not be used as an attempt to bypass the application of the law, but rather as an attempt to avoid further infringement of our users’ privacy if the law has provided grounds to let authorities do it once.
The fifth objective is to create a legal obligation to keep our customers alerted when we need to intervene on our network and use software such as Wireshark to monitor the traffic. These interventions are there to respond to DDoS attacks or analyze discrepancies in network quality. Such interventions are a recurring task for Internet service providers, and a necessity in order to maintain a fluid, stable and efficient network. Nevertheless, such interventions would technically allow our sysop team to view the encrypted traffic going through the network, and thus would infringe the customers’ privacy. This is why the new Ethical Policy sets an obligation for the sysop team to provide alerts within an appropriate timeframe when such an intervention needs to take place. We also urge other VPN providers to do so, as we know well that to maintain a correct VPN network, you still need to check your traffic from time to time, and thus temporarily come into contradiction with your no-logging policy.
Finally, the sixth objective of this new Ethical Policy is also to explain why we are operating from the Republic of Seychelles. It states that we have no weighted shareholder and that all our revenues are exclusively redistributed across the costs (human and material) of operating and growing our network. Most of the staff are here on a part-time basis. Some of them work at Fortune Global 500 companies. That is why we are not after profits or dividends. That is also why we are discreetly operating this service, as many of us still wish to enjoy their shared professional career.
The Warrant Canary
As we provide more transparency and more guarantees about the protection of our customers’ privacy, there is one last loophole we need to correct: the eventuality that a government or a law enforcement agency might use the law to monitor our network without our customers being made aware of it.
We attempt to close this loophole by providing a Warrant Canary, available at https://proxy.sh/canary.txt, generated and crypto-signed every day by our senior network engineer.
This attempt has no sensitive legal grounds and is far from being 100% bulletproof: it has never been tested in any jurisdiction around the world so far. But we’re ready to take the initiative, as rsync and Apple did, for the sake of your privacy.
The Strategy
In conclusion, we are publishing this blog article because we would like to inform you about the new strategy we have adopted to guarantee, as best as possible, the protection of your privacy.
First, our strategy involves being fully transparent about the abuse complaints, warrants or even seizure requests we receive, and how we respond to them. That’s why we have a Transparency Report.
Second, our strategy also involves being fully transparent about the interventions we need to undertake across our network in order to keep it in excellent shape. That’s why we have a Network Status with scheduled interventions (with a dedicated RSS feed).
Third, our strategy involves fighting the legal avenues that governments or law enforcement authorities might use and that would lead to compromising the privacy of our customers. That’s why we have a Warrant Canary.
By keeping you alerted about open abuses, technical/internal actions or hidden interventions, we are optimistic that we cover all the possible ways in which your privacy might be infringed, either by third parties or by us.
Open to Change
The present announcement clearly demonstrates our capacity to welcome, analyze and use feedback to become a better Internet service tomorrow. We remain open to any feedback, positive or negative, you may have about our new Ethical Policy or the whole underpinning strategy. We will do our best to implement your feedback so as to keep improving.
Our Todo List
We still need to link our Transparency Report and our Network Status alerts to our Twitter account (suggested by VPNCompare), so that you can be kept alerted in real time through third-party communication channels (other than via our RSS feeds or our website).
Finally, our recent research and tests on encryption have come to maturity, and we still need to keep you informed about the changes we have made in that respect. Stay tuned!