Posted: 28th Jan, 2011 By: MarkJ

A Swedish ISP that is also responsible for hosting WikiLeaks, Bahnhof, has this week triggered a fresh debate into internet privacy by announcing its intention to avoid the new European Data Retention Directive and stick all of its customers behind an effectively anonymous Virtual Private Network (VPN).
Most VPNs act as private networks that piggyback on the public internet and are traditionally used to help employees stay connected with their work while away from the office. They can also have many other uses, such as allowing virtual Local Area Network (LAN) connections between users.
Crucially, a good VPN will encrypt your internet activity and provide a secure way of working, which is essential for office networks. As a by-product this also means that end-users are often able to surf the internet with relative anonymity, both from other surfers and from their own ISP.
The move could of course present some problems for new UK and European data retention and anti-piracy laws, the latter of which (Digital Economy Act 2010) relies upon copyright owners being able to identify "suspected" unlawful file sharing p2p activity from publicly available IP details; a feat that is already extremely unreliable.
Bahnhof believes that by cloaking its users behind a VPN, admittedly not the cheapest of solutions, their connectivity logs would end up being both significantly smaller and useless for identifying end-user activity. Naturally we wanted to know what UK ISPs thought of this.
The Director of AAISP UK, Adrian Kennard, told ISPreview.co.uk:
"There are, of course, a whole string of loopholes.
I doubt you need to go to VPN as such. In fact, something ISPs will be doing anyway, carrier grade NAT, will create a similar anonymity as there is no requirement to log NAT sessions.
The data retention stuff is badly drafted and only means keeping what you already process for a year, not logging any new stuff. Even then it is a very narrow set of things to log, and some are badly worded at best. It is much more relevant for telephone call logging.
The DEA is the bigger issue. So far OFCOM say it will relate to the few big ISPs, but that threshold could so easily change, hence interest from ISPs of all sizes."
VPN is of course a perfectly legitimate service, although some might rightly fear that following Bahnhof's example could carry with it a number of technical and political concerns. Indeed, sometimes the very fear of being identified is what deters internet abusers from doing something bad in the first place.
Adrian Kennard continued:
"ISPs are not trying to encourage piracy, obviously, even if it does mean customers paying more for bandwidth. But ISPs are not police (not that "police" is relevant in most of these civil cases anyway). ISPs just want to get on with running a network and not be involved in a lot of paperwork and costs and bad will caused by things like the DEA. IMHO."
It is perhaps a simple truth that, due to how the open internet works, end-users already have a multitude of ways in which they can stay anonymous while online (e.g. buying their own VPN, proxy servers etc.). However, the Chief Technology Officer (CTO) for business ISP Timico UK, Trefor Davies, cautions that taking the VPN tunnel may not always be plain sailing.
Timico's CTO, Trefor Davies, added:
"It would be a pretty costly project for all ISPs to implement such a system. It would also bring with it risks – suddenly it becomes a lot easier for governments to start monitoring all your traffic because it all goes through a single point (or at least a few points) on the network. In the UK the Data Protection Act if applied to an ISP would also prevent them from offering such an anonymizing service because legally they would be obliged to provide the logs.
This doesn’t stop us from aspiring to a scenario where there is an internet out there which protects your right to privacy. Unfortunately, regardless of the technical issues involved, Big Government and Big Business are likely to get in the way. Governments love to control and business wants as much information about you as it can lay its hands on."
Simon Davies, IDNet UK's Director, told ISPreview.co.uk:
"We piloted this a while ago but found that most of our customers want a real, static, routable IP address. We may offer it as an opt-in for customers in the future which might appeal to those who are unable to migrate to IPv6."
At the extreme end of the spectrum AAISP suggests that one way to circumvent the problem set out by Timico might be to simply create a "friendly society - a private club - and only provide services to the members of that club. Then we are not a public operator at all ... That would be a fun approach."
We expect to update this article in the near future as several other UK ISPs have also been asked for their feedback. So far most of the big providers have, understandably, declined to comment.
UPDATE 29th January 2011: Comments from Entanet UK.
Darren Farnden, Head of Marketing at wholesale communications provider Entanet, said:
"Without reading the technical detail behind the Swedish ISP's use of a VPN to hide its customers, it doesn't seem a sensible step to take because it potentially focuses liability for any infringement directly onto the ISP. Why invite that sort of attention?
As a responsible communications provider, we don't advocate any steps to proactively create the ability to avoid the identification of parties who are deliberately committing acts of data piracy. In reality, as a CP focused in the main on serving business customers via a channel of partners, this really isn't an issue.
A few of our partners do serve non-business customers though and, where we receive notification from a rights holder of an alleged copyright infringement, we already communicate with the user by email. Secondary and tertiary notifications from the right holder result in further emails and ultimately blocked access. We don't however use any tools to monitor the user between notifications.
The DEA takes a similar step in requiring ISPs to write to alleged offenders when presented with a Court Order. The detail is well documented. What amazes us is the Government's latest announcement that it thinks it is 'fair to everyone' that ISPs pay for 25% of the costs of pursuing alleged offenders even though it acknowledges that 'rights holders will be the main beneficiaries'."