Meet ShellFire- A Free VPN Service That Fights Internet Surveillance from the Ground Up
Florian Gattung and Max Behr were high school students when they founded ShellFire- A VPN service that specializes in IRC bouncers and DDoS protected voice servers. Right from the beginning, they believed that freedom and security on the internet is a fundamental right for everyone. In this article, they reveal some of their most advanced technologies, and offer some useful tips on how to choose a trustworthy VPN. Share
Please provide some background on the company: What's inspired you to start a VPN service initially?
We started ShellFire as a hosting company for IRC bouncers to provide protection to IRC users against hackers. We later added encrypted and DDoS protected voice servers to our product range. Being as privacy-oriented as we were right from the start, the decision to start offering a secure VPN access in 2010 seemed like a logical next step to us.
What measures do you take to keep outsiders as well as employees from looking at your clients' data?
We use state-of-the-art encryption for all our communications to make sure no data can be intercepted between our VPN servers and the users' devices. As we are a small company, only a handful of trusted employees have access to our user database. The fact that we do not keep any user logs and route large numbers of users through the same external IP address makes it impossible for us to successfully answer any request for information that we receive from law enforcement agencies. This would make it hard even for one of our own employees to effectively spy on a user, while we are pretty sure it could be done theoretically, we have never tried.
What is the ShellFire box and what are some of its advantages over a standard VPN setup?
In 2015, ShellFire started a crowdfunding campaign on Indiegogo that enabled us to create the ShellFire Box. The ShellFire Box is a tiny open source hardware router that is able to secure ALL devices at once through our VPN network. With the ShellFire Box, you can even connect devices that normally do not have any VPN functionalities (smart TVs, gaming consoles etc.). After connecting the ShellFire Box to your internet router, the connection is automatically set up and any device connected to the ShellFire Box' wifi or wired network is automatically secured. This means that even inexperienced users can effectively secure their entire network, circumvent censorship and access foreign video streams within just a few seconds.
We have been successfully shipping the ShellFire Box since September 2015. Meanwhile, our campaign on Indiegogo has received more than $100,000 from well over 1,000 backers from more than 60 countries!
What challenges have you encountered in your attempt to secure users data without keeping any logs?
The situation regarding data retention in Europe, and especially here in Germany, has been pretty chaotic over the past few years. For a brief period, German ISPs were forced to log their user's data before the law was declared unconstitutional by the German Federal Constitutional Court in 2010. Since then, no effective law has forced the ISPs to log any data, but the majority of them still do it. Despite the fact that the European Court of Justice has ruled mass data retention illegal in 2016, Germany is about to introduce a new law that will force ISPs to log all user data once again, starting in mid 2017. Since this new law only affects "real" ISPs and not VPN providers, it is not going to change anything to our practice of not logging anything, although we expect an increasing number of requests for information from law enforcement agencies, who are usually unaware of the fact that we are not an ISP.
What's the WebRTC function and why is it a risk to internet users? How does ShellFire protect its clients from WebRTC?
WebRTC is a standard implemented in modern browsers that enables a number of handy peer-to-peer communication features like video conferencing. A downside of WebRTC is that it gives any website the possibility of retrieving their visitors' true IP address, even if a VPN is being used. For this reason, we recommend that our users disable WebRTC completely if possible, or use special browser add-ons such as uBlock Origin, to prevent websites from retrieving their true IP address. ShellFire Box users are automatically protected because the fact that the VPN connection is being established by the router, and not the computer itself, prevents the leakage of the IP address through WebRTC.
What do you think about free VPN's? Can they be trusted, and do they impose a threat on paid VPN's?
Using a free VPN bears potential risks, but the same can be said about paid VPNs. There are of course companies that are trying to make their money elsewhere by providing free VPNs and then tracking their users and selling their data. A recent research paper by Australian scientists has identified a number of those; you can read a good summary about it here.
Providing a VPN service for free doesn't necessarily mean that the provider is trying to steal your data; we run a free service ourselves which we (obviously) have full trust in. In our case, the free service is mainly a way to help people who have no other possibility to access the internet safely and unrestricted. Of course it is also a handy way to promote our services to attract potential new paying customers, who can try our apps for free. While it gives everyone the possibility to access the internet without censorship and fear of government prosecution, we have to apply certain restrictions to our free service, like limited server choice and download speed.
We know that other companies are providing free services with less restriction, because they are able to "burn" the millions of dollars of venture capital that they received from investors in order to try and build up strong brands. We have never accepted funding payments other than from our ShellFire Box crowdfunding campaign and we did so for a good reason. It is and always will be our first goal to provide great service to our customers and not to please our investors, even if that means slowing down growth or not going for the "quick bucks" venture capitalists might offer.
The fact that ShellFire VPN Free and other free VPNs are being widely used, especially in countries with strong internet censorship, where many people do not have access to easy payment methods like PayPal, makes us really glad. We firmly believe that no government should have the right to decide which websites can be accessed by the public, or have the power to send the visitors of the "wrong" website to jail.
What factors should a user consider before choosing a VPN service provider?
Finding a trustworthy (free) VPN provider that will not log and surrender your data is no trivial task. Personally, I would avoid new companies without a "clean" track record, as well as providers which make it difficult to find out where they are located; websites with no valid imprint data should never be trusted! I would probably also avoid US based companies as I do not believe that the current legal situation in the US still allows them to keep their users' data safe from the feds.
While choosing a provider located in a shady Caribbean, Southeast Asian or Eastern European location might sound like a clever choice at first, the fact that these companies usually cannot be reached by any copyright complaint issued in the US also means they cannot be held responsible for misusing their users' personal data. In the end, choosing an EU based provider and mixing it up by using both Tor and VPN seems like the safest choice, but beware, many EU countries still force providers to keep logs!