On its website, the company Private WiFi sells virtual private networks that it says can resist government snooping. “Don’t want the government to know what you are doing? Then it’s time to get a VPN," the company says.
Another such company, HideIPVPN, makes a similar promise.“NSA and FBI are spying on you," its website says. "VPN can limit what they know!”
A third firm, Faceless.me, offers a “surefire way” to protect your anonymity. “You don’t need to worry about Internet monitors and people knowing which sites you visit. A VPN will help you hide your tracks online,” the company says on its site.
Virtual Private Networks, or VPNs, can disguise the locations of computers and encrypt Internet traffic to allow people to get around firewalls or prevent outside snooping. Businesses that sell the networks are using the NSA scandal as a marketing tool, promising to protect customers from the prying eyes of government spies. But new revelations from former NSA contractor Edward Snowden have raised doubts about whether such services really provide as much privacy as they claim.
On Wednesday, NBC News reported that the British spy agency, GCHQ, had identified a member of the hacker group Anonymous by tracing his virtual private network.
When the hacker clicked on a link sent by an undercover spy, the spy could see the hacker's IP address and determine his name and location.
It was unclear how GCHQ found out the identity of the hacker, known online only as pOke. NBC News suggested the spy agency may have hacked into the virtual private network or asked the VPN provider, which was not named in the story, for the hacker’s personal information.
Privacy activists responded to the news by warning that virtual private networks may not be so private. "If your VPN provider retains logs and turns over user data to law enforcement, what is the point?" Christopher Soghoian, a security and privacy researcher, tweeted. Another well-known privacy researcher, Jacob Applebaum, tweeted to his followers: “Stop using #VPNs for privacy protection.”
Virtual private networks are not just for hackers trying to cover their tracks. They have been used for years for a variety of purposes, including bypassing the government’s firewall in China and securing online activity at public Wi-Fi hotspots.
Numerous startups have recently started marketing virtual private networks to individual consumers, charging between $5 and $15 per month for the promise of greater online privacy.
But before using a virtual private network, consumers should consider whether the provider retains their IP address records. “If they have records, they can be forced to hand them over" to law enforcement, Soghoian said.
In 2011, for example, the FBI arrested Cody Kretsinger, a 23-year-old from Phoenix, on charges of helping LulzSec, an offshoot of Anonymous, hack the website of Sony Pictures.
Kretsinger had used a virtual private network provider called “Hide My Ass," based in London. But the FBI traced the attack against Sony to an IP address owned by the VPN provider, then forced the company to turn over chat logs with a court order, leading to Kretsinger's arrest. Last year, Kretsinger was sentenced to one year in prison.
After Kretsinger's arrest, Hide My Ass defended itself in a blog post, saying its service “is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).”
“It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences," the company wrote.
Kent Lawson, president of Private WiFi, said his company does not keep logs of customer activities. “Therefore, if we were ever subpoenaed (which we have not been, yet) we would simply respond that we have no such information,” he said.
Adrian Crismaru, the owner of HideIPVPN, said his company keeps only three days of customer activity logs, and only for troubleshooting purposes, in order "to protect our customers from NSA."
Faceless.me did not respond to a request for comment.
Earlier this month, HideIPVPN and Faceless.me were named by the website Torrentrfreak as among about 20 VPN services that "take your anonymity seriously." A full list can be found here.
With numerous VPN providers competing for the claim of being NSA- or FBI-proof, some have sought to clear up misconceptions that virtual private networks guarantee total privacy and anonymity.
“The people behind the VPN server are the ones in control," Tomás Touceda, the privacy officer at SpiderOak, a data storage company, said in a recent blog post. "Privacy and anonymity do NOT go hand in hand with VPNs, and that’s the end of the story. "