HACKER Q&A
📣 amdbcg

How should an ISP prove to a consumer they do not spy or use data badly?


I have ties to an American telecommunications company and one question I heard raised to leadership was how to prove to customers that spying and bad data handling was not present. Internal procedures are prone to non-trust. I'm curious if public procedures and checklists / verifications by a third party for the FCC standards (to be written) would be appropriate? FCC is a trusted government body. I don't think there are standards /tests and scoring around privacy, data protection, and standards to follow. Should there be? GDPR happened for the EU, California has some sort of protections. what would the standards look like? What protections would be put into place?

  👤 pogue Accepted Answer ✓
All you can do is put it in your privacy policy and advertise to people exactly how private are you.

Here's what TorrentFreak asks all their providers of VPN services that claim good privacy or spy on user data.

1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?

2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?

3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?

11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?

12. In which countries are your servers physically located? Do you offer virtual locations?

Also, if you're really private you can offer a canary whereby you post a piece of text on your website and update it every month and if one month it isn't updated, we can assume you got a FISA warrant. https://en.wikipedia.org/wiki/Canary_trap