
PayPal are Tracking your IP – Did you see any warnings that “PAYPAL are TRACKING your IP?”

10/04/2013

As you may have noticed, Paypal have terminated my account due to my use of a high security VPN – on the grounds that it’s a security risk. Paypal consider use of a VPN a breach of their terms and conditions. Which is interesting, now that I’ve accidentally discovered that they’re tracking us. Geolocation tracking is an insidious form of surveillance. Yet they will have the audacity to argue that an open wifi in a coffee shop is not a breach of security. Now, ask yourself which has the greatest security... the open wifi or the ultra secure VPN? So what’s really going on here…

Thanks for the 50 comments from yesterday.  Here’s an overview of what you need to consider with IP tracking by Paypal:

Paypal are tracking your IP.

There’s Data Retention on your IP – which in effect allows them to track your movements and whereabouts – and acts as a surveillance tool.

If you use a VPN, they will terminate your account – as a breach of “Security”.  I wonder how many Paypal users know that they’re being tracked?

I certainly never gave my consent to tracking by PayPal.  I wonder what other purposes they use your IP for.. and whether they resell or aggregate that data for third parties such as Councils, police and the tax man?

I wonder if their IP tracking of customers is a Data protection breach?

Their data retention of users’ IPs is in effect a tracking device. Does the ICO even know what they’re doing… without informed consent. I saw no notice “PAYPAL are tracking this IP”… did you?

So many questions…

***************************

This is how it came to my attention

Paypal Terminated my account because use of a VPN is against their terms and conditions

https://uwnthesis.wordpress.com/2013/04/08/paypal-terminated-my-account-because-use-of-a-vpn-is-against-their-terms-and-conditions/

*****OPENVPN Geek Stuff*****

I use OpenVPN – which was designed to run in Russia and China to thwart state surveillance.    I use a VPN provider that’s dedicated to privacy – and works to support journalists and civil rights activists.  And I’m terminated due to “security”.  ummh. You can smell the baloney from a mile away.

OpenVPN – with total regards to the awesome book OPENVPN – Building and Integrating Virtual Private Networks by Markus Feilner.

Step 1 – Create the STATIC KEY – SYMMETRIC ENCRYPTION

Symmetric means the same key is used to encrypt and decrypt (Paypal might not know this).

OpenVPN mixes and matches several encryption systems – so this is just stage 1 of security.

[Image: static key]

Step 2 – Secret Key stops Handshake hiccups

Each pair on the Client/Server has their own key.  This is important – as you can’t knock on the door of OpenVPN and start the SSL handshake (as with normal SSL handshakes) without those key codes.  A standard SSL handshake is weak… it can be “tripped up”.  These keycodes prevent that little hiccup.

It’s like Fort Knox.  You’ve got rings of protection…. interwoven for maximum security (well as safe as you can get without leaving the country). So here’s the sample config file jobby.

[Image: sample config]

dev tap = creating the virtual ethernet subnet.  Remember those “virtual ethernet devices” that I said OpenVPN used?

OH LOOK – PRETTY PICTURES.

[Image: tunnel]

Virtual Network Cards

Remember those virtual networks… created out of thin air. Well, here’s a sample config for them. The 2 IPs are set up…. so that the virtual cards can chat to each other – but no-one else.

[Image: networks]

SUBNET MASK – CIDR 4 HOSTS

On an actual VPN the subnet mask will usually be set to allow 4 hosts.

[Image: cidr]

What does a subnet mask of  255.255.255.252 mean?  This allows 4 hosts maximum.

.0 = Network ID

.255 = Broadcast ID

.1 = the Client side of the VPN

.2 = The Server side of VPN

So we’re a little short on IP’s.  Which is a cunning plan from the VPN providers.
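What the 255.255.255.252 (/30) mask works out to, as an added example that is not from the original post or from the book it credits: the script carves a constructed pool (10.8.0.0/24, an assumption) into /30 blocks, lists each block's four addresses, and checks whether two addresses are the usable pair of the same block. The function names are hypothetical.

```python
import ipaddress
from itertools import islice


def p2p_blocks(pool, count):
    """Describe the first `count` /30 blocks carved out of `pool`."""
    net = ipaddress.ip_network(pool)
    out = []
    for block in islice(net.subnets(new_prefix=30), count):
        out.append({
            "block": str(block),
            "netmask": str(block.netmask),
            "network_id": str(block.network_address),
            "endpoints": [str(h) for h in block.hosts()],  # the 2 usable IPs
            "broadcast": str(block.broadcast_address),
            "total_addresses": block.num_addresses,
        })
    return out


def same_tunnel(a, b):
    """True only if a and b are the two usable endpoints of one /30."""
    block = ipaddress.ip_network(f"{a}/30", strict=False)
    usable = set(block.hosts())
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return ia != ib and ia in usable and ib in usable


if __name__ == "__main__":
    POOL = "10.8.0.0/24"  # constructed sample pool, not taken from the post
    for b in p2p_blocks(POOL, 3):
        print(b)
    # Two ends of the first block share a tunnel; an address from the
    # next block does not, and neither does the block's network ID.
    print(same_tunnel("10.8.0.1", "10.8.0.2"))
    print(same_tunnel("10.8.0.2", "10.8.0.5"))
    print(same_tunnel("10.8.0.0", "10.8.0.1"))
```
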

Super Secret Spy thingy

Did you notice that SUPER SECRET SPY Key thingy in the virtual network card diagram?  Yeah.  Good innit.

X509 Certificates – that old chestnut of security.

SSL and the PKI infrastructure are well dodgy. Daily we see reports of stolen MI6, CIA, MOSSAD certificates to go along with the Google, Yahoo and Microsoft automatic update certificates. Some CAs have been hacked to next Thursday and back.. some say around 20% of the Internet works with compromised CA certificates. And yet it’s preached by those who like the idea of a central authority. Which with a draconian employer, might not be Plan A – as they’d have your key codes. AHHHRRR. Penny dropped for you has it. What took you so long 🙂

So using an X509 certificate is probably not all that it’s cracked up to be.  OpenVPN can and does use it as an extra ring of security.  But we can use it in a super sneaky way.

KEY GENERATION – PARTY FOR 2

We can generate the keys… This is strictly just me and you. No one else is invited to our party. Asymmetrical – uses 2 keys. One key ENCRYPTS, the other key DECRYPTS.

[Image: key]

Clearly don’t use 1024 as a key size.  Use the longest you can, without hitting performance.

Building the CA

[Image: CA]

Remember, this is a party for just me and you.  No one else is invited.

Super Secret KEYS

Of course, open wifi’s are much higher security than any of these… if you listen to Paypal.

[Image: keys]

I guess their IP tracking is popular in democracies like China.

I wonder if their IP tracking of customers is a Data protection breach within Europe? Their data retention of users’ IPs is in effect a tracking device. Is this legal? Does the ICO even know what they’re doing… and that they terminate accounts that use VPN – which bypasses their IP tracking.

So many questions…

https://uwnthesis.wordpress.com/2013/04/08/paypal-terminated-my-account-because-use-of-a-vpn-is-against-their-terms-and-conditions/

Full credit to Markus for his OpenVPN book

http://www.amazon.co.uk/OpenVPN-Building-Integrating-Virtual-Networks/dp/190481185X/ref=sr_1_1?s=books&ie=UTF8&qid=1365621087&sr=1-1

8 Comments
  1. jimmy

    I know they track you, this has been going on since ebay took over paypal, both ebay and paypal which is one company in 2 different names, has been tracking ebay users and paypal users, all this time.
    Drop paypal and ebay, and sign up with other sites that sell product, I quit using paypal and ebay because they are charging about 27% off your total profits, which makes no sense, ebay and paypal are going back to the days of old, when many started suing both companies for fraud


    • Hi Jimmy.

      They’re basically tracking us and if they don’t like where you login from… terminate your account. 0/10 for customer service there! Then have the barefaced cheek to state it’s terminated as a breach of their terms. I never saw any notice that Paypal were tracking IP’s and terminating VPN’s. It’s pretty disproportionate as a response. I could be traveling for a job…

      I agree with your advice. It’s gotta be done – Tracking of IP’s is pretty serious surveillance – without a court order to do so.

      There is no justification for paypal to track and retain IP’s and then pick and choose which IP’s they accept – or terminate accounts for VPN’s they don’t like.

      I’ve asked for my email records etc to be deleted. Let’s see how long they put that off. If they leave my email accounts open, then it’ll be prone to hacking. So formal complaint to ICO here we come.


  2. Beauty School Dropout

    You have been quickly brought into the realm of large corporate control freaks. They love to do things like re-define the meaning of words on the fly to meet hidden corporate agendas or even hiding illegal corporate activity under the guise of intellectual property or terms and conditions. Many times these things make no sense when analysed logically.

    Don’t think this is limited to corporations. Governments love to behave this way as well. That’s why they partner so well with criminal corporations to implement tyranny. Companies are also a lot like governments in that they do many illegal activities and then wait to get sued to stop doing it. Why not, they’ll just pass the costs of losing on to their customers anyway.

    You’ve already learned an important lesson on how the pyramid works to control and monitor the slaves. You can also think logically and critically. It may help you receive your degree but many in the pyramid won’t like these traits unless you serve your master. You can submit and comply like a good slave in your attempt to ascend up the pyramid or help the slaves to destroy it and choose a better path for all mankind.

    Choose your path wisely

    Peace and Love


    • Hi Beauty,

      Thank you so much – that was a wonderful comment.

      Did you know that Data mining was invented as a military tool to hunt down Chinese activists in the US?
      It was shut down for privacy breaches, as it was illegal under US law.

      This tracking or “marketing data” is lightly regulated – when in fact it was in origin a military tool for hunting down dissidents.
      We don’t allow companies to sell nuclear weapons in an unregulated fashion – yet this is allowed in secret (well until Paypal terminated my account for use of a VPN).

      I appreciate your comment about the control pyramids at work – and how it will upset many. This is true, and you’re the second person to say that to me.. so there is a resonance happening. My passion is to support the EU, Data Protection, Anti data collection, anti data retention and aggregation all the way. Why?

      Data Retention destroys people’s lives. That destruction is what has to be weighed up against company profit. The EU found a quarter of people had their CV’s binned and couldn’t get a job because of their Facebook profile. People aren’t making a connection between “unemployment and facebook”. When in all likelihood, it will destroy their earning capacity for the rest of their lives, unless the EU wins the “Right to be forgotten”.

      If you’re poor, disabled etc – this will really impact on your life chances. Therefore my path is set. Hopefully my passion means that I can’t be corrupted.


      • BSD

        No, I wasn’t aware of the origin. Thanks for sharing.

        The vast majority of people are clueless, ignorant and sometimes complete fools when it comes to their rights to privacy or even common sense about data use and retention. They will sign away anything and read nothing, especially for a free gift or a few Euros. I’m glad you are aware and active to protect these invaluable rights for yourself and others.

        There are so few that work to protect rights I am always amazed at the level of willful ignorance of the slaves around the globe. In a way you are like the small percentage of Patriots in the colonies that fought for the rights and freedoms of the vast majority who were clueless and willing to live under the tyranny of the crown.

        You have chosen an excellent cause. You will find yourself up against governments and corporations that will hate what you do. They will do anything to stop you because you are preventing them from making money off of monetizing or obtaining influence or control through the use of this information. In the US you would be labeled as a threat or even far worse for attempting to fight for or protect rights. In the EU you may have more success. But that is only for now.

        A few helpful suggestions based on experience. Use extreme caution if you work with an existing organization. Start your own organization whenever possible. Partner with other organizations and people when necessary only after thoroughly investigating them. Educating others on their rights will be invaluable to you in your fight. Never underestimate your opponents.

        I sincerely wish you all the best in your endeavor.

        Peace


      • The fact that data mining has always been a military tool, is worrying, as this tool has escaped into society. Marketing data is basically unregulated, which is how Google and Co, are making money – by selling the surveillance back to governments, divorce lawyers, councils.

        Landau advises us that monitoring, is a bit like vaccinations… a high percentage of the population need to be vaccinated – this is true for surveillance studies. Around 80% of the civilian population have to be under surveillance at any one time.

        The concept was illegal at the time, has always been illegal, but hey, let’s give it away to marketing companies… let the surveillance be carried out by the back door. Ordinary people won’t realise it.


  3. Dayton

    Oh my goodness, I recommend going back to 3rd grade. Author, I would like to inform you just how improper it is when you said “PayPal are tracking you.” You certainly wouldn’t say “My son are climbing a tree.” You should have written “PayPal is tracking you.” It sounds grammatically correct that way. I was about ready to tear my hair out when I heard that.


    • Interesting that you focus on the grammar rather than the core of the issue.
      Are = plural… They *are* rather than *is*; which is singular, he is, she is, they are.

      Grammar and linguistic style do not deflect from the central message.
      You are under surveillance.
