I'm very interested to see how some VPN providers react to this. For a zero logs VPN provider, if such a thing can really exist, how big of a problem is this? Presumably many customers pay with a debit/credit card already so there's some PII on file? Usage remains the same? Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.
Of course, we're sliding quite rapidly down that slippery slope here so I'm sure logging and easier government tracking would be next. The justifications will get weaker and even more lacking in supporting evidence for their implementation.
> Presumably many customers pay with a debit/credit card already so there's some PII on file?
Yes. But I think most of the zero logs providers will remove the identifiable payment details after a certain amount of time. E.g. Mullvad have a specific policy relating to what is stored and retention time (I am not affiliated with Mullvad, I just use their service).
I believe a whole host of VPN providers have no real need to comply with this amendment if it passes the Commons.
The providers are structured in a way that makes forcing compliance difficult and have built their whole business model around this. NordVPN is registered in Panama for example and Mullvad lets you send cash in the mail and doesn't store any user details (even a hashed email).
It'll be interesting to see how & who reacts if it does pass.
> Now more than ever, trusting a US jurisdiction VPN provider? No thanks!
The whole point of Obscura is you aren't trusting any single company. A Swedish company and an American company would need to collude to cause a problem. Unless you know something I don't?
> The whole point of Obscura is you aren't trusting any single company.
First, Mullvad's infrastructure has been independently audited.
Mullvad's integrity has also been tested, as proven by a legal case where they were subject to a search warrant when someone was trying to claim copyright infringement.
As far as I can tell, Obscura has not had anywhere near the same scrutiny.
Second, Obscura is the first hop, is it not?
Therefore it may well "only" relay the traffic to the exit node but it is still a relay and hence open to SIGINT analysis by the US.
I would have thought therefore using Mullvad's built-in multi-hop mode on their audited platform would be the wiser decision?
Hence why Mullvad is being used as the exit point.
You have full e2ee between yourself and Mullvad but crucially Mullvad don't know your IP. Five Eyes are already doing SIGINT on behalf of both the US and the UK government before my connection even reaches Obscura so I lose nothing but potentially gain privacy.
How is it you think a single company (Mullvad) having access to my IP and what I am browsing is less secure than splitting it up amongst multiple providers one of which being Mullvad with that audited platform you talk about?
If I wanted Tor on top I'd layer it on top too but that would still be a single point of failure.
It's open source which means I can trust having the app installed if I build from source (or I can just use WireGuard directly). I then know I'm directly connected to a Mullvad WireGuard node by checking the public key here: https://mullvad.net/en/servers
Other than the WireGuard protocol being broken there is no way for Obscura to snoop presuming I check the public key. I'm not saying I trust Obscura, I'm saying with their model I don't need to trust them which is vastly superior. Nor do I need to trust Mullvad.
You keep hand waving around that Obscura are somehow untrustworthy but you have steadfastly refused to address the fact that their model does not require trust. If you trust Mullvad (which you are claiming to) please show an attack that would work to breach this model. You can't.
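The public-key check described in the comment above, as an added example that is not part of the original thread and is not Obscura's or Mullvad's code: it reads the `[Peer]` keys from a WireGuard config and compares the decoded 32-byte values against a published relay list. The relay name, keys, addresses and function names are constructed placeholders; a real check would take the keys from the server list the commenter links.

```python
import base64
import binascii

def decode_wg_key(text):
    """Return the 32 raw bytes of a WireGuard public key, or None if malformed."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == 32 else None

def peer_keys(conf_text):
    """Collect the PublicKey value of every [Peer] section in a wg config."""
    keys, section = [], None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "peer" and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == "publickey":
                keys.append(value.strip())
    return keys

def match_peers(conf_text, published):
    """Map each configured peer key to its published relay name, or None."""
    # Compare decoded bytes, not strings, so encoding quirks cannot hide a mismatch.
    by_raw = {decode_wg_key(k): name for name, k in published.items()}
    by_raw.pop(None, None)  # ignore malformed entries in the published list
    result = {}
    for key in peer_keys(conf_text):
        raw = decode_wg_key(key)
        result[key] = by_raw.get(raw) if raw is not None else None
    return result

# Constructed sample data: not real Mullvad keys, hostnames or addresses.
LISTED = base64.b64encode(bytes(range(32))).decode()
UNLISTED = base64.b64encode(bytes(range(1, 33))).decode()
PUBLISHED = {"exit-relay-1.example": LISTED}
CONF = "[Interface]\nAddress = 10.0.0.2/32\n\n[Peer]\nPublicKey = {}\nEndpoint = 192.0.2.10:51820\n"

if __name__ == "__main__":
    for label, key in (("listed", LISTED), ("unlisted", UNLISTED)):
        print(label, match_peers(CONF.format(key), PUBLISHED))
```

A peer that maps to `None` is one whose key does not appear in the published list, which is the condition the comment says to check for before relying on the tunnel.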
Sadly if you look at how the law is drafted it's set up to catch companies that have a significant UK base not just those that advertise here. It is highly likely for compliance reasons (as we saw with imgur and others) that they will simply block the UK themselves.