Some terms from the SurfEasy, Inc company, which is the VPN provider for this service[0]:
SurfEasy does not store users originating IP address when connected to our service and therefore cannot identify users when provided IP addresses of our servers. Additionally, SurfEasy cannot disclose information about the applications, services or websites our users consume while connected to our services; as SurfEasy does not store this information.
However, further down, you have this:
SurfEasy is required to comply with law enforcement where subpoenas, warrants or other legal documents have been provided. We may collect and disclose personal information, including your usage data, to governmental authorities or agencies, including law enforcement agencies, at their request or pursuant to a court order, subpoena or other legal process, if there is a good faith belief that such collection or disclosure is required by law.
At this point I'm not quite sure what to make of the above two combined together.
Isn't that fairly standard amongst the privacy respecting VPNs?
We store nothing / log nothing.
We'll comply with law enforcement as far as we're able (ie not at all beyond billing, email and perhaps bandwidth used).
So that seems to say they'll perhaps be able to tell when you were logged in, who you are + payment info, and perhaps volumes transferred. Where and on which ports? No clue officer.
My information is a couple of years out of date (I left in August 2013), but that would be hard(ish) for SurfEasy to do, and doing so would affect the entire system (all users), because we didn’t user-level pen-tapping capabilities into the system.
The proxy/VPN machines were designed to be disposable (to potentially cycle IP addresses for various reasons) and to record a minimum of information. It would have required non-trivial effort to make it so that we could do a pen-tap on just one individual given that they could end up on a different server each time. Additionally, I believe that the proxy/VPN machines had no information on the user's identity, just the device's identity (devices were given unique, derived identities when they were created; we could work that information backwards to some degree of accuracy with enough effort, precisely for LE purposes).
I don’t always use a proxy or VPN, but when I do, I trust what my former employer wrote precisely because I know what we didn’t do then, and didn’t believe would be right for us to do. Nothing I have heard from the SurfEasy team since suggests that this has changed.
I think this assumption is true of every VPN provider:
If the courts or intelligence services tell them to capture a username's data, or access to specific websites from all users, they will do it.
If the choice is between keep quiet and do it, or potentially get shutdown or arrested, you have to assume that almost everyone will do as they are told.
Is that a fair assumption? I guess at that point you are simply biding time because if it ever comes out or there is even just a suspicion that you are lying your business is dead as word spreads across the internet
As word spreads across the internet that... what? That you comply with the law?
Isn't it worse if word gets out that you deliberately evade legal compliance frameworks? When a bank is found to be skirting regulations around money laundering, the reaction is not typically 'good on them, standing up for our rights against the man!'.
Doesn't it then bring us to where we are with all other matters - wiretaps, breaking into a home with a search warrant?
Law enforcement has to get suspicion of a crime, probable cause, a warrant or what have you and be subject to all the assorted checks and balances the justice system has evolved.
That's vastly different to having all internet activity tied to an IP/account/person in vast, ever increasing, NSA/GCHQ/lots of other databases then going on a big back trawl every time a name comes up.
I've got a few questions, and their puffy news post doesn't answer them:
* Is this a real VPN service, or simply an HTTP/HTTPS proxy?
* Is DNS resolution also securely handled through the tunnel, or does this stay in the clear?
* What region(s) is their VPN service located in?
* Is it possible for other software to use this tunnel in any way?
Upon first reading, this doesn't seem very different from their old "accelerator proxies" which compressed HTTP traffic into a binary format, and reduced image detail/resolution, but with a new marketing spin and those old features removed or disabled.
Just installed it, and looks like you get, Canada, US, and Germany as options for the VPN. Tiny text below the enable button has this:
"Secure proxy provided by SurfEasy Inc., an Opera company based in Canada. By using the service you accept the Terms of Service.
VPN connects to other servers around the world so your connection speed might be affected."
My only gripe with it so far is the VPN is across all tabs, so I have to switch it off to access some of my office VPN sites
I am thinking that announcing this feature may be a tactic to win back consumer trust or in the least attract new customers who are not familiar with the potential buyout.
Opera has a long history of adding innovative browser features. There's no reason to think that this has some kind of ulterior motive related to a rumored sale.
Couple with native adblocking I'm very tempted to switch browsers (from FF) and probably do so when available. But it just sounds too good, what is the catch?
I switched to opera on Linux recently as Chrome and then Firefox had gotten a bit slow or unstable for me as of late. Have to say, I am very pleased. It's tidy, fast and integrates in pretty well on Linux. It's also featured packed without the agonizingly long startups Chrome was giving me.
I know they monetize with ads and such, but I haven't found them intrusive at all. I think one of their major sources is that they have a kind of Flipboard-esque feed of news articles on your home screen at the bottom. If that is where they do their advertising then it's a model of how to do it IMO. I've found that the articles it shows are genuinely things I want to read and it's not intrusive at all; in fact I'd miss it if it was gone.
I'm not a specialist, but you can start by researching how the Opera company makes money.
It would seem to me a possible future "catch" would be that they could charge selected advertisers to let their ads through...
"How Opera makes money"
Opera provides cloud-based mobile services and
solutions to operators, publishers and advertisers
and enables hundreds of millions of consumers, via
the Company's global cloud infrastructure, to
connect to the internet content and services that
matter most to them. Along those lines, Opera has
different revenue models, depending on the
customer type:
*Operators.*
Opera's revenue sources from this
hosted solution include active user fees, data
fees, NRE/development fees, hosting services,
advertising and maintenance, and support.
*Mobile consumers*
(via partnerships with search
providers and advertisers). The primary driver of
mobile consumer revenue is revenue from mobile
search, the Opera Mobile Store and active user
growth.
*Mobile publishers and advertisers.*
Revenue comes
from Opera's mobile advertising services and
technology solutions, offered to premium and
performance advertisers, ad agencies, publishers
and developers.
*Device OEMs.*
Revenue comes through license
agreements with a wide range of
consumer-electronic-device OEMs.
*Desktop consumers.*
Revenue comes primarily from
search and e-commerce partnerships.
Thanks, this same announcement says though that Opera now has Support for adding a personal ad blocker list. I don't think they would add this feature to just circumvent later, imho it would do more harm than good for their business.
If they don't want to push me using their other services putting their hands on and selling my data, while working on secure and anonymous browser that would be really nice. Sadly I don't see there is money in a product/service like that.
Add inherited from Chrome dev console and awesome logo! ;) I'm trying to use it as main browser today. Only annoying thing is [x] button on the left side of the tab.
The VPN is operated by "SurfEasy Inc., an Opera company based in Canada".
Just tested it and it worked flawlessly to watch a YouTube video that has been blocked in my country. [Edit: Netflix seems to block SurfEasy already. Sad.]
They didn’t exactly get a standing ovation the last time¹ they were mentioned on here though (for good reason… if they’re offering a service to help protect people’s privacy, it seems a bit odd that they’d opt to compromise said people’s privacy by having multiple trackers on their website).
I'd mainly be worried how said VPN is using the subscriber data and what is their policy on storing access logs. But even they promise to not track you how would one even hold them to account considering that they must have an interest in the data due to their adtech part of how the parent/sister Opera company makes its money.
BTW, apparently in order to purchase anything (e.g. to try out YouTube Red -- which checks your Google Payments data) you may still need a credit card matching the country.
This bit me when I tried purchasing foreign versions of games on Steam before (which pre-digital distribution was possible via imports but now tends to suffer from region locking).
As far as Steam is concerned I used Entropay for virtual pre-paid debit cards. I live in the middle east and it happily validated any US address. Entropay does take a 5% commission if you top-up with a credit/debit card however.
Data of course! Opera (the company) are one of the big players in mobile advertising. They have their own mobile ad platform [0], and a few years ago acquired a couple of agencies that specialise in mobile advertising [1].
If they can support a secure, adless, anonymous desktop browser for PR exposure by relying on the mobile version displaying ads I would be ok with that.
Or your provider, or Opera, or own server with VPN. For majority of people setting up own server is too complicated, so it's much better than nothing, especially when you are in place where you can use only non-secure wifi network.
As of now it's working in China. I'm able to access Facebook/Twitter/Youtube/Google without my normal vpn or ssh tunnel. Will be pretty useful if it stands up to the constant changes. Great work!
SurfEasy (the provider of the service) is a Canadian company, so it follows Canadian data privacy laws (which are pretty good; when I worked there, Michael Geist was an advisor).
If the traffic is encrypted then they wouldn't see into it, but it would go through their servers, so in worst case scenario you'd be surfing from behind the Great Chinese Firewall
The traffic is encrypted between you and the server. They control that server, where it gets decrypted to be sent out over the public internet (where it may be encrypted or not depending on the site). You've introduced a man in the middle. You must trust that man (but that man also already controls the source code for your browser, which can also see all your traffic).
Yes, but if you live somewhere that definitely surveils your communications or prevents you from accessing certain content, a VPN is a good way to browse as though you were physically located somewhere more permissive.
Ultimately, nothing. They could still aggregate your usage data, though, and not necessarily be out anything investment-wise, compared to using the Opera client proper.
There’s a few things that would (probably) stop this from working, but it is possible that the new Opera-based implementation is different than when we implemented it (the proxy version) as a custom Firefox browser back in 2011–2013.
Just tried out the developer version (http://www.opera.com/developer - built-in VPN and ad blocking is currently only available in the developer version of Opera). Both the ad blocking and the VPN works great in the few sites I tested. I especially love that turning the VPN on doesn't require any type of login.
"This is why we today have more engineers than ever before working on new features for our desktop browser."
Is this true or just PR BS? Because my understanding is that they had laid off most of the desktop browser team a few years ago and there were only a few left working on it.
Now they're based on Blink, so the they don't have to work on the core features of a browser engine. I imagine that means they have more engineers working on what they class "features for our desktop browser" as in user facing features, rather than W3C spec implementation.
Opera does still contribute quite a lot to blink/chromium (check out https://operasoftware.github.io/upstreamtools/ which lists them), though the gist of what you've said still stands.
They laid off most of their presto team but they did higher more for the new blink browser. It doesn't matter anyway I'm sure the Chinese buying would have given them a temporary revenue
The VPN is also in Canada, a https://en.wikipedia.org/wiki/Five_Eyes country, so in addition to selling your web history they'll also turn it over to any govt agency with no warrant or even notifying you.
An interesting angle is that this might prevent big companies, government agencies, schools etc to disallow just of opera if it was ever possible in the first place. Poor they'll just block the IPs with their usual web filter software and none of these promises behind true. Might work for private use in non-repressive countries, but anywhere else it will face the same blocking as any other VPN. Still a great initiative!
I think this is a great idea, in part because it makes it super easy for the less technically minded to secure their public internet traffic. It also brings VPNs and network security discussion more into the public eye.
I have been using this build today and like it. My only minor gripe is the selection of only 3 locations for the VPN. This one doesn't so far from what I see but then again, it is free.
They under-dimensioned the launch peak capacity. This is peculiar, I do know they have much, more more capacity than needed for in that terms of both servers and bandwidth. ;)
Probably they also have some heuristics that look closely at people who geoip in a different country than their billing records, and whose IP address seems to be in a colo rather than a DSL subscriber block.
>Probably they also have some heuristics that look closely at people who geoip in a different country than their billing records
I have paid for American Netflix for years and years but I'm forced now to watch Dutch Netflix because I live there. It's not based on where you pay but where you are.
This is why I would love to see a Visa card that anonymises you to corporations, but not necessarily the government - and available to those overseas. Don't suppose such a thing exists?
Edit: Scratch that. What I'd like is a high speed consumer cable account that I could proxy into.
What you need is a friend abroad and a raspberry pi.
I have a raspberry pi attached to the wall of a home which is not my own. It's in a country where I occasionally want to be (in a geoip sense of "be"). The rpi maintains a VPN connection to me, so I can reach it even though it's behind a NAT middlebox that knows nothing about it.
A danger is that stranger will abuse your connection to send spam or even worse things. And you might have a visit from police. Also, I'm sure, reselling your home connection is forbidden by your provider. So it's kind of grey zone.
Just buy a Visa or Amex gift card with cash. It's a normal credit card number you can use online and some of them can be reloaded. Sometimes not reloading is best, so your subscriptions won't auto-renew and you can cut your paper trail by opening a new account with a new credit (gift) card.
I am running a VPN on my own server to access content, and the server is on the same timezone.
I stopped my Netflix subscription a month ago because they started blocking me.
I would say the IP checking against datacenter block is the most plausible, but I also remember seeing a link on HN showing how to detect VPN usage through MTU size, so that could be a possibly more involved solution ...
It would probably be way too much work to implement on top of their infrastructure though, when IP block checking must be good enough.
If not already, probably soon. Being free and probably popular...this service will hit the radar for Netflix, Cloudflare captcha hell, etc, in fairly short order.
Better online privacy? Ridiculous!!! It is just a honeypot. As the most notorious company which good at stealing people's privacy, in China no one trust Qihoo360 (opera is acquired by Qihoo360). Qihoo360 is the pet and lackey of Chinese communist party. Go to hell!
Ridiculous!!! It is just a honeypot. As the most notorious company in China, no one trust Qihoo360 (opera is acquired by Qihoo360). Qihoo360 is the pet and lackey of Chinese communist party. Go to hell!
Really? I am all for it, but in 2016 putting an extra server in the middle of my request isn't really a game changer. Brave is leading the charge with extensions as a service, and I love them for it. However, I just can't see it being profitable. Brave can def make money, but I don't think people care about privacy. The other usecases make sense, but between opera or brave (both totally unknown companies to non tech crowd) Brave would for sure win that.
In Opera's case, one more person would get "all" the data. In all other cases, 1-3 companies get all the data. So it's good, I just can't call it a game changer.
SurfEasy does not store users originating IP address when connected to our service and therefore cannot identify users when provided IP addresses of our servers. Additionally, SurfEasy cannot disclose information about the applications, services or websites our users consume while connected to our services; as SurfEasy does not store this information.
However, further down, you have this:
SurfEasy is required to comply with law enforcement where subpoenas, warrants or other legal documents have been provided. We may collect and disclose personal information, including your usage data, to governmental authorities or agencies, including law enforcement agencies, at their request or pursuant to a court order, subpoena or other legal process, if there is a good faith belief that such collection or disclosure is required by law.
At this point I'm not quite sure what to make of the above two combined together.
[0]: https://www.surfeasy.com/privacy_policy/