In 2014, police arrested a man and effectively took control of his torrent site unblocking proxy. Worryingly, it now transpires that people still have their browsers configured to use it. With Immunicity.org now back in the hands of anti-censorship activists, we learn that around 33,000 users were trying to proxy traffic through a police-controlled domain.

In July 2013 a new anti-censorship service arrived on the scene. Targeted at users who found VPNs too expensive and Tor too slow, Immunicity provided free access to a wide range of blocked websites.

A year later and with support from Hollywood, City of London Police arrested Immunicity’s then 20-year-old operator. He’s still on police bail facing an uncertain future.

For many months the Immunicity website remained online but with a very much changed appearance. Gone was the advice on how to unblock sites such as The Pirate Bay to be replaced by a City of London Police banner explaining that the site was under criminal investigation.

Police previously admitted that they’d been logging traffic to that site (and many other seized sites for that matter) but recent developments indicate that they could’ve had access to more than straightforward visits to the Immunicity website. Here’s how.

Central to the Immunicity system was providing its users with access to a Proxy Auto-Config (PAC) file. Browsers are easily configured to use PAC files and in just a couple of minutes Immunicity users were able to download a custom PAC and begin opening blocked sites via the Immunicity.org domain.

However, police took effective control of that domain when they arrested its owner last year and while former users might have been disappointed that the service no longer worked as advertised, thousands left their browsers configured to continue using it. How do we know that? Well, the UK Police Intellectual Property Crime Unit no longer has control of the domain.

At the end of August activists from Brass Horn Communications, a non-profit entity which operates Tor exits and other anti-censorship systems such as Packetflagon, managed to obtain the Immunicity domain. Until three days ago it displayed a modified version of the famous police seizure notice.

Speaking with TorrentFreak the operator of Brass Horn Communications says that since taking over the Immunicity domain it has become apparent that tens of thousands of former Immunicity users failed to remove the service’s PAC file from their browsers. This means that even after the police took control of Immunicity.org they continued to direct their traffic to the seized domain.

“More than a year [after the police raid] there were over 33k unique addresses still surrendering control of their operating systems / browsers (plus Steam, OS updates, OCSP / CRL requests etc) over to the Immunicity Proxy Auto-Config file,” he reveals.

“The Police (or another malicious actor had they acquired the domain) could have done a lot of damage.”

We asked Brass Horn’s spokesperson about the best and worst case scenarios for the users whose browsers continued to access the Immunicity PAC file. The best case is that nothing happened, the worst is more complicated.

“We know that the Police were monitoring the access logs of the seized domains so in theory they could simply have monitored everyone who requested the PAC file and recorded that,” he explains.

“But they could have also published a PAC file that sent *all* traffic through a proxy under their control and gathered metadata. They would have been able to alter HTTP content in flight and monitor which IPs were going to which websites, even if they were over SSL. Granted they couldn’t see which URL was being visited but that’s besides the point.”

Brass Horn’s operator says people should be aware that while routing their traffic through third parties has the ability to decrease censorship efforts, there are always security considerations to keep in mind.

“People need to be aware of the risks of PAC proxies, VPNs etc (e.g. all their traffic is at the whim of the VPN / Proxy operator). With that said, Brass Horn Communications won’t surrender any domains and will be publishing DNSSEC records, TLSA DNS records and long lived HSTS headers to hopefully break any seizures from having an effect.”

For now, however, Immunicity is in safe hands. Nevertheless, its new operator is advising former users to immediately delve into their browser settings to disable access to the old PAC file.

Full instructions on how to create and install a new PAC file are provided at Immunicity.org, which is now a fully operational PacketFlagon site-unblocking shard.