Re: [bitfolk] IP Bill, BitFolk, and VPNs

Author: Richard King
Date:  
To: users
Subject: Re: [bitfolk] IP Bill, BitFolk, and VPNs

gpg: Signature made Mon Nov 21 19:16:32 2016 UTC
gpg: using RSA key 80942D57841B2390
gpg: Can't check signature: No public key
On 21/11/16 12:49, Chris Dennis wrote:
> Is BitFolk an 'ISP' for the purposes of the bill? -- does it collect
> metadata about traffic in and out of my VPS?


Whether Bitfolk currently collects metadata or "Internet Connection
Records" is irrelevant if it can be compelled to do so under the Act.
Whether the Act permits Bitfolk to be so compelled, and whether Bitfolk
is likely to be so compelled, are better questions.

If Bitfolk were required to do something under the Act, revealing that
fact might be a criminal offense. The IP Act grants immortality to
warrant canaries...

Andy: have you taken advice as to Bitfolk's exposure to the various
provisions of the Act? I think the list would be interested to hear
your thoughts, assuming you're in a position to share them.

> If not, would it make sense to use my BitFolk VPS as a VPN, so that
> it proxies my home internet connection? I've been toying with the
> idea of using software such as OpenVPN for this, and the bill (very
> nearly an Act now) gives me another reason for getting on with it.


What is your threat model?

https://ssd.eff.org/en/module/introduction-threat-modeling

If it includes the chilling effect on your freedom of expression and
association, and the loss of liberty caused by *mass* surveillance, I
think you would be best served by a VPN the endpoint of which is located
outside the UK - although a UK endpoint might be better than nothing. A
Bitfolk VPS account is just as personally identifying as a residential
ISP account - and traffic exiting a UK VPN-endpoint and then leaving the
country stands a high chance of being captured by TEMPORA. But you would
still avoid sensitive personal data ending up in one more vulnerable
database (your ISP's ICR system).

A non-UK VPN endpoint would come in handy for evading censorship
such as that proposed in the new Digital Economy Bill:

https://www.openrightsgroup.org/campaigns/digital-economy-bill-hub/stop-uk-censorship-of-legal-content?refsid=8640

Don't rely on a VPN for strong anonymity! At best a VPN moves the trust
problem from your ISP to the VPN provider (which might be compelled to
betray that trust). At worst your VPN provider might log your activity
in a way that can be traced back to you.

http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

Use Tor if your threat model includes being associated personally with
your surfing habits.

IANAL.

Regards


Richard.
--
https://richardskingdom.net/
Twitter: @graphiclunarkid