It appears that throughout the past several hours, we hit the headlines regarding the actions we took over the weekend. We would like to provide an official response here, as we have been unable to spread the word in the press as we wanted to (Torrentfreak unfortunately didn't relay in real time the communication we had with them and we hope they will fix that as soon as possible, like they obviously often do *sic*). Through this article, you will be able to judge our philosophy, the VPN industry's situation, and whether we really remain the best choice out there. Of course, we believe we do.
As a serious security and privacy insurance provider over the Internet, we offer services that allow you to encrypt and switch your traffic through tunnels made available all around the world (mostly thanks to our custom software hand-crafted with love). This means we provide an encryption level made with a strong set of algorithms, and that this data cannot be decrypted by us or a third party (unless speculation, but for this we are changing our 1024-bit RSA key every hour and we are rolling 4096-bit RSA and other algorithms in beta, to provide the "benefit of the doubt" to those who would like to seek higher encryption levels).
Nevertheless, as a responsible and trustworthy business operating from the Republic of Seychelles, there are laws we need to comply with. This is the same for any other VPN provider: no matter where they are based anywhere in the world, they have to comply with the legislation related to their activity. This means that from time to time, they have to look into their network for targeting sources of complaints.
Complaints may vary in form; often a lot. To be honest, that is the most exciting part of our job as a whole entity. Some providers choose to comply with any sort of complaints. Some others filter them out. We belong to the second category – with the most hardcore approach. Of course, only time will tell. But you should already know that only the complaints that are corresponding to infringements of our terms (that cover those of the Republic of Seychelles) or our ethical policy, have or will be taken into account. That means complaints regarding activities directly harmful to human beings only. At the time of posting, proxy.sh refuses more than 99% (yes!) of complaints it is being issued (either by lack of strong IT support or most often, by lack of jurisdictional or moral ground).
When a complaint relates to a server where legislation is in favour of the complainant (or is requested by the Seychellois authorities), we block the port related to the complaint and eventually block accounts from openly forwarding this port any further: the "stop-me-if-you-can approach". This is mostly spam related, but can also be related to copyright issues in the U.S. When the complaint goes against our services, such as seeking to retrieve any form of logging, we simply shut down the node, cancel our contract with the datacenter, and find another place (sometimes another state) to plant our new node within. This has occurred to us through time as we have been stating it in a previous article. We do not care about notices other than those corresponding to direct harm to human beings.
When a complaint relates to an activity that is directly harmful to a human being (harassment, e-violence, impersonation, stealing), we ask for the complainant to seek both legal and IT expertise. When both the IT expert and the lawyer provide us with ground about the complaint, we accordingly block the ports related to the problem. If the complaint persists and complies with our terms or ethics, we then install a Wireshark instance on the specific node related to the problem, and this allows us to check the current traffic on this node. We can in turn identify patterns to seek collaboration and settlement through three distinct ways: private, expert-supported or fully public communication. At all times, we would seek resolution through networking and NGO pipelines rather than law enforcement and Nation-State's bodies.
It is our job to act forward as we play in a jurisdiction where domestic law enforcement is limited, and we do not want to end up being a nest of wrongdoers. We are here to protect the privacy of honest and careful people; not to hide the crimes of elements harmful to other human beings (which would probably after all defeat the objective of protecting privacy of others). Any other company in our situation that does not provide such ethical grounds, is actually not protecting your privacy, as it could not place itself at the risk level we do place ourselves in by doing truly non-logging. In other words, other companies are either logging or complying (temporarily logging) behind your back, unless they follow our philosophy: transparently telling you about Wireshark use.
Wireshark allows you/us/them to analyse network activities. The traffic we can retrieve through Wireshark is of course encrypted. We cannot see what you are doing. We can even less see the link between activities and packages (customers) as this is the part that is the most encrypted. We can only check for patterns: packets sent here, packets sent there. Same goes for providers that actually encrypt their network. However, these patterns allow us (and other providers) to dig informational details and then decide to act with them. This is of course not a lot, but sometimes it is enough to find a settlement with an infringer.
Anyway, here is the most interesting part, dear enlightened readers. Unlike other providers, Proxy.sh will always tell you when and why it is intervening on a node. Proxy.sh is also the only provider to shut down nodes (and commercial contracts) for the sake of any of its customers’ security and privacy, as long as covered by terms. Most importantly, Proxy.sh shows that it really does not log your activities, and never will, as it captures your attention when it intervenes with such policy according to our terms. Press and social networks are here to emphasize.
Most VPN providers you will come across (e.g. privateinternetaccess and others) are being operated from the United States. That means they need to comply with domestic law enforcement, as well as the regulations covering such enforcement. Unfortunately, in the U.S., the law enforcement agencies can force a company not to inform its customers about the activities these agencies are doing across the company’s network (you got it, logging). Hence, these providers will never dare or worse, care about keeping you updated about what happens across their network. EFF and other experts will tell you - oh wait, EFF actually is partnering with a VPN provider that does not keep its customer base up-to-date about interventions. John Gilmore certainly sought for more transparency when founding the EFF. Read for more.
Since proxy.sh is the only provider to keep you updated when it temporarily monitors a node because of a valid complaint (once again, a complaint that has gone through the tough filters of our terms & policies and is only related to harmful activity to human beings), we question why you should trust a provider that actually never keeps you updated about such intervention. Both proxy.sh and them are not logging, encrypting everything and complying only as they feel they need; yet nobody but proxy.sh tells you what happens in the VPN network - behind the scenes if you prefer. Providers like privateinternetaccess or ipredator have been in business for a while, and yet to this date they never published a single notice about intervention regarding complaints. If they wouldn't interfere, they wouldn't comply and last. So they are interfering, but to what end? These providers, to us, do not sound like providers you should trust for your privacy. They could be sniffing your traffic for X or Y reasons: only proxy.sh tells you why, and is clear regarding when it will, or not, comply with “sniff-inquiries” as we funnily call them.
Proxy.sh is here to make a dent in the universe of the VPN industry. The VPN providers indeed need to comply with various regulations, and for this, they provide what they log and sometimes are forced to set up a Wireshark instance to get further analytics (especially of course, when they log very little about their users, such as us). Proxy.sh does not log anything other than your e-mail address. And when we are asked or motivated to set up a Wireshark instance, it will ever be related to solely an activity harmful to human beings, or we will defeat intervention, shut down our tunnel and move elsewhere.
The situation over the weekend was related to a complaint issued by a desperate family, with support of its lawyer and a third party IT expert. We had all the necessary details we needed to act forward, as the activity of the infringer was harmful to a human being and correlating with IPs belonging to our network. We started to block ports related to the problem. But the issue continued and we needed to intervene. Thankfully, the problem got settled peacefully as the troublemaking user both got in touch with the complainant and us to apologize. With this said, we never thought this intervention would be such a surprise, but most importantly, we never realized it could change the VPN industry forever, and also point out the misconceptions that many, including the press, have about our services or those of others.
Valuable VPN providers like us do not log what you are doing - I could quote among others privateinternetaccess, ipredator, ivpn or airvpn - they are running OpenVPN and other instances from RAM (at least hopefully, as this is what we do). They operate their business within a legislation, and provide terms that explain the limit of the privacy they can bring to their customers. Pretty much all VPN providers would only comply with authorities and law enforcement bodies where they are incorporated and where they are hosting their nodes. But most of these providers are incorporated in the United States or in the European Union, and all of them have servers either in the United States or in the European Union. When a U.S. or E.U. law enforcement body contacts them, VPN providers have no choice (because they do not log anything) but to set up monitoring software (usually Wireshark) for a certain period of time, necessary for the body to undertake its investigation. You cannot be sure why this monitoring is being undertaken. Same goes with offshore VPN providers; unless they communicate, you have no idea about what is going on through their network, except that it is by default fully non-logging but will comply with some "standards" or "laws".
These providers are never making you aware of when they’re monitoring you over a short period either for maintenance or for responding to abuse. Proxy.sh does.
These providers may comply with whatsoever reason. Proxy.sh does not. We have set a clear philosophy since we started this business, and will continue to do so.
Finally, it is 100% true that DIY VPN solutions will always be better than our solutions or those of other providers. The best you can trust in this world is yourself. Nevertheless, when you lack either time, skill or daring responsibility to set up a DIY VPN tunnel, we believe that proxy.sh is the best bet you can take, as it has a clear philosophy and a transparent communication, both things that are critically lacking in the VPN industry.
Turn the problem whichever way you wish. Logic will tell you that the best solution is security you develop yourself, and second-best is a solution provided by a transparent and trustworthy provider: proxy.sh.
*Disclosure: Lou is a former infamous black-hat hacker with expertise in both encryption and social engineering, who turned to academia by researching social law. She is part of our staff and contributed to the outcome of this article. She knows perfectly what can be achieved or not by a VPN provider, not on a legal ground, but on both technical and ethical grounds.*