Feature Suggestion | VPN criteria: Adding infrastructure provider/ownership info to trust #1439

Open
opened 2019-10-28 02:14:50 +00:00 by djoate · 1 comment
djoate commented 2019-10-28 02:14:50 +00:00 (Migrated from github.com)

Description:

Our VPN criteria for trust: https://www.privacytools.io/providers/vpn/#criteria currently is as follows:

> Trust
>
> You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
>
> Minimum to Qualify:
>
>   • Public-facing leadership or ownership.
>
> Best Case:
>
>   • Public-facing leadership.
>   • Frequent transparency reports.

Should we be also looking at whether the VPN provider is transparent about who owns their servers? We could probably put it under Best Case or make this point more obvious. (I'm under the impression that "or ownership" under Minimum to Qualify currently talks about company ownership and not server ownership.)

For example:

Mullvad had a recent blog post (https://mullvad.net/en/blog/2019/10/25/server-list-updated-provider-and-ownership/) on updating their server list with provider and ownership details:

> Our server list (https://mullvad.net/servers/) has been updated to contain the following two major additions:
>
>   1. Provider - The name of the hosting provider that we rent the server or server space from
>   2. Ownership - A flag describing if Mullvad owns or rents the server
>
> With the updated server list in place, you as a customer can make a more informed decision about which server(s) you want to use. At the moment we have two kinds of servers, rented and hardware that we own ourselv


Do we know if anyone besides Mullvad does this? I would be happy to put that criteria under the best case but I don't think it needs to be a minimum requirement. Ultimately while the server owner does matter, the VPN provider is still 100% responsible for auditing the server/datacenter owners and securing their rented servers and networks. It should be on the end user to evaluate the VPN provider and their owners, which is why public ownership is a criteria. However, it should not be on the end user to evaluate everyone their provider rents from. That is the provider's job, NordVPN.

> (I'm under the impression that "or ownership" under Minimum to Qualify currently talks about company ownership and not server ownership.)

Yes.

> Mullvad had...

I hate (but also love, of course) how Mullvad appears to be virtually flawless and solves any even potential problems they have with their service like this one incredibly quickly and transparently. It makes them easy to recommend but it also sets the bar very high so we can't recommend anyone else. Makes it look like we're shilling Mullvad 😅 — But we can't do anything about that I guess, besides shame other providers into being better maybe lol!

Reference: privacyguides/privacytools.io#1439