DigitalOcean VPN Privacy, in light of recent political news.

March 8, 2017
VPN Ubuntu 16.04

This is sort of a general question to the DigitalOcean staff at large:

Given this piece of recent news:

Republican senators yesterday introduced legislation that would overturn new privacy rules for Internet service providers. If the Federal Communications Commission rules are eliminated, ISPs would not have to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other third parties.

and following it up by saying "It is time for permanent VPNs".

Can anyone comment as to how DigitalOcean treats user-data from droplets that are being used as a VPN? If DO is my endpoint, then is/will my data be collected? Does DO still have a commitment to privacy in this case?

If so, then I think DO should have that clearly stated as a selling point. I have a hunch that VPNs are about to become very popular.

5 Answers
sierracircle March 8, 2017
Accepted Answer

@hansen

"Yes, traffic going in and out of DO is viewable to them and their ISPs - unless it's encrypted, which it would be in the case of OpenVPN/SWAN/etc.

Your ISP can't see anything but an encrypted VPN tunnel. DO (and their ISPs) will only be able to see traffic from DO to the final website, if it's non-HTTPS."

So that jibes with what I was thinking. Using a droplet as an OpenVPN server essentially encrypts things up to DO (and their ISP). So, going back to the first post:

ISPs would not have to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other third parties.

I would like to know if DO has plans to take advantage of this data to share/sell to advertisers and third parties, or does their dedication to privacy extend to using them as a VPS end-point?

  • I'm pretty sure, without a doubt, that DO has no interest in selling customer info. Otherwise they would have lost me (and probably many, many others).
    But let's see if we can get an official answer from one of the cofounders - @moisey can you make an official statement?

    • @hansen I am also 98.9% sure that DO would not get involved in that sort of activity (I would expect it from companies like Comcast and ATT), but I wanted to double-check before promoting the idea to my local clients.

      I have been very successful running my own OpenVPN servers from DO droplets and using open-source routers as clients. Rock solid connection for over a year now.

      If our browsing data is to become fair game for ISPs, I would like to know DO's stance.

      • Official statement:

        We have not ever, nor will we ever, sell customer information to anyone, anywhere, anytime.

        Nor has this ever been considered or brought up by anyone at DigitalOcean. Ever.

        Thank you,
        Moisey

        • Thanks. That is exactly what I was hoping to hear.

          • I had to mark my own answer as accepted because @moisey 's answer was posted as a comment.
        • Cheers for DO! Only issue is, can you say the same for your ISP?

@sierracircle

Just logged in to check the status of my ticket, as mentioned in my previous response, and here's the overview (thanks Ethan!)

1). We do not log customer traffic. We do log the volume of that traffic and know which IPs are assigned to Droplets. We do not "filter" traffic, but we do have automated alerts in place to check for abuse based on a variety of factors (PPS, bandwidth, etc.). If one of these alerts is tripped, we may then start filtering out / black-holing traffic to protect the infrastructure from harm.

2). Specifically on the point of VPNs: we have no way to decrypt that traffic, even if we wanted to, which we don't. :) My advice if you are concerned about security has always been "encrypt everything everywhere"; it is the safest bet for data security at all levels.

3). We actually go over a lot of what you are asking about, pertaining to what we do and don't collect here in our privacy policy. We then also have a Law Enforcement Guideline you can read over to see how someone would need to request information from the platform.

https://www.digitalocean.com/legal/privacy/

https://www.digitalocean.com/legal/enforcement/

As you can see there, we could hand over the contents of a Droplet to abide by a proper legal request, but we couldn't decrypt any data on the drive (again, impossible for us to do).

@sierracircle

When it comes to Droplet access, DigitalOcean isn't able to physically log in to your server from their end -- this is even more so the case when you're using SSH keys instead of just a password.

If you lock the root user, create a sudo user, and then create a 4096- or 8192-bit SSH key for login, there's basically one way in unless somehow someone manages to crack a 4096- or 8192-bit key. If someone has that much time, then you've got bigger issues -- that, or your server is hacked due to some sort of security issue stemming from packages or software in general being out of date.

Generally, the last issue isn't an issue if you stay up to date and if you're using SSH Keys, logging in using the console is no longer a valid option (with the root user locked).

In terms of logs, if logging is disabled on the VPN service, and the VPN is properly setup, encryption would be to and from the VPN and logs would not exist. With proper setup, this shouldn't be an issue either.

That being said, one other party plays a role and that'd be your ISP. Since encryption is two-way, they would have to physically intercept and decrypt the traffic. If SSL is correctly setup, this shouldn't be a concern either. It'd take far too many resources (which even at scale, your ISP doesn't have) to sift all data from all customers and then decrypt it.

If you're overly concerned, I'd recommend looking into StrongSwan as a VPN. Of course, there are upsides and downsides to both (comparing StrongSwan and IKEv2/IPsec to OpenVPN), so you'd have to find what you're most comfortable with. Both are, at the end of the day, secure ways to connect when you want sensitive data encrypted.

NOTE: Since there's some back and forth on whether 4096/8192-bit keys are worth it, if you lean towards the side that says little gain results from their use, there's also elliptic curve cryptography. It all depends on what your SSH client will support (as not all support both RSA and ECC).
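As an added example (not code from this thread), the shell check below audits an sshd_config for the hardening this answer describes: root login and password logins off, key authentication on. It assumes OpenSSH 7.x defaults for directives that are not set and the `Keyword value` form (not `Keyword=value`); the two sample configs are constructed.

```shell
# sshd takes the FIRST value it reads for a directive, so a hardened line
# appended after a weaker one is silently ignored; lines after the first
# "Match" are conditional and skipped here. Defaults are OpenSSH 7.x (assumed).
# first_value FILE DIRECTIVE: print the effective (first) value, lowercased
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }                      # comment or blank
        tolower($1) == "match" { exit }                      # conditional section
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}
# audit_sshd_config FILE: one line per directive; returns 0 only if all pass
audit_sshd_config() {
    rc=0
    for rule in PermitRootLogin:no:prohibit-password PasswordAuthentication:no:yes \
                ChallengeResponseAuthentication:no:yes PubkeyAuthentication:yes:yes; do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; dflt=${rest#*:}
        val=$(first_value "$1" "$key"); src=explicit
        [ -n "$val" ] || { val=$dflt; src=default; }
        if [ "$val" = "$want" ]; then
            printf 'OK   %-32s %s (%s)\n' "$key" "$val" "$src"
        else
            printf 'FAIL %-32s %s (%s), want %s\n' "$key" "$val" "$src" "$want"; rc=1
        fi
    done
    return $rc
}
# Constructed samples: a config where the hardened line came too late, and a
# hardened one whose Match block must not confuse the audit.
WORK=$(mktemp -d); WEAK_CFG=$WORK/sshd_config.weak; HARD_CFG=$WORK/sshd_config.hard
cat >"$WEAK_CFG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
# appended later; ignored by sshd because the first value above wins
PermitRootLogin no
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "result: hardened"; else echo "result: NOT hardened"; fi
done
```

On a Droplet, source the file and call `audit_sshd_config /etc/ssh/sshd_config`; keep a second session open while changing the config so a mistake does not lock you out.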

Hi @jtittle

Thanks for the reply.
I might not be wording this correctly, but my understanding is that when you use a VPN, and the OpenVPN server is a DO Droplet, then DO becomes the endpoint.

So, with that in mind, is traffic coming to and from the DO endpoint viewable by DO? If so, do they have a privacy policy in place for that traffic?

I have my droplets locked down with decent security (ssh, iptables, etc.), so I'm not really worried about that.

  • @sierracircle Yes, traffic going in and out of DO is viewable to them and their ISPs - unless it's encrypted, which it would be in the case of OpenVPN/SWAN/etc.

    Your encrypted VPN is end-to-end, so you're only encrypted from your machine to DO. Not from DO to whatever website you visit, but this is where HTTPS comes into play, since that will encrypt the connection even further from DO to the final website.

    All in all, your ISP can't see anything but an encrypted VPN tunnel. DO (and their ISPs) will only be able to see traffic from DO to the final website, if it's non-HTTPS.

  • @sierracircle

    The first thing to keep in mind is that a VPN is not a magic cure-all for being completely anon. Given enough time and power (be it Government or otherwise), if someone wants to find out what's being done, they can.

    When you connect to a VPN, and it's properly set up so that your IP isn't being leaked, all traffic appears as if it's coming from the IP of the server hosting the VPN (or Droplet in this case).

    Your connection to the Droplet from your local PC/Mac could be logged, which could then be associated with the IP of your Droplet, though that's not specific to DigitalOcean. Any provider could do the same, including your ISP.

    So if 201.101.201.1 is your current IP address (as assigned by your ISP), they can see that you're connecting to 128.101.108.2 (fictitious Droplet IP) as could DigitalOcean.

    So what can they identify from that? They can tell that there is traffic coming from the address and that said traffic is encrypted. They'll most likely be able to tell that you're connecting to a VPN and they can most likely identify endpoints since the traffic is obviously originating from their IP range.

    The encrypted traffic could definitely be intercepted by someone in control of your physical connection, whether it's DigitalOcean or your ISP. Can they decrypt it? Maybe, maybe not. Will they? If two and two are put together and the result is that you're doing something illegal in the country you reside in, they may try.

    Disabling logs server-side, in such a case, won't matter. They're irrelevant, and neither DO nor your ISP needs them when they have network-level control.

    • Thanks for the response @jtittle. Not quite what I am after, but I see what you are saying.

      • @sierracircle

        To be more specific, RE: your previous comment, traffic to and from the Droplet is very much something that can be logged as it's traffic originating from their network. They can monitor who is connecting to and what is connecting from.

        The VPN, however, should be encrypting the connection between you and the Droplet as well as the connection from the Droplet out, where the endpoint is the final location.

        So, if you're connecting to a VPN from your PC/Mac, the connection looks like:

        PC/Mac <=> Droplet (VPN) <=> Endpoint (i.e. https://google.com).

        I'm not a DigitalOcean employee, so I can't comment directly on what DigitalOcean does, so I'll be using "could" in place of "can" or "does" in the following so that what I'm saying isn't misinterpreted.

        ...

        In the above:

        • Your ISP can log the connection to the Droplet.
        • Your ISP can determine that you're connecting to a VPN**
        • DigitalOcean could log the IP they assign to your Droplets.
        • DigitalOcean could log the connection from the Droplet to https://google.com.
        • DigitalOcean could log the amount of traffic sent/received (KB/MB/GB/TB).
        • DigitalOcean could filter incoming/outgoing traffic on your IP.

        ...

        Simply put, a VPN won't make you anonymous or give you free rein to browse w/o any repercussion, in the event you're actually doing something illegal (not that you are, just stating that to make it clear).

        ...

        That being said, there's a lot that could be done. If you're looking to use a VPN to be anonymous in the truest sense, there's just too many factors at play and many of them can eventually link back to you. A VPN is designed to increase privacy, not anonymity.

        ...

        ** This would be a given and relatively easy to determine, especially when they see that you've been connecting to a single IP for X Days or Months.

          "• Your ISP can log the connection to the Droplet.
          • Your ISP can determine that you're connecting to a VPN**
          • DigitalOcean could log the IP they assign to your Droplets.
          • DigitalOcean could log the connection from the Droplet to https://google.com.
          • DigitalOcean could log the amount of traffic sent/received (KB/MB/GB/TB).
          • DigitalOcean could filter incoming/outgoing traffic on your IP."

          Got it! And thus my original inquiry into the privacy policy of DO regarding such things, especially in light of the recent push by our caring and thoughtful Senators to allow ISPs to gather our browsing data.

          • @sierracircle

            I put a ticket in referencing this post so that I can get a more definite answer. Once I hear back, if their support team doesn't respond here directly, I'll share what I find out.

There is still the issue of DNS. In my FreeBSD droplet, they use Google for DNS.

If someone wants to do a write-up on strongSwan on DO FreeBSD, I'd sure appreciate it. I'm sort of there. I can connect from my phone, but can't connect to the internet from DO. strongSwan is quite cryptic, but then again, most computer stuff is cryptic until you know it, then you can't understand why someone else finds it confusing. ;-)
