Thanks Andy, for responding promptly and clearly to these questions. I'm sure I'm not alone in appreciating the first-rate quality of service you provide.

Richard Glynos.



From: Andy Smith <andy@bitfolk.com>
Sent: 23 November 2016 23:57:17 CET
To: users@lists.bitfolk.com
Subject: Re: [bitfolk] IP Bill, BitFolk, and VPNs

Hi Chris,

On Mon, Nov 21, 2016 at 11:49:30AM +0000, Chris Dennis wrote:
> Here's a question: is BitFolk an 'ISP' for the purposes of the
> bill?

Probably not, as it stands. Practically speaking they will roll out
the data-gathering requirement to the largest four or five internet
access providers in the UK, which will cover more than 90% of UK
households.

There is probably enough vagueness in it for anything connected to
the internet in the UK to be ruled in-scope, if deemed necessary.

> does it collect metadata about traffic in and out of my VPS?

Not in general. BitFolk stores 12 hours of (time,srcip,dstip) logs for
outbound TCP port 22 connection attempts in order to monitor the
rate of outbound SSH connections. Only SYN packets to port 22 remote
addresses are logged. This helps in spotting compromised VPSes.

BitFolk has a strong privacy policy which doesn't allow for handing
over data to third parties unless accompanied with a proper warrant
or court order. This has been tested a couple of times in the past
with real requests; so far there have been no follow-ups with real
court orders. Though if there had been then I wouldn't be able to
tell you about that. But in that case I also wouldn't be lying and
saying there had been none.¹

Although this Act does seem to give the power to compel us to
install some black box on our network that logs all the Internet
Connection Records (once they've decided what those are), it seems
extremely unlikely that they would ever bother to do that. They'd
get far more return on the effort by doing it at peering points and
other places where traffic is far more concentrated.

So I can make a big scene by promising I'll never allow black boxes
on our network, or that I'll never carry out logging of all traffic
if compelled, but honestly I don't think BitFolk will ever need to
make that decision.

Once a bit more is known about how the Investigatory Powers Act (and
the Digital Economy Bill if it passes and becomes an Act) will
actually work then BitFolk will publish a statement about it.

Cheers,
Andy

¹ At this point people sometimes like to bring up the topic of
warrant canaries:

https://en.wikipedia.org/wiki/Warrant_canary

Some UK companies do have warrant canaries, but the concept of a
warrant canary has never been tested in English law. Therefore at
the moment my policy on them is that I would not like to start
publishing one only to find out, in the middle of dealing with a
specific incident, that the best legal advice would be to continue
publishing the canary (lying to you).

If anyone would like to fund a legal study into whether a warrant
canary is likely to stand up against the Regulation of
Investigatory Powers Act and the Investigatory Powers Act then do
let me know; I've asked ORG before but they don't seem interested
unfortunately.

--
https://bitfolk.com/ -- No-nonsense VPS hosting
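
The outbound SSH rate monitoring described in the message above could be implemented along these lines. This is an added example, not BitFolk's code: the record format, the 5-minute window, the threshold of 20 attempts and all function names are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(hours=12)  # from the message: 12 hours of logs are kept
WINDOW = timedelta(minutes=5)    # assumption: window over which the rate is measured
MAX_ATTEMPTS = 20                # assumption: attempts per window before flagging


def parse(line):
    """Parse one constructed 'ISO-time,srcip,dstip' record (port 22 SYNs only)."""
    ts, src, dst = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst


def prune(records, now):
    """Drop records older than the retention period."""
    return [r for r in records if now - r[0] <= RETENTION]


def flag_sources(records, window=WINDOW, max_attempts=MAX_ATTEMPTS):
    """Return {srcip: (peak attempts in a window, distinct dsts at that peak)}."""
    recent, peak = {}, {}
    for ts, src, dst in sorted(records):
        q = recent.setdefault(src, [])
        q.append((ts, dst))
        while ts - q[0][0] > window:   # slide the window forward
            q.pop(0)
        if len(q) > peak.get(src, (0, 0))[0]:
            peak[src] = (len(q), len({d for _, d in q}))
    return {s: p for s, p in peak.items() if p[0] > max_attempts}


def sample_log():
    """Constructed sample: one noisy VPS, one ordinary VPS, one stale record."""
    t0 = datetime(2016, 11, 23, 12, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()},"
             f"192.0.2.10,198.51.100.{i % 30 + 1}" for i in range(60)]
    lines += [f"{(t0 + timedelta(hours=h)).isoformat()},192.0.2.20,203.0.113.5"
              for h in range(3)]
    lines.append(f"{(t0 - timedelta(hours=20)).isoformat()},192.0.2.30,203.0.113.9")
    return lines


if __name__ == "__main__":
    now = datetime(2016, 11, 23, 15, 0, 0)
    records = prune([parse(l) for l in sample_log()], now)
    for src, (attempts, dsts) in flag_sources(records).items():
        print(f"{src}: {attempts} SSH attempts to {dsts} hosts within {WINDOW}")
```

A high attempt count spread over many distinct destinations is the pattern that suggests a compromised VPS; a high count to a single destination is more often a misbehaving script.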


