Scegliere una VPN sicura per la propria privacy e sicurezza

Nel post scriptum del mio articolo "Rifugiati dentro TOR? E' possibile sfuggire allo spionaggio globale?" avevo suggerito la possibilità di abbinare Tor a una VPN, osservando però che il vero problema è capire quale livello di tutela della privacy può offrire il servizio scelto.

Nel recente articolo "Which VPN Services Take Your Anonymity Seriously? 2014 Edition", aggiornato al 16 giugno 2014 nel momento in cui scrivo, sono state riportate le risposte a una serie di domande rivolte ai gestori di servizi VPN, di cui suggerisco la lettura:

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
3. What tools are used to monitor and mitigate abuse of your service?
4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
5. What steps are taken when a valid court order requires your company to identify an active user of your service?
6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
7. Which payment systems do you use and how are these linked to individual user accounts?
8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

Vorrei segnalare le risposte di Mullvad, che tra l'altro offre un ottimo client per GNU/Linux sotto forma di pacchetto .deb:

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and our upcoming IPv6 support.
2. Swedish jurisdiction. Under no circumstance we will share information with a third-party. First of all we take pains to not actually possess information that could be of interest to third parties, to the extent possible. In the end there is no practical way for the Swedish government to get information about our users from us.
3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.
4. There is no such Swedish law that is applicable to us.
5. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.
6. Yes.
7. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.
8. We use OpenVPN. We also provide PPTP because some people want it but we strongly recommend against it. Encryption algorithms and key lengths are important but often get way too much attention at the expense of other important but harder to measure things such as leaks and computer security.

Aggiornamento gennaio 2016: 20+ VPNs rated on privacy and security side-by-side

Vorrei ricordare alcuni suggerimenti di base per la privacy indicati nel mio articolo "Rendere il web un posto più pulito, senza pubblicità né tracciamento online: Firefox + Disconnect + Adblock", tra cui:

1. agire con prudenza e attenzione nell'immettere informazioni in rete;
2. usare il cellulare il meno possibile (meglio per niente);
3. usare esclusivamente software libero, a cominciare da GNU/Linux;
4. navigare un browser provvisto di sistemi antitracciamento opportunamente configurati.

Ricordo inoltre i consigli di Snowden:

1. use full disk encryption to protect your computer and devices;
2. use “network encryption” like SSL
3. use Tor and browser add-ons NoScript and Ghostery

Infine, suggerisco di controllare sempre il proprio indirizzo IP e la sua posizione geografica, in modo da verificare effettivamente con chi si è collegati quando è in uso una VPN. Ho creato una pagina ad-hoc, che diversamente da tante altre equivalenti disponibili in rete rispetta completamente la privacy di chi la usa:

Locate your IP Address (max privacy, page without trackers, ads or logs)
https://www.informatica-libera.net/detect-ip-without-tracker/

Francesco Galgani,
15 luglio 2014