"We can disclose only now that we had a server in Toronto seized in 2015, initially without our knowledge. Maybe a court order was served to the datacenter. For about 10 days we did not understand what happened to the server, which did not respond, while the datacenter did not provide information. After 10 days Italian police (and not any magistrate) contacted us. They informed us that Toronto police and FBI (*) asked for our help because they could not find any log in the server. Unfortunately their help request came after the server had been already seized. They did not even make a copy, they took it physically, therefore the server went offline, probably alerting the alleged criminals. It was obvious that forensic analysis could not find any log, simply because there were none. Our VPN servers did not even store the client certificates, go figure (now they also run in RAM disks, but in 2015 they did not). The whole matter was led by informing us without any document from any court or magistrate, but only through official and informal police communications, and only to ask for help after forensic analysis obviously failed completely.

We were not asked to keep confidentiality on the matter, but just to stay on the safe side and support the investigation on what appeared to be a serious crime (a whole database with personal information of a commercial service was cracked, stolen and published in public when the web site owners did not pay a “ransom”; while our server was apparently not used for the crack, it was used to upload elsewhere the database) we decided not to disclose the whole matter for at least 7 years. It’s one of those cases confirming that our servers do not store logs, data or metadata of clients’ traffic.

(*) We may speculate that FBI was involved in a Canadian matter because the stolen database contained US citizens’ personal data"

Honestly good to hear. This is how all VPNs should handle user data.

@stillwater@lemm.ee · 26 · 1Y

Seven years is the standard government record retention period in Ontario, where the server was taken from.

What else has happened in the 7 years that they haven’t bothered to mention? Absolutely NOT handled well as timely disclosure is a key part of that.

RBG · 10 · 1Y

Exactly that. I don’t use that service, but the past 7 years could have seen dozens of other events like this with less harmless outcomes, and it’s clear they would not report these either.

Especially the way they snake around why they didn’t disclose it. “We can only disclose now”. Why? They made it clear they didn’t receive a court order or anything that would prevent them. They specifically mention that it was only an informal phone call from a police department.

Such a strange comment.

Surely they kept it private because it’s bad for business. Then they randomly respond with this on a forum post?

crawley · 53 · 1Y

I dunno, if my VPN came out and said “heads up, one of our servers was seized and you have literally nothing to worry about because nothing is stored or logged on our servers,” that’s good news IMO. Obviously the best case scenario is not having it seized, but sometimes that’s not possible, and it’s a mark of a good VPN when the consequences to you of a server being seized are the same as if it wasn’t (i.e., none).

@Imprint9816@lemmy.dbzer0.com (creator) · 27 · edited · 1Y

Yeah, disclosure is always good; it’s just odd the way they handled it:

- no official post (yet)
- makes the announcement as a reply to a forum post even though they have a specific forum thread for this exact thing
- all of a sudden has a 7-year wait time on disclosures policy
- not written very professionally (I tend to assume English is a 2nd language for the staff, but still, as an organization the staff should be a bit more refined).

I’m a user of AirVPN. I like them, but they do odd things like this, or being very obtuse about why they won’t get audited.

@stillwater@lemm.ee · 5 · edited · 1Y

It probably wasn’t their timeline. Seven years is standard for gov record retention in Ontario.

I agree, if they said this 7 years ago…

@Imprint9816@lemmy.dbzer0.com (creator) · 15 · 1Y

Yeah the whole thing is odd, especially since they disclosed it as a response instead of in the disclosure thread the first comment mentioned.

This is a “I’ve got bad news and I’ve got good news” type thing, right?

@OsrsNeedsF2P@lemmy.ml · 9 · 1Y

Yea. Seems odd they didn’t make a blog post, but seems like the situation was handled quite well.
