Throughout the past week, the folks at TorrentFreak have gotten in touch with us about the situation that emerged last week-end and that we outlined in this article, explaining that we are against activities directly harmful to individuals and that we are the only VPN provider to keep you updated about any sort of interventions happening behind the scenes.
This conversation led one of their lead journalists, Andy, to publish yet another article today about us. While we have had excellent exchange with the entire TorrentFreak team, we are a bit surprised about the way reporting was done about our story as it misses essential facts and somehow makes fun of us about others. It is important to recall that TorrentFreak is essentially financed by U.S.-based VPN providers such as PrivateInternetAccess or TorGuard.
In order to shed some light on the situation and really let the People decide about what's wrong or not in this VPN industry, we have decided to release the complete Q&A session that took place earlier this week between our CEO and Andy. We will not discuss much about the attitude of TorrentFreak as we have immense respect for them and they have been helpful by quoting us in their early lists (and promised to bring us back soon). We believe it is just important that everyone knows where we stand by. TorrentFreak will certainly follow up on proper reporting as they have always done.
October, 3rd 2013 - World Wide Web
(TorrentFreak) In addition to abiding with its obligations under the law in dealing with cases of abuse, Proxy.sh has an additional layer of rules that users have to abide by. Called the "ethical policy", Proxy.sh expressly forbids its customers from carrying out any activity that will hurt an individual or group of individuals. Users breaking this policy run the risk of being investigated by Proxy.sh following complaints from a 3rd party.
(Proxy.sh) This only concerns directly human beings, so individuals but not groups of individuals. A group to us is an entity (religious, political, nationalistic, corporatist, etc.) and the ethical policy does not apply to such entities. It's all about being harmful directly to other persons, but not groups or non-human entities (even though they may be subsequently made of human beings).
(TorrentFreak) So, if a family member of mine is being harassed by a Proxy.sh user, can I get you to take action against him or her based on my word alone or is some formal legal process required?
(Proxy.sh) First of all, you need to get in touch with a lawyer to characterize the crime in a legal context. Then, you need to get in touch with a forensic IT expert who can gather evidences of your misfortune (in computer meaning). Then you all three need to get in touch with us to report a complaint.
(TorrentFreak) What safeguards are in place to ensure that customers aren't monitored or identified based on false accusations?
(Proxy.sh) Our legal team checks the validity of the legal concern, while our engineering team checks the validity of the forensic evidence. Moreover, the latter must be provided by a renowned academic/scholar who has published at least one paper about security or IT in general. Minimum forensic experience is also expected, but not necessary. If the forensic evidence is valid to us, but not signed by a public expert, it will be discarded and we will ask the complainant to come back to us with better grounds to support his or her case.
(TorrentFreak) Proxy.sh details several activities that are banned due to your ethical policy. We all understand what pedophilia is, there can be no real confusion there, but other things are listed too such as "any sexually highly offensive content such as pornography" although the parameters are very vague. Are your customers banned from accessing or distributing pornography? If so, what are the parameters? How do you assess what is damaging to an individual in this case?
(Proxy.sh) Our customers are fully allowed to access or distribute pornography. They should just avoid pornographic content that has [been] or is directly harmful to human beings. Definition of what may be harmful or non-harmful to human beings is indeed complex here, that is also why we hardly see a concrete enforcement of this. This statement is simply here to allow us not to accept a very rare case in the porn world, yet existing: a pornographic video representing the death of a person, or snuff movie.
(TorrentFreak) Customers are also banned from being racist, being involved in drug-related activity and any religiously or politically sensitive activities if they harm others. On these controversial topics, isn't it incredibly difficult to assess who is right and wrong and where that line lies? For example, if I hypothetically use Proxy.sh to whistleblow against my government by leaking classified information and that results in harm to the individuals in my country, isn't that a good thing for my country's enemies? How do you choose sides?
(Proxy.sh) Of course it is tough to assess who is right or wrong, and unless we do not hold strong grounds, we will never move forward. Once again, the policies are here to describe possible situations and not to describe mandatory actions we will take when hearing this or that. In the specific case of whistleblowing, this is perfectly cool with us. A government is not a human being, it is an entity and even though it is subsequently made up of human beings, we do not feel ethically concerned to protect it (except of course that of Seychelles where we must owe respect of our host).
(TorrentFreak) TorrentFreak once ran a story about porn downloads taking place in the Vatican and we were accused by email of stoking sectarian and religious tensions in Northern Ireland. If an individual was hurt as a result of this kind of report, following a third party complaint would you go ahead and monitor your servers to identify the writer?
(Proxy.sh) Once again you are referring to a group of individuals, or religions. We are only against activities directly harmful to human beings. Talking openly your opinion and offending other religions or nations is no problem with us, as long as you do not target or importune a specific individual. So for instance with your story in Vatican, we would be against your activity if you quoted the name of the guy who downloaded porn, and subsequently suggested action should be taken against him. As long as you have kept it general and with respect of all individualities, this is no problem for us. Moreover you brought fun in the story, so it’s even less applicable with our policy.
(TorrentFreak) Following our recent discussions it appears that Proxy.sh is indeed trying to be open about how it operates its service, you say you even go as far as warning your customers in advance if you intend to monitor a server. That said, you do admit to monitoring and logging servers based on your own set of rules following complaints from people other than law enforcement. That's something we've never seen before and it surprised us.
(Proxy.sh) That is weird because in your article, http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/, several providers are pointing out at the fact that they monitor/log their services temporarily for troubleshooting, maintenance and other situations. To us, all the VPN providers around the world indeed will log at one time or the other one of their nodes, to undertake a troubleshooting, or simply to respond to a legitimate law enforcement situation. Those who say they don't are lying - because they are not even respecting the local laws where they are registered and that will force them one day to interact with their network. Even though your services run from the RAM, are using most performing algorithms and are not linked to an account identification, you still need to check with wireshark problems such as exceptional high-usage, network routing issues or the need to gather patterns of packets for investigations related to your terms or policies, especially domestic law enforcement inquiries.
(TorrentFreak) Do you think that the existence of an ethical policy is a benefit to your users and if so, how? Also, being bold, what are the drawbacks?
(Proxy.sh) We do believe it is actually a benefit to our users because we make it clear that our network is free of any activity directly harmful to individuals. Hence, because our IPs are shared and multiple users are being hidden by the same route, each and everyone can feel confident that they will never be accused, formally or informally, of something they have never done. The only downside we see is for people who wish to make activities harmful to individuals: they will have to find another network. Those who do not wish will never be affected by our ethical policy, even by accident, as our process to respond to complaints involves both lawyer and IT forensic expertise, and both would point out whether the problem is intentional or accidental (and we would also be able to confirm it).
(TorrentFreak) Doesn't your ethical policy create a level of uncertainty over what is acceptable behavior versus a provider that doesn't try to govern use of their services other than in accordance with the law?
(Proxy.sh) Of course. There are always been some uncertainty in policies and terms. We do not think we are an exception here and we are happy that you take the time with us to define them more in depth. All the people who have got in touch with us with questions about our terms or policy know that we have always answered transparently and as openly as possible to make them even more understanding on case-by-case basis. It is actually good policy before you turn to any VPN provider, to come and ask it precise questions you need answers for.
(TorrentFreak) In addition to all the wonderful people online there are some hateful individuals too. Do you think it's a service provider's job to appoint itself judge and jury over their behavior? What do you say to people who say that as a privacy service provider you should keep out of their private communications?
(Proxy.sh) This is a very good question and actually the onus behind our move. To us, a service provider that acts in a jurisdiction where law enforcement is of quality should not feel responsible for interfering with any ethical or legal matter, as the jurisdiction in which it operates is supposed to provide all the necessities. I am thinking here of the United States of course who can through subpoenas directly access the infrastructures of the businesses incorporated in its economy. On the other side, a service provider that acts in a jurisdiction where law enforcement may unfortunately not be of quality (for various reasons and by various aspects), should in turn feel responsible for interfering with some ethical or legal matters, to prevent the loophole it uses to avoid legislation it finds unacceptable (e.g. DMCA) from being turned into one that avoids pretty much any sort of legislation. A last aspect of whether you may or not may feel responsible is the payment methods you employ, and how you proceed with them. If you use PayPal with direct link to packages, or you avoid providing options that cannot or hardly be tracked (Bitcoins, etc.), then you can indeed feel less responsible for the activity that will happen on your network, knowing that the payment structure provides a link with third-party law enforcement to make sure wrongdoers can be caught through your network. Our payment methods are not linked with our packages, and we welcome hard-to-track payment methods, so we in turn feel more responsible for our network, knowing that third party law enforcement will have very little opportunity (if none at all) to seize wrongdoers through it.
(TorrentFreak) How do you think ISPs would fare if they introduced their customers to the same ethical terms as Proxy.sh?
(Proxy.sh) Once again, it will most likely depend of the jurisdiction in which they are offering their services. If they choose to go offshore like us to ensure a real higher level of security and privacy protection, they should consider protecting their network to in turn protect their users. Their users will most likely appreciate it. On the other side of course, a U.S. based ISP doing so would be seen as someone interfering with what is already working well, at least for most U.S. citizens, and would just fall into a marketing blob. Of course we are seeing a decline in our revenues since the last intervention, but once again we far prefer to remain transparent and serious, than to seek profits by hiding truths.
(TorrentFreak) You've stated that other VPN providers will not tell their customers when they are required to monitor a server but Proxy.sh has a policy to let its users know. Do you think that being open about monitoring your own customers is better than having to stay quiet when a government demands it?
(Proxy.sh) Of course. We are sons of anarcho-capitalism. We believe in the sovereignty and self-consciousness of individuals, not of those of States or other entities such as agencies or corporations. We also especially value transparency. We believe this is what terribly lacks in today's world. Here at proxy.sh we offer users the full choice of both knowing and deciding to opt out (or simply switching to another node part of our network) when an intervention needs to take place. We do not believe this choice should be left only to governments and VPN suppliers themselves, but rather to the entire customer-base; in other words, to everyone involved.
(TorrentFreak) Finally, for now at least, the issue of trust. You say that you are completely transparent about monitoring some abusive users and other VPN providers are not. Why should people believe you and not the other dozens of providers out there?
(Proxy.sh) Indeed philosophy tells you that both trust and truth are highly relative to various factors and it is hard to define itself on both trust and truth levels. With this said, we believe the power of logics can help here to resolve this dilemma. As a matter of fact, the most trustful VPN provider you can get is named DIY. By operating your own proxy, you can be both user and operator, hence decide yourself when you need to take intervention on your own activities (although reality will rather make you delete everything in case of problems). In such case, you can be sure of absolutely all interventions and surroundings of your network. But sometimes, you lack of either time or the skills to deploy your own proxy service, and you decide to turn to VPN providers. You now face two options: choose a provider that tells you when it will intervene on its network (even though you can't be 100% sure it will actually tell you all the time), or choose one that actually never tells you anything. I don't know about you, but for me I actually prefer one that at least keeps me updated about some, especially when one states that he does keep me updated about all of them. No matter if I can or cannot be 100% sure, this provider will always be to me between DIY and other VPN providers who don’t disclose anything in the trust hierarchy.
(TorrentFreak) Sorry for the long list, I want to make sure we have everything covered. Let's aim to get this article out on Sunday, it will be a long read and people have time to digest it at the weekend. Possibly a couple more follow up questions, but generally I think I have enough now.
(Proxy.sh) No problem at all. We are actually very thankful of the time you take with us. Of course, the double fact that you removed us from the to-be-trusted VPN list, and that you listed the intervention that took place with us as problematic to your readers, has had a little impact on our business, as we have seen a drop of 5% in daily financial performance. With this said, we would be happy with this drop being as high as 99% as long as the situation allows us to spread out our philosophy and unveil the true onuses of the current VPN industry, as well as the position we have between DIY and other providers in terms of trust you can have with VPN and proxy in general.
NB: As you can see, we have been very relaxed with them (perhaps too much some would say, but we aim at being ultra transparent and making a dent into the VPN universe). Most importantly, we do not yet understand why they did not report the complete story (e.g. missing facts about academia support, payments infrastructures vs. automated link to third party agencies, the dilemma to provide a clean network when law enforcement really cannot help) as it would be perfect material to highlight the downside of our competition.