While VPN providers are expected to act in accordance with the law, is there also room for them to apply their own sets of moral standards in judging who and who should not be monitored? That's the issue we explore today with VPN provider Proxy.sh, who last weekend and despite their no-logging policy decided to monitor and identify one of their users accused of harassment by a third party.

When signing up to a VPN provider many users hope that they can use those services in complete privacy, free from the prying eyes of their ISP, aggressive governments and commercially motivated corporations.

There are many different VPN providers to choose from and endless configuration, pricing and location issues to consider. Those aside, current attitudes suggest that going with one that claims a zero logging policy, where it’s impossible to link any activity with a particular user, is a good starting point for a selection.

Proxy.sh is one such provider, but last weekend the company openly announced that it would install the Wireshark network monitoring tool on one of its servers in order to identify an individual who had been accused of harassing someone’s daughter. Surprised that the company would do so without a court order, on Monday TorrentFreak published an article on the topic.

We contacted Proxy.sh for comment and it soon become clear that they were unhappy with our general position that monitoring a user without a court order isn’t something that a VPN service should engage in. After discussing the matter with them all week we’d like to present our findings.

It’s an interesting situation in which legalities are important but the company’s ethical policy holds the real power. Interestingly and despite placing restrictions where other VPNs do not, Proxy.sh maintains that their policy makes users more secure, not less. The issues could be extremely important for users of all VPNs, no matter which provider they choose.

Brief background to last Saturday’s decision to monitor a user

Proxy.sh received a complaint “from a desperate family, with support of its lawyer and a third party IT expert” that a user of Proxy.sh was allegedly using Proxy.sh’s Illinois server 1 to “harass” a female.

“We were given backup of a rootkit-infected Android mobile with logs about one of our network’s node. Information retrieved via the rootkit-infected mobile was then utilized to harass the minor,” Proxy.sh told TorrentFreak.

The decision to monitor

In response to the complaint, Proxy.sh activated its “ethical policy” which forbids, among other things, racist, drug-related and pornographic activity, pedophilia and politically and/or religiously sensitive conduct. Proxy.sh say that in order to qualify as a breach the activity in question must be physically or morally harmful to an individual, not a company or corporation.

In Proxy.sh’s view the alleged activity against the female amounted to an ethical policy breach and without any court order it began monitoring a US-based server to identify the alleged perpetrator. In a matter of hours the alleged hacker apologized and Proxy.sh shutdown their monitoring.

The Ethical Policy and where the line is drawn

Given that Proxy.sh is setting standards by which users need to abide or risk being monitored in the event of a complaint, we dug a little bit deeper. Is porn banned if someone is ‘harmed’ by it? What defines harm? Are objectionable religious or political views a risky prospect? Where is the line drawn and how are users expected to know?

It turns out that porn is acceptable and what Proxy.sh meant to say is that they ban videos depicting “the death of a person, or snuff movie.” It’s not clear, gore fans, whether torrenting Faces of Death is out of the question.

On the religious front we posed a situation that affected TorrentFreak earlier this year when we reported on porn downloads taking place in the Vatican, a piece which apparently offended some residents of Northern Ireland. Is that outlawed too?

“With your story on the Vatican, we would be against your activity if you quoted the name of the guy who downloaded porn, and subsequently suggested action should be taken against him. As long as you have kept it general and with respect for all individuals, this is no problem for us,” Proxy.sh explained.

So we get the general idea – Proxy.sh isn’t going to sit around and do nothing if customers of their service hurt individuals. But the question is this – as a service provider and carrier of information, should they be getting involved at all and are they doing so based on the mere allegations of third parties?

How easy is it to have a user monitored?

“First of all, you need to get in touch with a lawyer to characterize the crime in a legal context. Then, you need to get in touch with a forensic IT expert who can gather evidences of your misfortune (in computer meaning). Then you all three need to get in touch with us to report a complaint,” the company explains.

Based on the above it’s far from clear how someone can carry out a religious or politically damaging ‘crime’, much less gather and present proof of it, but it seems that at the least there is some overlap in Proxy.sh’s ethical policy and the law, although in what country’s legal system (possibly ProxyLand’s) remains a blur.

However, with these gray areas identified we asked the company this – does its ethical policy create uncertainty as to what is acceptable behavior when compared to a provider that doesn’t try to govern use of their services other than in accordance with a specified country’s law?

“Of course. There has always been some uncertainty in policies and terms. We do not think we are an exception here and we are happy that you take the time with us to define them more in depth. All the people who have got in touch with us with questions about our terms or policy know that we have always answered transparently and as openly as possible to make them even more understanding on case-by-case basis. It is actually good policy before you turn to any VPN provider, to come and ask it precise questions you need answers for.”

In any event, if a third party complaint passes muster the company is openly prepared to monitor the alleged perpetrator’s VPN connection. That said, Proxy.sh says it will transparently announce that event on its website, something other providers do not.

Is transparency on monitoring better than complete silence?

“Of course. We are sons of anarcho-capitalism. We believe in the sovereignty and self-consciousness of individuals, not of those of States or other entities such as agencies or corporations. We also especially value transparency. We believe this is what terribly lacks in today’s world,” Proxy.sh says.

“Here at Proxy.sh we offer users the full choice of both knowing and deciding to opt out (or simply switching to another node part of our network) when an intervention needs to take place. We do not believe this choice should be left only to governments and VPN suppliers themselves, but rather to the entire customer-base; in other words, to everyone involved.”

Just because you can, does it follow that you should?

In addition to all the wonderful people online there are obviously some hateful individuals too. But is it a service provider’s job to appoint itself judge and jury over their behavior, no matter how objectionable? How does Proxy.sh respond to people who say that as a privacy service provider they should simply keep out of their customers’ business?

“This is a very good question and actually the onus behind our move. To us, a service provider that acts in a jurisdiction where law enforcement is of quality should not feel responsible for interfering with any ethical or legal matter, as the jurisdiction in which it operates is supposed to provide all the necessities. I am thinking here of the United States of course who can through subpoenas directly access the infrastructures of the businesses incorporated in its economy,” the company says.

“On the other side, a service provider that acts in a jurisdiction where law enforcement may unfortunately not be of quality (for various reasons and by various aspects), should in turn feel responsible for interfering with some ethical or legal matters, to prevent the loophole it uses to avoid legislation it finds unacceptable (e.g. DMCA) from being turned into one that avoids pretty much any sort of legislation.”

Conclusions

Aside from setting up your own VPN service, Proxy.sh says that realistically VPN users have a couple of choices.

“You now face two options: choose a provider that tells you when it will intervene on its network (even though you can’t be 100% sure it will actually tell you all the time), or choose one that actually never tells you anything.

“I don’t know about you, but for me I actually prefer one that at least keeps me updated about some, especially when one states that he does keep me updated about all of them,” Proxy.sh concludes.

The big question is this – what are customers happy with?

A VPN provider who states clearly no logs and no monitoring/logging but may or may not be forced behind the scenes to do so anyway? Or one that claims no logs, some monitoring/logging based on ethics, but promises to keep people informed?

Would customers prefer it if their VPN provider took the stance of a mere carrier and kept out of their business completely, or would subscribers be more happy knowing that their provider is taking an ethical responsibility for the data flowing through their networks in order to reduce harm?

The decision, is yours….