Hide My Ass, VPNs and Privacy
Just to advise anyone looking for a VPN for private web browsing: it has just come to my attention that the “Hide My Ass” service openly cooperates with law enforcement. That is, as soon as the police or any other agency send them a letter (a “court order”) asking them to hand over user data logged on their supposedly private and secure paid service and servers, they will promptly hand over everything they have.
When you sign up for a VPN service, that service becomes your Internet Service Provider from then on. You pay for privacy and security, and if a service like this not only logs your activity but hands the logs over, it is of no use for privacy, even if it were offered for free.
According to a post on their own blog (http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/):
We have received concerns from users that our VPN service was utilized by a member or members of the hacktivist group ‘lulzsec’. Lulzsec have ALLEGEDLY been responsible for a number of high profile cases.
It first came to our attention when leaked IRC chat logs were released; in these logs participants discussed various VPN services they use, and it became apparent that some members were using our service. No action was taken; after all, there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using. At a later date it came as no surprise to receive a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy, our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).
Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences. This includes certain hardcore privacy services which claim you will never be identified; these types of services that do not cooperate are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers.
21:05 edit: Why do we log the above information? Being able to locate abusive users is imperative for the survival of operating a VPN service; if you cannot take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server; this identifies who was connected to X IP address at X time. This is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint; for example, if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?
22:05 edit: Regarding censorship bypassing, some have stated it is hypocritical for us to claim we do not allow illegal activity, and then claim our service is used in some countries to bypass censorship illegally. Again, we follow UK law; there isn’t a law that prohibits Egyptians from gaining access to blocked websites such as Twitter, even if there is one in Egypt … though there are certainly laws regarding the hacking of government and corporate systems.
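To make concrete what “session logging” in the quoted post actually reveals, here is an added example (not code from Hide My Ass or from this post) that parses a constructed connect/disconnect log and answers the exact question a court order asks: which account held a given exit IP at a given time. The log format, account names and IP addresses are all made up for illustration; the point is that even this minimal record is enough to attribute an address to a customer, and that the only data a provider cannot hand over is data it has already discarded, which the `prune_older_than` function models.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample of session logging: one line per connect/disconnect
# event, with the VPN exit IP assigned to the customer. Account names are
# invented and 203.0.113.0/24 is a documentation-only address range.
SAMPLE_LOG = """\
2011-09-20T20:58:11Z connect account=acct-1041 ip=203.0.113.7
2011-09-20T21:02:45Z connect account=acct-2207 ip=203.0.113.9
2011-09-20T21:40:03Z disconnect account=acct-1041 ip=203.0.113.7
2011-09-20T21:41:30Z connect account=acct-3390 ip=203.0.113.7
2011-09-20T23:10:00Z disconnect account=acct-2207 ip=203.0.113.9
"""


@dataclass
class Session:
    account: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_sessions(log_text: str) -> list:
    """Pair each connect with its disconnect (keyed by account+ip) into Session records."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["account"], kv["ip"])
        if event == "connect":
            open_sessions[key] = Session(kv["account"], kv["ip"], parse_ts(ts), None)
        elif event == "disconnect":
            sess = open_sessions.pop(key)
            sess.end = parse_ts(ts)
            sessions.append(sess)
    # Sessions with no disconnect yet are still attributable.
    sessions.extend(open_sessions.values())
    return sessions


def who_held_ip(sessions: list, ip: str, at: datetime) -> Optional[str]:
    """Return the account that held `ip` at time `at`, or None if nobody did."""
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
            return s.account
    return None


def prune_older_than(sessions: list, cutoff: datetime) -> list:
    """Drop closed sessions that ended before `cutoff`.

    Whatever is pruned can no longer be produced in response to a request;
    retention, not a 'no logs' claim, decides what is attributable.
    """
    return [s for s in sessions if s.end is None or s.end >= cutoff]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print(who_held_ip(sessions, "203.0.113.7", parse_ts("2011-09-20T21:05:00Z")))
    print(who_held_ip(sessions, "203.0.113.7", parse_ts("2011-09-20T21:45:00Z")))
```

Note that the same exit address is reused by a second account within two minutes of the first disconnecting, so a request that gives only an IP without a precise timestamp cannot be answered reliably; a provider that keeps session records should expect that ambiguity, and a user evaluating a “no logs” claim should ask what the retention window is rather than whether a log file exists.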
All in all, I would say this is Hide My Ass gone to the bin, as I cannot imagine anyone giving them a cent for privacy after this incident – only made worse by their own response to it – or, in turn, giving a cent to any similar service in the UK.
Update 28.9.2011: A thread on the subject was started on the Full Disclosure mailing list; the main points were:
Though HMA claims they complied with a court order, it looks as if they facilitated a law enforcement request. The US and the FBI have no jurisdiction in the UK.
And the guy wasn’t even a part of lulzsec.
Oh I agree it is still a terrible precedent to be set… I don’t even know where, legally, I stand anymore…
It is rather disturbing, no matter WHO it was, laurela.
I am all for the hatred against the VPN provs, and this is not just happening here, and I made a BIG statement about this, and privacy, in my channel on efnet, first as I saw it. Then saw a torrentfreak feed of someone who was an owner of a huge torrent site, was handed to authorities, not by the hoster, no… but by the frigging payment handler, i.e. paypal or alertpay most likely. This is not good, it makes a grey cloud now over what is ‘anon’ and what isn’t, and that’s a bad thing for us all.
Too much fraud is causing this, that’s plain and simple. Abusing places like Sony, and major banks, only makes the authorities turn to politics, who in turn can bully with federal and state laws of ANY country; I think this is the dangerous part which is affecting lulzsec members or whoever was a part of it, and, I mean efnet is no recruiting ground for decent hkrs. Simple as that, you know it, maybe thru word of mouth ok, but not alone by being in channels, but that network is one federal hideout now… and that is every channel, if it is not being spied on (yea they have a module m_spychannel.c or similar, which they actually had, without realising, asked a friend to code for them). This was rejected by me/her, but I believe they have the module running now.
And we can only hope that the greater common sense will prevail and hopefully places will be forced to prove anonymity in some way, whether that be by showing people email interaction with requesters of people’s info, or anything simple even, which would then be a standard for VPN. I do not use them but, if I bought anonymous vpn, I’d expect exactly that, without political interaction and grey areas about who and what is now legal and not legal on the internet, in chatrooms, and even on websites.
What really concerns me is that vpn providers might give over logs to oppressive regimes. TOR is starting to look better and better.
