From a cynical perspective, this is a market opportunity for VPN services. As were Snowden's leaks, which hugely expanded the VPN service industry.
And indeed, using VPN services (let alone nested VPN chains and Tor) largely obviates risks from these bills. Without cooperation from the VPN service, gathering sufficient information for a warrant is problematic.
But I wonder. Might the US regulate using VPN services, as authoritarian regimes already do?
Doesn't the language of this bill mean that US based VPN services will be forced to provide their encryption keys to the government to allow it to decrypt their traffic?
Perhaps so. But then, nobody who seriously cares would ever use a US-based VPN service ;) And even for US-based VPN services, I gather that a warrant would be required, and that'd be hard with no information about what the VPN link had been used for.
Presumably a warrant can be obtained if criminal activity is traced back to a specific VPN provider.
Of course that's already the case as far as I understand (ex LavaBit). I also don't see how VPNs would be affected since they already have access to all your traffic anyway - no backdoor is necessary.
It depends who you mean by "they". VPN services certainly have access to users' data. But it'd be commercial suicide to cooperate with authorities. HideMyAss lost considerable market share after it came out that they had pwned someone from LulzSec.
Still, it's prudent to assume that any VPN provider will give you up. And that's why I recommend using nested VPN chains. With three different VPN services, it'd be nontrivial for adversaries to obtain enough data.
Most secure would be Qubes VMs. I use pfSense VMs in VBox. So nested VBox internal networks (yes, multiple NAT) produce nested VPN chains.
Also, you can include a Debian VM running Tor and OpenVPN in a chain. You configure OpenVPN in TCP mode with "socks-proxy 127.0.0.1 9050". So you can route through 2-3 VPNs, then Tor, and then 1-2 more VPNs.
Or you can include a Debian VM that crudely emulates Tor (very crudely) by periodically switching among random chains of multiple VPNs.[0]
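An added example (not from the thread) of the OpenVPN client configuration the post above describes: the Debian VM's OpenVPN client reaches the VPN server through Tor's local SOCKS port. The server address, port and credential paths are placeholders.

```conf
# Added example: OpenVPN client reaching the VPN server via a local Tor
# SOCKS proxy. Server IP, port and file paths below are placeholders.
client
dev tun

# Tor only carries TCP streams, so the VPN link must run in TCP mode.
proto tcp-client

# Use an IP literal rather than a hostname so no DNS lookup for the VPN
# endpoint can leave the VM outside Tor.
remote 203.0.113.10 443

# Tor's default SOCKS5 listener on this VM (the "socks-proxy 127.0.0.1 9050"
# setting from the post). OpenVPN connects here instead of to the server.
socks-proxy 127.0.0.1 9050

nobind
persist-key
persist-tun

ca   /etc/openvpn/chain/ca.crt
cert /etc/openvpn/chain/client.crt
key  /etc/openvpn/chain/client.key

# Require the server's certificate to carry the server role, so a leaked
# client certificate cannot be used to impersonate the endpoint.
remote-cert-tls server

# Deliberately no "redirect-gateway" here: Tor runs on this same VM, and a
# blanket default route into tun0 would also capture Tor's own guard
# connections and loop them back into the tunnel. Route only the traffic
# forwarded from the downstream VM into tun0 (policy routing or firewall
# rules), and leave Tor's outbound connections on the VM's upstream gateway.

verb 3
```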
The issue with multihop is that it's all from the same provider. In the event that they were legally forced to log their network by an abusive local government it wouldn't help you. It might be sufficient to frustrate an adversary that only managed to compromise their operations at a single data center though.
I question the wisdom of placing Tor in the middle of a VPN chain. By routing your traffic back into a VPN account that's linked to you it seems like you would lose most of the benefits that Tor provides.
* A single VPN means that the provider could link your primary ISP provided IP to your browsing history if they so chose.
* Chaining two VPNs means that neither provider can correlate your IP to your browsing history on their own. However the terminating VPN can obviously link your traffic to your payment details. Also obviously a criminal investigation involving warrants is still a serious threat.
* Chaining one or more VPNs into Tor means that you can rely on the above guarantees as a fallback in the highly unlikely event that an adversary manages to directly compromise Tor. It also hides the fact that you are using Tor from anyone that snoops your traffic at the ISP level. The latter might be very important in some jurisdictions.
* In the end, even if you only use Tor without a VPN the biggest threat to your anonymity is probably your own OpSec (or lack thereof). Ross Ulbricht is a prime example of the fact that you only have to slip up once. Related to that, it's important to be aware of all the ways that modern software and hardware leaks potentially identifying information (ie fingerprinting).
Hey, that's pretty much exactly what I would have said :) And the language is similar enough that we could be the same person ;) Except that I use sentence fragments. And of course, the fact that we aren't.
That's a good point about using Tor in VPN chains. If you want to do that, you must ensure that you're anonymized as well as possible from those VPN services. When I do that, I use Tor (Whonix) via nested VPN chains. And I pay with Bitcoin that's been mixed multiple times, using different mixing services, and with each mix in a different Whonix instance. And I start with Bitcoin that's not linked to my meatspace identity.