Long post incoming:
I have been a user of PIA for several years and previously have had nothing but good things to say about it. Connections are fast, you have a wide variety of servers to choose from locally, regionally, nationally, and internationally. They're fairly cheap too.
But I'll probably be jumping ship.
On the negative side
Kape's acquisition of PIA. Kape was formerly an advertising company before 2018. Well, to be clear, they were a malware company, the opposite of their purported current focus. They were called Crossrider, and engaged in browser hijacking and malware bundling. I think in 2017 or 2018 they bought a Romanian VPN and a German VPN and say they have since pivoted to cybersecurity.
PIA executives (as expected) said that there will be no changes to their policy of putting customers' privacy first. But they're no longer in control of how that policy is enforced, and it will likely change significantly based on how CyberGhost's policy changed after Kape bought them.
Anyway, given the lies on which Crossrider (which became Kape, which will now change names to Private Internet) was built, it's hard to trust anything they say or put out. Kape's owner, Teddy Sagi, is a multibillionaire investor/real estate magnate. He and many business affiliates have close ties to the Israeli intelligence community and IDF. Sagi is a criminal (insider trading, fraud, bribery), and some of his other business ventures are involved in development of gambling software and credit card payment systems for said gambling software. He also owns at least three other companies participating in the internet/mobile/ecommerce advertising space (Stucco Media, Glispa, and Mobfox).
Additionally, CyberGhost used to be a fair Romanian VPN. Then Kape acquired them. Then their ToS changed to allow them to share data for the purposes of investigating transgressions, criminal activity, or for tracking e.g. Facebook, Google and so on as referenced above. That's ABSURD to pay for a VPN that permits that. I don't want the IDF or CIA snooping on my data in connection with some unrelated "transgression." Period.
PIA's representative on Reddit said: "Kape’s commitment to adopting and upholding these principles, which has been the centerpiece of our fight since our creation, is the reason we ultimately decided to move forward. I understand the concerns being expressed in this thread and others, but please know, as a company and team, we would never make a deal that jeopardizes our users or our reputation without guarantees."
Unfortunately, a guarantee means nothing. If Kape decides they want to monetize or snoop, what's the penalty for breaking the guarantee? So despite what PIA says about their privacy policy, they no longer get to control that. Kape does.
Also:
ycombinator link
Also: PIA recently hired Mark Karpeles (of Mt Gox dis-fame) as their CTO before being acquired by Kape.
On the positive side
They are moving the desktop client to open source to allow people to see what they're doing and how.
They also claim to be moving to an internal roadmap where no one - not even Private Internet - has access to the servers through which the VPN flows.
Closing
I'll follow my grandmother on this one: "Hear what they say, but only trust what they do."
They can talk all they want about how they're still going to be focused on privacy. I hear them. But I'm not trusting them. I'll watch their actions and if they prove their worth, I may come back. But I suspect they'll fall into the same issues that CyberGhost did. PIA is now part of a group of companies owned by a criminal (bribery, fraud, insider trading) who runs gambling sites and credit card payment companies and advertising companies, and who purports to now care about "privacy." He and Kape are associated with / have ties to intelligence communities and military groups. The writing, to me, is on the wall.
I'm going to take a break from PIA for now, and try out Mullvad or something while others sort out whether PIA will continue to be reputable.
As one exchange on Reddit went:
PIAMichael (PIA CS Staff):
u/MrMayhem85,
Unfortunately, I'm unfamiliar with CyberGhost's policies regarding the collection or sharing of data, beyond what I've seen here. I do know this isn't nor has it ever been a PIA policy.
phraun:
The issue is that you no longer have the ability to enforce your policy. It's not up to you. You're not in control anymore. Maybe nothing changes for six months, or a year, but it's now only a matter of time.
This isn't something that PR fixes. The fact that this acquisition was on the table at all means that, even were it to be cancelled, I'm now in a position where I feel like I can't trust the leadership at PIA any longer.
Not interested. Hope it was worth it.