OK Ghosties, time to try something new.
This year we are committing to releasing a transparency report every three months, including a monthly breakdown of the numbers.
You can still find our yearly numbers and plenty of other details in our Transparency Report section, but more regular updates will appear here at the Privacy Hub.
We have two aims in mind with this new approach:
- To be even more transparent, allowing you to see how the numbers unfold over the year
- To reveal the numbers while they are most relevant, rather than waiting until some are almost a year old
Some of you may be asking, “What is a transparency report?” and “What numbers are you talking about here?”
Well, here’s everything you need to know.
What is a transparency report?
Transparency reporting is the act of companies openly declaring data related to requests by governments and law enforcement agencies for information. These requests usually involve:
- User data
- Removal of content
- Intellectual property takedowns
Companies voluntarily began publishing transparency reports to demonstrate that they uphold user rights.
Major players publishing transparency reports
Google, Apple, Amazon, Microsoft, Adobe, Facebook, Twitter, Reddit, Yahoo, WordPress; the list goes on and on.
You name it, and if it’s a major player in today’s digital economy, the chances are they’re publishing a transparency report.
The method first came to light with Google’s debut transparency report in 2010, which focused mainly on government requests for user data and content takedowns.
However, the rest of the tech industry was not genuinely committed to transparency reporting until Edward Snowden’s revelations in 2013 regarding NSA surveillance. Disclosing these global surveillance documents triggered a crisis in confidence with regards to how companies were handling private user data.
In response to the backlash, almost all major online service providers began publishing more detailed breakdowns of the demands for data made by governments and law enforcement agencies.
And then, following a lot of political pressure from internet companies and privacy advocates, we saw the arrival of transparency reforms written into the USA FREEDOM Act of 2015.
If you’re interested in seeing who does what, and who does it best, the Electronic Frontier Foundation publishes a fantastic report every year called ‘Who Has Your Back?’. It assesses big tech companies on their policies and transparency in reporting.
Transparency in the VPN industry
Using a VPN is a great way to protect yourself on the internet. But it’s crucial to know whether your VPN provider keeps tabs on you.
Surprising as it may be, many popular VPNs log your browsing history, your IP address and much more. Some go as far as selling this data off to advertisers as well.
At CyberGhost, we keep no logs. Never have. Never will.
Back in 2011, we were also the first ones in the VPN industry to release a transparency report. And our dedication to being open and honest with every one of our Ghosties is just as strong now as it was then.
Transparency is not just a tradition we’re very fond of. It’s a duty we feel compelled to fulfill.
That’s why, in our 2018 report, we began including a lot more than you’d typically expect. Now you can:
- See the number of DMCA complaints, malware activity flags, and police requests that we get
- Check out key statistics about our infrastructure
- Find out more about us, the people behind CyberGhost VPN
And this year, we’re going one step further by publishing the number of legal requests we receive in each quarter, right here on the Privacy Hub.
Q1 2019 numbers
Over the first three months of 2019, we received 22,595 legal requests from various law firms, website owners, app developers, police departments and law enforcement agencies at CyberGhost VPN.
We generally break these down into three types of request: DMCA complaints, malicious activity flags, and police requests.
Most of the time, the DMCA complaints we receive are related to copyrighted material that has been illegally shared via a CyberGhost IP; prompting law firms to get in touch with us on behalf of the relevant production companies.
In Q1, we saw a total of 18,972 DMCA complaints, making up 84% of the total requests received.
Malicious activity flags
The complaints we receive that fall into this group generally come from website owners or app developers. They relate to DDoS, botnets, scams, log-in attempts, or automated emails being sent from CyberGhost IPs.
The number of Malicious activity flags we received in Q1 was 3,602, which is just under 16% of the total requests.
We get police requests from various law enforcement agencies or police departments requesting logs for an IP linked to an investigation or case. These requests are usually received by the data centers we work with around the world, and then get forwarded to us at CyberGhost HQ.
The number of Police requests submitted to us in Q1 was just 21, less than 1% of the total number of requests. We consistently get a low number of police reports, with less than 100 issued to us in the three years of 2016, 2017, and 2018 combined. And that’s despite an ever-expanding Ghostie community that today is made up of more than 30 million users worldwide.
CyberGhost HQ: outside the Five Eyes, Nine Eyes and Fourteen Eyes
The Five Eyes alliance began as an intelligence-sharing agreement between the US and the UK, born out of World War 2 and the Atlantic Charter, which set out the Allied vision of a post-war world.
In 1946, a secret treaty was sealed as the UK-USA Agreement. Then, the next 10 years saw, Canada, Australia, and New Zealand each joining up to complete the alliance.
Confirmation has been made with regards to the existence of both the Nine Eyes and Fourteen Eyes alliances, although the ties are not understood to be as closely woven as the Five Eyes.
Since these networks exist with the sole purpose of dealing out data to all of those involved, there’s a high chance that if your information is accessed by one country, it will end up being shared with the others.
Here is a brief breakdown of the countries involved in each of the three intelligence sharing alliances:
Thankfully, we’re Romania-based. Not only do we fall outside the intelligence agreements illustrated above; but we’re also under no obligation from the Romanian law to store data.
We can fully and truly honor our strict No Logs policy. This means we’re unable to comply with any requests, even if they are legally binding.
No need to worry about any of the data centers we work with either. They are not able to cooperate with the authorities either.
If the data centers receive any reports or complaints, they just forward them to us.
For every single legal request that we receive, directly or via a data center, we have a clear procedure in place to explain that we’re not monitoring any of our users and we’re not logging any data.
Therefore, we’re unable to provide any user information.
Meet the team
Giving users a window into how things look behind the scenes is far from standard practice in the VPN industry. Faceless or anonymous profiles publish most of the blog posts, articles, and guides you find. All while claiming to champion transparency.
But we’re always looking for ways to reach higher and lead by example.
Besides, as Ghosties, it’s simply in our nature to be more see-through. What more can we say?
That’s why every piece we post here on the Privacy Hub is attributed to the team member who wrote it.
You can also visit the CyberGhost YouTube channel, with great content on internet privacy, online security, and digital freedom. Get subscribed and check out our latest videos!
Finally, keep an eye on our Instagram page for regular updates on life at CyberGhost HQ, including our weekly Happy Fridays in the basement, as well as our occasional ping pong and FIFA© tournaments.
A call for transparency in tech
Things have come a long way since 2010 when Google released its very first transparency report. But governments around the world are still hell-bent on obtaining user data.
For example, in March 2019, notes on a private security briefing revealed the extent of government overreach when requesting information, as well as the pushback from tech companies.
One of the tech companies present at the meeting had been issued with a demand for the names and physical addresses of 58 million app users.
Now, the government in question here may well have been legitimately trying to track a suspected terrorist cell, but the number of users it was requesting data on was double the population of its own country.
Unsurprisingly, the request was rejected. However, it does illustrate how eager governments and law enforcement agencies are to get their hands on large quantities of information.
Some states in the US are looking at ways to improve things.
Florida laid the groundwork with the California Consumer Privacy Act of 2018. Taking inspiration from the General Data Protection Regulation introduced by the European Union, the legislation granted consumers in the state a selection of new rights, including:
- The right to be informed about what personal data companies have collected and why
- The right to access collected personal data in a “readily useable format”
- The right to opt out of the sale of personal data
- The right to request the deletion of collected personal data
And more recently, Utah became the first US state to take steps toward protecting private electronic data held by third parties, making government access without a warrant no longer possible.
But things can still be drastically improved.
We trust them with it all. But they can be legally required to hand it over.
That’s why here at CyberGhost VPN, now more than ever, we advocate a standard transparency report for use across the tech industry.
Standardized reporting: it’s the way to go
Making side-by-side comparisons on what kind of data has been demanded and how often it’s requested is pretty complicated, as things stand.
A standardized report would enable contrasts to be made across the data of various companies.
Highlighting relevant data in an accessible way for users should always be the key aim of any transparency report. For example, a company may choose to place heavier emphasis on the total number of data requests they receive.
This generally makes for better PR than if an equal focus was on how many requests they comply with, the reasons why they comply, and how many users were affected by the compliance with those requests.
Limiting this kind of bias is something we can achieve through a standard industry transparency report, since it would ensure that what gets reported is done so with a much fairer weighting.
We believe the standardized report should include, as a minimum:
- Statistical data highlighting the total number of legal requests received and the reasons why
- Data to be clearly split into requests for user information, requests for content removal, and intellectual property takedowns
- The number of legal requests complied with
- The number of users directly affected by each request complied with
So, we invite the Global Network Initiative, Electronic Frontier Foundation, Privacy International, and other organizations to mediate and work together with all willing tech and telecom companies to agree on a standardized report.
We are also looking forward to collaborating with other like-minded companies to ensure a standard on transparency reports can be reached. We’re eager to work with those who share our belief that a change really can be made based on a commitment to honesty and openness throughout the tech industry and digital economy.
If that’s you, get in touch!
Here at CyberGhost, we have never stored or logged any information on our Ghosties. We know how important it is that you are able to trust us.
Throughout the rest of 2019, we will continue to report the number of legal requests we receive every three months.
Striving to be as transparent as possible, while providing the best service for each and every Ghostie, is at the core of everything we do at the CyberGhost HQ.
Until next time, stay safe and secure.