1) cryptostorm would still have the IP the ISP assigned a user. Mapping this IP to a real name is trivial. Right?
2) The cryptostorm team decided to remain 'pseudoanonymous' at this point. The points they outline (privacy activists get constantly hassled and threatened) make sense but don't help me verify the integrity of the service. You saying that you spoke to them and that they are trustful doesn't do much either. Why should I trust them? I know in the end I should trust no one, but your argument boils down to cryptostorm being outside of FRA jurisdiction?
You could argue that iPredator is not a real crypto/security VPN service in the first place. I think they are using 128-bit encryption which can be cracked if enough effort is put into it. They are just making it more difficult, eliminating 'drive by snooping'.
Lastly: no offense, but that website is not very trust-inducing. I know it shouldn't matter but still....
No, my argument boils down to "cryptostorm doesn't know who you are". They isolated their accounting (the part that has to collect money and ties an individual to an account) from their VPN service. They compartmented their operations from their business. So their customers are anonymous to them.
You purchase an access token (time limited from first use) from a third party (cryptostorm offers bulk rates for resellers). The entity which sells the tokens is based in a First Nation in Canada, meaning it has reduced legal attack surface. This entity is distinct and separate from cryptostorm.is the VPN service provider. They are compartmented and share no information. Neither one has sufficient information to link a specific individual to any activity.
That's the beauty of what they've done: they've made it so that you don't have to trust them. As I said, they could be compromised and log everything, it doesn't matter. They cannot tie an account to an individual. That's the problem that they solved. They removed trust from the equation.
Now, indeed, you should not use a VPN for anonymity. That is not what they are designed for and that is not what they are capable of providing. However, given that the cryptostorm VPN service can only know:
* your originating IP,
* your (anonymous) token ID, and
* the packet stream that exits their servers...
You can easily ensure a level of anonymity to your internet usage by accessing the VPN from an IP that is not associated with you (e.g., public library, coffee shop, etc.). Provided you maintain discipline and never access it from an IP "owned" by you, they cannot know who you are.
I've spoken and written before about how VPNs are not tools for anonymity. A recent example is a "no logs" VPN used to catch a kid sending bomb threats to his school [0]. A VPN service is essentially just a proxy, and no single-hop proxy is going to deter a nation-state-level actor. VPNs are tools for privacy, circumventing stupid IP restrictions, and evading (some) network access controls. They're not safe for robust clandestine activity.
I've spoken with them and they are competent, have been doing VPNs for years, and are passionate about privacy and security. That doesn't mean I trust them. The beauty of their architecture is that I don't have to.