How can I protect my vpn service from legal action due to bad users illegal file shar

thegeezer3 01-01-2010, 05:47 PM
I'm going to be offering a small VPN service to 200-odd expats as a sideline business. It's to allow them to access information they currently can't get due to geo-restrictions / censorship etc.
I'm concerned about users who may, against my terms of service, share illegal files through my VPN (something I'm very against!). My current setup will make it difficult but I can't rule out a nasty user finding a way to bypass (if anyone knows of a foolproof way to stamp out file sharing please tell).
I want to know how I can avoid being made responsible for any user's illegal actions.
I know other companies offer VPN services and some are even dedicated to torrenting but they seem to be able to trade without facing lawsuits etc. I'd like to know how. Can anyone help?

mrzippy 01-03-2010, 04:00 AM
> I want to know how I can avoid being made responsible for any user's illegal actions.
Well, the easiest solution is very simple.
Keep no records.
In other words, even if you do get dragged into court regarding something... if your VPN server has no log files, no record of connections, or anything else other than just un/pw information... then there is no way you could ever be held responsible for anything.
(ie: There is no proof "you" were involved.)
So... set up your VPN to authenticate the user, and then don't store any details about what the user is doing. :)

mellow-h 01-03-2010, 06:03 AM
I have a feeling that you mean VPS. Are you referring to a VPS or a VPN?

hostingcertified 01-03-2010, 06:08 AM
Are you worried about the 200 users uploading illegal files or worried about hackers who can use your network for transferring illegal files?

andrewklau 01-03-2010, 06:14 AM
Design a TOS/AUP that protects you in every way, and put all blame onto the clients.
When a client signs up to the service they must accept that if they do anything illegal they will take the punishment. You as the company just provide the service.

thegeezer3 01-03-2010, 09:59 AM
> Well, the easiest solution is very simple.
> Keep no records.
Thanks for the reply.
I've heard of this approach before but couldn't that be considered gross negligence?
I've also heard "patrolling", whilst a good intention, can actually put you into a liable position.
I never intended to keep logs of webpages visited but did plan on keeping bandwidth used, time connected for troubleshooting. Also it would help to identify a rogue user if a movie company gave me times of the illegal filesharing. Or is that a bad idea too?

thegeezer3 01-03-2010, 10:01 AM
> I have a feeling that you mean VPS. Are you referring to a VPS or a VPN?
No, I do mean VPN (Virtual Private Network).

thegeezer3 01-03-2010, 10:06 AM
> Are you worried about the 200 users uploading illegal files or worried about hackers who can use your network for transferring illegal files?
No, just worried about the users who subscribe.
> Design a TOS/AUP that protects you in every way, and put all blame onto the clients.
> When a client signs up to the service they must accept that if they do anything illegal they will take the punishment. You as the company just provide the service.
I like this approach. But even if I say "if a user breaks the terms and does something illegal, they take the fall, I take no responsibility." will the law consider me innocent?
And in order to pass on the blame I'll need to keep logs of usage (time and bandwidth) which goes against the advice of the first replier.

TomNet 01-03-2010, 10:12 AM
A decent terms of service will do the trick and also don't keep any logs that you don't need...
Sites like rapidshare, 4chan etc all host and traffic "dodgy" content but are covered by their ToS.

nerdie 01-04-2010, 12:40 AM
> Well, the easiest solution is very simple.
> Keep no records.
> In other words, even if you do get dragged into court regarding something... if your VPN server has no log files, no record of connections, or anything else other than just un/pw information... then there is no way you could ever be held responsible for anything.
> (ie: There is no proof "you" were involved.)
> So... set up your VPN to authenticate the user, and then don't store any details about what the user is doing. :)
Horrible advice. So, since you can't prove it WASN'T you (since you have no logs) you will be liable for everything instead.
Have fun in jail.

blipper 01-04-2010, 05:20 PM
I agree with Nerdie; bad idea. You'll be the only one on the hook when they come looking and find illegal files.
That is just one risk. The overall concept has risk, I mean setting up a service specifically to evade geo-restrictions?
Let us know when the black helicopters arrive...

AL-Benjamin 01-04-2010, 06:34 PM
> Well, the easiest solution is very simple.
> Keep no records.
> In other words, even if you do get dragged into court regarding something... if your VPN server has no log files, no record of connections, or anything else other than just un/pw information... then there is no way you could ever be held responsible for anything.
> (ie: There is no proof "you" were involved.)
> So... set up your VPN to authenticate the user, and then don't store any details about what the user is doing. :)
Yeah, don't do that - certainly not if you are in any of the Western countries that have inter-governmental treaties regarding law interchange.
Contract in a solicitor to specifically write your TOS. It's worth your time, seriously.

generouswebhostin 01-04-2010, 09:35 PM
USA has ISP laws protecting you from liability. You must not allow it to go on once you are aware of the problem.

generic007 01-05-2010, 06:05 AM
Make sure your ToS/AUP has a rock solid indemnification clause, also the idea of keeping no logs isn't too far off what the lawyers of the EFF recommend for all OSPs.
From their White Paper Best Practices for Online Service Providers:
http://www.eff.org/wp/osp
"An OSP can keep its costs and risks down by setting clear policies about data retention. Under ordinary circumstances, there are no laws that require OSPs to retain personally identifiable information (PII) or activity logs about users, unless this information is subject to other government regulation (such as financial transactions) or the OSP has received a backup preservation request from the government.7 (http://www.eff.org/wp/osp#footnote7_zesh5o6) EFF believes that PII and activity logs about users should be kept only so long as it is operationally necessary"

trafficlight 01-05-2010, 05:15 PM
> No, just worried about the users who subscribe.
It's not up to you to protect the users. If you are providing a legit service and one of your users is using it for illegal means, that's on them.

oceanplexian 01-06-2010, 01:36 PM
If you're an "ISP/Service Provider" in the US, which can have a really broad meaning, you are free from liability provided you do log users/times that access your service and comply with subpoenas against your company.
If you don't keep any logs, you have no proof that it was you or your users responsible for the infringement.