1. Introduction
In the course of its normal VPN research activities, Top10VPN, which is owned and operated by PrivacyCo Ltd (“we”, “our” or “us”), sometimes discovers private data from VPN services exposed publicly. This data is accessible to anyone looking in the right place, with no need for specialized tools or equipment. Following principles of responsible disclosure, we seek to bring the exposure of this VPN user data to the attention of affected parties so that the impacted individuals may take steps to protect themselves against fraud, identity theft and other forms of attack, including threats to life and liberty from security services in authoritarian regimes.
When VPN service providers respond positively and promptly to such disclosures, remedying any defects and closing breaches, the data concerned is placed out of the reach of those with malicious intent. In this way we seek to avoid and reduce the inevitable leak of personal data onto the dark web, underground forums and communities where it could be curated, traded and used to systematically exploit the data subjects. Additionally, we seek to prevent personal data of VPN users from falling into the hands of authoritarian regimes, who could use it to punish suspected dissent.
This public policy is to ensure that organizations we disclose to can understand our processes and the motivations behind our processes when dealing with VPN data breach disclosures.
To contact us in relation to our discovery and disclosure practice, email: research@top10vpn.com.
1.1 Primary Objectives
This policy sets out our approach to disclosing data breaches to VPN service providers and the public. It governs all such VPN data breaches, wherever discovered, worldwide.
The primary objectives are:
- The lawful, timely discovery of datasets containing personal information of VPN users disclosed publicly in error, inadvertently or maliciously.
- The protection of the rights of individuals, in particular the right to privacy enshrined in data protection legislation internationally. Privacy is a fundamental human right in accordance with the UN Declaration of Human Rights, and we seek to protect it.
- Timely and consistent communication with VPN service providers found to be suffering from a data breach, however caused.
- The application of fair and ethical standards, which balance the rights of individuals and organizations. We aim to encourage VPN service providers to create a more secure VPN industry where data rights are upheld and the security and correct handling of individuals’ data is performed in a transparent and informative way.
- We will strongly encourage VPN service providers to be transparent with impacted individuals as to the extent and content of the information breached. We retain the right to inform impacted parties should this not take place or be deemed inaccurate.
- Adherence to the letter and spirit of legislation protecting personal data and the rights of individuals.
1.2 Reasons to Disclose
In all cases, it is our duty to disclose a breach privately if possible (to the organization responsible for the dataset) and publicly. The rationale for dual disclosure is set out below.
1.2.1 Private Disclosure
It is inevitable and demonstrable that personal information regarding VPN users will sometimes be made publicly available in a manner not intended by the organization or individual holding the dataset. Disclosing such discoveries directly to the organization or individual concerned enables them to take all necessary remedial action.
We value cooperation and collaboration with breached VPN service providers. Irrespective of the nature of communication during private disclosure, we are committed to honest and transparent disclosure and will not make false or misleading statements about the organization or individual concerned, nor the events that transpire throughout this process.
The preferred outcome will always be:
- We privately disclose the breach to the impacted VPN service provider.
- The organization or individual providing the VPN service fixes the breach in a timely manner, in accordance with the rights of the individuals impacted to minimize the time that the data is exposed to the public.
- Top10VPN and the organization mutually agree to public disclosure.
1.2.2 Public Disclosure
As well as disclosing breaches to the organization concerned, we publish public disclosure notifications of VPN service data breaches via our www.top10vpn.com website. There are several reasons for this:
- Public disclosure assists in bringing the breach to the attention of affected VPN users, preferably with the cooperation of the organization concerned.
- When it is impossible to identify the organization responsible for the dataset, public disclosure brings a far wider pool (potentially including affected individuals) into identification efforts.
- Where VPN service providers have failed to respond adequately to private disclosure in accordance with the primary objectives laid out at the start of this document, public disclosure has been seen to incentivise appropriate behavior in the wider community.
- We believe wholeheartedly in transparency of our operations. Individuals’ privacy must be protected and their trust earned.
- Public disclosure raises awareness and scrutiny of VPN data breaches. This is a vital contributor to global efforts to ensure appropriate care is taken to secure VPN user data and protect the rights of individual VPN users.
- Public disclosure helps prevent false information about the nature of the breach from spreading, whether this be intentional to harm the organization involved, PrivacyCo itself or its employees, to target individuals, or simply an accidental misinterpretation of events.
Additionally, we urge breached VPN service providers to issue their own public disclosure notices.
2. Policy
2.1 Principles
- Discovery activities are lawful and limited to publicly accessible services.
- So far as practicable while working to best protect the impacted individuals, we limit our own view of breached data.
- Discovery activities are not to affect or interfere with the normal operation and use of the systems and data involved.
- The data protection principle of minimisation is observed.
- Disclosure will be as timely as resources permit.
- Private disclosure will precede public disclosure wherever feasible.
- Disclosure and discovery are not financially motivated. Bribery will not be tolerated.
- Third parties may be engaged in the pursuit of a satisfactory outcome.
2.2 Discovery and Disclosure
- Any breach may already have been or could soon be discovered by those with malicious intent. With time being of the essence, we will carry out responsible disclosure as expeditiously as circumstances and resources permit.
- Our discovery methodology will at all times be limited to tools and processes capable of discovering publicly available information with no credentials or authorisation required for access. For the avoidance of doubt, we do not engage in reverse engineering, cracking, brute force password attacks or other ‘black hat’ techniques.
- On discovering a potential breach, we will take such steps as are necessary to satisfy ourselves that this is a breach of personal data. This includes spot-checking elements within the dataset to confirm its nature and content.
- We will make reasonable efforts to discover the identity of the organization or individual to whom the breached dataset belongs.
- We will make reasonable efforts to bring the fact of a breach to the attention of the organization or individual identified (if any) as the owner of the breached dataset.
- We will not request financial compensation for our disclosure; neither will we accept payment in return for suppressing information about the breach.
- In these efforts, we may engage the assistance of reputable and/or official third parties, such as security researchers, lawyers, media, or law enforcement agencies.
- We will not retain or publish data from breaches, except such redacted information as is required to demonstrate the fact and circumstances of the breach. This may include retaining or publishing, for example, screenshots with personal information obscured.
- On notifying a VPN service provider of a data breach, we will wait a reasonable period before publicly disclosing the fact of the breach. The length of that waiting period will depend on factors such as the responsiveness of the notified VPN service provider, the sensitivity of the data in the breach, the scope of the breach, the prominence of the VPN service provider, and the risk to individuals, and will normally be in a range of 7 to 30 days.
- If, in our view, the VPN service provider fails to act sufficiently swiftly or adequately, fails to notify affected individuals appropriately, or if it is not possible to identify the owner of the data, we will publicly announce the details of the breach in the interest of protecting those individuals. These details will, where possible, include the identity of the VPN service provider, the type of VPN user data breached, the technology affected, the length of time the dataset was exposed and the number of individuals affected.
- Where the VPN service provider’s response is appropriate, we will work with them to develop mutually acceptable public notices of breach. This is on the basis that we will always favor full disclosure, for the protection of the rights of the individuals affected.
2.3 Breached VPN Service Providers
- Upon contact from us, VPN service providers are expected to respond positively, with all due speed.
- The waiting period following disclosure permits the VPN service provider to satisfy itself of the fact of the breach and the veracity of our warnings, and to take such technical measures as are necessary to close the breach swiftly and to notify affected individuals.
- The VPN service provider should without unreasonable delay notify affected individuals of the breach.
- The VPN service provider is advised to disclose the breach publicly, incorporating assurances in relation to remediation and process improvement. Experience demonstrates that this enhances consumer confidence and is not to be feared, whilst attempts to conceal the extent of a breach are usually counterproductive.
- In its own notice of breach, the VPN service provider should give due and prominent acknowledgement of our efforts in bringing the breach to its attention.
2.4 Process
The process will vary with each incident, depending on the particular circumstances. The following is a representative model process:
- We discover VPN user data publicly available and establish that this is likely an inadvertent or malicious breach.
- We identify the owner of the breached dataset.
- We contact the organization or individual concerned, through officially published communication channels, with brief information, requesting appropriate contact details for further discussion.
- In the event the VPN service provider responds positively, we will establish secure communication channels and provide full details about the breach.
- If the organization or individual does not respond, successive communication attempts will follow an escalating pattern.
- The VPN service provider will expeditiously close the breach and inform affected individuals.
- PrivacyCo and the VPN service provider will communicate further to discuss respective public disclosure notices.
- Both parties issue their public notices.