News broke in my homeland of Australia today that the Australian Federal Police (AFP) attempted to identify the sources of Guardian Australia journalist Paul Farrel by accessing his so-called metadata. Without a warrant.
Australia recently passed controversial legislation regarding the retention of metadata. Other jurisdictions have overturned similar legislation after finding it unconstitutional or ineffective.
A late amendment to the Australian legislation provides some protection for journalists, but it’s tough to know if I’d personally be covered. My day job is running an analyst and consulting firm, and while I have an I-visa that allows me to do foreign media work in the USA, I’m a freelancer.
That’s the context in which an offer from VPN provider hide.me for a free subscription piqued my interest. What are the options for avoiding my data being retained?
Like the trope in old movies where hackers “bounce the signal” around and make it harder to trace the call, a VPN–or Virtual Private Network–is a way to make your internet traffic appear as if it’s coming from a different place in the world. That can be handy for accessing geo-blocked content, like if I want to watch the ads during SuperBowl 50. If I watch the local re-broadcast, I get local ads, but with a VPN, I can make it look like I’m watching the stream from wherever my exit point is, such as, say, downtown San Jose.
There are plenty of VPN providers around, but they’re tricky to evaluate. Various [entity display=”security” type=”section” active=”false” key=”/security” natural_id=”channel_3section_21″]security[/entity] companies offer VPN style products, F-Secure’s Freedome appears to be well-regarded, but it’s not cheap, and there are many lists attempting to compare them. I can say that the hide.me service did work for most situations, but connecting to endpoints in the USA was much harder than endpoints in Hong Kong, the Netherlands, or Canada. It uses OpenVPN as the driving software, which is OpenSource and generally well regarded, but it can be tricky to correctly configure.
But there’s no clear, independent audit standard that the claims made by a provider such as “we don’t store logs” are actually true. Depending on your specific situation, you could be placing a lot of trust in a third party to do what they say. What if they don’t really delete data or don’t do it properly, like Ashley Madison?
A VPN isn’t the entire solution, either, because I use my cellphone a lot. Some VPN providers offer an app that make traffic from your phone go through the VPN as well, but that doesn’t help in my Australian situation, because the connection to the mobile phone towers to send and receive the data would be stored and retained. Local journo Will Ockenden made his own metadata available in a fascinating–and scary–look at just how much you can find out about someone using this data.