Security Basics mailing list archives

Re: Anonymize internet access


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Tue, 27 Sep 2005 18:26:23 -0400

On Tuesday 27 September 2005 04:22 pm, Michael Painter wrote:

There's some indication that they have made false claims in the past. A
conversation in alt.privacy about a year ago brought to light the fact
that at least some of their servers were located in Texas (I believe),
while they play on potential customers' fear of "Big Brother" by claiming
they're an offshore entity.

[snippage]

Since I'm a customer of findnot.com, I asked them for comments on the
above. They (quickly) replied with this:

I have no real desire to get into a long, protracted argument about any 
service, so I'll respond to this once, and try to speak in generalities where 
possible. 

First of all, someone, possibly not even an agent of Findnot, made the claim
that their servers were located overseas. That claim was immediately
discovered to be false, and that person was never disclaimed by Findnot as
far as I know. In fact, someone claiming to be Findnot administration
eventually replied with a statement that they were setting up servers
overseas "this week". Draw your own conclusions.

Message-ID: <9f464ef2.0409060652.7b0113ee () posting google com>

This is also a good point to start looking through the twisted threads that 
made up that dispute, and begin to realize why I care nothing about 
duplicating it here. ;)

Findnot administration speaking:

We do not keep logs at all, and won't. Is it harder to keep servers up and
running that way? Sure it is, but it is possible we do it every day. Our

It's also possible to claim not to log, and log anyway. 

Within the realm of anonymity and privacy, claims are never enough. When
you're dealing with security, you MUST be of the mindset that if some breach
is possible, it's a reality. To think any other way is utter foolishness.

If you saw a bare wire hanging from a tree, would you grab it simply because a 
random stranger claimed it was dead? Would you hold on to it indefinitely 
because that stranger said it always would be?

I hope not.

For this reason alone, no such "anonymity" service can be trusted. Their 
actual logging policies are irrelevant. They have the ability, and that is 
more than enough to negate any claim that they can provide any real 
anonymity at all.

server location are not some big secret, you can check it out for yourself
here:

http://www.findnot.com/servers.html

Our company IS an offshore entity, and we are not in a jurisdiction that

The location of an "entity" is totally meaningless beyond how it affects the 
security of its human owners. Their location might very well shield them from 
some legal actions, but what about their customers? 

The important thing for the consumer is where the company's servers are
located. Most anonymity providers realize this. I believe it's what led to
the false claims made concerning Findnot.

would compromise our privacy or yours. If we were forced to keep logs, we
would move our server to another location. We demand control of the servers
to suit our needs, and if we can't get it we move to another server
provider.

This raises the issue of control. Since a company might be located in one 
place, and their servers located in another, it's absolutely impossible for 
that company to know if anything on their servers is logged or not. 

The people who actually own and administer the machines can, and most likely 
do, log anything they want. In fact, servers might live in countries that 
make logging mandatory as a matter of law. You'd be surprised at just how 
many countries do things that way. 

If you read the threads I pointed to above, you'll see that several people 
researched the locations of some specific servers and their governing laws. 
With disheartening results.

Some other points to consider...

A service provider knows who you are the second you connect. If they know who
you are, you're not anonymous. That much is simple math. They will tell you 
that you can sign up anonymously, and connect anonymously, but if you need to 
be anonymous to use their services, how can they make the false claim that 
you're anonymous with them alone? 

And if you're anonymous before you get to their servers, why would you give 
them any money for their anonymity services? ;)

Even if they don't log they can be forced to, or they can change their policy 
on a whim and without notice. They have that ability. They could take offense 
to something you do or say, or they could fall under the rule of law and be 
forced to give you up. Moving the server may not even be an option at that 
point. They could be under a gag order, or they could very well be
incarcerated with their server running apparently normally. Or their servers 
could be compromised, and they might not even know it.

The bottom line here is that if a service provider claims they will make you 
anonymous and/or untraceable, they're trying to sell you a big old industrial 
sized jar of snake oil. They have NO sound basis on which to make this claim, 
and you have NO concrete reason to place your trust in them. Quite to the 
contrary, you have every reason not to trust these types of services.

Pay your money if you want, and take your chances. That's entirely up to the 
individual. But before you do, consider the possibility that you can invest a 
little effort and most likely achieve a more real anonymity for free. Or shop 
around for a service provider with enough integrity to not try and mislead 
you into believing they can provide you with something they obviously can 
not. Those services are out there too...

Whatever you decide, remember that nothing is 100% foolproof. ;)

-- 
Hand crafted on September 27, 2005 at 16:42:01 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                  -Groucho Marx

