🌐 Website Issue | Redefine requirement on services Five Eyes under a Jurisdiction section #1437

Closed
opened 2019-10-28 01:41:20 +00:00 by dngray · 10 comments
dngray commented 2019-10-28 01:41:20 +00:00 (Migrated from github.com)

## Description

These days I really don't think these specific services should be recommended or not recommended based upon the FVEY [(Five Eyes)](https://en.wikipedia.org/wiki/Five_Eyes).

The reason for this is that even if you were to choose a country that was not in the FVEY, there is nothing stopping FVEY states from "leaning" on said country that you have chosen for your services.

Additionally, we can be sure FVEY is not the only intelligence gathering agreement in the world. I would think countries that align themselves with China or Russia might very well share information too.

A user needs to establish whether their usage is going to align with their state's policy. For example, if I lived in `insert EU state with good privacy legislation`, it might be a better choice than something overseas.

This argument comes up quite often in regard to DoH and VPN providers.

- https://github.com/privacytoolsIO/privacytools.io/issues/1428
- https://github.com/privacytoolsIO/privacytools.io/issues/1395#issuecomment-540905268
- https://github.com/privacytoolsIO/privacytools.io/issues/1431
- https://github.com/privacytools/privacytools.io/issues/1915

We should encourage the use of [End to End encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) wherever possible, and if anonymity is required, the usage of Tor or other strong anonymity networks.
blacklight447 commented 2019-10-28 06:03:21 +00:00 (Migrated from github.com)

Rather than removing it, I think we should keep it, but generalize. Tell people about loopholes in the law and things like gag orders, and take the Five Eyes as an example of such an alliance.
Mikaela commented 2019-10-28 07:22:36 +00:00 (Migrated from github.com)
I think this is a duplicate of https://github.com/privacytoolsIO/privacytools.io/issues/1387.
Mikaela commented 2019-10-28 07:24:11 +00:00 (Migrated from github.com)

@Atavic commented on #1387:

> Electrospaces blog has good info on [UKUSA](https://electrospaces.blogspot.com/search?q=ukusa), [5-Eyes](https://electrospaces.blogspot.com/2019/09/from-9-eyes-to-14-eyes-afghanistan.html) etc.
>
> There's a [page about fourteen-eyes](https://github.com/privacytoolsIO/privacytools.io/blob/48fd518cb781944bb1472bdc13daf14f88d94423/_includes/sections/fourteen-eyes.html) that could be revamped with the info provided.
>
> I got it from [Cryptome](https://cryptome.org/).
Mikaela commented 2019-10-28 07:27:46 +00:00 (Migrated from github.com)

> `in insert EU state with good privacy legislation`

Does having a law to monitor all internet traffic going through them or leaving the country violate this and turn into avoid? Sweden has had one since around 2008 and Finland has passed the latter, while I think it's not in force yet. Or is it enough for secrecy of correspondence to exist legally?

Sorry that I am commenting so messily.
dngray commented 2019-10-28 08:39:41 +00:00 (Migrated from github.com)

I think it really is subjective to the service. With email storage, sure, that makes sense to pick a country with strong privacy legislation. Most incoming email is **only** transparently encrypted (unless the other person used PGP first), and even then the metadata is available. Countries with good privacy legislation do have legal intercept laws.

Encrypted email providers like [Protonmail](https://protonmail.com/blog/zero-access-encryption), [Tutanota](https://tutanota.com/blog/posts/first-search-encrypted-data), [Mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox) and [Posteo](https://posteo.de/en/site/encryption#cryptomailstorage) will only protect the email if the legal intercept order comes *after* you received the mail.

Countries [like Australia](https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/) would be a terrible choice. Australia is a FVEY country, but some of the other ones are not so bad. That being said, [US/UK](https://www.eff.org/deeplinks/2019/10/open-letter-governments-us-uk-and-australia-facebook-all-out-attack-encryption) probably aren't good choices either, as they only wish they could pass what Australia did. As it is IVPN, it is unclear where their office is. https://github.com/privacytoolsIO/privacytools.io/issues/1431

When I originally set the topic for this issue it was **specifically aimed at VPN providers**. With a VPN provider though, much of the traffic you're routing through them is going to be HTTPS anyway. As we move to TLS v1.3 and [eSNI](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/), picking up the domains you're visiting is going to become less of an issue.

VPNs don't really provide that much protection against targeted surveillance either, as it's likely law enforcement/spying agencies would get intercepts for the particular sites a user is accessing, particularly if they have an agreement under [MLAT](https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty). We all know that VPNs will not protect you if you're doing something that is considered *universally* a crime.

I also think it's subjective to where the user is located. If I were to live in China, for example, a VPN to practically anywhere not under Chinese influence would be a good idea. It is unlikely the FVEY country would "help" the Chinese government if I were a Uyghur or Hong Kong resident, for example.

I guess the moral of the story is do business with a country that has laws that align best with your interests, and use E2EE whenever possible.
Mikaela commented 2019-10-28 22:46:20 +00:00 (Migrated from github.com)
I think https://github.com/privacytoolsIO/privacytools.io/pull/1097#issuecomment-518189915 and https://github.com/privacytoolsIO/privacytools.io/pull/1097#issuecomment-518901151 are where we decided to ignore the eyes for encrypted DNS servers, in case it's relevant here.
GrimPixel commented 2019-10-29 22:32:12 +00:00 (Migrated from github.com)

I think we should make a list of what laws (on privacy) which country has adopted, together with the “rule of law” information from the Worldwide Governance Indicators.

https://en.wikipedia.org/wiki/Worldwide_Governance_Indicators
dngray commented 2019-11-29 12:20:22 +00:00 (Migrated from github.com)

I think maybe, when redesigning this, we should research what countries are "good for privacy" and make the section about them.

Assuming the "eyes" are the only countries engaged in mass surveillance or that they cannot do that elsewhere seems a bit naïve.
dngray commented 2020-03-27 04:43:35 +00:00 (Migrated from github.com)

Maybe this could just be a blog article.

We really only have a requirement that email providers operate in countries with good privacy legislation, in particular GDPR.

In the case of VPN servers, well, just because the company doesn't reside in X country doesn't mean that government isn't monitoring what exits/enters their servers.

That's why the whole "eyes" thing in regard to VPN servers makes no sense whatsoever.
dngray commented 2020-04-23 09:12:52 +00:00 (Migrated from github.com)

I have had some thought about how this article might look.

What I am leaning towards now is researching a number of countries which we deem to have "good privacy laws". We will create criteria for what we consider "good privacy laws".

I think it's best to look at this in the context of email mostly, because in that scenario the provider is holding a lot of unencrypted data about their users. In regard to VPNs, it really just depends on where the servers are located.

VPN providers love to use "eyes agreements" in their marketing material, but this I feel is pointless. They shouldn't be keeping any data, so there shouldn't be anything to hand over (unlike email, where you'd obviously expect the provider to keep your email and there's also a persistent account that can be monitored).

At best a provider will always be able to disclose who is emailing you, and who you are emailing. There is no way to encrypt `To:` and `From:` when it leaves their service.

We should progress this by brainstorming what we consider to be good features of privacy legislation. A couple I can think of are exceptions to email metadata collection, GDPR (which clearly defines how and what data will be used for), etc.
Reference: privacyguides/privacytools.io#1437