🌐 Website Issue | Redefine requirement on services Five Eyes under a Jurisdiction section #1437
Reference: privacyguides/privacytools.io#1437
Description
These days I really don't think these specific services should be recommended or not recommended based upon the FVEY (Five Eyes).
The reason for this is that even if you were to choose a country that was not in the FVEY, there is nothing stopping FVEY states from "leaning" on said country that you have chosen for your services.
Additionally, we can be sure FVEY is not the only intelligence gathering agreement in the world. I would think countries that align themselves with China or Russia might very well share information too.
A user needs to establish whether their usage is going to align with their state's policy. For example, if I lived in [insert EU state with good privacy legislation], it might be a better choice than something overseas. This argument comes up quite often in regard to DoH and VPN providers.
We should encourage the use of End to End encryption wherever possible, and if anonymity is required, the usage of Tor or other strong anonymity networks.
Rather than removing it, I think we should keep it, but generalize. Tell people about loopholes in the law and things like gag orders, and take the Five Eyes as an example of such an alliance.
I think this is a duplicate of https://github.com/privacytoolsIO/privacytools.io/issues/1387.
@Atavic commented on #1387:
Does having a law to monitor all internet traffic going through them or leaving the country violate this and turn into avoid? Sweden has had one since around 2008 and Finland has passed the latter, while I think it's not in force yet. Or is it enough for secrecy of correspondence to exist legally?
Sorry that I am commenting so messily.
I think it really is subjective to the service. With email storage, sure that makes sense to pick a country with strong privacy legislation. Most incoming email is only transparently encrypted (unless the other person used PGP first), and even then the metadata is available. Countries with good privacy legislation do have legal intercept laws.
Encrypted email providers like Protonmail, Tutanota, Mailbox and Posteo will only protect the email if the legal intercept order comes after you received the mail.
Countries like Australia would be a terrible choice. Australia is a FVEY country, but some of the other ones are not so bad. That being said, US/UK probably aren't good choices either, as they only wish they could pass what Australia did. As for IVPN, it is unclear where their office is. https://github.com/privacytoolsIO/privacytools.io/issues/1431
When I originally set the topic for this issue it was specifically aimed at VPN providers. With a VPN provider though, much of the traffic you're routing through them is going to be HTTPS anyway. As we move to TLS v1.3 and eSNI, picking up the domains you're visiting is going to become less of an issue.
VPNs don't really provide that much protection against targeted surveillance either, as it's likely law enforcement/spying agencies would get intercepts for the particular sites a user is accessing, particularly if they have an agreement under MLAT. We all know that VPNs will not protect you if you're doing something that is considered universally a crime.
I also think it's subjective to where the user is located. If I were to live in China for example a VPN to practically anywhere not under Chinese influence would be a good idea. It is unlikely the FVEY country would "help" the Chinese government if I were a Uyghur or Hong Kong resident for example.
I guess the moral of the story is do business with a country that has laws that align best with your interests, and use E2EE whenever possible.
I think https://github.com/privacytoolsIO/privacytools.io/pull/1097#issuecomment-518189915 and https://github.com/privacytoolsIO/privacytools.io/pull/1097#issuecomment-518901151 are where we decided to ignore the eyes for encrypted DNS servers, in case it's relevant here.
I think we should make a list of which privacy laws each country has adopted, together with the "rule of law" information from the Worldwide Governance Indicators.
https://en.wikipedia.org/wiki/Worldwide_Governance_Indicators
I think maybe, when redesigning this, we should research what countries are "good for privacy" and make the section about them.
Assuming the "eyes" are the only countries engaged in mass surveillance or that they cannot do that elsewhere seems a bit naïve.
Maybe this could just be a blog article.
We really only have a requirement that email providers operate in countries with good privacy legislation, in particular GDPR.
In the case of VPN servers, well, just because the company doesn't reside in X country doesn't mean that government isn't monitoring what exits/enters their servers.
That's why the whole "eyes" thing in regard to VPN servers makes no sense whatsoever.
I have had some thought about how this article might look.
What I am leaning towards now is researching a number of countries which we deem to have "good privacy laws". We will create criteria on what we consider "good privacy laws".
I think it's best to look at this in the context of email mostly, because in that scenario the provider is holding a lot of unencrypted data about their users. In regard to VPNs, it really just depends on where the servers are located.
VPN providers love to use "eyes agreements" in their marketing material - but this I feel is pointless. They shouldn't be keeping any data, so there shouldn't be anything to hand over (unlike email), where you'd obviously expect the provider to keep your email and there's also a persistent account that can be monitored.
At best a provider will always be able to disclose who is emailing you, and who you are emailing. There is no way to encrypt "To:" and "From:" when it leaves their service.
We should progress this by brainstorming what we consider to be good features of privacy legislation. A couple I can think of are exceptions to email metadata collection, GDPR (which clearly defines how and what data will be used for), etc.
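As an added example (not from this thread or the privacytools.io project) of the metadata point above: even when the body is end-to-end encrypted with PGP/MIME (RFC 3156), the provider's mail store still holds the envelope headers. The sample messages and the placeholder ciphertext are constructed, and `provider_visible_metadata` is a hypothetical helper written for this illustration.

```python
# Added example: what a mail provider can still read from a stored message
# whose body is PGP/MIME encrypted. Nothing here is real ciphertext.
from email import message_from_string
from email.message import Message

# Constructed sample: PGP/MIME message (RFC 3156) as stored by the provider.
SAMPLE_PGP_MIME = """\
Received: from mail.example.org (mail.example.org [203.0.113.5]) by mx.example.net; Mon, 4 Nov 2019 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Date: Mon, 4 Nov 2019 09:59:58 +0000
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, not a real PGP packet)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same message sent without any encryption.
SAMPLE_PLAIN = """\
From: alice@example.org
To: bob@example.net
Date: Mon, 4 Nov 2019 09:59:58 +0000
Subject: Quarterly report

Numbers are attached, please keep them internal.
"""

# Headers that travel in cleartext regardless of body encryption.
METADATA_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Received", "Message-ID")

def is_pgp_mime(msg: Message) -> bool:
    """True when the body is a PGP/MIME encrypted container."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def provider_visible_metadata(raw: str) -> dict:
    """Return what the provider can read without any key: headers plus a
    flag saying whether the body is opaque ciphertext (Subject is plaintext
    in classic PGP/MIME too)."""
    msg = message_from_string(raw)
    visible = {h: msg.get_all(h) for h in METADATA_HEADERS if msg.get_all(h)}
    visible["body_encrypted"] = is_pgp_mime(msg)
    return visible
```

Run `provider_visible_metadata` over both samples: the encrypted one still yields From, To, Date, Subject and the Received hop; only the `body_encrypted` flag differs.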