A dangerous trend is spreading throughout the world. It began with the Investigatory Powers Bill (aka Snooper's Charter) in the UK. Then came the changes to Rule 41 in the US. And now, China has begun a new campaign to block all VPN services, and make all VPN services that are not pre-approved by the government illegal.
With the election of Donald Trump as the 45th president of the United States – a president that has on countless occasions expressed contempt for the media and declared net neutrality a threat – it is more important than ever to stay steady in our belief of a free internet.
A common theme in today's climate is that of a perceived threat – something born out of fear. A fear of terrorism, a fear of crimes, a fear of free speech. The Internet is free to be used by anyone and everyone; it is not inherently evil. Giving agencies the right to bulk surveillance of Internet-connected devices in a region is no different than opening all of the personal letters sent to and from people in a specific region. Restricting access to the Internet or forcing communication providers to keep logs is an affront to our integrity and privacy. Supporters of these laws often proclaim that if you have nothing to hide, you have nothing to fear – a logical fallacy that unfortunately had an apparent influence on the proposed changes to Rule 41.
“Suspicionless surveillance does not become okay simply because it's only victimizing 95% of the world instead of 100%.” - Edward Snowden, former CIA employee
With the increased oversight, it is vital that both we – and you – stay up-to-date with current world events in regards to cyber security, integrity, and privacy. Therefore, the people behind OVPN are starting a new project, where we will actively publish blog posts in which we analyze and discuss these issues. We would like to start off this new project (and the new year) by quickly going through some recent events of great importance.
The Investigatory Powers Bill (commonly referred to as the Snooper's Charter) was voted into law in November, and gained Royal Assent in December. The law states that all Communication Service Providers (CSPs) must keep logs for at least a year, and must be able to – if requested – present government agencies with encryption keys for the retained data.
The reason they use the term CSP rather than more commonly known terms like Internet Service Provider is obvious; they want to coin a new term that encompasses past, present, and future methods of telecommunication. A clarification of what "communication" in "communication service provider" entails, according to the draft:
Signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus
The broad definition of a CSP means it can basically encompass any company sending traffic over the Internet in the UK. According to our internal analysis and discussions with a lawyer, VPN providers are likely to fall under this law. We are therefore uncertain if or when we will place any servers in the UK, as we do not want to risk our customers' security and integrity just to have a broader market.
Furthermore, in addition to keeping logs and giving access to encryption keys, the Investigatory Powers Bill gives foreign and domestic CSPs an explicit obligation to assist in giving effect to equipment interference warrants. This includes – but is not limited to – bulk hacking and targeted hacking.
“The UK may have voted to leave the EU – but we didn’t vote to abandon our rights and freedoms.” - Martha Spurrier, Director of the advocacy group Liberty.
Fortunately, the bill met opposition from some UK ministers. They brought the case to the European Court of Justice, which ruled parts of the bill illegal. However, the ruling of the European Court of Justice could be rendered obsolete in light of the UK leaving the European Union. In fact, Theresa May recently stated that they plan to invoke Article 50 no later than March, meaning that the United Kingdom may leave the European Union no later than April 2019. If that is the case, they may not have to follow the ruling of the European Court of Justice.
Rule 41 changes
The changes to Rule 41 have for the most part been swept under the rug, and have for many gone unnoticed. These changes, however, pose a very real danger to online integrity and privacy. The changes to Rule 41 are poorly defined, and can be interpreted to include almost anything or anyone.
(When protesting the proposed changes) “You don't punish victims twice in America. You wouldn't punish the victims of a tax scam or a Ponzi scheme with a painful audit.” - Ron Wyden, United States Senator
A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
What exactly does this mean? It means two things.
Anyone who uses technological means to conceal media or information is subject to investigation. This would mainly include Tor users, VPN users, proxy users, users with encrypted emails, and users with encrypted hard drives. However, the Electronic Frontier Foundation argues it could also go as far as to include people who have turned off location services in their phones, apps or browsers, and even people who have changed their country settings on Twitter.
Anyone whose devices have become part of a botnet as a result of computer malware can now legally be hacked by government agents as part of their investigation. One could also argue that it gives the FBI the right to hack anyone who has been infected by any malware whatsoever. It would even give them the right to intentionally infect target computers with malware, in order to later hack said computers – something the FBI has already done on numerous occasions, including back in 2015 with Operation Pacifier.
In other words, if you have denied an app access to your location, entered an incorrect country when registering for a service, or used a proxy or VPN service to access blocked services, agencies in the United States can legally monitor and hack your devices – even if you're not a US citizen.
As the famous proverb goes, the road to hell is paved with good intentions.
The Great Firewall
While many governments consider the Internet to be a disruptive influence, few nations go as far as China to limit what their citizens can experience online. For the past few years, both foreigners and Chinese nationals have played a cat-and-mouse game with the Chinese government to gain access to services such as Facebook, Google, and Twitter.
“I am disturbed by how states abuse laws on Internet access. I am concerned that surveillance programmes are becoming too aggressive. I understand that national security and criminal activity may justify some exceptional and narrowly-tailored use of surveillance. But that is all the more reason to safeguard human rights and fundamental freedoms.” - Ban Ki-moon, previous Secretary-General of the United Nations.
Now, the Chinese government has released a notice, stating that special cable and VPN services on the mainland need to obtain prior governmental approval – essentially outlawing most VPN providers in mainland China. For obvious reasons, one should not use a VPN service the Chinese government approves of.
This is worrisome, as it means the Chinese government uses its influence to silence and isolate its population from the rest of the world in order to push its own agenda. Further evidence of this can be found in China's decision to shut down two liberal think tanks – among them the Unirule Institute of Economics – which have been critical of the Chinese government's economic policy.
Exactly why the Chinese government chose to act now is unclear. However, one likely explanation could be the 19th National Congress of the Communist Party of China that will be held in the autumn of 2017. In either case, the political crackdown on VPN services and on parties critical of the Chinese government is a worrying trend that cannot be allowed to continue.
A lot of things are happening in the world. It is more important than ever to protect our human rights to privacy, integrity, and free speech. We cannot allow countries or companies to abuse our rights to further their own agenda, and we cannot allow companies to stay silent while their customers' rights get taken away. Fortunately, more and more people are realizing the importance of online privacy and integrity – good news for privacy activists, the privacy community, and people living under oppressive governments.
Recently, OpenVPN 2.4.0 was released, and with it an upcoming audit of OpenVPN. We were contacted by OSTIF in regards to donating money towards the audit, and while we feel an audit is an excellent idea and would have loved to participate, we were unfortunately not able to help them out financially due to our status as a young startup. We do pledge to donate to the OpenVPN project in the future, as we believe it is a pivotal part of online privacy.