Search the Community

Showing results for tags 'privacy'.

  1. malakai1911

    Comprehensive Security Guide

    NOTE: As of 1/1/2019 this guide is out of date. Until parts are rewritten, consider the below for historical reference only.

    i. Foreword

    The primary purpose of this guide is to offer a concise list of best-of-breed software and advice on selected areas of computer security. The secondary purpose of this guide is to offer limited advice on other areas of security. The target audience is an intermediately skilled user of home computers. The software listed is the freeware version when possible, or has a free version available. If there is no free version available for a particular product, it is noted with the "$" symbol. The guide is as well formatted as I could make it, within the confines of a message board post.

    ii. Table of Contents

    i. Foreword
    ii. Table of Contents
    1. Physical Security
      a. Home
      b. Computer
      c. Personal
    2. Network Security
      a. Hardware Firewall
      b. Software Firewall
    3. Hardening Windows
      a. Pre-install Hardening
      b. Post-install Hardening
      c. Alternative Software
      d. Keep Windows Up-To-Date
    4. Anti-Malware
      a. Anti-Virus
      b. HIPS / Proactive Defense
      c. Malware Removal
    5. Information and Data Security
      a. Privacy / Anonymity
      b. Encryption
      c. Backup, Erasure and Recovery
      d. Access Control (Passwords, Security Tokens)
    6. Conclusion

    1. Physical Security

    I just wanted to touch on a few things in the realm of physical security; you should investigate physical and personal security in places other than here.

    a. Home

    How would you break in to your own home? Take a close look at your perimeter security and work inwards. Make sure fences or gates aren't easy to climb over or bypass. The areas outside your home should be well lit, and motion sensor lights and walkway lights make nice additions to poorly lit areas. If possible, your home should have a security system featuring hardwired door and window sensors, motion detectors, and audible sirens (indoor and outdoor). Consider integrated smoke and carbon monoxide detectors for safety. Don't overlook monitoring services, so the police or fire department can be automatically called during an emergency.

    Invest in good locks for your home; I recommend Medeco and Schlage Primus locks highly. Both Medeco and Schlage Primus locks are pick-resistant, bump-proof, and have key control (restricted copying systems). Exterior doors should be made of steel or solid-core wood, and each should have locking hardware (locking doorknob or handle), an auxiliary lock (mortise deadbolt) with a reinforced strike plate, and a chain.

    Consider a fireproof (and waterproof) safe for the storage of important documents and valuables. A small safe can be carried away during a robbery and simply opened at another location later, so be sure to get a safe you can secure to a physical structure (in-wall, in-floor, or secured to something reasonably considered immovable). You may be able to hide or obscure the location of your safe in order to obtain some additional security, but don't make it cumbersome for yourself to access.

    b. Computer

    Computers are easy to just pick up and take away, so the only goal you should have is to deter crimes of opportunity. For desktop computers, an attacker may not be interested in the entire computer, but perhaps just an expensive component (video card) or your data (hard drive); for that I suggest a well-built case with a locking side and locking front panel. There are a variety of case security screws available (I like the ones from Enermax (UC-SST8) as they use a special tool), or you can use screws with less common bits (such as tamper resistant Torx screws) to secure side panels and computer components. There are also cable lock systems available for desktop computers to secure them to another object.

    For laptop computers, you are going to be primarily concerned about a grab-and-go type robbery. There are a variety of security cables available from Kensington, which lock into the Kensington lock slot found on nearly all laptops, which you can use to secure it to another object (a desk or table, for example). Remember though, even if it's locked to something with a cable, it doesn't make it theft-proof, so keep an eye on your belongings.

    c. Personal

    Always be aware of your surroundings. Use your judgment: if you feel an area or situation is unsafe, avoid it altogether or get away as quickly and safely as possible. Regarding hand to hand combat, consider a self-defense course. Don't screw around with traditional martial arts (Karate, Aikido, Kung-Fu), and stay away from a McDojo. You should consider self-defense techniques like Krav Maga if you are serious about self defense in a real life context. I generally don't advocate carrying a weapon on your person (besides the legal mess that may be involved with use of a weapon, even for self-defense, an attacker could wrestle away a weapon and use it against you). If you choose to carry any type of weapon on your person for self-defense, I advise you to take a training course (if applicable) and to check with and follow the laws within the jurisdiction in which you decide to possess or carry such weapons.

    Dealing with the Police

    Be sure to read Know Your Rights: What to Do If You're Stopped by the Police, a guide by the ACLU, and apply it. Its advice is for within the jurisdiction of the US but may apply generally elsewhere; consult with a lawyer for legal advice. You should also watch the popular video "Don't talk to the police!" by Prof. James Duane of the Regent University Law School for helpful instructions on what to do and say when questioned by the police: (Mirror: regent.edu)

    Travelling Abroad

    Be sure to visit the State Department or Travel Office for your home country before embarking on a trip abroad. Read any travel warnings or advisories; they are a wealth of information for travelers (offering guides, checklists, and travel advice): (US, UK, CA).

    2. Network Security

    As this is a guide geared towards a home or home office network, the central theme of network security is going to be focused around having a hardware firewall behind your broadband modem, along with a software firewall installed on each client. Since broadband is a 24/7 connection to the internet, you are constantly at risk of attack, making both a hardware and software firewall absolutely essential.

    a. Hardware Firewall

    A hardware firewall (router) is very important. Consider the hardware firewall as your first line of defense. Unfortunately, routers (usually) aren't designed to block outbound attempts from trojans and viruses, which is why it is important to use a hardware firewall in conjunction with a software firewall. Be sure that the firewall you choose features SPI (Stateful Packet Inspection).

    Highly Recommended

    I recommend Wireless AC (802.11ac) equipment, as it is robust and widely available. Wireless AC is backwards compatible with the earlier Wireless N (802.11n), G (802.11g) and B (802.11b) standards. 802.11ac supports higher speeds and longer distances than the previous standards, making it highly attractive. I generally recommend wireless networking equipment from Ubiquiti or Asus. Use WPA2/WPA with AES if possible, and a passphrase with a minimum of 12 characters. If you are really paranoid, use a strong random password and remember to change it every so often.

    Alternatives

    A spare PC running SmoothWall or IPCop, with a pair of NICs and a switch, can be used to turn a PC into a fully functional firewall.

    b. Software Firewall

    A software firewall nicely complements a hardware firewall such as those listed above. In addition to protecting you from inbound intrusion attempts, it also gives you a level of outbound security by acting as a gateway for applications looking to access the internet. Programs you want can access the internet, while ones you don't are blocked. Do not use multiple software firewalls simultaneously. You can actually make yourself less secure by running two or more software firewall products at once, as they can conflict with one another. Check out the Matousec Firewall Challenge for a comparison of leak tests among top firewall vendors. Leaktests are an important way of testing outbound filtering effectiveness.

    Highly Recommended

    Comodo Internet Security - Comodo is an easy to use, free firewall that provides top-notch security. I highly recommend this as a first choice firewall. While it includes Antivirus protection, I advise installing it as firewall-only and using an alternate Antivirus.

    Alternatives

    Agnitum Outpost Firewall Free - A free personal firewall that is very secure. Be sure to check out the Outpost Firewall Forums, to search, and ask questions if you have any problems.

    Online Armor Personal Firewall Free - Online Armor Personal Firewall makes another great choice for those who refuse to run Comodo or Outpost.

    3. Hardening Windows

    Windows can be made much more secure by updating its components, and changing security and privacy related settings.

    a. Pre-install Hardening

    Pre-install hardening has its primary focus on integrating the latest available service packs and security patches. Its secondary focus is applying whatever security setting tweaks you can integrate. By integrating patches and tweaks, you will be safer from the first boot.

    Step 1 - Take an original Windows disc (Windows 7 or later) and copy it to a folder on your hard drive so you can work with the install files.
    Step 2 - Slipstream the latest available service pack. Slipstreaming is a term for integrating the latest service pack into your copy of Windows.
    Step 3 - Integrate the latest available post-service pack updates. This can be done with a utility such as nLite or vLite, and post-service pack updates may be available in an unofficial collection (such as the RyanVM Update Pack for XP).
    Step 4 - Use nLite (Windows 2000/XP) or vLite (Windows Vista/7) to customize your install. Remove unwanted components and services, and use the tweaks section of nLite/vLite to apply some security and cosmetic tweaks.
    Step 5 - Burn your newly customized CD, and install Windows. Do not connect the computer to a network until you install a software firewall and anti-virus.

    b. Post-Install Hardening

    If you have followed the pre-install hardening section, then your aim will be to tweak settings to further lock down Windows. If you hadn't installed from a custom CD, you will need to first update to the latest service pack, then install incremental security patches to become current. After updating, you'll then disable unneeded Windows services, perform some security tweaks, and use software such as xpy to tweak privacy options.

    Disable Services

    Start by disabling unneeded or unnecessary services. By disabling services you will minimize potential security risks, and use fewer resources (which may make your system slightly faster). Some good guides on disabling unnecessary services are available at Smallvoid: Windows 2000 / Windows XP / Windows Vista. Some commonly disabled services: Alerter, Indexing, Messenger, Remote Registry, TCP/IP NetBIOS Helper, and Telnet.

    Security Tweaks

    I highly recommend using a strong Local Security Policy template as an easy way to tweak Windows security options, followed by the registry. Use my template (security.inf) to easily tweak your install for enhanced security (Windows 2000/XP/Vista/7):

    1. Save the following attachment: (Download Link Soon!)
    2. Extract the files.
    3. Apply the Security Policy automatically by running the included "install.bat" file.
    4. (Optional) Apply your policy manually using the following command: [ secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf>\<template>.inf" ], then refresh your policy using the following command: [ secedit /refreshpolicy machine_policy ] (Windows 2000), [ gpupdate ] (Windows XP/Vista/7)

    This template will disable automatic ("administrative") Windows shares, prevent anonymous log on access to system resources, disable (weak) LM Password Hashes and enable NTLMv2, disable DCOM, harden the Windows TCP/IP Stack, and much more. Unfortunately my template can't do everything; you will still need to disable NetBIOS over TCP (NetBT), enable Data Execution Prevention (AlwaysOn), and perform other manual tweaks that you may use.

    Privacy Tweaks

    xpy (Windows 2000/XP) and vispa (Windows Vista/7) - These utilities are great for modifying privacy settings. They supersede XP AntiSpy because they include all of XP AntiSpy's features and more. You should use them in conjunction with the security tweaks I've listed above.

    c. Alternative Software

    Another simple way of mitigating possible attack vectors is to use software that is engineered with better or open security processes. These products are generally more secure and offer more features than their Microsoft counterparts.

    Highly Recommended

    Google Chrome (Web Browser)
    Mozilla Thunderbird (Email Client)
    OpenOffice.org (Office Suite)

    Alternatives

    Mozilla Firefox (Web Browser)
    Google Docs (Online) (Office Suite)

    Firefox Additions

    Mozilla has a Privacy & Security add-on section. There are a variety of add-ons that may appeal to you (such as NoScript). And although these aren't strictly privacy related, I highly recommend the AdBlock Plus add-on, with the EasyList and EasyPrivacy filtersets.

    d. Keep Windows Up-To-Date

    Speaking of keeping up-to-date, do yourself a favor and upgrade to at least Windows XP (for older PCs) and Windows 7 (or later) for newer PCs. Be sure to keep up-to-date on your service packs; they're a comprehensive collection of security patches and updates, and some may add minor features.

    Microsoft Windows Service Packs
    Windows 2000 Service Pack 4 with Unofficial Security Rollup Package
    Windows XP Service Pack 3 with Unofficial Security Rollup Package
    Windows XP x64 Service Pack 2 with Unofficial Security Rollup Package
    Windows Vista Service Pack 2
    Windows 7 Service Pack 1

    Microsoft Office Service Packs
    Office 2000 Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
    Office XP (2002) Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
    Office 2003 Service Pack 3 with the Office 2007 Compatibility Pack (SP3) and Office File Validation add-in.
    Office 2007 Service Pack 3 with the Office File Validation add-in.
    Office 2010 Service Pack 1

    After the service pack, you still need to keep up-to-date on incremental security patches. Windows supports Automatic Updates to automatically update itself. However, if you don't like Automatic Updates: you can use Windows Update to update Windows periodically (must use IE5 or greater, must have the BITS service enabled), or you can use MS TechNet Security to search for and download patches individually, or you can use AutoPatcher, an unofficial updating utility.

    In addition to security patches, remember to keep virus definitions up-to-date (modern virus scanners support automatic updates so this should not be a problem), and stay current with the latest program versions and updates, including your replacement internet browser and mail clients.

    4. Anti-Malware

    There are many dangers lurking on the internet: trojans, viruses, spyware. If you are a veteran user of the internet, you've probably developed a sixth sense when it comes to avoiding malware, but I advocate backing up common sense with reliable anti-malware software.

    a. Anti-Virus

    Picking a virus scanner is important. I highly recommend Nod32, but there are good alternatives these days. Check out AV Comparatives for a comparison of scanning effectiveness and speed among top AV vendors.

    Highly Recommended

    Nod32 Antivirus $ - I recommend Nod32 as a non-free Antivirus. Features excellent detection rates and fast scanning speed. Nod32 has a great heuristic engine that is good at spotting unknown threats. Very resource-friendly and historically known for using less memory than other AVs. There is a 30 day free trial available.

    Alternatives

    Avira AntiVir Personal - I recommend Avira as a free Antivirus. Avira is a free AV with excellent detection rates and fast scanning speed. (Kaspersky no longer recommended, due to espionage concerns.)

    Online-Scanners

    Single File Scanning: Jotti Online Malware Scan or VirusTotal - These scanners can run a single file through a large number of different Antivirus/Antimalware suites in order to improve detection rates. Highly recommended.

    Whole PC Scanning: ESET Online Scanner - Nod32 Online Antivirus is pretty good; ActiveX though, so IE only. There is a beta version available that works with Firefox and Opera.

    b. HIPS / Proactive Defense

    Host-based intrusion prevention systems (HIPS) work by disallowing malware from modifying critical parts of the Operating System without permission. Classic (behavioral) HIPS software will prompt the user for interaction before allowing certain system modifications, allowing you to stop malware in its tracks, whereas Virtualization-based HIPS works primarily by sandboxing executables. Although HIPS is very effective, the additional setup and prompts are not worth the headache for novice users (who may take to just clicking 'allow' to everything and defeating the purpose altogether). I only recommend HIPS for intermediate or advanced users that require a high level of security.

    Highly Recommended

    I highly recommend firewall-integrated HIPS solutions. Comodo Defense+ is a classic HIPS built into Comodo Internet Security, and provides a very good level of protection. Outpost and Online Armor provide their own HIPS solutions, and the component control features of the firewalls are powerful enough to keep unwanted applications from bypassing or terminating the firewall. If you want to use a different HIPS, you can disable the firewall HIPS module and use an alternative below.

    Alternatives

    Stand-alone HIPS solutions are good for users who either don't like the firewall built-in HIPS (and disable the firewall HIPS), or use a firewall without HIPS features.

    HIPS based on Behavior (Classic)
    ThreatFire - ThreatFire provides a strong, free behavioral HIPS that works well in conjunction with Antivirus and Firewall suites to provide additional protection.

    HIPS based on Virtualization
    DefenseWall HIPS $ - DefenseWall is a strong and easy-to-use HIPS solution that uses sandboxing for applications that access the internet.
    GeSWall Freeware - GeSWall makes a nice free addition to the HIPS category; like DefenseWall it also uses sandboxing for applications that access the internet.

    Dealing with Suspicious Executables

    You can run suspicious executables in a full featured Virtual Machine (such as VMware) or using a standalone sandbox utility (such as Sandboxie) if you are in doubt of what it may do (though, you may argue that you shouldn't be running executables you don't trust anyway). A more advanced approach to examining a suspicious executable is to run it through Anubis, a tool for analyzing the behavior of Windows executables. It displays a useful report with things the executable does (files read, registry modifications performed, etc.), which will give you insight as to how it works.

    c. Malware Removal

    I recommend running all malware removal utilities on-demand (not resident). With a firewall, virus scanner, HIPS, and some common sense, you won't usually get to the point of needing to remove malware... but sometimes things happen, perhaps unavoidably, and you'll need to remove some pretty nasty stuff from a computer.

    Highly Recommended

    Anti-Spyware: Spybot Search & Destroy - Spybot S&D has been around a long time, and is very effective in removing spyware and adware. I personally install and use both Spybot & Ad-Aware, but I believe that Spybot S&D has the current edge in overall detection and usability.
    Anti-Trojan: Malwarebytes' Anti-Malware - Malwarebytes has a good trojan detector here, and scans fast.
    Anti-Rootkit: Rootkit Unhooker - RKU is a very advanced rootkit detection utility.

    Alternatives

    Anti-Spyware: Ad-Aware Free Edition - Ad-Aware is a fine alternative to Spybot S&D; its scanning engine is slower but it is both effective and popular.
    Anti-Trojan: a-squared (a2) Free - a-squared is a highly reputable (and free) trojan scanner.
    Anti-Rootkit: IceSword (Mirror) - IceSword is one of the most capable and advanced rootkit detectors available.

    5. Information and Data Security

    Data can be reasonably protected using encryption and a strong password, but you will never have complete and absolute anonymity on the internet as long as you have an IP address.

    a. Privacy / Anonymity

    Anonymity is elusive. Some of the following software can help you achieve a more anonymous internet experience, but you also must be vigilant in protecting your own personal information. If you use social networking sites, use privacy settings to restrict public access to your profile, and only 'friend' people you know in real life. Don't use (or make any references to) any of your aliases or anonymous handles on any websites that have any of your personal information (Facebook, Amazon, etc.). You should opt out from information sharing individually for all banks and financial institutions you do business with using their privacy policy choices. You should opt out of preapproved credit offers (US), unsolicited commercial mail and email (US, UK, CA), and put your phone numbers on the "Do Not Call" list (US, UK, CA).

    Highly Recommended

    Simply install and use Tor with Vidalia to surf the internet anonymously. It's free; the only downside is it's not terribly fast, but it has fairly good anonymity, so it's a tradeoff. Keep in mind it's for anonymity, not for security, so make sure sites you put passwords in are SSL encrypted (and have valid SSL certificates), and remember that all end point traffic can be sniffed. You can use the Torbutton extension for Firefox to easily toggle on/off anonymous browsing. POP3/IMAP and P2P software won't work through Tor, so keep that in mind.

    Portable Anonymous Browsing

    The Tor Project now has a "Zero-Install Bundle" which includes Portable Firefox and Tor with Vidalia to surf anonymously from a USB memory stick pretty much anywhere with the internet. It also includes Pidgin with OTR for encrypted IM communications. Note: These won't protect you from Trojans/Keyloggers/Viruses on insecure public terminals. Never type important passwords or log in to important accounts on a public computer unless it is absolutely necessary!

    Alternatives

    I2P functions similar to Tor, allowing you to surf the general internet with anonymity.
    IPREDator $ is a VPN that can be used to anonymize P2P/BitTorrent downloads.
    Freenet is notable, but not for surfing the general internet; it's its own network with its own content.

    b. Encryption

    For most people, encryption may be unnecessary. But if you have a laptop, or any sort of sensitive data (whether it be trade secrets, corporate documents, legal or medical documents) then you can't beat the kind of protection that encryption will offer. There are a variety of options available today, including a lot of software not listed here. A word to the wise: please, please don't fall for snake oil; use well established applications that use time tested (and unbroken) ciphers. Regardless of what software you use, the following "what to pick" charts will apply universally.

    If you have to pick an encryption cipher:
    Best: AES (Rijndael) (128-bit block size)
    Better: Twofish (128-bit block size), Serpent (128-bit block size)
    Good: RC6 (128-bit block size)
    Deprecated: Blowfish (64-bit block size), CAST5 (CAST-128) (64-bit block size), Triple-DES (64-bit block size)

    When encrypting large volumes of data, it is important to pick a cipher that has a block size of at least 128 bits. This affords you protection for up to 2^64x16 bytes (264 exabytes). 64-bit block ciphers only afford protection of up to 2^32x8 bytes (32 gigabytes), so using one as a full disk or whole disk encryption cipher is not recommended. The deprecated list is only because some of you might be stuck using software that only supports older encryption methods, so I've ordered it from what I feel is best to worst (though all three that are on there are pretty time tested and, if properly implemented, quite secure).

    If you have to pick a hash to use:
    Best: Whirlpool (512-bit)
    Better: SHA-512 (512-bit), SHA-256 (256-bit)
    Good: Tiger2/Tiger (192-bit), RIPEMD-160 (160-bit)
    Deprecated: RIPEMD-128, SHA-1, MD5.

    With all the recent advances in cryptanalysis (specifically with work on hash collisions), these days I wouldn't trust any hash that is less than 160 bits on principle. To be on the safe side, use a 192-bit, 256-bit, or 512-bit hash where available. There will be cases where your only options are insecure hashes, in which case I've ordered the "deprecated" list from best to worst (they are all varying levels of insecure). Many older hashes (MD4, MD2, RIPEMD (original), and others) are totally broken, and are not to be used.

    A quick software rundown; these applications are popular and trusted:

    Highly Recommended

    Freeware Whole Disk Encryption: TrueCrypt - Based upon E4M, TrueCrypt is a full featured disk encryption suite, and can even be run off a USB memory stick. TrueCrypt supports the whole disk encryption of Windows, with pre-boot authentication. Very nice. If you can't use whole-disk encryption (WDE), you can use the TCTEMP add-on to encrypt your swapfile, temp files and print spooler, and you can use the TCGINA add-on to encrypt your Windows home directory. (Note: TCTEMP/TCGINA is less secure than WDE, and only preferable if WDE is not an option. WDE is highly recommended.)

    Freeware PKI Encryption: GnuPG (GPG) - GnuPG provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, and encryption and decryption of documents and email messages.

    Freeware Email Encryption: Enigmail - Enigmail is truly a work of art; it integrates with GnuPG and provides seamless support for encryption and decryption of email messages, and can automatically check PGP signed documents for validity. (Enigmail requires both Mozilla Thunderbird and GnuPG)

    Alternatives

    Encryption Suite (with Whole Disk and Email Encryption): PGP Full Disk Encryption $ - PGP provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, encryption and decryption of documents and email messages, volume disk encryption, whole disk encryption, Outlook integration, and instant messenger encryption support.

    c. Backup, Erasure and Recovery

    // This section is under construction.

    Backups

    Your data might be safe from prying eyes, but what if you are affected by hardware failure, theft, flood or fire? Regular backups of your important data can help you recover from a disaster. You should consider encryption of your backups for enhanced security.

    Local Backup: Cobian Backup - Cobian Backup is a fully-featured freeware backup utility. SyncBack Freeware, Macrium Reflect Free - SyncBack Freeware and Macrium Reflect Free are feature-limited freeware backup utilities.

    Off-site Backup: SkyDrive (25GB, filesize limited to 100MB), box.net (5GB) - SkyDrive and box.net offer free online storage, useful for easy offsite backups. Be sure to utilize encrypted containers for any sensitive documents.

    Data Destruction

    It would be better to have your data residing in an encrypted partition, but sometimes that may not be possible. When sanitizing a hard drive, I recommend using a quality Block Erase tool like DBAN followed by a run-through with ATA Secure Erase if you really want a drive squeaky clean. Block erasing is good for data you can normally reach, but ATA Secure Erase can hit areas of the drive block erasers can't. As for multiple overwrite passes, there is no proof that data overwritten even one time can be recovered by professional data recovery corporations. For moderate security, a single pseudorandom block-erase pass (random-write) followed by an ATA Secure Erase pass (zero-write) is sufficient to thwart any attempts at data recovery. For a high level of security, a "DoD Short (3 pass)" block-erase pass followed by an ATA Enhanced Secure Erase will ensure no recovery is possible.

    Single-File/Free Space Erase: If you are interested in just erasing single files or wiping free space, you can use the Eraser utility.
    Block Erase: For hard drive block-erasure, use DBAN.
    ATA Secure Erase: For ATA Secure Erasing, use the CMRR Secure Erase Utility.

    CMRR Secure Erase Protocols (.pdf) http://cmrr.ucsd.edu...seProtocols.pdf
    NIST Guidelines for Media Sanitization (.pdf) - http://csrc.nist.gov...800-88_rev1.pdf

    File Recovery Software

    This is kind of the opposite of data destruction. Keep in mind no software utility can recover properly overwritten data, so if it's overwritten there is no recovery.

    Highly Recommended
    Recuva - Recuva is an easy to use GUI-based recovery utility.

    Alternatives
    TestDisk and PhotoRec - These tools are powerful command-line recovery utilities. TestDisk can recover partitions, and PhotoRec is for general file recovery.
    Ontrack EasyRecovery Professional $ - EasyRecovery is one of the best paid utilities for file recovery.

    d. Access Control (Passwords, Security Tokens)

    // This section is under construction.

    Secure Passwords

    // Section under construction.

    Your security is only as strong as its weakest password. There are a few basic rules to follow when creating a strong password.

    Length - Passwords should be at least 12 characters long. When possible, use a password of 12 or more characters, or a "passphrase". If you are limited to using fewer than 12 characters, you should try to make your password as long as allowable.
    Complexity - Passwords should have an element of complexity; a combination of upper and lowercase characters, numbers, and symbols will make your passwords much harder to guess, and harder to bruteforce.
    Uniqueness - Passwords should avoid containing common dictionary words, names, birthdays, or any identification related to you (social security, driver's license, or phone numbers for example).
    Secret - If you have a password of the utmost importance, do not write it down. Do not type passwords in plain view of another person or share them with anyone. Avoid use of the same password in multiple places.

    Security Tokens

    Security Tokens are cryptographic devices that allow for two-factor authentication.
    Google Titan
    Yubikey 5 Series

    6. Conclusion

    And here we are at the end! I would like to thank all of you for taking the time to read my guide; it's a few (slow) years in the making and I've kept it up to date. This guide is always changing, so check back from time to time.

    Revision 1.10.020
    Copyright © 2004-2012 Malakai1911, All Rights Reserved

    The information contained within this guide is intended solely for the general information of the reader and is provided "as is" with absolutely no warranty expressed or implied. Any use of this material is at your own risk; its authors are not liable for any direct, special, indirect, consequential, or incidental damages or any damages of any kind. This guide is subject to change without notice.

    Windows_Security_Template__1.10.015_.zip
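The guide's cipher chart says a 64-bit block cipher should not be used for whole-disk encryption because protection runs out after 2^32 blocks (32 GiB), while a 128-bit block is good for 2^64 blocks. That figure is the birthday bound: once roughly 2^(n/2) n-bit blocks have been produced under one key in a mode like CBC, a repeated ciphertext block becomes likely and leaks information about the plaintext. The following is an added example, not the guide author's code, that works the arithmetic for the ciphers in the chart, shows how much data can safely go under one key at a chosen collision probability, and checks the bound empirically with a toy 16-bit block. The 2^-32 rekey threshold is an assumption chosen for illustration, not a figure from the guide.

```python
"""Added example (not from the original guide): birthday-bound arithmetic behind
the advice to prefer 128-bit block ciphers for bulk and disk encryption."""
import math
import random

# Block sizes (bits) of the ciphers named in the guide's chart.
BLOCK_BITS = {
    "AES": 128, "Twofish": 128, "Serpent": 128, "RC6": 128,
    "Blowfish": 64, "CAST5": 64, "Triple-DES": 64,
}


def collision_probability(blocks, block_bits):
    """Approximate probability that `blocks` n-bit ciphertext blocks (which a
    CBC/CTR-style mode makes effectively random) contain at least one repeated
    value.  Birthday approximation: p ~= 1 - exp(-q^2 / 2^(n+1))."""
    return 1.0 - math.exp(-(blocks * blocks) / 2.0 ** (block_bits + 1))


def blocks_for_probability(block_bits, probability):
    """Inverse of collision_probability: the number of blocks at which the
    collision probability reaches `probability`."""
    return math.sqrt(-math.log(1.0 - probability) * 2.0 ** (block_bits + 1))


def rule_of_thumb_bytes(block_bits):
    """The guide's 2^(n/2) blocks limit, expressed in bytes
    (64-bit block -> 2^32 * 8 bytes = 32 GiB; 128-bit block -> 2^68 bytes)."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def bytes_before_rekey(block_bits, probability=2.0 ** -32):
    """Bytes that can be encrypted under one key before the collision
    probability exceeds `probability`.  2^-32 is an assumed conservative
    threshold for this example, not a value from the guide."""
    return blocks_for_probability(block_bits, probability) * (block_bits / 8)


def mean_blocks_to_first_repeat(block_bits=16, trials=500, seed=1):
    """Empirical check with a toy block size: draw uniformly random n-bit
    blocks until one repeats, averaged over `trials` runs.  Theory predicts
    about sqrt(pi/2 * 2^n) draws, i.e. ~320.8 for n = 16."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    total = 0
    for _ in range(trials):
        seen = set()
        count = 0
        while True:
            block = rng.getrandbits(block_bits)
            count += 1
            if block in seen:
                break
            seen.add(block)
        total += count
    return total / trials


if __name__ == "__main__":
    for name, bits in BLOCK_BITS.items():
        print(f"{name:10s} {bits:3d}-bit block: rule-of-thumb limit "
              f"{rule_of_thumb_bytes(bits) / 2 ** 30:.0f} GiB, p(collision) "
              f"at that limit = {collision_probability(2 ** (bits // 2), bits):.2f}, "
              f"rekey at p=2^-32 after {bytes_before_rekey(bits) / 2 ** 20:.1f} MiB")
    print("toy 16-bit block: mean blocks to first repeat =",
          mean_blocks_to_first_repeat(), "(theory ~320.8)")
```

Two things the numbers make plain that the chart alone does not: at the guide's own 2^(n/2) limit the collision probability is already about 0.39, so that figure is where leakage becomes likely rather than where it begins, and at a conservative 2^-32 bound a 64-bit block cipher should be rekeyed after well under 1 MiB, whereas a 128-bit block cipher is good for petabytes.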
  2. Hosting company Quadranet has asked a Florida federal court to dismiss the "VPN piracy" lawsuit that was filed by several independent film companies. The hosting company argues that it can't be held liable for the pirating activities of LiquidVPN subscribers, simply because the VPN provider happens to lease servers at Quadranet.

A group of independent film companies has taken the piracy liability issue to a new level this year. After targeting site owners and individual pirates, the makers of films such as “Hunter Killer”, “I Feel Pretty” and “Shock and Awe” started going after VPN providers.

And they didn’t stop there either. Over the past few months, several hosting companies have been sued as well. The movie companies argue that hosting services can be held liable because they offer their services to VPN providers which, in turn, have pirates among their customers.

According to the movie companies, the hosting services should have terminated their agreements with these VPN companies after repeated copyright infringement warnings. However, the hosting companies see themselves as neutral service providers, not the Internet police.

Quadranet Responds to Piracy Allegations

A few days ago, Californian hosting company Quadranet replied to the allegations in court. According to the company, the filmmakers’ complaint is a shotgun pleading, and it should be dismissed for that reason alone.

However, Quadranet also believes that the copyright infringement claims fail. The company leased servers to LiquidVPN and did indeed receive copyright infringement notices, which it forwarded to the VPN service. That should be sufficient.

Null-Routing Goes Too Far

The filmmakers suggested that the hosting company should have ‘null-routed’ the offending IP-addresses or terminated its service to LiquidVPN, but that goes too far for Quadranet.

“LiquidVPN is not a direct infringer. The only alleged direct infringers are some small portion of LiquidVPN’s customer base, who apparently utilized LiquidVPN to access BitTorrent software.

“Quadranet had no right to interfere in the relationship between LiquidVPN and its customers, effectively pulling the plug on all of LiquidVPN customers,” the hosting company notes.

At Least Two Steps Removed

The hosting company stresses that it’s at least two steps removed from any ‘involvement’ in the alleged copyright infringements. Quadranet believes it was dragged into the case for tactical leverage only, not because there’s a valid copyright infringement claim.

While some LiquidVPN customers may have shared pirated content, that doesn’t mean that a hosting company, which doesn’t even know who these customers are, should be held liable.

“Under the law, the act of simply leasing computer servers is not ‘substantial’ enough to be considered a ‘material contribution’ to the infringement, much like credit card companies are not liable when they merely process credit card payments to provide access to infringing websites,” the company argues.

0.00001% of All Revenue

The accusation that the hosting provider directly benefited from the infringing activities is refuted as well. Not only does LiquidVPN have many legitimate customers, but the associated revenue was also just a fraction of Quadranet’s income.

“Plaintiffs cannot seriously suggest otherwise, especially given that revenue from leasing servers to LiquidVPN, for example, accounted for less than 0.00001% of Quadranet’s revenue during the relevant lease period.”

Based on these and a variety of other arguments, the hosting provider asked the Florida federal court to dismiss the complaint. Shortly after the legal paperwork was posted, the court scheduled a mediation hearing, which will take place in April next year. This indicates that the case may eventually be settled in some form or another.

— A copy of Quadranet’s motion to dismiss can be found here (pdf). The documents use QI and QE to refer to different Quadranet entities; we changed these to “Quadranet” in the citations above for the sake of readability.

Hosting Company Quadranet Asks Court to Dismiss ‘VPN Piracy’ Lawsuit
  3. Ireland's Data Privacy Commissioner (DPC) has hit Facebook-owned messaging platform WhatsApp with a €225 million ($266 million) administrative fine for violating the EU's GDPR privacy regulation after failing to inform users and non-users on what it does with their data.

EU data regulators can impose maximum GDPR fines of up to €20 million (about $24.3 million) or 4% of the infringing company's annual global turnover – whichever is greater – for violating EU's privacy laws.

The fine follows an investigation started in December 2018 after the data watchdog received multiple complaints from "individual data subjects" (both users and non-users) regarding WhatsApp data processing activities.

Throughout the investigation, Ireland's DPC "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service."

"This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," the regulator explained.

WhatsApp's fine reflects the infringements the EU regulators found:

In respect of Article 5(1)(a) of the GDPR (a fine of €90 million);
In respect of Article 12 of the GDPR (a fine of €30 million);
In respect of Article 13 of the GDPR (a fine of €30 million); and
In respect of Article 14 of the GDPR (a fine of €75 million).

On top of the fine, the Irish data watchdog also ordered WhatsApp to bring its processing into compliance with GDPR's requirements by taking a range of specified remedial actions with a deadline that will expire in three months.

The decision of the Irish DPC can be found and read in full here.

Fine quadrupled after objection from other EU data regulators

What makes this fine stand out—besides its size—is the fact that eight other EU privacy regulators (including Germany, France, Hungary, Italy, Portugal, Holland, and Poland) opposed the initial €50 million fine the Irish data privacy watchdog proposed and ordered it to reassess.

This led to the fine being increased by more than four times after the Irish watchdog was forced to consider all of WhatsApp's infringements when calculating the amount of the fine.

"Following a lengthy and comprehensive investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. The DPC subsequently received objections from eight CSAs," the Irish regulator said today.

"The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021. On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC.

"This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp."

WhatsApp will appeal the decision

"WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," the company said in a statement.

"We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision."

In May, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) banned Facebook from processing WhatsApp user data until the end of August after WhatsApp said it would restrict account features for users who refuse to give up control of their data and have it shared with Facebook companies.

After the HmbBfDI ban, WhatsApp backtracked on its plans stating that "given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update."

In related news, Amazon has also been hit with a record-breaking €746 million fine in July by the Luxembourg National Commission for Data Protection (CNPD) for GDPR violations regarding its targeted behavioral advertising, the largest ever fine issued by an EU data watchdog for GDPR violations.

Amazon also told BleepingComputer that it would appeal the decision as it "strongly [disagreed] with the CNPD’s ruling."

"The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."

WhatsApp to appeal $266 million fine for violating EU privacy laws
  4. Instagram really, really wants to know your birthday

If you haven’t given Instagram your birthday, it’s about to start asking for it a whole lot more — and it’ll eventually be required for you to use the app. Instagram started requiring that new users add their birthdates in 2019, but if you had an older account, it was possible to skate by without providing that info. Now it seems that’ll become increasingly difficult.

According to the press release, Instagram will ask you for your birthday when you open the app, if you haven't already added it to your profile. You’ll be able to ignore it, but only up to a certain point — eventually, Instagram says, you’ll have to add your birthday if you want to keep using the app.

Instagram also says that if it doesn’t have your birthday, it’ll ask for it before showing you posts that are marked as sensitive. It’s been blurring sensitive content for years, but now if you want to see it, your birthday will have to be on file with Instagram.

Instagram will also ask your age before showing you sensitive content. (Image: Instagram)

The company says these efforts are part of its work to make the platform safer for young people. In May, the company formally announced that it’s working on a version of Instagram for people younger than 13 — a feature that would obviously require the platform to know people’s ages. It’s also been working on other age protections, like making it so adults couldn’t DM minors who weren’t following them or by making accounts for people younger than 16 private by default. Instagram’s birthday support page also says it uses your birthday to moderate ads. (For instance, people under 21 won’t get ads for alcohol.)

The company says, in the future, it’ll use its age detection AI to sniff out people who are lying about their ages. In July, Facebook had a blog post about this tech, saying it was analyzing comments on your birthday posts, such as “happy 21st” or “happy Quinceañera.” According to its press release, if someone says they’re above a certain age like 13 or 18, but the AI says otherwise, Instagram will have them verify their age using a variety of methods (though it doesn’t say exactly what this will look like).

Social networks have long asked you for your birthday, but having them required speaks to the growing need to make sure that kids are safe online and the feeling of invasiveness that can come with that. Snapchat users recently got a taste of the strangeness that can come when social networks have information you might not remember handing over: they discovered that the app knew the time and location they were born because they had given the info to Snapchat’s astrological profile feature — and then seemingly forgot that they’d done so.

For Instagram users, though, this likely won’t be an issue. It’s going to be hard to miss the birthday information requests.

You’ll have to tell Instagram your birthday to keep using the app
  5. As Android 12 introduces approximate location options on your Android phone, a pretty significant change is coming for both users and developers. In the past, you were only able to grant a system-wide location setting, and if you wanted to change an individual app’s location permission, it meant diving deep into your phone settings.

Apps that ask for permission to access your location get your precise location, which is usually accurate to within a couple of meters. However, the approximate location option changes this to a couple of hundred meters. This ability to choose whether to set an app’s permission to precise or approximate location is another significant step towards improved privacy.

Certain apps do not need to know your exact location, for example shopping and even weather apps. These apps can still work effectively from an approximate location. However, there will still be certain apps, such as Google Maps and Geocaching apps, that will require a precise location to work effectively.

If you are running Android 12 and download a new app, you can easily set the location permission. When running the app for the first time, you will be asked to grant location access. Now you will be able to choose ‘Approximate’ from this menu. If the app requires an exact location, you will receive a prompt notifying you and asking you to change to ‘Precise’ location.

For apps that are already installed and have previously been granted location access, you can still switch them to approximate location. To do this, you will need to navigate to your Android phone’s settings, then tap on ‘Location’ and choose which app you want to change the location permission for. Once in this menu, toggle the ‘Use Precise Location’ button off, and the app will start using approximate location instead.

Closing words

Privacy is becoming an increasing concern to smartphone users. This new feature on Android 12 lets you use the location features of apps without revealing where you are to advertisers and other third-party companies. As an Android user, I appreciate this new approximate location feature and the added privacy that it provides.

Android 12 new privacy feature lets you grant approximate location access to apps
  6. Mozilla, maker of Firefox and other products, plans to offer a Privacy Pack later this year. Mozilla Privacy Pack combines the organization's products Firefox Relay, Firefox Monitor and Mozilla VPN into a single subscription-based product. Add-on tools and services are also planned.

Some of the products are free to use at the time of writing, but Mozilla revealed plans to increase the functionality of the products to make the bundle more attractive.

Sören Hentzschel, a blogger and Mozilla contributor from Germany, discovered mockups of Mozilla Privacy Packs. The mockups provide an overview but may differ from the final product when it is released.

The price point, as displayed in the mockups, is between $9.99 and $12.99 per month. Mozilla VPN is available for $9.99 per month or $4.99 for the 12-month plan as a standalone product.

Firefox Relay, Mozilla's email forwarding service, and Firefox Monitor, the organization's data breach monitoring service, are both included in the package. Mozilla Privacy Pack customers get enhanced versions of both products.

Firefox Relay will support an unlimited number of email aliases, as opposed to the five email aliases of the free version of the product. Customers may also integrate custom domains in the product, but only as a subdomain of Mozilla's mozmail.com domain. Aliases would then be available in the form <alias>@<yourdomain>.mozmail.com.

Firefox Monitor removes the email address limit of the service. Mozilla Privacy Pack subscribers are not limited in the number of email addresses that they may add to the service. Another new feature is the "remove my data" form. Customers may order Mozilla to remove their data from websites using a new form. It is not entirely clear how this removal feature will work at this point.

Mozilla VPN, the third service that is part of the organization's Privacy Pack subscription service, does not come with extra features.

Hentzschel notes that the pack may include additional services and tools. Mozilla seems to be working on a mobile application to control all three services in a single interface. Customers may gain access to privacy guides.

Closing Words

Mozilla Privacy Pack is another commercial product by Mozilla. The organization launched Mozilla VPN some time ago in order to reduce its dependence on search engine deals.

Who is this for? Mozilla VPN customers who pay by the month may get a better deal out of the new offer. The enhanced Firefox Relay and Firefox Monitor functionality improves both services. It is unclear if the improved versions will also be available as standalone upgrades, or if they are exclusively available in the Privacy Pack.

All in all, it may be an attractive package for Firefox enthusiasts who are already using Mozilla VPN and/or the other services, or Firefox supporters, provided that the price of the product is not too high.

Mozilla's plan to offer a Privacy Pack
  7. New research shows users are willing to switch browsers for better privacy

Privacy is becoming an increasing concern for internet users worldwide, and new research from eyeo and Opera has revealed that 83 percent of users would consider switching to a different browser if it offered improved privacy protection.

To compile their new research, the German ad-filtering company and the maker of the Opera browser surveyed 2,500 global internet users to gain a better understanding of their attitudes toward privacy.

Surprisingly, the survey found that only a quarter (25%) of respondents trust their current browser with their personal information, which underlines the need for better trust and transparency.

Founder and CEO of eyeo, Till Faida, provided further insight on the survey's findings in a press release, saying:

“The research shows that internet users have quite a complex relationship with their browsers. They clearly hold them in high regard in many respects and recognise the major benefits they bring to their online experience. At the same time, users are very privacy-conscious, particularly when it comes to intrusive advertising or excessive use of tracking cookies. There’s a better balance to be struck here, where advertising remains a core element of the browsing experience, but is done in a responsible manner that respects user privacy.”

Striking the right balance

In order to protect their privacy when browsing the web, 50 percent of respondents admitted to using an ad blocker in the last month to prevent ads from being displayed, while 64 percent have made a conscious decision to delete tracking cookies.

Although more users are now leveraging ad blockers and calling for improved privacy protection, the data from eyeo and Opera's survey shows that many are willing to compromise where advertising is concerned. Of those surveyed, 35 percent acknowledge the valuable role cookies play in the internet ecosystem and 69 percent are happy to see some ads if doing so provides them with access to free news.

Faida also explained that most internet users realize that ads are necessary to help maintain a free and accessible internet. By using technologies such as ad filtering, consumers can allow noninvasive ads to appear when browsing while hiding the more annoying ones such as pop-ups or animated ads.

Those interested in making the switch to a more privacy-focused browser should check out our complete list of the best anonymous browsers, as they allow you to browse the web securely without being tracked online.

Privacy is now the most important factor when picking a browser
  8. We all know vaguely that our data has value and that privacy is not free, but after the backlash Google received for their FLoC proposal it appears the company is aiming to make the trade-off between privacy and the services your data pay for a bit more explicit.

The company has been working on a new Privacy Review page in Chrome Settings, and in the latest Chrome Canary release that section has been filled in with a page called “Review settings for search and browsing optimization.”

The page explains that if you share the site you are currently browsing with Google with the intent to allow Google to process it to “understand the browsing behaviour“, Google will reward you with:

Faster browsing: For example, proactively load specific further content based on the current page
Improved browsing: For example, suggestions in the Omnibox before you start typing
Improved Chrome using page metrics

Of course, Google is not completely honest on the page, since the company wants to understand YOUR browsing behaviour, not the nebulous 3rd person Google appears to be referring to.

We assume at some point this page will be used to gain the consent of users for targeted advertising. Google’s FLoC proposal would have used your Chrome browsing history to categorise you into a small group of similar people and then pass this data to websites so they can deliver relevant ads.

Of course, Google is not wrong in that much of the internet is funded by advertising, and being able to explicitly opt both into and out of the deal is a welcome improvement over assuming consent simply by using the browser.

via techdows

Google makes privacy trade-off more explicit in new Chrome Privacy Review settings page
  9. Every other year, Facebook announces that it has changed the settings of its web version and/or applications. This month's change is rolling out to all users of Facebook's mobile application, and its main purpose is to streamline the layout and make things easier to find, but without removing any of the previous settings.

Facebook's privacy settings were last changed in 2018. Back then, the company claimed that the new design would make "things easier to find", because settings were now found in a single place.

Today's update changes Facebook's settings page significantly. The company reduced the number of categories and decided to rename these to "more closely match people's mental models". Facebook notes its new system takes into account user expectations, so that specific settings are easier to find in the application.

The six categories that Facebook's settings page is divided into are Account, Preferences, Audience and Visibility, Permissions, Your Information, and Community Standards and Legal Policies.

And Privacy? The privacy settings have been moved to the relevant categories, to meet user expectations, according to Facebook. Facebook's research suggests that "privacy settings can be easier to find when they're presented in short, well-organized menus", and that "grouping settings based on users' mental models about which privacy topic(s) the settings address can be even more helpful".

Our research shows that using more specific and descriptive names makes settings easier to find. That’s why we’ve unbundled the Privacy Settings category and moved the settings previously contained within it into other categories. Finally, to more easily guide you through important privacy and security settings on Facebook, we’ve added another shortcut to Privacy Checkup, right at the top of the Settings landing page.

As a user of Facebook's mobile application, you will find location privacy settings under Permissions, post visibility settings under Audience and Visibility, and the activity log under Your Information. Users may also use the search tool to find specific settings, and there is the Privacy Checkup tool to make some privacy-related changes.

Closing Words

Many existing users will have difficulties finding specific settings that they accessed in previous versions of Facebook's mobile apps. Critics might argue that the redesigned settings make it more difficult for users to find and change privacy settings; tighter privacy settings may provide Facebook and third parties with less data, and that may affect the company's bottom line.

Ultimately, users need to go through all the settings one by one to make sure that they don't miss an important setting.

Facebook scatters privacy settings all over the place on mobile
  10. Amazon fined massive $888 million by EU Privacy Regulator

The Luxembourg data protection authority, the CNPD, has fined Amazon a massive $888 million for violating GDPR regulations, reports Bloomberg. Amazon is based in Luxembourg in the EU and the regulator has the power to fine Amazon up to 4% of its global revenue.

The fine is based on a 2018 complaint by French privacy rights group La Quadrature du Net, who accused Amazon of processing the data of EU citizens without their consent. They wrote:

Amazon is criticized for announcing that it is carrying out certain processing operations on personal data concerning the persons in whose name this complaint is lodged (2.2) without, however, basing this processing on one of the legal bases required by law (2.1), therefore rendering these illicit (2.3).

The news was not announced by CNPD but was confirmed by Amazon, who disclosed it in a regulatory filing today, saying it was “without merit.”

“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The original complainant is not running a victory lap yet either. “It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behaviour,” said Bastien Le Querrec, a member of La Quadrature’s litigation team, adding the group hadn’t received the decision yet.

Amazon fined massive $888 million by EU Privacy Regulator
  11. Google: Android apps must provide privacy information by April 2022

Google has announced today more details regarding their upcoming Google Play 'Safety section' feature that provides users information about the data collected and used by an Android app.

In May, Google pre-announced upcoming changes to the Google Play Store requiring app developers to share what info their apps collect, how collected data is used, and what privacy/security features the apps utilize.

This information will appear in a new 'Safety section' for each app on Google Play starting in the first quarter of 2022, allowing users to see the types of data collected by the app, its privacy policy, and security features before they install it.

Google Play safety section for an Android app (Source: Google)

Some of the information users will see for an app includes what data is collected, what data is shared with third parties, whether an app uses data encryption, whether it follows Google's Families policies, and whether it has been independently audited against global security standards.

Today, Google also announced additional policy changes that require all app developers to include a privacy policy and to disclose data used by an app's third-party libraries or SDKs.

In addition, Google provides developers an updated timeline for when they can begin submitting this information, when users can start to see the Safety section, and the deadline for developers to provide the information.

Timeline for developers (Source: Google)

Starting in October 2021, the "App privacy & security" section will become available on an app's content page in Play Console. Developers can then begin to complete the questionnaire to provide information about the data collected, security features used, and the app's privacy policy.

In early 2022, Google Play users will begin to see an app's "App privacy & security" section, including all of the data provided by the app developer. For this section to appear, the developer must have provided a privacy policy for the app.

Finally, in April 2022, all apps will be required to have a completed "App privacy & security" section, including a privacy policy. If there are unresolved issues with this section, Google Play will reject all app updates until it is complete.

Features and data usage that must be disclosed

Google's Help Center has provided developers a list of features, accessed data types, and purposes for using the data that will need to be disclosed as part of this process.

Some of the questions that developers must answer about their app's features and security practices include:

Encryption in transit: Is data collected or shared by your app encrypted in transit? You’ll have the opportunity to disclose this on your label.
Deletion mechanism: Do you provide a way for users to request deletion of their data? You’ll have the opportunity to disclose this on your label.
Families policy: Do your app's data collection practices comply with Google Play's Families Policy?
Independent security review: Are you interested in taking your app through an external security review based on a global standard? You’ll have the opportunity to have this displayed on your label.
How it’s collected: Is data collection optional or required to use the app?

Some of the data types that app developers must disclose their apps collect or share are listed below:

Location data like user approximate or precise location
Personal information like user name, phone number and email address
Financial info like user credit card number and bank account number
Health and fitness information
Photos or videos
Audio files like sound recordings and music files
Storage like files and docs
Emails or texts
Calendar information
Contacts information
Installed apps on user device
Actions in apps like page views
App performance like crash logs and performance diagnostics
Identifiers like device id

Finally, developers will need to disclose the purposes for which they use the above data, such as: app functionality required for the app to work; developer communications like reminders, notifications, promotions, and similar communications; analytics about how users use the app and how it performs; fraud prevention and security; or personalization of things like content and recommendations.

Google says they will be providing a complete list of purposes in the future.

Google: Android apps must provide privacy information by April 2022
  12. Google is working on a new Privacy Review feature in Chrome

Google has added a new feature to the Settings in their Chrome browser. The new Privacy and Security review feature, when working, will help users “review their most important privacy and security controls in one place“.

The feature can be enabled using the “Privacy Review” flag in chrome://flags but is currently non-functional, delivering only a dummy experience.

The setting is somewhat ironic given Google’s plans with FLoC to turn Chrome into an engine to spy on users and share their findings with advertisers and random websites, but fortunately for now those plans are on hold.

via Techdows

Google is working on a new Privacy Review feature in Chrome
  13. I couldn't find much information. I pay for a subscription through Private Internet Access for their VPN service. While visiting my Client Control Panel on their website, I saw the offer on the sidebar. It appears to still be in development.

Homepage: https://www.privateinternetaccess.com/

Download:
https://app.intego.com/pi/downloader.php
https://cdn1-piav.intego.com/pi/install/20210615/PrivateInternetAntivirusSetup.exe
https://anonfiles.com/dcVc3051u9/PrivateInternetAntivirusSetup_exe
14. Apple and Google’s AI wizardry promises privacy—at a cost

Upgraded data protection and less reliance on the cloud could lock users in.

Since the dawn of the iPhone, many of the smarts in smartphones have come from elsewhere: the corporate computers known as the cloud. Mobile apps sent user data cloudward for useful tasks like transcribing speech or suggesting message replies. Now Apple and Google say smartphones are smart enough to do some crucial and sensitive machine-learning tasks like those on their own.

At Apple's WWDC event this month, the company said its virtual assistant Siri will transcribe speech without tapping the cloud in some languages on recent and future iPhones and iPads. During its own I/O developer event last month, Google said the latest version of its Android operating system has a feature dedicated to secure, on-device processing of sensitive data, called the Private Compute Core. Its initial uses include powering the version of the company's Smart Reply feature built into its mobile keyboard that can suggest responses to incoming messages.

Apple and Google both say on-device machine learning offers more privacy and snappier apps. Not transmitting personal data cuts the risk of exposure and saves time spent waiting for data to traverse the internet. At the same time, keeping data on devices aligns with the tech giants' long-term interest in keeping consumers bound into their ecosystems. People who hear their data can be processed more privately might become more willing to agree to share more data.

The companies' recent promotion of on-device machine learning comes after years of work on technology to constrain the data their clouds can "see." In 2014, Google started gathering some data on Chrome browser usage through a technique called differential privacy, which adds noise to harvested data in ways that restrict what those samples reveal about individuals. Apple has used the technique on data gathered from phones to inform emoji and typing predictions and for web browsing data.

More recently, both companies have adopted a technology called federated learning. It allows a cloud-based machine-learning system to be updated without scooping in raw data; instead, individual devices process data locally and share only digested updates. As with differential privacy, the companies have discussed using federated learning only in limited cases. Google has used the technique to keep its mobile typing predictions up to date with language trends; Apple has published research on using it to update speech-recognition models.

Rachel Cummings, an assistant professor at Columbia who has previously consulted on privacy for Apple, says the rapid shift to do some machine learning on phones has been striking. "It's incredibly rare to see something going from the first conception to being deployed at scale in so few years," she says.

That progress has required not just advances in computer science but for companies to take on the practical challenges of processing data on devices owned by consumers. Google has said that its federated learning system only taps users' devices when they are plugged in, idle, and on a free Internet connection.

The technique was enabled in part by improvements in the power of mobile processors. Beefier mobile hardware also contributed to Google's 2019 announcement that voice recognition for its virtual assistant on Pixel devices would be wholly on-device, free from the crutch of the cloud. Apple's new on-device voice recognition for Siri, announced at WWDC this month, will use the "neural engine" the company added to its mobile processors to power up machine-learning algorithms.

The technical feats are impressive. It's debatable how much they will meaningfully change users' relationship with tech giants.

Presenters at Apple's WWDC said Siri's new design was a "major update to privacy" that addressed the risk associated with accidentally transmitting audio to the cloud, saying that was users' largest privacy concern about voice assistants. Some Siri commands—such as setting timers—can be recognized wholly locally, making for a speedy response. Yet in many cases transcribed commands to Siri—presumably including from accidental recordings—will be sent to Apple servers for software to decode and respond. Siri voice transcription will still be cloud-based for HomePod smart speakers commonly installed in bedrooms and kitchens, where accidental recording can be more concerning.

Google also promotes on-device data processing as a privacy win and has signaled it will expand the practice. The company expects partners such as Samsung that use its Android operating system to adopt the new Private Compute Core and use it for features that rely on sensitive data. Google has also made local analysis of browsing data a feature of its proposal for reinventing online ad targeting, dubbed FLoC and claimed to be more private. Academics and some rival tech companies have said the design is likely to help Google consolidate its dominance of online ads by making targeting more difficult for other companies.

Michael Veale, a lecturer in digital rights at University College London, says on-device data processing can be a good thing but adds that the way tech companies promote it shows they are primarily motivated by a desire to keep people tied into lucrative digital ecosystems. "Privacy gets confused with keeping data confidential, but it's also about limiting power," says Veale. "If you're a big tech company and manage to reframe privacy as only confidentiality of data, that allows you to continue business as normal and gives you license to operate."

A Google spokesperson said the company "builds for privacy everywhere computing happens" and that data sent to the Private Compute Core for processing "needs to be tied to user value." Apple did not respond to a request for comment.

Cummings of Columbia says new privacy techniques and the way companies market them add complexity to the trade-offs of digital life. Over recent years, as machine learning has become more widely deployed, tech companies have steadily expanded the range of data they collect and analyze.

There is evidence some consumers misunderstand the privacy protections trumpeted by tech giants. A forthcoming survey study from Cummings and collaborators at Boston University and the Max Planck Institute showed descriptions of differential privacy drawn from tech companies, media, and academics to 675 Americans. Hearing about the technique made people about twice as likely to report they would be willing to share data. But there was evidence that descriptions of differential privacy's benefits also encouraged unrealistic expectations. One-fifth of respondents expected their data to be protected against law enforcement searches, something differential privacy does not do. Apple's and Google's latest proclamations about on-device data processing may bring new opportunities for misunderstandings.

This story originally appeared on wired.com.
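The article says differential privacy "adds noise to harvested data in ways that restrict what those samples reveal about individuals" without showing what that means in practice. The following is an added example, not code from the article or from Apple or Google: it implements randomized response, the classic local differential privacy mechanism, on a constructed population of clients each holding one sensitive bit (think "visited site X"). Each client reports its true bit only with probability `p_truth` and otherwise a coin flip, so a single report bounds what an observer can learn to a likelihood ratio of at most e^epsilon, while the collector can still recover the population frequency from many reports. The function names and the population figures are assumptions made for this example.

```python
import math
import random

# Local differential privacy via randomized response (added example, not the
# article's or any vendor's code). The sensitive value never leaves the client
# unperturbed; the collector only ever sees the noisy report.


def randomized_response(true_bit: int, p_truth: float, rng: random.Random) -> int:
    """Report the true bit with probability p_truth, otherwise a uniformly random bit."""
    if not 0 < p_truth < 1:
        raise ValueError("p_truth must be strictly between 0 and 1")
    if rng.random() < p_truth:
        return true_bit
    return rng.randint(0, 1)


def epsilon_for(p_truth: float) -> float:
    """Privacy loss epsilon of the mechanism above.

    P(report=1 | true=1) = (1 + p) / 2 and P(report=1 | true=0) = (1 - p) / 2,
    so any single report gives an observer a likelihood ratio of at most
    (1 + p) / (1 - p) = e^epsilon between the two hypotheses about that person.
    """
    return math.log((1 + p_truth) / (1 - p_truth))


def estimate_frequency(reports, p_truth: float) -> float:
    """Unbiased estimate of the fraction of clients whose true bit is 1.

    E[report] = p * f + (1 - p) / 2, hence f = (mean(report) - (1 - p) / 2) / p.
    The result is clamped to [0, 1] because sampling noise can push it outside.
    """
    if not reports:
        raise ValueError("no reports")
    mean = sum(reports) / len(reports)
    f = (mean - (1 - p_truth) / 2) / p_truth
    return min(1.0, max(0.0, f))


def simulate(n_clients: int, true_frequency: float, p_truth: float, seed: int = 0):
    """Constructed population: each client holds one sensitive bit.

    Returns (actual fraction in the sample, estimate from noisy reports, epsilon).
    """
    rng = random.Random(seed)
    true_bits = [1 if rng.random() < true_frequency else 0 for _ in range(n_clients)]
    reports = [randomized_response(b, p_truth, rng) for b in true_bits]
    actual = sum(true_bits) / n_clients
    return actual, estimate_frequency(reports, p_truth), epsilon_for(p_truth)


if __name__ == "__main__":
    actual, est, eps = simulate(n_clients=100_000, true_frequency=0.30, p_truth=0.5)
    print(f"epsilon = {eps:.3f} (likelihood ratio per report <= {math.exp(eps):.1f})")
    print(f"true fraction = {actual:.4f}, estimate from noisy reports = {est:.4f}")
```

With `p_truth = 0.5` each report is wrong a quarter of the time, which gives epsilon = ln 3: an observer who sees one person's report can shift their belief about that person by at most a factor of three, yet across 100,000 clients the aggregate estimate lands within a fraction of a percent of the truth. The guarantee is exactly that bound on inference from the reports; it says nothing about data the same person stores unperturbed elsewhere, which is the gap behind the survey finding above.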
15. Which VPN Providers Really Take Privacy Seriously in 2021?

Choosing the right VPN can be a tricky endeavor. There are hundreds of VPN services out there, all promising to keep you private but some are more private than others. To help you pick the best one for your needs, we asked dozens of VPNs to detail their logging practices, how they handle torrent users, and what else they do to keep you as anonymous as possible.

The VPN industry is booming and prospective users have hundreds of options to pick from. All claim to be the best, but some are more privacy-conscious than others.

The VPN review business is flourishing as well. Just do a random search for “best VPN service” or “VPN review” and you’ll see dozens of sites filled with recommendations and preferred picks.

We don’t want to make any recommendations. When it comes to privacy and anonymity, an outsider can’t offer any guarantees. Vulnerabilities are always lurking around the corner and even with the most secure VPN, you still have to trust the VPN company with your data.

Instead, we aim to provide an unranked overview of VPN providers, asking them questions we believe are important. Many of these questions relate to privacy and security, and the various companies answer them in their own words. We hope that this helps users to make an informed choice. However, we stress that users themselves should always make sure that their VPN setup is secure, working correctly, and not leaking.

This year’s questions and answers are listed below. We have included all VPNs we contacted that don’t keep extensive logs or block torrent traffic on all of their servers. The order of the providers is arbitrary and doesn’t carry any value.

—

1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?
2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?
3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?
4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools (e.g. Live support, Zendesk) that hold information provided by users?
5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?
6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?
7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?
8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?
9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?
11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?
12. In which countries are your servers physically located? Do you offer virtual locations?

Important note: services that offer dedicated or fixed IP-addresses are often able to link the IP-address to the user account, irrespective of the answer to question 1.

Tip: Here’s a list of all VPN providers covered here, with direct links to the answers. Some links in this article are affiliate links.
This won’t cost you a penny more but it helps us to keep the lights on.

All VPNs – NordVPN – ExpressVPN – Private Internet Access – TorGuard – IVPN – Windscribe – VPNArea – Surfshark – Oeck – AtlasVPN – Speedify – AirVPN – Trust.Zone – SwitchVPN – Mullvad – Perfect Privacy – Hide.me – AzireVPN – Guardian

ExpressVPN

1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data content, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity.
2. Express VPN International Ltd is a British Virgin Islands (BVI) company.
3. We reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.
4. We use Zendesk for support tickets and SnapEngage for live chat support; we have assessed the security profiles of both and consider them to be secure platforms. We use Google Analytics and cookies to collect marketing metrics for our website and several external tools for collecting crash reports (only if a user opts in to sharing these reports).
5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy is always preserved.
6. Legally our company is bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. Regarding a demand that we log activity going forward: Were anyone ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold. We never store any data that could match an individual to specific network activity or behavior. Thus, we may only inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end-user with an infringing IP address, timestamp, or destination. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.
7. We do not believe in restricting or censoring any type of traffic on any of our VPN servers, including BitTorrent traffic. We do not support port forwarding.
8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, neither ExpressVPN nor any external party can link payment details entered on our website with a user’s VPN activities, including IP assignments.
9. By default, ExpressVPN automatically chooses the protocol best-suited to your network depending on a variety of factors. For example, our in-house modern protocol Lightway uses a 4096-bit CA with AES-256-GCM and ChaCha20/Poly1305 encryptions, D/TLS 1.2, and SHA256 signatures to authenticate traffic.
10. Yes, our Network Lock feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios. We do not currently support IPv6 routing through the VPN tunnel. ExpressVPN also protects users from data leaks in a number of ways.
11. Our VPN servers are hosted in trusted data centers with strong security practices, where the data center employees do not have server credentials. Leased vs co-located is not the salient factor in determining security. The efforts we take to secure our VPN server infrastructure are extensive and include (among other things) our proprietary TrustedServer technology, unique keys per server, VPN servers that don’t store user data, and carefully engineered apps and VPN servers that categorically eliminate sensitive information. We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS. ExpressVPN shared some extra details with us here.
12. ExpressVPN has over 3,000 servers in 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country. For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards, we use virtual locations. The specific countries are published on our website here.

ExpressVPN extra details

NordVPN

1. We do not keep connection logs nor timestamps that could allow us to match customers with their online activity.
2. Parent company is Nordvpn S.A., operating under the jurisdiction of Panama.
3. We use an automated tool that limits the maximum number of concurrent connections to six per customer and a system that automatically suspends the account if a specific connection pattern is recognized, e.g. hundreds of connections to different servers in a very short period of time.
This is being done in order to mitigate web scraping. Apart from that, we do not use any other tools.
4. NordVPN uses third-party data processors for emailing services and to collect basic website and app analytics. We use Iterable for correspondence, Zendesk to provide customer support, Google Analytics to monitor website and app data, as well as Crashlytics, Firebase Analytics and Appsflyer to monitor application data. All third-party services we use are bound by a contract with us to never use the information of our users for their own purposes and not to disclose the information to any third parties unrelated to the service.
5. NordVPN is a transmission service provider, operating in Panama. DMCA takedown notices are not applicable to us.
6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our no-log policy means that we do not store any information about our users’ online activity – only their email address and basic payment info. So far, we haven’t had any such cases.
7. We do not restrict any BitTorrent or other file-sharing applications on most of our servers. We have optimized a number of our servers specifically for bandwidth-hungry activities. At the moment, we do not offer port forwarding and block outgoing SMTP 25 and NetBIOS ports.
8. Our customers are able to pay via all major credit cards, regionally localized payment solutions and cryptocurrencies. Our payment processing partners collect basic billing information for payment processing and refund purposes, but that data cannot be connected to an internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details to the user identity or other personal information.
9. All our protocols are secure, however, the most advanced encryption is used by NordLynx. NordLynx is based on the WireGuard® protocol and uses ChaCha20 for encryption, Poly1305 for authentication and integrity, and Curve25519 for the Elliptic-curve Diffie–Hellman key agreement protocol.
10. We provide automatic kill switches and DNS leak protection. Dual-Stack IPv4/IPv6 functionality is not yet supported with our service; however, all NordVPN apps offer an integrated IPv6 Leak Protection.
11. Most of our servers are leased, but we are gradually increasing our collocated server network. That said, the security of our infrastructure is our top priority. To elevate our standards to a higher level, we have partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. We do have our own DNS servers, and all DNS requests travel through a VPN tunnel. Our customers can also manually set up any DNS server they like.
12. We do not offer virtual locations, our servers are located in places we state they are. At the time of writing, we have almost 6000 servers in 59 countries.

NordVPN details

Private Internet Access

1. We do not store any logs relating to traffic, session, DNS or metadata. There are no logs kept for any person or entity to match an IP address and a timestamp to a current or former user of our service. In summary, we do not log, period. Privacy is our policy.
2. Private Internet Access, Inc. is an Indiana corporation, under the parent company Kape Technologies PLC, a company listed on the London Stock Exchange.
3. We have an active, proprietary system in place to help mitigate abuse including attempts to bypass our simultaneous connection limit.
4. At the moment we are using Google Apps Suite and Google Analytics on our website only with interest and demographics tracking disabled and anonymized IP addresses enabled. We utilize DeskPro for our support team.
5. Primarily, we stress that our service is not intended to be used for illegal activities and copyright infringements and we request our users to comply with this when accepting our Terms of Use. That said, we have an active, proprietary system in place to help mitigate abuse that preserves the privacy of our customers while following the letter of the law.
6. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” While we have not received any valid court orders to identify an active or former user of service, we do periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. If forced to provide logs by a court of law, Private Internet Access has verified in court multiple times that we keep no logs. Our company would fight a court order that requires us to do any sort of logging.
7. BitTorrent and file-sharing traffic are not discriminated against or throttled. We do not censor our traffic, period. We do provide port forwarding services on some of our VPN servers, check here for the full list of PIA VPN servers that support port forwarding.
8. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Bitcoin Cash, Zcash, CashU, OKPay, PaymentWall, and even support payment using major store-bought gift cards. Payment details are only linked to accounts for billing purposes. IP assignments and other user activity on our VPN servers aren’t linkable to specific accounts or payment details because of our strict and demonstrated no-log policy.
9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256 over OpenVPN.
10.
Our users gain access to a plethora of additional tools, including but not limited to a Kill Switch, IPv6 Leak Protection, DNS Leak Protection, Shared IP System, and MACE, which protects users from malware, trackers, and ads.
11. We utilize our own bare metal servers in third-party data centers that are operated by trusted business partners with whom we have completed serious due diligence. When countries or data centers fail to meet our high privacy standards, we remove our VPN server presence as has previously happened in Brazil, South Korea, Germany, and Russia.
12. We currently operate 3,395 servers across 64 locations in 44 countries. For more information on what countries are available, please visit our PIA network page. All of our locations are physical and not virtualized.

Private Internet Access details

TorGuard

1. TorGuard has never kept or retained logs for any user. No timestamps or IP logs are kept on any VPN or authentication server. The only information TorGuard has is statistical network data which helps us to determine the load of a given server. Additionally, we now run the whole network on ramdisks.
2. TorGuard is owned by VPNetworks LLC and its parent company Data Protection Services. We operate under US jurisdiction.
3. We use custom modules in a platform called Nagios to monitor VPN/Proxy hardware utilization, uptime and latency. TorGuard does enforce an eight device per user limit in real-time and each session is immediately wiped once the user has logged out. If that user failed to log out or was disconnected accidentally, our system automatically discards these stale sessions within a few minutes.
4. We are currently migrating away from Google Apps for email. All support is handled internally and TorGuard does not utilize third-party tools for customer support.
5. If a valid DMCA takedown notice is received it would be handled by our legal team. Due to our no-log policy and shared IP network, we are unable to forward any requests to a single user.
6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our shared IP network configuration and the fact that we do not hold any identifying logs or time stamps. TorGuard’s network was designed to operate with minimum server resources and is not physically capable of retaining user logs. Due to the nature of shared VPN servers and the large traffic volume flowing through our network, it would not be possible to retain such logs.
7. Yes, torrents work on all servers except our residential and streaming IP network. TorGuard does offer port forwarding for all ports above 2048 and the only port we block outgoing is SMTP port 25 to prevent abuse.
8. We use Stripe for credit or debit card processing and utilize our own BTCPay instance for Bitcoin and Litecoin transactions. Paypal is available through Paddle. TorGuard accepts all cryptocurrency through coinpayments.net and uses Paymentwall and PayGarden for Gift Card payments. TorGuard has gone through extreme measures by heavily modifying our billing system to work with various payment providers and to help protect our users’ privacy.
9. For a high level of security, we would recommend using OpenVPN with AES-256-GCM-SHA512 using our stealth VPN protocol as an added measure through the TorGuard desktop or mobile apps.
10. Yes – our kill switch is uniquely designed to send all traffic into a *black hole* if the user loses connectivity or the app crashes for any reason. Dual-stack IPv4/IPv6 is currently in development and will be released very soon.
11. We do have servers hosted at third parties but only select a location after extensive due diligence on very specific security criteria. We encrypt all disks and run 80% so far on virtual RAM disks. We do provide secure public DNS but we also provide our internal DNS on every endpoint which queries root VPN servers directly.
12. At this time we have three virtual locations: Taiwan, Greece and Mexico. TorGuard would rather not provide any virtual locations but occasionally if we cannot find a bare-metal data center that meets our security criteria we won’t take the risk.

TorGuard website

VPNArea

1. We do not keep or record any logs. We are therefore not able to match an IP-address and a time stamp to a user of our service.
2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.
3. To prevent email spam abuse we block mail ports used for such activity, but we preemptively whitelist known and legit email servers so that genuine mail users can still receive and send their emails. To limit concurrent connections to 6, we use an in-house developed system that adds and subtracts +1 or -1 towards the user’s “global-live-connections-count” in a database of ours which the authentication API corresponds with anonymously each time the user disconnects or connects to a server. The process does not record any data about which servers the subtracting/detracting is coming from or any other data at any time, logging is completely disabled at the API.
4. We host our own email servers. We host our own Ticket Support system on our servers. The only external tools we use are Google Analytics for our website and Live Chat software.
5. DMCA notices are not forwarded to our users as we’re unable to identify a responsible user due to not having any logs or data that can help us associate an individual with an account. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.
6. This has not happened yet.
Should it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then inform the appropriate party that we’re not able to match a user to an IP or timestamp, because we’re not recording any logs.
7. BitTorrent and torrents, in general, are allowed on all our servers. We offer port forwarding only on the dedicated IP private VPN servers at the moment with the goal to allow it on shared servers too. The only ports which are blocked are those widely related to abuse, such as spam.
8. We accept PayPal, Credit/Debit cards, AliPay, Bitcoin, Bitcoin Cash, Ethereum, WebMoney, GiroPay, and bank transfers. In the case of PayPal/card payments, we link usernames to the transactions so we can process a refund. We do take active steps to make sure payment details can’t be linked to account usage or IP assignments. In the case of Bitcoin, BCH, ETH we do not link usernames to transactions.
9. We use AES-256-CBC + SHA256 cipher and RSA4096 keys on all our OpenVPN servers without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination. We also have Tor over VPN servers to provide diversity in the anonymous setup a user prefers.
10. Yes, we provide both KillSwitch and DNS Leak protection. We actively block IPv6 traffic to prevent IP leaks, so connections are enforced via IPv4. We have also created a free leak testing website where users can test their VPN connection for DNS leaks.
11. We use our own no-logs DNS servers. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.
12. All our servers are physically located in the stated countries. A list of our servers in 60+ countries is available here.

VPNArea website

AirVPN

1. No, we do not keep or share with third parties ANY data that would allow us to match an IP address and a timestamp to a current or former user of our service.
2. AirVPN in Italy. No parent company/companies.
3. No tools are used.
4. No, we do not use any external email providers, analytics, or support tools that hold information provided by users.
5. They are ignored if they pertain to P2P, they are processed, verified and handled accordingly (rejected or accepted) if they pertain to websites (or FTP services etc.) hosted behind our VPN servers.
6. a) We would co-operate to the best of our abilities, although we can’t give out information we don’t have. b) We are unable to comply due to technical problems and limitations. c) The scenario in ‘case b’ has never occurred. The scenario in ‘case a’ has occurred multiple times, but our infrastructure does not monitor, inspect or log customers’ traffic, so it is not possible to correlate customer information (if we had it) with customers’ traffic and vice-versa.
7. a) Yes, BitTorrent and other file-sharing traffic are allowed on all servers. AirVPN does not discriminate against any protocol or application and keeps its network as agnostic as possible. b) Yes, we provide remote inbound port forwarding service. c) Outbound port 25 is blocked.
8. We accept payments via PayPal and all major credit cards. We also accept Bitcoin, Ethereum, Litecoin, Bitcoin Cash, Dash, Doge, and Monero. By accepting directly various cryptocurrencies without intermediaries we get rid of privacy issues, including correlations between IP addresses and payments. By accepting Monero we also offer the option to our customers to pay via a cryptocurrency that protects transactions with a built-in layer of anonymity.
9. CHACHA20-POLY1305 and AES-256-GCM
10. We provide Network Lock in our free and open-source software. It can prevent traffic leaks (both IPv4 and IPv6 – DNS leaks included) even in case of application or system processes wrong binding, in case of UPnP caused leaks, wrong settings, WebRTC and other STUN related methods, and of course in case of unexpected VPN disconnection. b) Yes, we do provide DS IPv4/IPv6 access, including IPv6 over IPv4, pure IPv4 and pure IPv6 connections. In this way, even customers whose ISP does not support IPv6 can access IPv6 services via AirVPN.
11. We do not own our datacenters and we are not a transit provider, so we buy traffic from Tier 1, Tier 2 and only occasionally Tier 3 providers and we house servers in various datacenters. The main countermeasures are: exclusive access to IPMI etc. via our own external IP addresses or a specific VPN for the IPMI etc.; reboot inhibition; USB support eliminated from kernel; all data stored in RAM disk, and some other methods we prefer not to disclose. However, if server lines are wiretapped externally and transparently, and server tampering does not occur, there is no way inside the server to prevent, or be aware of, ongoing wiretapping. Wiretapping prevention must be achieved with other methods on the client-side (some of them are integrated into our software), for example, VPN over Tor, Tor over VPN etc.
12. NO, we do not offer virtual locations and/or VPS. We declare only real locations of real “bare metal” servers.

AirVPN website

Oeck

1. No. We do not keep any connect / disconnect timestamps or similar information. We explain exactly what we don’t log and what we monitor in our Privacy Policy.
2. Oeck Limited. We are registered in Hong Kong as the data retention laws are still in favor of VPN companies. We are however moving Oeck to Singapore as we believe Hong Kong will no longer be a safe home for VPN services in the future.
3. Though we allow account sharing for our customers, we do limit their total concurrent connections to six.
This is monitored in real-time and there is no logging of this information whatsoever. We also do ask that our customers use a designated P2P region if they are going to be doing any torrenting or other P2P activity.
4. We use AWS for our outbound email – however, email is never used for correspondence. We have a support ticket system that our customers must use in order to communicate with us, which is custom made and part of our website. Tickets are deleted 48 hours after resolution. We use Matomo for our analytics. We went down this path as Matomo is hosted by us and no other party has access to it.
5. If possible, we temporarily suspend usage of the port on the VPN node specified in the complaint. That’s all we can do, as there is no way for us to match anything to any customer. The suspension of the specified port on the specified server is lifted after 31 days.
6. This has never happened to us. However, in this event, we would only be able to provide a customer’s username, email address, and any possible billing information from our payment providers (receipts of payment, etc.). Billing information will be impossible if the customer has chosen to pay by cash. If we were forced by authorities to log activity moving forward, we would simply turn off our servers in the affected jurisdiction. We own all of our own hardware (even the routers in the datacenter) and our exit-nodes run without any storage media. We will simply turn the switch off. We also make use of a warrant canary.
7. Yes. We allow our customers to torrent via our torrent region as it is optimized for that technology. Although we do not block torrenting in our other regions, we do suggest that users use the torrent region when torrenting. We provide a very advanced port-forwarding service to all of our customers. No ports are blocked.
8. We use Stripe, PayPal and Coinbase Commerce for online payments. We also accept cash in the mail.
The only detail we have is whether a customer has paid their account or not. As far as what the payment providers log – they log everything they possibly can. We encourage payments via cash if possible.
9. We offer OpenVPN with RSA-4096 and AES-256-GCM.
10. Our apps come with a kill-switch feature. For users who choose not to use our apps and use a third-party OpenVPN client instead, we have made available SOCKS5 proxies that work just like a kill-switch. These can only be accessed via our VPN. They can be used via a browser, app, or system-wide proxy.
11. No. All of our hardware is owned by us. Even the routers are owned by us. We do not log any VPN activity. Our VPN exit-nodes do not have hard drives or other storage capabilities; everything runs off RAM. Our upstream providers do not have access to our network as our stuff begins at our own routers. We only ever use our own DNS servers.
12. We have a real-time monitor of our servers. That is a list of our available VPN regions that users can connect to. The graph displays the information on a per-region basis. This is because we node-balance our servers so users always have the best connection. Though we don’t offer virtual locations, we do offer residential IP proxies as part of our service. There are over 30 regions available and these are used for our smart routing feature.
Oeck website

Perfect Privacy
1. We do not store or log any data that would indicate the identity or the activities of a user.
2. The name of the company is VECTURA DATAMANAGEMENT LIMITED COMPANY and the jurisdiction is Switzerland.
3. The number of connections/devices at the same time is not limited because we do not track it. In case of malicious activity towards specific targets, we block IP addresses or ranges, so they are not accessible from our VPN servers. Additionally, we have limits on new outgoing connections for protocols like SSH, IMAP, and SMTP to prevent automated spam and brute force attacks. We do not use any other tools.
4. Our websites use Google Analytics to improve the quality of the user experience, and it’s GDPR compliant with anonymized IP addresses. You can prohibit tracking with just one click on a provided link in the privacy policy. If a customer has a problem with Google, he has the possibility to disable the tracking of all Google domains in TrackStop. I believe we are the only VPN provider that offers this possibility. All other solutions like email, support, and even our affiliate program are in-house software and under our control.
5. Because we do not host any data, DMCA notices do not directly affect us. However, we generally answer inquiries. We point out that we do not keep any data that would allow us to identify a user of the used IP address.
6. If we receive a Swiss court order, we are forced to provide the data that we have. Since we don’t log any IP addresses, timestamps or other connection-related data, the only step on our side is to inform the inquiring party that we do not have any data that would allow the identification of a user based on that data. Should we ever receive a legally binding court order that would require us to log the activity of a user going forward, we’d rather shut down the servers in the country concerned than compromise our users’ privacy. There have been incidents in the past where Perfect Privacy servers have been seized, but no user information was compromised that way. Since no logs are stored in the first place and additionally all our services are running within RAM disks, a server seizure will never compromise our customers. Although we are not subject to US-based laws, there’s a warrant canary page available.
7. With the exception of our US servers and French servers, BitTorrent and other file-sharing software is allowed. We offer port forwarding and do not block any ports.
8. We offer Bitcoin, PayPal and credit cards for users who prefer these options, and over 60 other payment methods.
Of course, it is guaranteed that payment details are not associated with any IP addresses. The only thing you know about a person is that he or she is a customer of Perfect Privacy and which email address was used.
9. The most secure protocol we recommend is still OpenVPN with 256-bit AES-GCM encryption. With our VPN Manager for Mac and Windows you also have the possibility to create cascades over four VPN servers. This Multi-Hop feature works tunnel in tunnel. If you choose countries for the hops which are known not to cooperate with each other, well, you get the idea. On top of that, you can activate our NeuroRouting feature, which changes the routing depending on the destination of the visited domain and dynamically selects different hops for the outgoing server to ensure it is geographically close to the visited server.
10. Yes, our servers support full Dual Stack IPv4/IPv6 functionality, even when your ISP does not support IPv6. Our VPN Manager has a “kill switch” which has configurable protection with three security levels.
11. We run dedicated bare-metal servers in various data centers around the world. While we have no physical access to the servers, they are all running within RAM disks only and are fully encrypted.
12. Currently, we offer servers in 25 countries worldwide. All servers are located in the city displayed in the hostname – there are no virtual locations. For full details about all server locations, please check our server status site as we are constantly adding new servers.
Perfect Privacy website

SwitchVPN
1. No, SwitchVPN does not store any logs which would allow anyone to match an IP address and a time stamp to a current or former user of our services.
2. Our company name is “CS SYSTEMS, INC” and it comes under United States jurisdiction.
3. We pro-actively take steps to mitigate abuse of our service/servers by implementing certain firewall rules, such as blocking default SMTP ports which are likely to be abused by spammers.
4.
We use Chatra for providing Live Chat and our web-based ticketing system, which is self-hosted. No personal information is collected.
5. SwitchVPN is a transitory digital network communications service as per 17 U.S.C. § 512(a) of the Copyright Act. So in order to protect the privacy of our users we use shared IP addresses, which makes it impossible to pinpoint any specific user. If the copyright holder only provides us with an IP address as identifying information, then it is impossible for us to associate a DMCA notice with any of our users.
6. There have been no court orders since we started our operation in 2010, and as we do not log our users’ sessions and we utilize shared IP addresses, it is not possible to identify any user solely based on timestamps or IP addresses. Currently, there are no mandatory data logging requirements in the United States, but in case the situation changes, we will migrate our company to another privacy-friendly jurisdiction.
7. Yes, we have P2P optimized servers that provide dynamic port forwarding. It can be easily filtered in our VPN application.
8. We accept all major payment methods such as Credit Card, PayPal, Bitcoin and other Crypto Currencies. We use shared IPs and every account is assigned an alias username for connecting to the VPN server.
9. SwitchVPN utilizes AES-256-bit encryption with SHA512 Authentication Channel by default.
10. Yes, Kill Switch & DNS Leak protection is provided in our Windows and Mac application. Currently, we only support IPv4.
11. Before we get into an agreement with any third party, we make sure the company does not have any poor history for privacy and we make sure the company is in line with our privacy requirements for providing our users with a no-log VPN service. We also use our own DNS servers to anonymize all DNS requests.
12. All of our servers are physically located in the countries we have mentioned; we do not use virtual locations.
SwitchVPN website

Hide.me
1. No, we don’t keep any logs.
We have developed our system with an eye on our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.
2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.
3. We do not limit or monitor individual connections. To mitigate abuse, we deploy general firewall rules on some servers that apply to specific IP ranges.
4. Our website does not include third-party tracking tools. For live support, we embed Zendesk in a privacy-friendly two-click solution, so it does not load by default and no personal data is shared.
5. Since we don’t store any logs and/or host infringing copyright material on our services, we’ll reply to these notices accordingly.
6. Although it has never happened, in such a scenario we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs, and there is no way we could link any particular cyber activity to any particular user. In case we are forced to store user logs, we would prefer to close down rather than putting at stake our users who have put their trust in us.
7. There is no effective way of blocking file-sharing traffic without monitoring our customers, which is against our principles and would even be illegal. Usually, we only recommend our customers to avoid the US & UK locations for file-sharing, but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.
8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash, Monero, PayPal, credit cards and bank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the user’s VPN account/activity.
After the payment is completed, the temporary payment ID will be permanently removed from the database.
9. After all, modern VPN protocols that we all support – like WireGuard, IKEv2, OpenVPN, SoftEtherVPN, and SSTP – are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.
10. Our desktop client supports security features such as Multihop Double VPN, Kill Switch, Firewall to limit apps to VPN, Firewall to limit all connections to VPN, Split Tunnel, Auto Connect, Auto Reconnect, etc., which makes sure that the connection is always secure. Above all, we have put in some additional layers of security, which include default protection against IP and DNS leaks. Hide.me is one of the few VPN providers that supports Dual Stack IPv4 and IPv6, so our customers do not need to worry about potential IP leaks.
11. We operate our own non-logging DNS servers to protect our customers from DNS hijacking and similar attacks. We do not own physical hardware, but in any case there is intrusion detection and various other security measures in place to ensure the integrity and security of all our individual servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person could access our servers. Among our reputable partners are NFOrce, M247, Psychz Networks and many more. Similar to Apple’s private relay, our dynamic Multihop Double VPN feature allows routing the tunnel connection over multiple server locations. Neither the incoming nor the outgoing server can match users’ activity, which provides an extra layer of security.
12. Our servers are located in countries all over the world.
Hide.me website

Trust.Zone
1. Trust.Zone doesn’t store any logs.
Therefore, we have no data that could be linked and attributed to a current or former user. All we need from customers is an email to sign up.
2. Trust.Zone is under Seychelles jurisdiction. The company is operated by Internet Privacy Ltd.
3. Our system can understand how many active sessions a given license has at a given moment in time. This counter is temporarily placed in RAM and never logged or saved anywhere.
4. Trust.Zone has never used any third-party tools like Google Analytics, live chat platforms, support tools or other.
5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Trust.Zone is under offshore jurisdiction, outside the 14 Eyes Surveillance Alliance. There is no data retention law in Seychelles.
6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone supports a Warrant Canary. Trust.Zone has not received or been subject to any searches, seizures of data, or requirements to log any actions of our customers.
7. BitTorrent and file-sharing traffic is allowed on all Trust.Zone servers. Moreover, we don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers or any type of traffic whatsoever. We offer port forwarding to increase download speeds for torrents.
8. All major credit cards are accepted. PayPal, Alipay, wire transfer, and many other types of payments are available. As we don’t store any logs, there is no way to link payment details with a user’s internet activity.
9. We use the most recommended protocols in the VPN industry – IKEv2/IPSec, OpenVPN. We also support WireGuard and our own protocol, which is faster than OpenVPN and also includes Perfect Forward Secrecy (PFS). Trust.Zone uses AES-256 Encryption by default.
10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with the ability to use our DNS to avoid any DNS leaks.
All features listed above are also available with a 30-day Free Plan. Trust.Zone does not support IPv6 to avoid any leaks. We also provide users with additional recommendations to be sure that there are no DNS leaks or IP leaks.
11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have physical access to them. In locations with lower utilization, we normally host with third parties. But the most important point is that in this case we use dedicated servers only, with full control by our network administrators. DNS queries go through our own DNS servers.
12. We are operating with 200+ dedicated servers in 100+ geo-zones and are still growing. We also provide users with dedicated IP addresses and port forwarding. The full map of the server locations is available here.
Trust.Zone website

Windscribe
1. No.
2. Windscribe Limited. Ontario, Canada.
3. Byte count of all traffic sent through the network in a one-month period, as well as a count of parallel connections at any given moment.
4. No. Everything is self-hosted.
5. Our transparency policy is available here.
6. Under Canadian law, a VPN company cannot be compelled to wiretap users. We can be legally compelled to provide the data that we already have (as per our ToS) and we would have to comply with a valid Canadian court order. Since we do not store any identifying info that can link an IP to an account, emails are optional to register, and the service can be paid for with cryptocurrency, none of what we store is identifying.
7. We allow P2P traffic in most locations. Yes, we provide port forwarding for all Pro users. Only ports above 1024 are allowed.
8. Stripe, PayPal, Coinpayments, Paymentwall. IP addresses of users are not stored or linked to payments.
9. The encryption parameters are similar for all protocols we support: AES-256 cipher with SHA512 auth and a 4096-bit RSA key.
We recommend using IKEv2, as it’s a kernel-space protocol that is faster than OpenVPN in most cases. We also support WireGuard.
10. Our desktop apps have a built-in firewall that blocks all connectivity outside of the tunnel. They also have split routing (per process, or network level), MAC address spoofing, and external DNS server support. In the event of a connection drop, it fails closed – nothing needs to be done. The firewall protects against all leaks: IPv4, IPv6 and DNS. We only support IPv4 connectivity at this time.
11. We lease servers in over 150 different datacenters worldwide. Some datacenters deploy network monitoring for the purposes of DDoS protection. We request to disable it whenever possible, but this is not feasible in all places. Even with it in place, since most servers have dozens/hundreds of users connected to them at any given moment, your activity gets “lost in the crowd”. Each VPN server operates a recursive DNS server and performs all DNS resolution locally.
12. Our server overview is available here. We don’t offer virtual locations.
Windscribe website

Mullvad
1. No, all details are explained in our no-logging data policy.
2. Mullvad VPN AB – Swedish. The parent company is Amagicom AB – Swedish.
3. We mitigate abuse by blocking the usage of ports 25, 137, 139, and 445 due to email spam and Windows security issues. OpenVPN: Number of connections: Each VPN server reports to a central service. When a customer connects to a VPN server, the server asks the central service to validate the account number, whether or not the account has any remaining time, if the account has reached its allowed number of connections, and so on. Everything is performed in temporary memory only; none of this information is permanently stored on disk. WireGuard: Number of connections: Each VPN server reports public keys connected to a central service. If a key is abused, it will be revoked.
Our servers send two types of data to our monitoring system: aggregated application data, such as the total number of current VPN connections, and generic system metrics, such as CPU load per core and total bandwidth used by the server. We log the total sum of each of these statistics in order to monitor the health of each individual VPN server. We ensure that the system isn’t overloaded, and we monitor the servers for potential attacks, bugs, and network issues. We also monitor the real-time state of total connections per account as we only allow five simultaneous connections. As we do not save this information, we cannot, for example, tell you how many connections your account had five minutes ago. For WireGuard we have a limit of a maximum of 5 keys (i.e. 5 devices).
4. We have no external elements at all on our website. We do use an external email provider; for those who want to email us, we encourage them to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.
5. As explained here, there is no such Swedish law that is applicable to us.
6. From time to time, we are contacted by governments asking us to divulge information about our customers. Given that we don’t store activity logs of any kind, we have no information to give out. Worst-case scenario: we would discontinue the servers in the affected countries. The only information AT ALL POSSIBLE for us to give out is records of payments, since these are stored at PayPal, banks etc.
7. All traffic is treated equally, therefore we do not block or throttle BitTorrent or other file-sharing protocols. Port forwarding is allowed. Ports 25, 137, 139, and 445 are blocked due to email spam and Windows security issues.
8. We accept cash, Bitcoin, Bitcoin Cash, bank wire, credit card, PayPal, GiroPay, Eps transfer, Bancontact, IDEAL, Przelewy24 and Swish. We encourage anonymous payments via cash or one of the cryptocurrencies.
We run our own full node in each of the blockchains and do not use third parties for any step in the payment process, from the generation of QR codes to adding time to accounts. Our website explains how we handle payment information.
9. We offer OpenVPN with RSA-4096 and AES-256-GCM. And we also offer WireGuard, which uses Curve25519 and ChaCha20-Poly1305.
10. We offer a kill switch and DNS leak protection, both of which are supported for IPv6 as well as IPv4. While the kill switch is only available via our client/app, we also provide a SOCKS5 proxy that works as a kill switch and is only accessible through our VPN.
11. At 12 of our locations (4 in Sweden, 1 in Denmark, 1 in Amsterdam, 1 in Norway, 1 in the UK, 1 in Finland, 1 in Germany, 1 in Paris, 1 in Zurich) we own and have physical control over all of our servers. In our other locations, we rent physical, dedicated servers and bandwidth from carefully selected providers. Keep in mind that we have 3 locations in the UK and 3 in Germany; the servers we physically own are the ones hosted by 31173.se (they start with gb-lon-0* and de-fra-0*, and gb4-wireguard, gb5-wireguard, de4-wireguard and de5-wireguard). Yes, we use our own DNS servers. All DNS traffic routed via our tunnel is hijacked; even if you accidentally select another DNS, our DNS will be used anyhow. Except if you have set up DNS over HTTPS or DNS over TLS, or if you use a custom DNS in our app.
12. We don’t have virtual locations. All locations are listed here.
Mullvad website

Surfshark
1. We do not keep any logs, data, timestamps, or any other kind of information that would enable anyone to identify either current or former users of our service.
2. Surfshark is a registered trademark of Surfshark Ltd., a company registered in the British Virgin Islands (BVI). Surfshark Ltd. is not a subsidiary of any other company.
3. We do not limit the number of simultaneous connections.
We have two safeguards against abuse of our service: our Terms of Service has a clause on Fair Usage Policy; if this policy is intentionally violated, we have an automated network maintenance system that indicates the abnormalities in server load and can limit an immoderate number of devices simultaneously connected to one session, to make sure that none of our customers are affected by the potentially deteriorated quality of our services.
4. We do not use any Alphabet Inc. products except for Google Analytics, which is used to improve our website performance for potential customers. For live 24/7 customer support and ticketing service, we use the industry-standard Zendesk. For our communication, we use the secure email system Hushmail. For transactional and user communication, we use Iterable. These third-party services have no access to any other kind of user information outside the scope of the one specified in our Privacy Policy. Also, we have legally binding agreements with all third-party service providers to not disclose any of the information they have to anyone outside the scope of the services they provide to us.
5. DMCA takedown notices do not apply to our service as we operate outside the jurisdiction of the United States. In case we received a non-US equivalent, we would not be able to provide any information because we have none (strict no-logs policy).
6. We have never received a court order from the British Virgin Islands (BVI) authorities. If we ever received a court order from the BVI authorities, we would truthfully respond that we are unable to identify any user as we keep no logs whatsoever. If data retention laws were enacted in the BVI, we would look for another country to register our business in. For any information regarding received legal inquiries and orders, we have a live warrant canary.
7. Surfshark is a torrent-friendly service. We allow all file-sharing activities and P2P traffic, including BitTorrent.
For that, we have hundreds of specialized servers in various countries, and the user will always be connected to the fastest specialized server in case of P2P activities. We do not provide port forwarding services, and we block port 25.
8. Surfshark subscriptions can be purchased using various payment methods, including cryptocurrency, PayPal, Alipay, major credit cards, and many country-specific options. None of these payments can be linked to a specific user as we do not collect any timestamps, IP addresses, session information, or other data.
9. We recommend using automatic protocol selection as it selects the optimal protocol depending on various network conditions. If a user wants to select the protocol manually, the optimal option would be WireGuard.
10. We provide ‘kill switches’ in all our apps and have inbuilt DNS leak protection. Also, Surfshark provides IP masking, IPv6 leak protection, WebRTC protection, ad, malware, and tracker blocking on the DNS level, MultiHop (double VPN), Whitelister (works both as direct and reverse split tunneling), etc. Currently, we do not support Dual Stack IPv4/IPv6 functionality.
11. We use our own DNS servers, which do not keep any logs as per our Privacy Policy. All our servers are physically located in trusted third-party data centers. 100% of our servers are already RAM-only. Before choosing a third-party service provider, we have a strict due diligence process to make sure they meet our security and trust requirements. To prevent unauthorized snooping, we use the 2FA method to reach our servers and have developed a special authorization procedure so that only authorized system administrators can access them for configuration.
12. As of June 2021, we have over 3200 servers physically located in over 110 locations, in 65 countries. As per user requests, we have only a few virtual locations, which are clearly indicated within our apps’ user interfaces.
Surfshark website

IVPN
1. No.
We believe that not logging VPN connection related data is fundamental to any privacy service, regardless of the security or policies implemented to protect the log data. Specifically, we don’t log: traffic, DNS requests, connection timestamps and durations, bandwidth, IP address or any account activity except simultaneous connections.
2. Privatus Limited, Gibraltar. No parent or holding companies.
3. We limit simultaneous connections by maintaining a temporary counter on a central server that is deleted when the user disconnects (we detail this process in our Privacy Policy).
4. No. We made a strategic decision from day one that no company or customer data would ever be stored on third-party systems. All our internal services run on our own dedicated servers that we set up, configure and manage. No third parties have access to our servers or data. We don’t host any external scripts, web trackers or tracking pixels on our website. We also refuse to engage in advertising on platforms with surveillance-based business models, like Google or Facebook.
5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network, nor are we legally required to do so. We have a detailed Legal Process Guideline published on our website.
6. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address, then we would reply factually that we do not store this information. If legally compelled to log activity going forward, we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).
7. We do not block any traffic or ports on any servers. We provide a port forwarding service.
8. We accept Bitcoin, Cash, Monero, PayPal, and credit cards.
When using cash there is no link to a user account within our system. When using Bitcoin, the transaction is processed through our self-hosted BitPay server. We store Bitcoin transaction IDs in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. We accept Monero directly to our wallet, and no third party has access to payment information. When paying with PayPal or a credit card, a token is stored that is used to process recurring payments, but this is not linked in any way to VPN account usage or IP assignments.
9. We offer and recommend WireGuard, a high-performance protocol that utilizes state-of-the-art cryptography. Alternatively, we also offer OpenVPN with RSA-4096 / AES-256-GCM, which we also believe is more than secure enough for the purposes for which we provide our service.
10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible, including IPv6, DNS, network failures, WebRTC STUN etc. Our VPN clients work on a dual-stack IPv4/IPv6 but we currently only support IPv4 on our VPN gateways. Full IPv6 support is in the pipeline.
11. We use bare metal dedicated servers leased from third-party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions, which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log-free DNS servers that are only accessible to our customers through the VPN tunnel.
12. We have servers in 32 countries. No virtual locations. A full list of servers is available here.
IVPN website

AtlasVPN
1.
If the question relates to the VPN server’s IP address and a user’s online activity while connected to the VPN, then the answer is no.
2. Atlas VPN is incorporated under Peakstar Technologies Inc. We operate in Delaware’s (USA) jurisdiction.
3. We use an automated system that monitors the number of simultaneous connections per account. Yet, we do not store this information. The free version of our service is limited to 2 concurrent connections. It is worth noting that our premium subscription does not limit the number of concurrent connections.
4. We mainly use Zendesk to communicate with our users. We also use Google Analytics and AppsFlyer to monitor application and website data.
5. Atlas VPN is considered to be a transmission service provider as per § 512(a) of the Digital Millennium Copyright Act (DMCA), and not a storage service provider. Transmission service providers have no obligation to react to take-down notices or enable counter-notices.
6. We would comply with a justified court order in a manner that would be deemed appropriate after consultation with legal counsel. What steps we would need to take to ensure compliance would naturally depend on the court order. As far as logging future activity, we would do whatever it takes to protect our users’ privacy. We can not say how the process would unfold as we have never received any court order of this nature.
7. Yes, it is allowed. No port forwarding services are provided. SMTP ports are blocked to prevent email abuse.
8. Stripe (as well as Google Pay for the convenience of our users), PayPal, as well as reseller services such as Google Play and App Store. The details can be linked with account usage as far as app analytics go. They can be linked with ongoing sessions. This linkage is deleted as the VPN session is terminated.
9. It depends on the platform of the application.
We use the IPSec/IKEv2 protocol, and depending on the platform we recommend Diffie Hellman group 20 and 256 bit ChaCha20/Poly1305 with 128-bit ICV. 10. Yes, these are implemented using platform tools. We do support dual-stack functionality. 11. All of our servers are hosted by third parties. We perform proper due diligence to ensure that the partners are reliable. Even if partners tried snooping, they would not be able to do so, since inbound and outbound traffic from the client is encrypted. We do use our own DNS servers. 12. They are located in the countries that are shown in our applications at any given time. No virtual locations are offered. AtlasVPN website Speedify 1. No, we do not share ANY user information with ANY third party. We do not store or log ANY information about which users accessed which domain names or IP addresses. We do not log customer’s IP addresses. 2. Connectify, Inc. – operating under the US jurisdiction. 3. We monitor with a set of self-hosted, open-source tools including Prometheus and Grafana. 4. We don’t use third-party analytics tools. Our help desk is built on HelpScout. Messages are automatically deleted after a time period. 5. We politely reply! But unfortunately, we never do have enough information in our logs to be very helpful. 6. We properly respond to law enforcement and offer the information which is in our logs. Which as previously noted, is not helpful for connecting users to activity. We would fight any order that attempted to force us to log a user activity going forward. We have received subpoenas for information about various IP addresses before. We have never been asked or ordered to attempt to log information about any user going forward. 7. Speedify has dedicated servers for P2P traffic. Most of our servers do not allow BitTorrent traffic. We do provide port forwarding and static IP address services with our dedicated VPN servers. 
Only port 25 is blocked as unencrypted SMTP is dangerous and insecure to even the sender, and has no legitimate use. 8. Speedify offers a variety of ways to pay, including Apple App Store, Google Play Store, Recurly, PayPal and FastSpring. Purchases through Apple App Store and Google Play Store do not provide us any information about the purchaser unless the user provides it to us directly. 9. We default to 128 bit AES encryption. Those concerned about security may wish to turn on the Killswitch to ensure traffic does not go out while the VPN is not connected. 10. Yes, we support killswitch. It is not on by default, but it’s available in the settings menu. Yes, we have built-in DNS and IPv6 leak protection. The software supports Dual Stack IPv4/IPv6, but not all our deployed servers are on IPv6. it’s rolling out to more and more servers as we speak. 11. Speedify VPN servers are hosted by third parties. On the VPN side, traffic is entirely encrypted. Internet traffic from clients is run through a server-side TCP proxy to erase hints in IP and TCP headers such as RTT which a sophisticated opponent could otherwise use to tease apart traffic from different operating systems. Then the traffic is NATed together, often 1000 users sharing a single IP address, to make individuals impossible to trace. We proxy the DNS before forwarding it to trusted, privacy-oriented DNS partners. 12. Our servers are constantly changing: in areas with few users, we will use virtual servers, but in most cases, we will use hardware servers. Speedify website AzireVPN 1. No, we do not record or store any logs related to our services. No traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or such kinds of logs are stored. 2. The registered company name is Netbouncer AB, and we operate under Swedish jurisdiction. In Sweden, no data retention laws apply to VPN providers. 3. 
We take extra security steps to harden our servers: they are prepared by having their hard drives removed. Their custom base image is running into RAM. Also, Blind Operator mode, a software module ensuring that it is difficult to set up traffic monitoring, is hardening the kernel. Regarding abuses like incoming DDoS attacks, filtering is used on an attacker’s source port to mitigate them. 4. No, we do not rely on and refuse to use external third-party providers. We run our email infrastructure and encourage people to use PGP encryption for reaching us. The ticketing support system, website analytics (Piwik with anonymization settings), and other tools are all open-source, or custom software hosted in-house. 5. We politely inform the sender that we do not keep any logs and cannot identify a user. 6. A court may issue an order to require the identification of a user. In that case, first, we will make sure that the order is valid. Then, we will inform the other party that we cannot identify an active or former user of our service due to our particular infrastructure. If they force us to hand over physical access to a server, they would have to reboot it to disable the Blind Operator mode due to the nature of this kernel module. Rebooting would make all data lost as the image is running in RAM. So far, we have never received any court order, and we have never given out any personal information. 7. Yes, BitTorrent, peer-to-peer, and file-sharing traffic is allowed and treated equally to any other traffic on all of our servers. We do not provide port forwarding services yet, but we are working on it and expect to release it in the incoming months. However, we propose a public IPv4+IPv6 addresses mode on OpenVPN that assigns IP addresses being used by only one user at a time for the whole duration of the connection. 
In this mode, all ports are opened, except for unencrypted outgoing port 25 TCP, usually used by the SMTP protocol, which is blocked to prevent abuse by spammers. 8. Anonymous payment methods include cryptocurrencies or sending cash via postal mail. Available cryptocurrencies are Bitcoin, Litecoin, Monero, and some others. Classic payment options such as PayPal (with or without recurring payments), credit cards (VISA, MasterCard, and American Express through Paymentwall), and Swish are accepted. We do not store sensitive payment information on our servers; we only retain an internal reference code for order confirmation. Our database is getting all transaction information deleted after six months. 9. We recommend the use of our WireGuard servers. Our new custom clients are available on Windows, Android, and iOS. Otherwise, it is preferable to use official tools on Linux, macOS, and routers (using OpenWrt or DD-WRT). WireGuard is a new VPN protocol using the modern ChaCha20 and Poly1305 encryption cipher for authentication and data integrity. 10. We offer easy-to-use and look-alike custom VPN applications for Windows, Android, and iOS, which do not require manipulating configuration files. We are planning to add a kill switch and DNS leak protection to our desktop client in the future. We provide our users with a full dual IPv4+IPv6 stack on all servers and VPN protocols. Thus, we do not need to include any loose IPv6 leak protection. Also, connection to our WireGuard servers is possible through IPv4 or IPv6, depending on one’s Internet line. 11. We physically own all our servers in all locations. Our team sends them to data centers that meet our strict criteria, like closed racks for security and neutral Internet carriers for privacy. Also, we host our non-logging DNS servers in each location; our VPN tunnels use those by default. Static DNS servers are available for use outside of tunnels. 12. We operate 65 servers across 19 locations on three continents. 
During the last year, we launched new servers in France, Germany, Italy, Romania, Spain, Switzerland, and the United States. There are no virtual locations. AzireVPN website Guardian 1. We do not. 2. Sudo Security Group, Inc. United States of America. 3. No limits on concurrent connections, though we may introduce bandwidth throttling if we notice huge amounts being consumed. We still won’t track, just would limit speeds in such cases. 4. Zendesk, so if you send an e-mail to support, it will have a help ticket for the inquiry you’ve sent. No analytics. 5. We simply block the port that they allege was in use. We do not retain any useful records and thus have no further action to take. 6. We have not had such a case occur. If one were to happen, we would engage with our legal counsel on how to fight it. 7. We currently have no terms for or against specific types of traffic. If a DMCA request is filed and says a specific port is being used for file sharing activity, we will block the port. 8. We use Apple’s in-app purchase system on iOS, and Stripe on the web. Our payment authorization systems are separated from our VPN credential generation systems. 9. We make use of AES-256, SHA-384, and DH Group 20 for the IKE Security Association, and AES-256-GM with DH Group 20 for the child Security Association. 10. We currently only support IPv4, with IPv6 on our roadmap. We do not support what may be deemed a “kill switch” in a traditional sense due to limitations of iOS. 11. We use for DNS, and we use baremetal servers (not shared VMs) on our hosting provider. We are in the process of setting up our own data centers. 12. No virtual locations. We are in United States, Canada, France, Germany, Netherlands, London, Japan, Singapore, and Australia. Guardian website *Note: Private Internet access, ExpressVPN and NordVPN are TorrentFreak sponsors. We reserve the first three spots for them as a courtesy. This article also includes a few affiliate links which help us pay the bills. 
We never sell positions in our review article or charge providers for a listing. Which VPN Providers Really Take Privacy Seriously in 2021?
16. Early tests show Apple’s Private Relay feature does not live up to speed promises

Apple introduced a new iOS 15 feature at WWDC called Private Relay. The feature is designed to frustrate companies tracking you on the internet by routing your data via two servers, one belonging to Apple and the other to a third party. When Apple introduced the service they promised it would not reduce your connection speed or “compromise your performance”, something which was frankly hard to believe.

Now early tests have shown that promise was indeed too good to be true. Google employee Thomas Steiner has tested the service and showed these results with and without the proxy service. The numbers show download speeds dropped from 400 Mb/sec to 180 Mb/sec while latency increased from an enviable 3ms to a laggy 78ms.

Given the Tor-like routing system in use, the numbers are not unexpected. Apple has however made lofty promises, and it should be borne in mind that the service being tested is still in beta, so the company may still manage to pull a rabbit out of the hat at launch time.

Early tests show Apple’s Private Relay feature does not live up to speed promises
17. Apple adds welcome privacy features to Mail, Safari

Say goodbye to IP tracking

Apple has always stressed user privacy as part of its core mission. At its WWDC 2021 event, it announced it would be adding a spate of powerful new functions to Mail and Safari, as well as giving users broader insight into what their installed apps are doing with their information.

First, Apple’s Mail appears to have declared war on tracking pixels, which can be included in some emails to give third parties insight into if or when their messages were opened — though it didn’t provide much detail on how it will win said war. According to Apple’s manager of user privacy software Katie Skinner, Mail will also now hide user IP addresses by default. Safari, likewise, will hide IPs.

More surprisingly, Apple announced it’s adding an App Privacy Report, which will live in settings and provide an overview of, as you might have guessed, privacy-related matters as they relate to installed apps. For example: how often apps use your contacts, microphone, location, or other data and identifiers. The App Privacy Report will also show which third-party domains are receiving your information.

Apple adds welcome privacy features to Mail, Safari
18. WhatsApp caves in: Won't limit features if you reject privacy changes

WhatsApp says that it will no longer limit the app's functionality for users who disagree with the new privacy policy requiring them to share their data with Facebook companies.

This change of mind comes after WhatsApp updated its Privacy Policy and Terms of Service in January, leaving users three choices: to accept sharing their data with Facebook, stop using the app altogether, or delete their accounts.

Four months later, in early May, the company gave up on its plans to delete user accounts, saying that, starting May 15, features would be removed one by one for users who don't agree with the new policy changes.

WhatsApp reverses course once again

Now, WhatsApp backtracked on its decision again, changing the wording on its website to say that users will not have their accounts deleted or lose any app functionality on May 15, even if they disagree with the privacy policy update.

The change of mind comes after the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) banned Facebook in May from processing WhatsApp user data for three months.

"Given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update," the company said in a statement.

"We will continue to remind users from time to time and let them accept the update, including when they choose to use relevant optional features like communicating with a business that is receiving support from Facebook."

Even though "the majority of users who have seen the update have accepted," WhatsApp will keep showing reminders, "providing more information about the update and reminding those who haven't had a chance to do so to review and accept."

Facebook companies that could access WhatsApp users' data according to the new privacy changes include Facebook, Facebook Payments, Onavo, Facebook Technologies, and CrowdTangle.

"We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products," WhatsApp explains.

WhatsApp was forced to provide additional information on how its apps handle user data starting with December 2020, after Apple began requiring it from all apps listed on the App Store.

Right now, App Store privacy labels on WhatsApp Messenger's entry say that it is likely collecting and linking the following type of data to its users' profiles:

How to back up data or delete your account

If you want to migrate to other messaging platforms, you can download a report of your account and export your chat history using your iOS or Android device.

If you also want to delete your account before switching platforms, you can do it by following step-by-step instructions for Android, iPhone, or KaiOS users.

"Deleting your account is something we can't reverse as it erases your message history, removes you from all of your WhatsApp groups, and deletes your WhatsApp backups," the company says.

Although your account will not be deleted for not agreeing to share your data with Facebook companies, WhatsApp also warns that accounts get automatically deleted after 120 days of inactivity, as stated in the current inactive account deletion policy.

WhatsApp caves in: Won't limit features if you reject privacy changes
19. Latest version of Windows privacy tweaker O&O ShutUP10 is ready for Windows 10 version 21H1

O&O ShutUp10 is a popular Windows privacy tweaker, which we reviewed back in 2017 for the first time. The latest version of the Windows program introduces support for Microsoft's latest version of Windows 10, version 21H1.

O&O ShutUp10 version 1.8.1421 was released on June 2, 2021. The new version installs without issues over existing installations of the program; configured tweaks should remain as they are, provided that the tweaks are still supported by the new version of the Windows operating system. You can check the installed version of the program by selecting Help > About.

Microsoft released Windows 10 version 21H1 last month. The update is rolled out gradually to the entire Windows device population. Currently, only select devices, running Windows 10 version 2004 or 20H2, receive the update offer via Windows Updates. Other versions of Windows can be upgraded using installation media or other means.

Support for Windows 10 version 21H1 is not the only new feature of the application. The new version of Windows 10 introduces new features, including the News and Interests widget on the taskbar and Meet Now, also in the taskbar. The new version of O&O ShutUp10 supports disabling both features for the current user or on the entire device.

NEW: Disable “Meet now” in the task bar on this device
NEW: Disable “Meet now” in the task bar for current user
NEW: Disable news and interests in the task bar on this device
NEW: Disable news and interests in the task bar for current user

The options are displayed in the Miscellaneous group in the program. The option to disable the News and Interests widget was not listed on a test system, but the feature was not available on the device yet. You can check out our guides on disabling Meet Now and disabling News and Interests, if you prefer to disable these features manually.

The release notes suggest that the startup of the application has been optimized in the new release. The program started quickly in previous versions, at least on the systems that I tried it on. If you noticed start up issues, this one may fix them for you or speed things up at the very least.

O&O ShutUp10 is just one tweaker, but one that is updated regularly to address issues that arise from new Windows 10 releases and to add options to disable new features in the new versions of the operating system.

Latest version of Windows privacy tweaker O&O ShutUP10 is ready for Windows 10 version 21H1
20. Google reportedly made it difficult for smartphone users to find privacy settings

The details come from unredacted documents in Arizona’s lawsuit against the company

Unredacted documents in Arizona’s lawsuit against Google show that company executives and engineers were aware that the search giant had made it hard for smartphone users to keep location information private, Insider reported. The documents suggest that Google collected location data even after users had turned off location sharing, and made privacy settings difficult for users to find. Insider also reports that the documents show Google pressured phone manufacturers into keeping privacy settings hidden, because the settings were popular with users.

Arizona Attorney General Mark Brnovich filed a lawsuit against Google last May, alleging the company illegally tracked Android users’ location without their consent, even if users had disabled location tracking features. The lawsuit suggested Google kept location tracking running in the background for some features, and only stopped the practice when users disabled system-level tracking.

Earlier this week, a judge ordered parts of the documents in the case to be unredacted in response to requests from trade groups Digital Content Next and News Media Alliance, Insider reported. The unredacted documents show one Google employee asked if there was “no way to give a third party app your location and not Google?” adding that it didn’t sound like something the company would want revealed to the media, according to Insider.

Google did not immediately reply to a request for comment Saturday. The company said in a statement to The Verge last year that Brnovich had “mischaracterized our services” in the lawsuit.

Google reportedly made it difficult for smartphone users to find privacy settings
21. WhatsApp’s New Privacy Policy Just Kicked In. Here’s What You Need to Know

Instead of a hard cutoff, the messaging app will gradually degrade and eventually cease to function if you don’t accept the changes.

WhatsApp's been sharing account data with Facebook since 2016—which came as a surprise to many of its users. Photograph: John Lamparski/Getty Images

At the beginning of the year, WhatsApp took the seemingly mundane step of updating its terms of use and privacy policy, mostly focused on the app's business offerings. The changes sparked a major backlash, though, because they inadvertently highlighted WhatsApp's years-old policy of sharing certain user data, like phone numbers, with parent company Facebook. Rather than change the policy that sparked the controversy, WhatsApp instead moved the deadline for users to accept it from the original date of February 8 to Saturday. If you don't? WhatsApp will become unusable. But not all at once.

If you haven't accepted the new policy by now, you'll start to see more pop-ups in WhatsApp outlining the changes with a big green Accept button at the bottom. If you tap it, WhatsApp will continue to share certain account data of yours with Facebook. If you'd rather not agree, you'll at first be able to hit a back arrow in the upper left corner of the overlay. Over time, though, the pop-ups will appear more frequently. Eventually you won't be able to click away at all, and the app's functionality will start to degrade.

WhatsApp originally indicated in February that anyone who declined the updates would immediately lose functionality. But the company has since opted to let the wheels very gradually come off the car over several weeks before the app careens into a ditch and stops working altogether.

“For the last several weeks we've displayed a notification in WhatsApp providing more information about the update,” the company said in a statement. “After giving everyone time to review, we're continuing to remind those who haven’t had the chance to do so to review and accept. After a period of several weeks, the reminder people receive will eventually become persistent.”

Once you reach the point that WhatsApp has plastered its policy notification atop its interface, you'll still be able to use the app in some capacity for a time. You'll be able to field incoming calls, for instance, and if you have notifications turned on you can read and respond to messages that way. But you won't be able to see your chat list or initiate contact of any kind with WhatsApp friends, because again, a privacy policy update will be blocking your path. After a few weeks of that stunted experience, WhatsApp will fully pull the plug, and you won't even get calls or messages anymore.

The reality is that for most users, accepting the privacy policy changes won't impact their interactions with WhatsApp very much. All communications on WhatsApp will still be end-to-end encrypted by default, meaning that your messages and photos will still only be viewable by you and the users you're chatting with. And WhatsApp still won't be able to access any of your communications or share them with Facebook. Meanwhile, WhatsApp will be able to share user account information like your phone number, logs of how long and how often you use WhatsApp, device identifiers, IP addresses, and other details about your device with Facebook. Plus, WhatsApp can share transaction and payment data, cookies, and location information with Facebook if you grant permission. All of which has been true since 2016.

The strength of the backlash likely caught WhatsApp off-guard, given that it reminded users of an existing policy rather than creating a new one. Mere days after WhatsApp first announced the changes on January 4, the messaging app Telegram said it had gained tens of millions of users, and Signal boasted “unprecedented” growth. In an attempt to staunch the bleeding, WhatsApp delayed the full rollout of the new policies for months so users would have more time to learn about the changes.

“We've spent the last few months communicating directly with users about our update,” a spokesperson told WIRED in a statement. “The majority of people have already accepted the update, and for anyone who hasn't, we won't be deleting their account on May 15 and we'll be giving plenty of opportunities for them to review the update in the future. We know WhatsApp is a lifeline for many people around the world.”

There's still the matter, though, of the lengths WhatsApp has had to go to to carry off this routine policy update. “When your users have made it clear that they would rather not accept a new policy, and your response is to very gradually push them out of an airlock, it doesn't prove that they're happy about it just because they eventually accept," says Johns Hopkins University cryptographer Matthew Green. The other option would be to sever those connections with Facebook, but after years of sharing certain account data, both organizations likely consider rolling back the 2016 change as either inconceivable or intolerable. Or both.

The gradual removal of features is unusual, says Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney. But other companies go even further, she says, locking users out altogether until they accept a new policy. “In a way this is more friendly,” Merrill says. From WhatsApp's perspective, the slow burn gives users more chances to accept and keep using the app rather than being shut out and defecting to competitors for good. "WhatsApp is being relied on more than ever right now and we want to keep it that way,” the spokesperson told WIRED.

Merrill points out though, that WhatsApp is in this situation in the first place because users clearly didn't understand the privacy policy changes the company made back in 2016. “If you don’t give users a good, clear notice when you make a change, people freak out whenever it’s eventually communicated properly,” she says. "This is why simple, easy-to-read policies go a long way, as do updates that include a summary of the major changes."

For WhatsApp, that bill from its 2016 privacy policy changes came due this year. Holdouts who steadfastly refuse to accept the new policy in the weeks to come will have 120 days after their accounts become inactive to reconsider. After that, the protracted, conscious uncoupling will really be over.

WhatsApp’s New Privacy Policy Just Kicked In. Here’s What You Need to Know (may require free registration)
22. A New Facebook Bug Exposes Millions of Email Addresses

A recently discovered vulnerability discloses user email addresses even when they’re set to private.

Photograph: Miragec/Getty Images

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public.

A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.

"As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

Ars obtained the video on condition the video not be shared. A full audio transcript appears at the end of this post.

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."

A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed.

"This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

Facebook has been under fire not just for providing the means for these massive collections of data, but also for actively promoting the idea that they pose minimal risk to Facebook users. An email that the company inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." Facebook has also made the distinction between scraping and hacks or breaches.

It's not clear if anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped," the researcher said.

Here's the written transcript of the video:

So, what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query email addresses within Facebook, and have Facebook return any matching users. This works with a front-end vulnerability with Facebook, which I've reported to them, made them aware of, um, that they do not consider to be important enough to be patched—which I would consider to be quite a significant privacy violation and a big problem.

This method is currently being used by software which is available right now within the hacking community. Currently it's being used to compromise Facebook accounts for the purpose of taking over Pages groups and, uh, Facebook advertising accounts for obviously monetary gain.

I've set up this visual example within no JS. What I've done here is I've taken 250 Facebook accounts, newly registered Facebook accounts, which I've purchased online for about $10. I have queried or I'm querying 65,000 email addresses. And as you can see from the output log here, I'm getting a significant amount of results from them. If I have a look at the output file, you can see I have a user ID name and the email address matching the input email addresses, which I have used.

Now I have, as I say, I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 accounts. I have tested this at a larger scale, and it is possible to use this to extract feasibly up to 5 million email addresses per day.

Now there was an existing vulnerability with Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it.

So I am reaching out to people such as yourselves, in hope that you can use your influence or contacts to get this stopped, because I am very, very confident this is not only a huge privacy breach, but this will result in a new, another large data dump, including emails, which is going to allow undesirable parties, not only to have these email-to-user ID matches, but to append the email address to phone numbers, which have been available in previous breaches.

I'm quite happy to demonstrate the front-end vulnerability so you can see how this works. I'm not going to show it in this video, simply because I don't want the video to be, um, I don't want the method to be exploited. But I would be quite happy to demonstrate it if that is necessary.

But as you can see, it continues to output more and more and more. I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped.

Source: A New Facebook Bug Exposes Millions of Email Addresses
23. Samsung SmartThings Update Aims to Prevent Tracker-Based Stalking

Ahead of Apple's "Spring Loaded" event later today, Samsung has announced an update to its SmartThings Find platform that can scan for unknown Galaxy SmartTags and other Tile-like trackers nearby and alert the user if one appears to be moving along with them in their vicinity. Called "Unknown Tag Search," the anti-stalking feature aims to detect if someone has slipped a SmartTag into the user's bag or vehicle and is surreptitiously tracking their location.

iOS and iPadOS 14.5 beta 3 includes a similar Find My feature called "Item Safety Feature" that helps prevent someone from stalking or tracking you with item trackers such as Apple's rumored AirTags. With the feature enabled, the user's iPhone can tell if someone has placed an AirTag or other Find My-compatible item tracker on their person and can prevent your location from being shared.

In a related discovery, MacRumors contributor Steve Moser last year found code within iOS 14.3 beta 1 that states, "If you feel your safety is at risk due to this item, contact your local law enforcement. You may need the serial number of this item."

In its announcement today, Samsung also explained that its Bixby voice assistant can now be used to find SmartTags based on their custom name and direct the user to their location with an audible alert. Apple's Siri is likely to offer similar functionality with AirTags.

Apple has already opened up its Find My network for third-party accessories makers to take advantage of ultra-wideband technology in Apple devices. Under the network, accessory makers will tap into the Find My ecosystem, allowing customers to track their items on their iPhones, iPads, and Macs.

AirTags have been rumored to be launching for months now, and the most recent hope is that they will be unveiled later today during Apple's "Spring Loaded" virtual event. The event kicks off at 10:00 a.m. Pacific Time via a live stream on Apple's website and YouTube channel. If you can't watch the live stream, you can follow along for full coverage of all of the announcements from the event on MacRumors.com or follow us on Twitter at MacRumorsLive for our live tweet coverage.

Source: Samsung SmartThings Update Aims to Prevent Tracker-Based Stalking
24. Mozilla will remove Leanplum tracking from Firefox for Android and iOS

Mozilla will remove the Leanplum integration of its mobile web browser Firefox for Android and iOS soon. Two new entries on the official GitHub project page highlight that Leanplum integration will be removed because Mozilla won't renew the contract with the company.

Mozilla has decided to not renew our Leanplum contract for 2021-22. The current contract will expire on May 31, 2021. We need to turn off any Leanplum integrations in our products by that date.

Mozilla describes Leanplum as a mobile-marketing vendor on a support page, which it uses to "test different features and experiences, as well as provide customized messages and recommendations to improve" user experiences. About 10% of Firefox mobile users from the United States with English set as the default language have Leanplum enabled currently according to this doc.

The organization has been criticized by privacy advocates for integration of Leanplum in some of its products. Core points focus on the use of a third-party for data collection and the transfer and storage of the data in the USA.

Leanplum collects telemetry data. Mozilla reveals that it assigns a unique ID per app, but does not get access to the "DeviceID, AdvertisingID or Firefox client ID". It tracks interaction data according to a support article:

Leanplum tracks events such as when a user loads bookmarks, opens a new tab, opens a Pocket trending story, clears data, saves a password and login, takes a screenshot, downloads media, interacts with a search URL or signs in to a Firefox Account. Leanplum is also checking for the installation of Firefox Focus, Klar and Pocket, whether sync is enabled, whether Firefox is the default browser, and if Pocket recommendations for top sites is enabled.

The full list of what is collected is accessible here. The data is transferred to a Leanplum server in the United States.

Firefox users can disable the collection of marketing data, which means Leanplum, under Menu > Data collection > Marketing data. The setting is described as:

Shares data about what features you use in Firefox with Leanplum, our mobile marketing vendor.

Mozilla plans to remove all Leanplum related code from Firefox before the end of May 2021, as the contract with the company ends on May 31, 2021. The removal of Leanplum is a step in the right direction, as it is quite hard to argue that an organization that heralds privacy should make use of third-party platforms for telemetry.

Source: Mozilla will remove Leanplum tracking from Firefox for Android and iOS
25. EFF Partners with DuckDuckGo to Enhance Secure Browsing and Protect User Information on the Web

DuckDuckGo Smarter Encryption Will Be Incorporated Into HTTPS Everywhere

San Francisco, California—Boosting protection of Internet users’ personal data from snooping advertisers and third-party trackers, the Electronic Frontier Foundation (EFF) today announced it has enhanced its groundbreaking HTTPS Everywhere browser extension by incorporating rulesets from DuckDuckGo Smarter Encryption.

The partnership represents the next step in the evolution of HTTPS Everywhere, a collaboration with The Tor Project and a key component of EFF’s effort to encrypt the web and make the Internet ecosystem safe for users and website owners.

“DuckDuckGo Smarter Encryption has a list of millions of HTTPS-encrypted websites, generated by continually crawling the web instead of through crowdsourcing, which will give HTTPS Everywhere users more coverage for secure browsing,” said Alexis Hancock, EFF Director of Engineering and manager of HTTPS Everywhere and Certbot web encrypting projects. “We’re thrilled to be partnering with DuckDuckGo as we see HTTPS become the default protocol on the net and contemplate HTTPS Everywhere’s future.”

“EFF's pioneering work with the HTTPS Everywhere extension took privacy protection in a new and needed direction, seamlessly upgrading people to secure website connections,” said Gabriel Weinberg, DuckDuckGo founder and CEO. “We're delighted that EFF has now entrusted DuckDuckGo to power HTTPS Everywhere going forward, using our next generation Smarter Encryption dataset."

When EFF launched HTTPS Everywhere over a decade ago, the majority of web servers used the non-secure HTTP protocol to transfer web pages to browsers, rendering user content and information vulnerable to attacks. EFF began building and maintaining a crowd-sourced list of encrypted HTTPS versions of websites for a free browser extension—HTTPS Everywhere—which automatically takes users to them. That keeps users’ web searching, pages visited, and other private information encrypted and safe from trackers and data thieves that try to intercept and steal personal information in transit from their browser.

Fast forward ten years, and the web is undergoing a massive change to HTTPS. Mozilla’s Firefox has an HTTPS-only mode, while Google Chrome is slowly moving towards HTTPS mode. DuckDuckGo, a privacy-focused search engine, also joined the effort with Smarter Encryption to help users browse securely by detecting unencrypted, non-secure HTTP connections to websites and automatically upgrading them to encrypted connections. With more domain coverage in Smarter Encryption, HTTPS Everywhere users are provided even more protection.

HTTPS Everywhere rulesets will continue to be hosted through this year, giving our partners who use them time to adjust. We will stop taking new requests for domains to be added at the end of May.

To download HTTPS Everywhere: https://www.eff.org/https-everywhere

For more on encrypting the web: https://www.eff.org/encrypt-the-web

For more from DuckDuckGo: https://spreadprivacy.com/eff-adopts-duckduckgo-smarter-encryption/

Source: EFF Partners with DuckDuckGo to Enhance Secure Browsing and Protect User Information on the Web
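The mechanism the release describes, a list of hosts known to serve HTTPS that is used to rewrite plain http:// requests before they leave the browser, with exclusions for pages known to break over HTTPS, as a small added JavaScript example. This is not HTTPS Everywhere's or DuckDuckGo's own code; the host list, the exclusion pattern and the sample URLs are constructed here for illustration only.

```javascript
// Added example: a simplified HTTP-to-HTTPS upgrader in the spirit of an
// HTTPS Everywhere ruleset or a Smarter Encryption domain list.
// Everything below (hosts, exclusion, sample URLs) is constructed data.

// Constructed list of hosts known to serve HTTPS. A "*." prefix covers the
// domain and every subdomain; a bare entry covers that exact host only.
const HTTPS_HOSTS = ["example.com", "*.example.org"];

// Constructed exclusion: a path on a listed host that is known to break over
// HTTPS, so it must stay on HTTP. Real rulesets carry these as <exclusion/>.
const EXCLUSIONS = [/^http:\/\/example\.com\/legacy\//];

// Match a hostname against one list entry. Matching is on label boundaries
// so "evil-example.com" is never treated as "example.com".
function hostMatches(host, entry) {
  if (entry.startsWith("*.")) {
    const base = entry.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === entry;
}

// Decide whether a URL should be upgraded. Anything that is not http:
// (https:, ftp:, mailto:, unparsable input) is left alone.
function shouldUpgrade(urlString, hosts = HTTPS_HOSTS, exclusions = EXCLUSIONS) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol !== "http:") return false;
  if (exclusions.some((re) => re.test(urlString))) return false;
  return hosts.some((entry) => hostMatches(url.hostname.toLowerCase(), entry));
}

// Return the upgraded URL, or the original string unchanged when no rule applies.
function upgradeUrl(urlString, hosts = HTTPS_HOSTS, exclusions = EXCLUSIONS) {
  if (!shouldUpgrade(urlString, hosts, exclusions)) return urlString;
  const url = new URL(urlString);
  url.protocol = "https:"; // WHATWG URL allows http: -> https: and drops a default port
  return url.toString();
}

// Constructed sample requests, showing the cases a ruleset engine has to get right.
const SAMPLE_URLS = [
  "http://example.com/a?b=1",        // listed exactly: upgraded
  "http://www.example.org/x",        // wildcard subdomain: upgraded
  "http://evil-example.com/",        // suffix lookalike: not upgraded
  "http://foo.example.com/",         // subdomain of an exact-only entry: not upgraded
  "http://example.com/legacy/page",  // excluded path: not upgraded
  "https://example.com/",            // already secure: untouched
  "ftp://example.com/",              // not HTTP: untouched
];

for (const u of SAMPLE_URLS) {
  console.log(`${u} -> ${upgradeUrl(u)}`);
}
```

The label-boundary check in `hostMatches` is the part worth copying: a naive `endsWith("example.com")` would upgrade, and therefore implicitly vouch for, hosts the list never approved.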