Policies

Depending on the product specifics, Cryptohippie Inc. has different client identification and usage logging policies. These policies can only be modified on a per-contract basis and at the client's request. Any such modification has to be communicated to the actual users of the installation.

Identification and usage logging policies are necessary to limit abuse of our products and services as well as to fulfill legal requirements. Usage logs are retained for a maximum of 14 days; client identification information is deleted four weeks after the end of the contract.

VPN Hubs

No client identification or usage logging is required. Cryptohippie Inc. only collects system health information (processing load, RAM usage, total traffic volume, total bandwidth utilization, number of concurrent connections).

VPN Termination

No usage logging is required. However, the client must identify themselves with a verifiable ID when signing the contract. Cryptohippie Inc. furthermore collects system health information (processing load, RAM usage, total traffic volume, total bandwidth utilization, number of concurrent connections).

VPN Backbone

See VPN Termination.

LAS

For Location Agnostic Servers there are three possible scenarios:

  1. The LAS is accessible over the public Internet: Verifiable client identification is required. No usage logging.
  2. The LAS is accessible only over a client’s VPN Hub, Termination or Backbone: No client identification, no usage logging.
  3. The LAS is accessible only over the central Cryptohippie Inc. VPN Backbone: Verifiable client identification is required. No usage logging.

Cryptohippie Inc. furthermore collects traffic usage information (total traffic volume, total bandwidth utilization).

Email smarthost

Verifiable client identification is required. Sent emails are tagged with cryptographic one-time tokens to fight abuse. Decrypting an anti-abuse token requires one auditor and one anonymous administrator acting together.

Email anonymization

No client identification is required. No usage logging is conducted. However, Cryptohippie Inc. collects traffic usage information (total traffic volume, total bandwidth utilization).

Privacy Guard Relay

No client identification or usage logging is required.

VPN Anonymization

No client identification or usage logging is required.

KH.OR: Onion Routing

No client identification or usage logging is required.

In the case of a law enforcement investigation concerning a serious crime, Cryptohippie Inc. can enable targeted logging modules (traps) that identify accounts that play a central part in serious crimes. Serious crimes are all crimes resulting in direct violence against people (terrorism, murder, kidnapping, child porn, rape, fraud). Requests by law enforcement are verified on a case-by-case basis and require a court order before Cryptohippie Inc. cooperates.

Administration Processes

Because Cryptohippie Inc. relies heavily on anonymous administrators, we have developed a process to audit and oversee administration tasks. Using this process and the technology behind it, no single person can modify critical applications or configurations without the consent of another person. All processes thus require the consent of at least one publicly known auditor and one anonymous administrator. This is intended to ensure that neither an insider attack nor external pressure on a single person can undermine our system security.

Our administration auditing process consists of four major components:

Comparative uploads

All binaries and configuration uploaded to a system are generated concurrently by two independent parties and then compared. If the two sets of data differ, both parties examine the differences. The result is an agreed-upon patch that is cryptographically signed by both parties. Only patches signed by both can be deployed to a system.

This method ensures that neither party can change critical binaries or configuration without the other party noticing.
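As an added illustration, written for this page and not Cryptohippie's own tooling (which the page does not show), the following Go program covers the two mechanical parts of this process: a comparison of two independently generated build trees, and a deploy gate that accepts a patch only when it carries a valid signature under both the auditor's key and the administrator's key. The Ed25519 keys, the sample build contents, the patch format and the domain-separation tag are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Build is an in-memory stand-in for the set of binaries and configuration
// files one party generated for upload: relative path -> file content.
type Build map[string][]byte

// CompareBuilds is the comparative-upload check: the two independently
// generated builds must be byte-identical. It returns the sorted paths that
// differ (present on one side only, or with different content); an empty
// result means no patch negotiation is needed.
func CompareBuilds(a, b Build) []string {
	var diff []string
	for p, ca := range a {
		if cb, ok := b[p]; !ok || !bytes.Equal(ca, cb) {
			diff = append(diff, p)
		}
	}
	for p := range b {
		if _, ok := a[p]; !ok {
			diff = append(diff, p)
		}
	}
	sort.Strings(diff)
	return diff
}

// patchDigest binds each signature to the exact bytes that will be deployed.
// The "v1" domain-separation tag is an assumption of this example.
func patchDigest(patch []byte) []byte {
	h := sha256.New()
	h.Write([]byte("cryptohippie-patch-v1\x00"))
	h.Write(patch)
	return h.Sum(nil)
}

// Sign produces one party's signature over the agreed-upon patch.
func Sign(priv ed25519.PrivateKey, patch []byte) []byte {
	return ed25519.Sign(priv, patchDigest(patch))
}

// DeployGate is what the target system runs before applying a patch: it
// needs a valid signature under the auditor's key AND under the
// administrator's key, and it refuses to let one key fill both roles, which
// would quietly turn dual control back into single control.
func DeployGate(auditorPub, adminPub ed25519.PublicKey, patch, auditorSig, adminSig []byte) error {
	if len(auditorPub) != ed25519.PublicKeySize || len(adminPub) != ed25519.PublicKeySize {
		return errors.New("deploy gate: malformed public key") // ed25519.Verify panics on bad key lengths
	}
	if bytes.Equal(auditorPub, adminPub) {
		return errors.New("deploy gate: auditor and administrator keys are identical")
	}
	d := patchDigest(patch)
	if !ed25519.Verify(auditorPub, d, auditorSig) {
		return errors.New("deploy gate: auditor signature missing or invalid")
	}
	if !ed25519.Verify(adminPub, d, adminSig) {
		return errors.New("deploy gate: administrator signature missing or invalid")
	}
	return nil
}

// GenKey creates a fresh key pair for the example; in practice each party
// keeps its own private key and only the public keys are provisioned on the host.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	// Constructed sample builds: the administrator's tree carries one extra
	// sshd option, so the comparison flags etc/sshd_config.
	elf := []byte{0x7f, 'E', 'L', 'F', 1, 2, 3}
	auditorBuild := Build{"bin/vpnd": elf, "etc/sshd_config": []byte("PermitRootLogin no\n")}
	adminBuild := Build{"bin/vpnd": elf, "etc/sshd_config": []byte("PermitRootLogin no\nPasswordAuthentication no\n")}
	fmt.Println("differing paths:", CompareBuilds(auditorBuild, adminBuild))

	// Both parties examine the difference, agree on a patch and sign it.
	patch := []byte("--- etc/sshd_config\n+++ etc/sshd_config\n+PasswordAuthentication no\n")
	altered := []byte(string(patch) + "\n")
	audPub, audPriv := GenKey()
	admPub, admPriv := GenKey()
	fmt.Println("both signatures present:", DeployGate(audPub, admPub, patch, Sign(audPriv, patch), Sign(admPriv, patch)))
	fmt.Println("administrator signature missing:", DeployGate(audPub, admPub, patch, Sign(audPriv, patch), nil))
	fmt.Println("patch altered after signing:", DeployGate(audPub, admPub, altered, Sign(audPriv, patch), Sign(admPriv, patch)))
}
```

The identical-key check is the one detail easy to forget: if the host's configuration lists the same public key for both roles, a single operator can produce "two" signatures alone and the two-person rule is gone without any other signal.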

Shell access monitoring

All direct shell access is conducted by the assigned anonymous administrator while an auditor supervises every keystroke sent to the system. The auditor can cancel in real time any action that was not agreed upon. This ensures that no changes are made without both parties consenting.

Access key splitting

All cryptographic keys required for system access are split between the auditor and the administrator. This ensures that neither party can access the system on its own without supervision.
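An added example of the simplest split that satisfies this requirement, written for this page rather than taken from Cryptohippie: a 2-of-2 XOR split, where one share is random and the other is the key XORed with it. The example applies it to an Ed25519 seed standing in for a system-access key; which share goes to the auditor and which to the administrator, and the key type, are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Split divides a secret into two shares of the same length: one share is
// uniformly random, the other is the secret XORed with it. Each share on its
// own is statistically independent of the secret (a one-time pad), so this is
// an information-theoretically secure 2-of-2 split. The assignment of the
// first share to the auditor and the second to the administrator is an
// assumption of this example.
func Split(secret []byte) (auditorShare, adminShare []byte, err error) {
	if len(secret) == 0 {
		return nil, nil, errors.New("split: empty secret")
	}
	auditorShare = make([]byte, len(secret))
	if _, err = rand.Read(auditorShare); err != nil {
		return nil, nil, err
	}
	adminShare = make([]byte, len(secret))
	for i := range secret {
		adminShare[i] = secret[i] ^ auditorShare[i]
	}
	return auditorShare, adminShare, nil
}

// Combine reconstructs the secret from both shares. It fails closed on a
// length mismatch so a truncated or mismatched share cannot silently yield
// a wrong key.
func Combine(a, b []byte) ([]byte, error) {
	if len(a) == 0 || len(a) != len(b) {
		return nil, errors.New("combine: share length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// AccessKeyFromShares rebuilds an Ed25519 system-access key (for instance an
// SSH user key) from the two shares for the duration of a supervised session.
// The caller wipes the returned key when the session ends.
func AccessKeyFromShares(a, b []byte) (ed25519.PrivateKey, error) {
	seed, err := Combine(a, b)
	if err != nil {
		return nil, err
	}
	if len(seed) != ed25519.SeedSize {
		return nil, errors.New("reconstructed seed has wrong size")
	}
	key := ed25519.NewKeyFromSeed(seed) // copies the seed, so the buffer can go
	Wipe(seed)
	return key, nil
}

// Wipe overwrites key material that is no longer needed.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Constructed example: the access key is generated, split, and the
	// original discarded; from then on both shares are needed to use it.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auditorShare, adminShare, err := Split(priv.Seed())
	if err != nil {
		panic(err)
	}
	Wipe(priv)

	// A single party holding only its share derives an unrelated key.
	alone := ed25519.NewKeyFromSeed(adminShare)
	fmt.Println("admin share alone yields the access key:", bytes.Equal(alone.Public().(ed25519.PublicKey), pub))

	// With both parties present the real key is reconstructed.
	key, err := AccessKeyFromShares(auditorShare, adminShare)
	if err != nil {
		panic(err)
	}
	fmt.Println("both shares yield the access key:", bytes.Equal(key.Public().(ed25519.PublicKey), pub))
	Wipe(key)
}
```

Either share alone is uniform random data, so the theft of one share (or one party acting alone) reveals nothing about the key; the reconstructed key exists only in memory for the supervised session. For more than two parties, or a threshold lower than all-of-n, a Shamir secret sharing scheme replaces the XOR.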

Filesystem monitoring

At least once a day, every system generates a cryptographically secured report of its filesystem status and of all changes since the previous report. The report is then reviewed by both the auditor and the anonymous administrator. Should any non-authorized or non-audited change appear, either party can freeze the system for review by both parties.
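The following Go program is an added example, not Cryptohippie's monitoring code (which the page does not show), of what such a daily report can contain: a manifest of every file's mode, size and SHA-256, a diff against the previous manifest, a classification of each change as authorized or not against the list of changes that went through the signed-patch process, and an Ed25519 signature over the report so that auditor, administrator and client can check it was not altered in transit. The directory layout, the report format and the placement of the signing key are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Entry: mode and size catch permission flips and truncation, SHA-256 content changes.
type Entry struct {
	Mode   fs.FileMode
	Size   int64
	SHA256 string
}

type Manifest map[string]Entry // path relative to the monitored root -> state

// Snapshot records every non-directory entry under root; only regular files are hashed.
func Snapshot(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(p string, info fs.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		e := Entry{Mode: info.Mode(), Size: info.Size()}
		if info.Mode().IsRegular() {
			data, err := os.ReadFile(p) // whole-file read for brevity; stream in production
			if err != nil {
				return err
			}
			e.SHA256 = fmt.Sprintf("%x", sha256.Sum256(data))
		}
		rel, _ := filepath.Rel(root, p)
		m[filepath.ToSlash(rel)] = e
		return nil
	})
	return m, err
}

// Diff lists changes as "A path" (added), "D path" (deleted), "M path" (modified), sorted.
func Diff(prev, cur Manifest) []string {
	var out []string
	for p, e := range cur {
		if old, ok := prev[p]; !ok {
			out = append(out, "A "+p)
		} else if old != e {
			out = append(out, "M "+p)
		}
	}
	for p := range prev {
		if _, ok := cur[p]; !ok {
			out = append(out, "D "+p)
		}
	}
	sort.Strings(out)
	return out
}

// Report renders and signs the daily report. approved holds the paths whose change
// went through the two-party patch process; any other change sets frozen, the cue
// for either party to halt the system. The signing key is assumed to live on the
// monitored host, so the signature proves integrity in transit, not host honesty.
func Report(priv ed25519.PrivateKey, changes []string, approved map[string]bool) (string, []byte, bool) {
	lines, frozen := []string{"cryptohippie-fs-report-v1"}, false
	for _, c := range changes {
		status := "authorized"
		if !approved[c[2:]] {
			status, frozen = "UNAUTHORIZED", true
		}
		lines = append(lines, c+" "+status)
	}
	report := strings.Join(lines, "\n") + "\n"
	return report, ed25519.Sign(priv, []byte(report)), frozen
}

// VerifyReport is what auditor, administrator and client run on receipt.
func VerifyReport(pub ed25519.PublicKey, report string, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, []byte(report), sig)
}

func main() {
	// Constructed sample tree; in production root is "/" and the baseline is yesterday's signed manifest.
	root, _ := os.MkdirTemp("", "fsmon")
	defer os.RemoveAll(root)
	conf := filepath.Join(root, "vpn.conf")
	os.WriteFile(conf, []byte("port 1194\n"), 0o644)
	baseline, _ := Snapshot(root)
	// Next day: an approved config change plus a file nobody signed off on.
	os.WriteFile(conf, []byte("port 1194\ncipher AES-256-CBC\n"), 0o644)
	os.WriteFile(filepath.Join(root, "unexpected.sh"), []byte("#!/bin/sh\n"), 0o755)
	current, _ := Snapshot(root)
	pub, priv, _ := ed25519.GenerateKey(nil)
	report, sig, frozen := Report(priv, Diff(baseline, current), map[string]bool{"vpn.conf": true})
	fmt.Print(report)
	fmt.Println("signature valid:", VerifyReport(pub, report, sig), "frozen:", frozen)
}
```

Because the host signs its own report, a fully compromised host could sign a false one; the signature is there so that a report in transit to the auditor, administrator or client cannot be edited unnoticed. Detecting a dishonest host is what the other three components and the cross-check between two independent reviewers are for.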

In addition to the above methods, all actions are logged in a cryptographically secure report that is sent to the client for further review.

© 2007 Cryptohippie Inc., Panama City, Republic of Panama