[HN Gopher] Rejecting data demands, ExpressVPN removes VPN serve...
___________________________________________________________________
Rejecting data demands, ExpressVPN removes VPN servers in India
Author : noufalibrahim
Score : 205 points
Date : 2022-06-02 10:18 UTC (12 hours ago)
(HTM) web link (www.expressvpn.com)
(TXT) w3m dump (www.expressvpn.com)
| deostroll wrote:
| Suppose a GoI website is geo-blocked such that only the citizens
| of India can access it.
|
| Now that a global vpn company has removed its servers out of
| India, does it mean its customers (while using that vpn service)
| are blocked from accessing the said website?
|
| Or is there some other implication here?
|
| Curious to know.
| EwanToo wrote:
| They'll register (or purchase) IP address blocks that are
| marked as Indian in the various GeoIP databases, then assign
| those IP addresses to servers hosted outside India.
| lizardactivist wrote:
| Owned by Kape, and only accepts data demands when they come from
| the U.S. or Israel.
|
| When it comes to VPNs, stick to the ones that are wholly owned,
| based, and operated in the EU.
| lapser wrote:
| > With virtual locations, the registered IP address matches the
| country you have chosen to connect to, while the server is
| physically located in another country.
|
| How does this work then? How can you have an Indian IP address,
| while the server is located in the UK?
| netsharc wrote:
| How does Geo-location from IP work anyway? From my knowledge
| it's just figuring out the ISP the IP-block is assigned to, and
| finding out the address of the ISP. But technically a computer
| anywhere in the world can have any IP? Or since I don't know
| anything about routing: are there routing rules that would
| think "This is an Indian IP, I'm going to forward this data
| towards India"?
| mulmen wrote:
| Cross reference with billing address? Your ISP knows where
| you live, and what IP you have. Do you trust them not to sell
| that data?
|
| Any delivery of anything on your phone at least goes to a
| nearby cell tower but probably exits on your IP from your
| wifi, and has your address as a requirement. Seems very easy.
|
| Uber Eats, Doordash, etc all know the address of your ip as a
| requirement to perform their services.
| jaywalk wrote:
| Any computer can't have any IP, but the routing rules have
| nothing to do with physical location. Routers advertise to
| their neighbors the IP block(s) that they serve.
|
| As a super high level example, your ISP's core router would
| advertise to other ISPs' routers that it serves 10.123.x.x
| IPs, so any IP address in that block gets sent to that
| router. Then within your ISP, the router in your area would
| advertise that it serves 10.123.45.x, so it receives packets
| for IPs in that more specific block from the core router. So
| your IP would have to be within the 10.123.45.x block,
| because that's what the router serving you is assigned.
| petercooper wrote:
| I think it goes deeper than that. Even here in the UK with
| its heavily centralized PoPs it's possible for geolocation
| tools to narrow a consumer down to a specific town (my cable
| connection tends to get geolocated to a big town 20 miles
| from me though) so I assume databases of locations of PoPs
| are maintained somewhere too.
| [deleted]
| Jamie9912 wrote:
| ExpressVPN does this a lot for their "European" servers. If you
| ping them it ends up in the UK (as far as I can tell), even for
| their countries like Serbia and Montenegro.
| bragr wrote:
| They must control ranges of "Indian" IP addresses but announce
| BGP routes for them in Singapore and the UK. GeoIP says India,
| BGP takes you somewhere else. Easy peasy
| elij wrote:
| not true -- your prefix location is a BGP tag which is
| appended based on where you're physically connected (which T1
| carriers will do). Obviously you can get around it with an
| overlay network but you'll need some trivial PoP in India.
| ev1 wrote:
| Nah this is all just fake whois entries announced
| elsewhere. Has no connection to IN outside of that.
| elij wrote:
| interesting that they're having so much success with
| false RIPE/ARIN entries. Proper geolocation (as in with
| visibility of most T1s) would trivially identify the
| origin of traffic.
| ev1 wrote:
| There is less success than you would expect, but it's
| mostly just there to tick a box, not really used much.
| stevewatson301 wrote:
| Fake WHOIS records, you can typically populate anything there.
| Some geolocation providers blindly trust the values that you
| put in there (for example, Maxmind); others do triangulation
| based on trace routes and ping times to deduce if the
| advertised location is actually correct (ipinfo, DB-IP).
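The "triangulation based on ping times" check mentioned above, as an added example that is not code from the thread or from any geolocation provider: a measured round-trip time caps how far away a host can physically be, so a prefix registered as Indian but answering in 2 ms from a Singapore probe fails the check. Probe coordinates are approximate and every RTT below is a constructed sample value.

```python
"""Latency plausibility check for a GeoIP location claim.

Added example, not code from the thread or from any geolocation
provider. A WHOIS record can say "India", but a measured round-trip
time from a probe puts a hard physical ceiling on how far away the host
can be. Probe coordinates are approximate; all RTT values are constructed
sample numbers, not real measurements.
"""
from math import asin, cos, radians, sin, sqrt

# Light in fibre covers roughly 200 km per millisecond one way, so a
# round trip of t ms cannot span more than about 100 * t km. This is a
# generous bound: queueing and forwarding delay only make real RTTs longer.
KM_PER_MS_RTT = 100.0

# Approximate city coordinates (lat, lon) for the probes and for the
# location claimed in the GeoIP record.
PROBES = {
    "mumbai": (19.08, 72.88),
    "singapore": (1.35, 103.82),
    "london": (51.51, -0.13),
}
CLAIMED_MUMBAI = (19.08, 72.88)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(a))


def max_distance_km(rtt_ms):
    """Farthest a host can physically be from a probe given a measured RTT."""
    return rtt_ms * KM_PER_MS_RTT


def check_claim(claimed_latlon, rtts_ms):
    """Compare a claimed location against per-probe RTTs.

    Returns (plausible, violations), where violations lists the probes whose
    RTT is too short for the distance to the claimed location. One violation
    is enough: the host is closer to that probe than the claim allows.
    """
    violations = []
    for probe, rtt in rtts_ms.items():
        plat, plon = PROBES[probe]
        distance = haversine_km(plat, plon, *claimed_latlon)
        if distance > max_distance_km(rtt):
            violations.append(probe)
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed RTTs for a host that is actually in Singapore but whose
    # prefix is registered as Indian: the Singapore probe sees ~2 ms.
    virtual_india = {"mumbai": 60.0, "singapore": 2.0, "london": 170.0}
    print(check_claim(CLAIMED_MUMBAI, virtual_india))  # (False, ['singapore'])
    # Constructed RTTs for a host really in Mumbai.
    real_india = {"mumbai": 3.0, "singapore": 60.0, "london": 130.0}
    print(check_claim(CLAIMED_MUMBAI, real_india))  # (True, [])
```

The bound only ever proves a claim false; a plausible result means the RTTs are consistent with the claim, not that the claim is correct.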
| night-rider wrote:
| What if you spin up a VPS based in India and install
| OpenVPN/Wireguard on it? Surely they can't demand logs of a box
| you operate yourself?
| stevewatson301 wrote:
| The law that they're talking about also mandates cloud and
| server providers to maintain IP allocation histories and
| validate customer identities by way of KYCs.
| [deleted]
| jaywalk wrote:
| A lot of services (like Netflix) block datacenter IPs to
| prevent this sort of thing.
| 0des wrote:
| They'd tell the provider, not you.
| Renaud wrote:
| What makes you think you can operate in a country without
| obeying its laws, however detrimental to privacy they are?
| antihero wrote:
| Disregard for laws. Can be good, can be bad, but never
| underestimate the empowerment of disobedience.
| hirako2000 wrote:
| I got some for you:
|
| - principles, and going as far as extending freedom even if you
| personally already benefit from it
|
| - civil disobedience is a thing, even though some stances are
| questionable.
|
| And I thought the debate over the need for more privacy, given
| that the threats have been proven to come even from governments
| (Snowden/NSA, Pegasus), was settled; visibly it isn't, if even
| on HN such an argument is given in the context of such a clear
| subject. The overstepping body there is the government, not the
| business, imo.
| Aperocky wrote:
| > With a recent data law introduced in India requiring all
| VPN providers to store user information for at least five
| years
|
| By not being a VPN provider? A private VPN isn't hard to
| make.
| wonderbore wrote:
| Yeah but what's the point? A single-user VPN means all traffic
| is already attributable to them.
|
| If the intent is just to access the Indian web, then sure. I'm
| sure there are plenty other non-privacy-aware VPNs that let you
| do that though.
| danesparza wrote:
| Do you really think you operate the VPS host box in a foreign
| country? And you really think a foreign government doesn't have
| sovereignty over their own soil?
| [deleted]
| marcthe12 wrote:
| The law includes data request for owner and IP of VPSes too. So
| maybe no logs but the IP address and the VPS will be tied to
| your real identity anyway, so no improvement.
| 0daystock wrote:
| > Not only is it our policy that we would not accept logging, but
| we have also specifically designed our VPN servers to not be able
| to log, including by running in RAM.
|
| Do people really believe this bullshit? Empty claims of servers
| running "in memory" as a meaningful defense against surveillance?
| ntoskrnl wrote:
| Going diskless is not a complete defense (nothing is), but it
| still helps against certain attack vectors. Borrowing from
| Mullvad's blog post on the topic[1]:
|
| - If the computer is powered off, moved or confiscated, there
| is no data to retrieve.
|
| - Running the system in RAM does not prevent the possibility of
| logging. It does however minimise the risk of accidentally
| storing something that can later be retrieved.
|
| https://mullvad.net/en/blog/2022/1/12/diskless-infrastructur...
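A practitioner's check for the "runs in RAM" property discussed above, added here as an example that is not code from the thread, from Mullvad or from ExpressVPN: it parses a /proc/mounts-format table and reports every writable mount that is backed by persistent media. SAMPLE_MOUNTS is constructed input, not a capture from any real server.

```python
"""Check a mount table for writable persistent storage.

Added example, not code from the thread or from any VPN provider. A
"runs in RAM" claim only reduces the accidental-logging risk if nothing
writable sits on persistent media, so this audit parses
/proc/mounts-format text and reports every rw mount that is neither
RAM-backed nor a kernel pseudo-filesystem. SAMPLE_MOUNTS is constructed
input, not a capture from any real server.
"""

# Filesystems whose contents live only in memory.
RAM_BACKED = {"tmpfs", "ramfs", "rootfs"}
# Kernel pseudo-filesystems that hold no user data on any medium.
PSEUDO = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup", "cgroup2",
          "securityfs", "debugfs", "tracefs", "bpf", "mqueue", "configfs",
          "hugetlbfs", "binfmt_misc", "fusectl", "autofs"}

# Constructed mount table: a mostly RAM-based host that still has an
# ext4 /var/log on disk, which is exactly what a diskless claim rules out.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda2 /var/log ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Yield (source, mountpoint, fstype, options) per /proc/mounts line.

    /proc/mounts octal-escapes whitespace in paths (e.g. \\040 for a
    space), so splitting on whitespace is safe; the escapes are decoded.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.encode().decode("unicode_escape")
        yield source, mountpoint, fstype, set(options.split(","))


def writable_persistent_mounts(text):
    """Return [(source, mountpoint, fstype)] for rw mounts on durable media.

    Network filesystems (nfs, cifs, ...) are reported too: the bytes are
    persistent somewhere, just not on this box.
    """
    flagged = []
    for source, mountpoint, fstype, options in parse_mounts(text):
        if "rw" not in options:
            continue  # read-only: nothing can be written, persistent or not
        if fstype in RAM_BACKED or fstype in PSEUDO:
            continue
        flagged.append((source, mountpoint, fstype))
    return flagged


def is_diskless(text):
    """True when no writable mount is backed by persistent storage."""
    return not writable_persistent_mounts(text)


if __name__ == "__main__":
    for entry in writable_persistent_mounts(SAMPLE_MOUNTS):
        print("writable persistent mount:", *entry)
    print("diskless:", is_diskless(SAMPLE_MOUNTS))
```

Swap devices and block devices opened directly never appear in the mount table, so /proc/swaps and the attached block devices need a separate look.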
| Spooky23 wrote:
| Microsoft used to crow about this stuff a lot with respect
| to O365. I remember getting a dirty look when I laughed at the
| rep.
|
| Their services terminate TLS locally for most tiers of service
| (Even with the "Government Community Cloud"), so you need to be
| careful and use VPNs in any scenario where a foreign interest
| may be interested in what your employees are up to.
| sodality2 wrote:
| Non-persistence of any data is a positive in terms of data at
| rest, how is that not a defense against surveillance?
| Regardless of the fact that it's not verifiable, assuming it
| were true, would it not be a good thing?
| 0daystock wrote:
| How is an anonymous, non-attributable, non-verifiable
| statement, from a company trying to sell you a product, worth
| anything? Why assume it's true when it is so contrary to even
| basic common sense, for anyone who has ever stood up a LAMP
| stack?
| sodality2 wrote:
| I don't mean to assume it's true to validate their
| advertising. For the sake of argument, if a server uses
| only a RAM disk, is that an improvement over having disks?
| Of course a network can still have sneaky equipment in
| between but that is still possible without RAM disks, so is
| it not beneficial to have a RAM disk?
|
| Please note that I am not arguing in favor of their
| advertising or to say that it is successfully avoiding
| surveillance. But, do you believe that no-disk boot,
| assuming it actually takes place, is a positive thing, or
| not?
|
| I admit I misconstrued your original comment to be a
| criticism of the technology rather than the fact that this
| VPN company advertises as such. Nonetheless I do think
| no-disk-boot is not useless as a technology and if you have
| any disagreement I would love to hear it, as someone who
| uses a VPN (not expressVPN) that says they use the same
| setup.
| 0daystock wrote:
| It depends entirely on the threat model. If three-letter
| agencies are the adversary, moving logging to RAM is
| unlikely to be a meaningful deterrent - they probably
| already have a root shell or direct access to the VM
| hypervisor. So if it doesn't protect against nation
| states, whom are we defending against? Another law
| enforcement agency raiding the server room and taking
| hard drives? But I thought ExpressVPN doesn't log
| anything, so why would that matter? Let's just be real
| and practical about what problem this is actually
| purported to solve, else we should call it theater
| because it's what it is.
| ImPostingOnHN wrote:
| the question was, is it better (than running off-disk),
| rather than "is it good enough for X"
|
| the answer is, yes. even an infinitesimally smaller attack
| surface is better than an infinitesimally larger one, all
| other things being equal
| bragr wrote:
| Because it's pretty easy to set up a read-only server that
| runs off read only storage and that doesn't include any
| writable storage. The fact that it could be done doesn't
| really require extreme proof. They could still be lying but
| it's not a hard or unusual thing to do.
| throwaway0x7E6 wrote:
| these claims aren't necessarily empty, but pointless because
| ISPs still log everything, as they're required by law pretty
| much everywhere. it would require a bit more digging
| through, but the data is still there - even with some clever
| routing with on-premise equipment, there's still more than
| enough data to deduce which inbound connection corresponds to
| which outbound connection
|
| if your threat model is three-letter agencies, vpns and tor
| are a fig leaf
| cloutchaser wrote:
| I agree a VPN won't help against a three letter agency. But
| it will help against an ISP, who has a legal right to sell
| your browsing data in the US.
|
| This is one of the use cases for why you might want a VPN, if
| you trust a VPN company more than your ISP.
|
| A VPN is just paying for putting your trust in a VPN brand
| rather than an ISP brand. I don't see why that's such an
| offensive business to so many HN users.
| 0daystock wrote:
| > I don't see why that's such an offensive business to so
| many HN users.
|
| Because the assertion VPNs - apparently unlike every other
| ISP - do not log or monetize your data is simply laughable,
| especially as so many are based in third-world countries,
| set up by shell entities and have almost no accountability
| for any of their claims.
| cloutchaser wrote:
| Their entire business model is premised on the fact that
| they don't. If they ever were found to be, their hundred
| million dollar businesses (expressvpn) would vanish.
|
| When Express had their servers seized in Turkey, there
| was no usable data on them.
|
| I know you are super paranoid, but that still doesn't
| make my point wrong, or using a VPN wrong. Again, if you
| trust a vpn more than your ISP, that's pretty legitimate
| in many countries.
| jayrot wrote:
| I'm as generally skeptical as anyone, but I think you've
| seen that it's essentially impossible to rationally
| debate with someone who believes in a conspiracy to the
| point that evidence against it can just be dismissed as
| part of the conspiracy itself. It's frustrating.
|
| I certainly wouldn't trust my life to an unaudited VPN,
| but I think your two main points are pretty compelling --
| 1) the business model of large VPN companies is based
| on trust. They have a very explicit business interest in
| not violating that trust. 2) in one case we know of, when
| seized, the servers didn't have actionable information on
| them.
|
| Does that mean every VPN company is trustworthy? Of
| course not. Does it mean that things could change at any
| time? Of course.
| 0daystock wrote:
| Your trust is based on baseless promises and one
| isolated, possibly even manufactured, incident. I find
| this to be super naive.
| cloutchaser wrote:
| You clearly have 0 trust in your life. Might want to work
| on that.
| dotnet00 wrote:
| You might as well just treat everything as manufactured
| then. Even this thread must just be manufactured by Big
| VPN.
| [deleted]
| dncornholio wrote:
| > Rest assured, our users will still be able to connect to VPN
| servers that will give them Indian IP addresses and allow them to
| access the internet as if they were located in India. These
| "virtual" India servers will instead be physically located in
| Singapore and the UK.
|
| Wondering why anyone is still using ip-based geolocation. The
| most popular use for VPNs is mocking your location to Steam and
| Netflix. Could be these players allow mock locations because it
| gives them revenue..
| hirako2000 wrote:
| The cat and mouse game seems nowhere near its end. And I totally
| agree, businesses will happily play it forever.
|
| Why geo IP? Naivety/ignorance coupled with the outdated
| business logic that segmenting audiences to skim customers to
| the max will continue to be the winning strategy. It rarely
| comes from within IT brainstorming; those in denial or sticking
| to short-sighted green are the business strategists, also being
| vaguely sold that controlling can be done (and to some degree
| yes it can, so long as consumer bases don't in their majority
| adopt privacy measures and moan when being illegitimately
| denied access). On the more forgiving side, it does help easily
| monitor kiddy attacks altogether: if there is no market in
| Tajikistan, why bother looking at false vs true positives
| coming from there? Dumb scripts are dumb but can still be
| costly for the network management team.
| kevincox wrote:
| It seems pretty clear to me at least for the Netflix case.
|
| - Content providers care because they want to sell exclusive
| per-region licenses.
|
| - Netflix doesn't really care, in fact they may benefit from
| more content available to their users.
|
| The end result is that Netflix will do the bare minimum to keep
| the content providers satisfied.
|
| Steam is more of a concern because they have different prices
| per region. But IIRC they use your billing address, not your IP
| location which is harder to spoof.
| manquer wrote:
| That is also true for Netflix and they do care. The Indian
| monthly subscription is much lower priced and starts at ~$2,
| whereas the U.S. one costs like $20[1].
|
| Geolocation is largely a feature in products and in licensing
| because there is big purchasing power difference between rich
| and poor countries.
|
| Netflix has been more tolerant in the past of region bypass
| than others for the same reason they didn't crackdown on
| password sharing but won't be in the future.
|
| [1] The actual prices we pay might vary in both countries
| depending on promotion and tie ups etc, but these are list
| prices of which those components would be applied.
| jorams wrote:
| > Wondering why anyone is still using ip-based geolocation
|
| I don't think there's a reasonable alternative. If you ask
| users for their location they can just lie, if you use the JS
| geolocation API they can trivially deny or spoof it. If you
| base it on billing address you're locking out people who are
| traveling, which seems unwanted (especially for long-term
| travel).
|
| So instead they end up playing a cat and mouse game to try to
| block VPNs.
| hklwarp wrote:
| ExpressVPN now belongs to Kape Technologies, which has a colorful
| history:
|
| https://www.cnet.com/tech/services-and-software/what-is-kape...
|
| https://www.reuters.com/technology/kape-technologies-buys-ex...
| paradite wrote:
| I assume all VPN providers as honeypots by default, until they
| are proven otherwise.
| jeroenhd wrote:
| Realistically, these things are mainly used to pirate and
| break the ToS of various websites ("Netflix from other
| countries", "buy games at cheaper rates"). With ISPs in some
| countries selling their customers' browsing data to
| advertisers, I don't think these shady VPN companies are much
| worse than not using them for a shockingly large amount of
| people.
|
| Mullvad seems to come out pretty clean whenever these shady
| VPN providers show up on the news again. Being able to use
| them by just transferring some crypto to the right address
| without even needing to enter a username or email address
| seems pretty good. If you ever forget your account number,
| you're out of a month's worth of service at most and can just
| generate a new account when needed. It's the only commercial
| VPN I put a moderate amount of trust in, even though I've
| never used their service.
| headmelted wrote:
| I see these posts, and my gut feeling is that Mullvad is
| probably fairly trustworthy at this moment in time, but the
| more word of their service spreads the more likely I would
| assume it is that they get approached by the type of
| government representatives you don't say no to.
|
| (I.e. I assume success to be a death knell for a service
| like this.)
|
| I'm not a customer, but I've considered it from a privacy
| perspective (in that I could just route general browsing
| through it to block a layer of data harvesting). The
| problem is that I don't know what authority they have to
| push back if pushed by the right actor (who inevitably will
| knock on the door at some point).
| jiveturkey wrote:
| > at this moment in time
|
| yup. So was The Great Suspender.
|
| This is why privacy is a one-way circuit breaker kind of
| system. Once you give your privacy away, you can never
| assume anything about how your data is used. No matter
| the entity, you simply cannot trust that they will hold
| your data secure and use it in your best interests. Even
| Apple, hell even Signal, has leaky bits and "side
| channels" that can, and you must assume _will_ , be
| subverted.
|
| VPN services are well off the mark in terms of privacy
| protection. That the ~~marketing~~ propaganda is so
| focused on the opposite is an abomination.
| TechieKid wrote:
| Sidechannels in Signal is news to me. Can you provide
| some keywords to search for, or any links?
| jiveturkey wrote:
| The contact discovery service leaks the fact that you
| are using Signal. It is not optional. It's clear why that
| is, so I won't spell it out.
| growwrkr6 wrote:
| They can get download records from Google or Apple to
| check for Signal downloads.
|
| So there's really no reason for Signal to try and hide
| one is merely using Signal. Best to focus on securing
| content.
| jiveturkey wrote:
| You are missing the attack vector here.
| steve_avery wrote:
| I assume you are talking about the chrome plugin "the
| great suspender"; I am not sure what controversy you
| refer to? What happened to it?
| ar_lan wrote:
| See https://github.com/greatsuspender/thegreatsuspender/issues/1...
| kaetemi wrote:
| I use VPN services because my ISP's routing has a strange
| habit of going the wrong way around the globe and making
| mystery detours through the US. Picking a good point in-
| between helps to get on less congested paths.
| Blackthorn wrote:
| I had this problem trying to do online gaming on
| Frontier. Their routing was both atrocious and
| mysterious. Using a VPN to get off their network ASAP
| made games playable.
| paradite wrote:
| I just pay for the most expensive ISP.
|
| Edit: Not sure why the downvotes but I don't live in the
| US, if that matters.
| badRNG wrote:
| What makes you think a more expensive ISP will go against
| their interests and refuse to maximize their profits by
| selling access to information that they are legally
| allowed to share? Are there expensive "privacy"-branded
| ISPs I'm not aware of?
| paradite wrote:
| I don't live in the US, but here's a link from eff:
|
| https://www.eff.org/deeplinks/2017/03/small-isps-oppose-cong...
| skinnymuch wrote:
| That doesn't mean anything. It's the same with Apple
| pretending to care about privacy right now while it is a
| competitive advantage.
| paradite wrote:
| Yes, you are right and I'm wrong.
| xeromal wrote:
| You're lucky if you live in an area with more than one
| ISP. lol
| bell-cot wrote:
| How could one prove otherwise? (Assuming you can't send in a
| 5 Eyes team to audit them, haven't hacked their management
| network, etc.)
| GordonS wrote:
| I think sending in a 5 Eyes team to audit them would result
| in the VPN provider becoming a honeypot even if they
| weren't before!
| passivate wrote:
| But what does proof even mean? They can pass any audit you
| throw at them, and then immediately switch to being bad
| actors.
| markovbot wrote:
| One can't really, which is why these absurd claims of "we
| won't monitor your traffic" should be assumed to be blatant
| falsehoods.
| cloutchaser wrote:
| If you want a decent sized paid VPN service, you are basically
| choosing between Nord and Kape now.
|
| Pepsi and Coca cola.
| xeromal wrote:
| What are the thoughts on PIA? I've used them for years
| without issue, but I'm sure they're harvesting my data. lol
| BlueTankEngine wrote:
| PIA has proven in court multiple times that they don't log.
| Everyone in this post worrying about Kape is probably not
| using their vpns for anything illegal in their
| jurisdiction, and are just obsessed with "privacy".
| poppytaker wrote:
| Has PIA proven in court not to log subsequent to being
| purchased?
| mehlmao wrote:
| They're owned by Kape. I switched to Proton once my 3-year
| plan ended.
| arosier wrote:
| Proton VPN - 70M+ signups across our products. Fairly decent
| size at this point. (Disclaimer: I work for Proton.)
| WaxProlix wrote:
| Mullvad?
| cloutchaser wrote:
| "decent sized"
|
| Lots of small coke companies exist too, to use my analogy
| again.
| 2OEH8eoCRo0 wrote:
| Mullvad is not small.
| throwaway92394 wrote:
| Mullvad isn't small, and I'm not sure how Nord
| specifically compares, but it's probably worth noting
| they mostly use 100TB, Tzulo, Quadranet, M247, and 31173.
| They use a bunch of others but not much.
|
| Mullvad for obvious reasons is used for less... wonderful
| use cases. It's not uncommon for websites to block you due
| to abuse from that exit. ASN blocking is rather common
| with mullvad too though that's less avoidable.
|
| I have less info on Nord, although I can see it has about
| 4x the IPs. No idea if they are more diverse network
| wise. Their accepted payment methods suck though.
| ThatMedicIsASpy wrote:
| I saw NordVPN ads in German TV. At this point I would say
| they invest all of their money into marketing - my reason
| for never ever buying their product. I haven't had any
| issues in terms of blocking on mullvad but my sample size
| is small since I don't change the servers that often.
| throwaway92394 wrote:
| Yeah my impression is they're all marketing and care
| relatively little about privacy. How you can claim to
| care about privacy but still require an email is beyond
| me.
| scoopertrooper wrote:
| Would you accept RC Cola?
|
| - A loyal Mullvad customer
| junon wrote:
| If mullvad is RC Cola then I'll switch immediately. Love
| that stuff.
| jchw wrote:
| True that. IIRC Mullvad was literally the world's largest
| Wireguard deployment until Cloudflare did Warp. Just
| because people haven't heard of it doesn't mean it's
| small. They just don't advertise on shitty podcasts, so
| it doesn't have the same brand recognition.
| 55555 wrote:
| VPN providers sell a highly commoditized product and so anything
| they can do to get good publicity is worth it.
| DarthNebo wrote:
| Wonder whether the government of India makes any demarcation
| between corporate VPN or personal VPNs? Or is it just consumer
| VPN services that need to comply.
|
| Everything from cloud vendors, ZScaler, Cisco AnyConnect are
| technically offering access to private networks with a mix of
| public internet &/or intranet.
| gbil wrote:
| Usually such laws target consumer VPNs but I don't have more
| insights on this specific case
| tendstofortytwo wrote:
| Here's the specific order:
| https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04....
|
| Bottom of page 3 says:
|
| > Data Centres, Virtual Private Server (VPS) providers, Cloud
| Service providers and Virtual Private Network Service (VPN
| Service) providers, shall be required to register the
| following accurate information which must be maintained by
| them for a period of 5 years or longer duration as mandated
| by the law after any cancellation or withdrawal of the
| registration as the case may be:
|
| > a. Validated names of subscribers/customers hiring the
| services
|
| > b. Period of hire including dates
|
| > c. IPs allotted to / being used by the members
|
| > d. Email address and IP address and time stamp used at the
| time of registration / on-boarding
|
| > e. Purpose for hiring services
|
| > f. Validated address and contact numbers
|
| > g. Ownership pattern of the subscribers / customers hiring
| services
|
| Seems to me like it would target all of them. But I just
| searched for "VPN", didn't read the full document yet.
| pmontra wrote:
| What's an ownership pattern?
| padheyam wrote:
| After much hullabaloo from the industry, government has
| clarified that this order does not apply to corporate VPNs.
| randombits0 wrote:
| And BAM! I'm a corporation! Hey Sai, wanna be in my
| corporation?
| gumby wrote:
| I use a VPN service specifically to get around region locking.
| ExpressVPN has been pretty good in this regard though lately
| Netflix has stopped working.
|
| When I'm in a hotel or otherwise need to use a local wifi I use
| the VPN client to connect back to one of my own machines, not
| that I care a lot if Kape can see my traffic.
___________________________________________________________________
(page generated 2022-06-02 23:01 UTC)