The Privacy Blog
Thoughts on privacy, security, and other stuff.

September 27, 2011

Privacy, logging policies, and trackrecord

There has been a lot of attention recently to the arrest of an alleged LulzSec hacker after his anonymity was compromised by the anonymity service he was using, HideMyAss.com. Some articles on the event are here, here and the provider’s explanation here.

The reason this company was able to compromise the privacy of their user was that they had logs of user activity. They know what IP address is assigned to each user and can use that to attribute any activity back to the real identity of the person behind the account.

The real problem with logs is that either they exist or they don’t. You can’t keep logs only for “bad users” and not for responsible “good users”: even if it were possible to identify them as such in advance, there would be nothing like agreement about who belongs in which category.

Many operators of privacy services, including myself, feel very strongly that such tools should be usable in countries like China to circumvent the censorship and surveillance there. Such use is certainly illegal for the user, and probably for the provider. HideMyAss, a UK company that says it responds only to UK court orders, was nonetheless “forced” to expose the identity of a person in the US, who was then arrested by the FBI.

I don’t know enough about this case to debate whether or not this person is guilty or deserved to be arrested. My concern is that this case has demonstrated that anyone who can cause a UK court order to be served against this company can expose its users. It also makes the company a target for hacking, social engineering, infiltration and other attacks that could reach these logs without any UK court order.

As a general rule, if information exists and people want it, there is a very good chance it will escape, if only by accident.

Perhaps we should not be too surprised that this company failed to protect its users, when it has no visible privacy policy on the website, and there are no identifiable people standing behind the product and brand with their personal reputations.

I founded this company, Anonymizer.com, and I personally stand behind our services. We have clear privacy policies, we keep no logs of the surfing activities of our users, we have no way of identifying what user may have visited what website. We have an unblemished record of providing robust privacy since 1995.

As I have said in many previous posts, it all comes down to trust. If you don’t know who is providing the service, and don’t have the ability to research their history and gauge their integrity, you should not use that service.


30 comments

  • testuser · September 28, 2011 at 12:21 pm

    16 years is certainly an impressive record.

    But the way you are posing “anonymity by policy”, or credentials, record, assurances, etc., is plainly wrong.

    This Tor blog post approaches the issue most effectively:

    https://blog.torproject.org/blog/anonymity-design-versus-policy

    Assurances and reputation are certainly important, but what does that do for anonymous users if there’s a court order. A USA PATRIOT Act investigation?

    The only solution is for an anonymity service not to have any information on their users.

    Open source services that *can’t* determine the identities of their users are the best method.

  • Anonymous · September 28, 2011 at 7:36 pm

    Or you could just use Tor.

  • Author comment by lance · September 29, 2011 at 3:57 pm

    I know and respect the folks who built the TOR network, but I disagree with them at a fundamental level. Because anyone can set up a TOR node, there is no trust in the operators, yet there are many attacks TOR node operators can launch against you.
    Anonymizer keeps no logs of the activity of users of the Anonymizer Universal or Total Net Shield services. When subpoenaed, we have no information to provide. This has been tested hundreds of times over the years.
    Given the many cases of hackers, researchers and others gathering information and doing more hostile things with TOR nodes, I do not trust the node operators, the developers are great folks, and will not use them.
    It is a difference of security philosophy. Do what you are comfortable with.

  • Anonymous2 · October 2, 2011 at 4:15 pm

    Ok. Anonymizer doesn’t keep logs. But why does Anonymizer require name and address information for subscriptions if your users are to remain truly anonymous?

  • Author comment by lance · October 3, 2011 at 6:33 am

    Why do we ask for name and address information? Great question. It is all about billing. The vast majority of our customers have always chosen to pay us by credit card. To process those payments we need to collect name and address information.

    Your anonymity is protected with respect to other websites and with respect to your online activities. We know who you are, but not what you are doing. We can see your incoming IP address directly as well. It is basically impossible for us to avoid knowing who our customers are.

    We design our systems so that our having that information can not put our customers at risk of exposure.

  • Jeff · October 3, 2011 at 3:40 pm

    Lance,

    I need help to better understand your service. I presently use TOR via a thumb drive at the library in an attempt to keep a project as secret as I am able. I am not a computer person and do not understand how a TOR node operator could advantage or expose me. With regards to your service, I would like you to clarify if you keep any records that match my IP to the new IP you assign. If you keep these records, how long before you destroy them? It seems to me that Hidemyass was keeping records of which users were assigned to which IP. This information could then be used to identify which person visited which website or sent which email. I am willing to use your service if you can keep me 100% anonymous. I am sorry to ask for clarification, but it would be great if your website had a “plain English” version of what you offer. Also, the TOR project says that they use a special Firefox browser that does not contain Java because that can leave a trace as to my real identity. When using your service do I need to use a different browser? Please address and pardon my lack of technical knowledge.

  • Author comment by lance · October 4, 2011 at 6:33 am

    I have talked a bit before about vulnerabilities in TOR, so rather than repeat, I will link to those posts here.
    http://www.theprivacyblog.com/online-privacy/tor-hack-proposed-to-catch-criminals/
    http://www.theprivacyblog.com/online-privacy/rogue-nodes-turn-tor-anonymizer-into-eavesdroppers-paradise/
    http://www.theprivacyblog.com/online-privacy/tor-may-actually-reduce-your-privacy/

    We keep no logs of what IP addresses are assigned to our users. All of the users are randomly assigned to one of a small number of addresses that are active on any given day. There are a great many users attached to each IP address at any given moment. We have no idea what traffic comes from which users, and do not do any monitoring of that traffic.

    Our standard consumer services are targeted at typical users. People with very high threat models need to take additional precautions including running their operating system from a completely clean operating system every time.
    Turning off all active content can be effective, but it will prevent access to a lot of content, and absolutely flags you as someone very unusual (and potentially interesting).

    When thinking about the best tools to use, you need to think carefully about exactly who you are trying to protect against, and what capabilities they can realistically use against you.

    Any more detailed advice is likely to be too sensitive to conduct in the comment thread. Please email me at blog@anonymizerinc.com if you want more help.

  • testuser · October 8, 2011 at 6:38 am

    There are and will continue to be vulnerabilities in Tor software. The Tor developers are very clear about that. Note that all the releases continue to be ./dot releases.

    But since it’s open source software, meaning that the software code and the Tor network’s architecture is available for review and critique, it is in a separate category than services like Anonymizer.

    External parties are not in a position to do a full audit of Anonymizer. The software and network architecture are not open to all eyes.

    Again, I’m not interested in attacking Anonymizer or Lance. For certain users with certain adversaries, it’s an appropriate solution. If you are dealing with an adversary such as the North Korean government, Anonymizer might be an adequate solution.

    But if Anonymizer is subject to any particular jurisdiction, such as the US, then all bets are off.

    As mentioned, with the USA PATRIOT ACT, the US government can grab logs, billing information, etc., while Anonymizer would face a gag-order to not make a peep about it. Not even to their users. There is no such option with Tor. The array of Tor node operators can be good or bad, but they can’t be put in the same pot or subject to the same governments, regulations, and so on.

    Open systems have their weaknesses. Tor itself is continually under attack day-to-day, not to mention at technical conferences. But that is also the beauty of open source systems. There can be that critique, thus driving more review and enhancements. Everyone gets to hear about the warts and blemishes without makeup. External parties are not able to do that with Anonymizer and other private proxy-type services.

    Quick note to Jeff: determine *who* your adversary is to assess your solution. It’s hard to say X or Y is the best fit for you without knowing if you’re a political dissident in China or a Wikileak-submitter at the Bank of America, or a teenager browsing pr0n to avoid your parents ;) Nevertheless, stick to the solution you are most comfortable with so that you can continually critique it and improve with experience. There are no snake oils in anonymity, unfortunately.

  • Author comment by lance · October 10, 2011 at 6:17 am

    Yes, you can confirm that your copy of the TOR software is clean. You can not confirm that the copy being run by the operators of a node is clean, nor that there have not been other changes or actions taken which could impact your privacy.
    I could open source the Anonymizer system, then actually run something completely different internally. It does not buy you anything.

    The failure of HideMyAss.com clearly shows the problem with keeping logs (in their case in the UK). You are correct that Anonymizer can be compelled to produce any logs that it possesses. We are not obliged to keep any logs which would show which of our subscribers visited what sites, when, or what they did there.

    If Anonymizer had been forced to hand over logs which penetrated a user’s privacy it would not stay secret. Again look at the example of HideMyAss.com. We have received a great many subpoenas and other kinds of court orders over the years. This is not a theoretical or academic point. Our policy has withstood this for many years. If we could be forced to expose our users, there would be lots of people shouting about it. We do know who our users are, but being an Anonymizer subscriber is not a crime, nor is it evidence of any kind of illegal or malicious activity. In particular it can not be tied to any specific incident or event.

    Try as they might, the code is not going to provide the privacy, people are. You need to trust those people. Yes, there is risk in that. Think very long and hard about who and where you choose to trust.

  • Jeff in Beantown · October 12, 2011 at 7:13 am

    Lance,

    Your reputation and that of Anonymizer is solid. I think I can trust you, but I’m paranoid. Tell me how you ensure someone else at Anonymizer, working undercover for the NSA or Chinese government for example, hasn’t installed a logger without your knowledge. And let’s say Anonymizer is bought out or you leave. The most trustworthy asset of Anonymizer is Lance Cottrell, not the technology. If you’re not in the picture or your control is compromised, will you broadcast that to your users immediately?

    Thanks. Stay honest.

    –Jeff

  • Author comment by lance · October 16, 2011 at 4:43 pm

    I commit to ensuring that it is widely known if I part ways with Anonymizer or feel that I can’t personally stand behind the company and product at any time in the future.

  • Anonymous2 · November 5, 2011 at 1:22 pm

    “We keep no logs of what IP addresses are assigned to our users.”

    Do you keep logs of or regularly track from what IP address a user connects to your service?

  • Darren Chaker · January 18, 2012 at 1:32 am

    I am impressed Anonymizer does not keep logs and but only wish other companies would take privacy as seriously as Anonymizer. If you commit to privacy, it’s all or nothing. Keep up the good work Lance.

  • Anonymous3 · February 12, 2012 at 10:54 am

    QUESTIONS TO LANCE
    1. What logs and records do you keep?
    2. Do you keep records of which customer logged at a certain time on a certain date?
    3. If you do, do you also have a record of what IP addresses (a list) may have been assigned to that customer?
    4. How long do you keep any of the records?
    5. In what cases have you provided information to law enforcement officials and how often has it happened?

    It’s a fine line between protecting privacy and potentially helping criminals. Wherever this line is, it is sure to be subject to criticism. Where does Anonymizer draw this line?

    Answering these questions will go a long way towards explaining what services Anonymizer provides and what services should not be expected. Not fully answering is an answer by itself. Many feel the answers have not been provided. We also understand that you may be under court order not to provide answers to some of these questions and you may not be able to reply.

    Whatever the answers are, they should not be criticized. Your company is providing a very valuable service. Where to draw the line when it comes to anonymity is up to you. There is no right or wrong here. However, it is critically important to know where the line is.

    With deep respect for what you have been doing and the great help you have provided to those living under repressive regimes,
    Anonymous3

  • Author comment by lance · February 23, 2012 at 10:04 am

    We keep billing records and logs of when a user logs in to detect account sharing and other abuse. We never keep any logs that would tell us what content a given user accessed.
    We do not track what IP address was used by any user, and a great many users are attached to the same IP at the same time to ensure that even if it was discovered it would not indicate any individual user.
    We have responded to subpoenas for billing records for users. We have been asked for information about which users had what IP addresses or who visited specific sites on specific days, but we have no such logs and so we have never provided that information.
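As an added illustration (not code from the post or from Anonymizer), the following Python models the contrast drawn in this reply and in the October 4 reply above: the same live sessions written to disk under a per-session assignment log versus under a login-timestamp-only log, and what each lets an auditor, or a subpoena, attribute from one observed egress IP and time. All users, addresses and times are constructed.

```python
"""Added illustration (not code from the post or from Anonymizer).
Two retention policies from the thread are applied to the same live sessions:
  ASSIGNMENT_LOG - per-session (user -> egress IP) records, the kind of log the
                   post says HideMyAss.com held.
  LOGIN_LOG_ONLY - only login/logout times kept for abuse detection; the egress
                   IP comes from a small shared pool and is never written down.
The defender's audit question: given "egress IP X was seen at time T", which
subscribers could the retained records point at?  All data is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Union

class Policy(Enum):
    ASSIGNMENT_LOG = "per-session user -> egress IP records"
    LOGIN_LOG_ONLY = "login/logout timestamps only"

@dataclass(frozen=True)
class Session:                 # ground truth while a session is live
    user: str
    egress_ip: str
    start: int                 # constructed: minutes since midnight
    end: int

@dataclass(frozen=True)
class AssignmentRecord:        # what ASSIGNMENT_LOG writes to disk
    user: str
    egress_ip: str
    start: int
    end: int

@dataclass(frozen=True)
class LoginRecord:             # what LOGIN_LOG_ONLY writes: no IP field at all
    user: str
    start: int
    end: int

Record = Union[AssignmentRecord, LoginRecord]

# Constructed sample: two shared egress addresses (TEST-NET-3) and five users.
POOL: FrozenSet[str] = frozenset({"203.0.113.10", "203.0.113.20"})
SESSIONS: List[Session] = [
    Session("alice", "203.0.113.10", 540, 660),
    Session("bob",   "203.0.113.20", 550, 700),
    Session("carol", "203.0.113.20", 590, 620),
    Session("dave",  "203.0.113.10", 300, 400),  # offline by 10:00
    Session("erin",  "203.0.113.10", 610, 700),  # not yet online at 10:00
]

def retain(sessions: List[Session], policy: Policy) -> List[Record]:
    """What reaches disk. Under LOGIN_LOG_ONLY the egress IP is dropped before
    the record is written, so it can never be produced later: the log either
    exists or it does not."""
    if policy is Policy.ASSIGNMENT_LOG:
        return [AssignmentRecord(s.user, s.egress_ip, s.start, s.end) for s in sessions]
    return [LoginRecord(s.user, s.start, s.end) for s in sessions]

def attribute(records: List[Record], pool: FrozenSet[str], ip: str, t: int) -> FrozenSet[str]:
    """Subscribers the retained records can tie to 'egress IP ip at time t'.
    The smaller the set, the more exposed each member of it is."""
    if ip not in pool:                 # not one of our addresses: nothing to say
        return frozenset()
    candidates = set()
    for r in records:
        if not (r.start <= t < r.end):
            continue                   # was not logged in at t
        if isinstance(r, AssignmentRecord) and r.egress_ip != ip:
            continue                   # held a different egress IP
        candidates.add(r.user)         # a LoginRecord has no IP: every online user stays
    return frozenset(candidates)

def audit(ip: str, t: int) -> dict:
    return {p.name: attribute(retain(SESSIONS, p), POOL, ip, t) for p in Policy}

if __name__ == "__main__":
    for policy, users in audit("203.0.113.10", 600).items():
        print(f"{policy:15s} -> {sorted(users)}")
```

Note that the login-only log still narrows the set to the users online at that moment, which is exactly the residual exposure the reply above acknowledges by keeping login times for abuse detection.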

  • Richenbach · April 22, 2012 at 12:02 pm

    Anonymizer was purchased by Abraxas corporation in 2008.

    https://www1.anonymizer.com/consumer/media/press_releases/05012008.html

    Why does a defense contractor own Anonymizer?

  • Author comment by lance · May 25, 2012 at 9:34 am

    Anonymizer has long provided privacy services to corporations, law enforcement, and other government organizations, in addition to our core consumer privacy services. It was a very strategic fit for both companies that improved our products and brought new skills and experience into Anonymizer.

  • Blue, White & Red all over · July 9, 2012 at 6:28 pm

    Mr. C,

    I’m a longtime admirer of Anonymizer and respect your attitude towards privacy.

    Let me ask a hypothetical but somewhat realistic question:

    Suppose a team of evildoers from the People’s Republic of Nogoodnikstan have infiltrated Pleasanttown USA and are plotting evil deeds against its good citizens.

    Patriotic and well intentioned agents from the US Ministry for the Prevention of Evil come to you and explain the situation:

    They believe these are the men, and here are the names they might be using. Here is the house we believe them to be occupying, and here is the IP address registered to service at that house. And, by the way, here are all the IP addresses within ten miles of that house, in case they get clever and go over to Coffebucks or a library to use free wi-fi. The agents have information leading them to believe that they are using Anonymizer. They want any and everything you can tell them.

    Being a patriot yourself, and wanting to help the agents catch the evildoers, who are incidentally also by definition terms-of-service violators, what are the classes or types of information that you *could* provide to the agents?

    If provided with this kind of information ahead of time, could you alert the Ministry in real-time of the activities of the doers of evil? When they log in, from where, where they are going on the internet, what data they’re passing, etc. Could someone other than yourself or Anonymizer personnel produce this information if they were so inclined?

    Thanks.

  • Author comment by lance · July 17, 2012 at 12:05 pm

    We know our customers’ names and billing information. It would not be difficult for us to see what IP addresses were being used to access Anonymizer Universal.

    Given that, it would be technically possible for us to provide an alert any time a person matching IP or account criteria logs into the service. I would think that was an impermissibly broad request, and would fight it, but technically we could comply.

    We have worked hard to design the Anonymizer systems so that it is very difficult to collect any information beyond that. Specifically, we would not be able to know what activities were being undertaken by any given user. We would need to make significant changes to our infrastructure to be able to comply with such a request.

    In any case, having run privacy services since 1993, I have never run into a request or situation even vaguely like the one described.

  • zzAnonymizer · October 2, 2012 at 7:00 am

    You mention logs are never monitored or stored but the privacy link says “…..Anonymizer may monitor your use of the Anonymizer service, e-mail, or other electronic communications …..”. Can you explain the difference?

  • Author comment by lance · October 2, 2012 at 8:12 am

    There are two reasons for that part of the privacy policy.
    The first is that we sometimes need to deal with hackers or other attacks, and may need to do small amounts of packet capture in real time to work out how to stop it. This is generally done in such a way that we still don’t capture user identity and activity, but it may depend on the attack. This is very rare and only used reactively for the shortest possible time.
    The bigger reason for that clause in the privacy policy is to make criminals feel less comfortable using the Anonymizer service. If people want to engage in outright illegal activity on the Internet, I would rather that they use someone else to do it.

  • zzAnonymizer · October 2, 2012 at 12:51 pm

    Thanks, glad it is reactive to an actual event. On a side note isn’t legal vs illegal sort of subjective. After all, freedom of speech is “illegal” or restrictive in some countries. :)

  • Author comment by lance · October 2, 2012 at 1:00 pm

    No question, it is subjective. As a US company, US law is generally the standard we go by. I don’t have a problem with violating censorship laws in China, Iran, Russia, etc. I don’t want hackers, DDOS, child pornography, or extortion going through my servers if I can avoid it.

  • zzAnonymizer · October 2, 2012 at 5:22 pm

    Agreed. Thanks for taking the time to answer the questions.

  • Free_Energy_Researcher · October 4, 2012 at 8:59 pm

    Hi,

    I am a Free Energy Researcher and aspire one day to be a big inventor of a Free Energy Device (Zero Point Energy) that I can open source for the community to improve and benefit from. However, there is the problem that the big oil industry in the US and worldwide does not want such a device to see the light of day, and anyone that has been caught in the past successfully inventing such a device has been either murdered or given millions of dollars to keep their mouth quiet. Well, I would like to know, would your service (anonymizer) be strong enough to keep me protected from entities like the US Oil Industry if I shall, one day, decide to release the plans online on how to replicate a working solid state Zero Point Energy Device using your anonymizer IP address VPN?

    I know from your previous post that you say that you do not keep any logs, but when multi-billion dollar entities are behind wanting to find someone, sometimes things might just “change a little” and I would like to make sure that this won’t be the case with your service.

    Thanks.

  • Author comment by lance · October 4, 2012 at 9:32 pm

    First, I doubt anything I could say would really put your mind at ease. As I have said many times, it is a matter of trust. I could claim anything about our systems and you still need to trust that I am not just making it up. Track record is all you have.
    Second, if you really invented such a thing, and wanted to give it away, it would be easy to make it basically impossible to put a lid on it.
    Conspiracies are very hard, and leaks are easy. Give it to a lot of people. Do that frequently along the way.
    As a former physicist, I think your chances of creating such a thing are vanishingly small, but as a member of the human race, I wish you the best of luck in your endeavors.

  • AnonymizerFan · November 13, 2012 at 11:16 am

    Lance, how do you think the recent events involving general Petraeus could affect the tolerance of legislators for routine, automated, casual invasions of privacy in the absence of any cause?

    http://www.guardian.co.uk/commentisfree/2012/nov/13/petraeus-surveillance-state-fbi

    ….

    As is now widely reported, the FBI investigation began when Jill Kelley – a Tampa socialite friendly with Petraeus (and apparently very friendly with Gen. John Allen, the four-star U.S. commander of the war in Afghanistan) – received a half-dozen or so anonymous emails that she found vaguely threatening. She then informed a friend of hers who was an FBI agent, and a major FBI investigation was then launched that set out to determine the identity of the anonymous emailer.

    That is the first disturbing fact: it appears that the FBI not only devoted substantial resources, but also engaged in highly invasive surveillance, for no reason other than to do a personal favor for a friend of one of its agents, to find out who was very mildly harassing her by email. The emails Kelley received were, as the Daily Beast reports, quite banal and clearly not an event that warranted an FBI investigation

    Recall how former Democratic Rep. Jane Harman – one of the most outspoken defenders of the illegal Bush National Security Agency (NSA) warrantless eavesdropping program – suddenly began sounding like an irate, life-long ACLU privacy activist when it was revealed that the NSA had eavesdropped on her private communications with a suspected Israeli agent over alleged attempts to intervene on behalf of AIPAC officials accused of espionage. Overnight, one of the Surveillance State’s chief assets, the former ranking member of the House Intelligence Committee, transformed into a vocal privacy proponent because now it was her activities, rather than those of powerless citizens, which were invaded.

  • Author comment by lance · November 13, 2012 at 11:59 am

    It is really hard to know how legislators will react to something like this. I could imagine reasons they might swing either way.

  • Anonymous · June 30, 2013 at 9:03 pm

    Hi Lance,

    I was just noticing that the Anonymizer Privacy Policy was updated on Dec 17, 2012, about a month after the last comment in this string. So, I wanted to ask if that Privacy Policy update changed Anonymizer’s logging policy.

    In particular, I noticed that the new Privacy Policy says, “Records of your billing information are kept separately from records of your Internet activities because our billing system and Anonymizer privacy and security services run independently.” What got my attention was the part of the sentence that said “records of your Internet activities”. Is Anonymizer now logging a user’s Internet Activities? It seems odd that verbiage would be in the Privacy Policy if logs were not being maintained.

    Thanks in advance for the extra detail.

  • Author comment by lance · July 1, 2013 at 8:04 am

    That is certainly an awkward sentence. No, we do not log our users’ web surfing activities, or any other activity, through Anonymizer Universal.
    Nyms has somewhat different privacy characteristics: because we have to know how to deliver email to the users, we must therefore keep a mapping of Nyms to real email addresses and associated accounts.
