While I have worked to the best of my ability to make EzIsland a secure and private medium for internet communications, you as the user must be made aware of the potential risks involved in using EzIsland services. While the risks listed below may seem severe, they are no different than the risks of using any other internet service for communications. Unlike those providers, I won't try to obscure the risks behind pages of fine print that no one will ever read. After talking about the risks, I will then explain why you probably don't need to be too concerned with them and why you should, or shouldn't, trust EzIsland.
EzIsland services are offered to the user "as is." EzIsland makes no guarentee as to the quality, availability, timeliness, integrity, security, privacy or reliability of these services. Any data, encrypted or otherwise which is transmitted to EzIsland, including passwords, emails, chat messages, phone/video calls, VPN network traffic and IP addresses may be logged and stored on the EzIsland server. EzIsland makes no guarentee that this data is kept private to the user or that it remains availble to the user. In particular, EzIsland cannot guarentee that this data is preserved or kept private in the event of server hacking, court subpoena, system malfunction, or administrator negligence. By using EzIsland services, the user acknowledges that the server administrator will not be held liable for any damages incurred by such use and is aware that their data could be deleted or exposed at any time.
With all of that said, I will now explain why you probably don't need to worry about those risks. In order to run EzIsland, I rent what is called a virtual private server (VPS) from a hosting company named Linode. Due to the way I have configured the server, only Linode, Linode's service providers, and I, the server administrator, have direct access to the user data stored on EzIsland. Thus, to use EzIsland, you need to trust that Linode or their service providers will not snoop on their customer's data, and that I am competant enough to maintain the server securely and avoid intentionally reading, deleting, or modifying user data. Under normal circumstances, it is unlikely but not impossible that Linode and their service providers will read the data stored on the server. Nonetheless, Linode, their service providers, or myself may be obligated to read the data and release it to other agencies should such data be subpoenaed by a court.
In general, this level of trust is reasonable given that similar services provided by large corporations will intentionally read your data and sell it to advertisers. Even so, the degree to which you must trust me and Linode is greatly reduced when you use end-to-end encryption for transmitting your data. When using encryption, only you and the person you are transmitting the data to will be able to decrypt that information. While that data may be stored on the EzIsland server, it will be stored as encrypted using your local encryption keys. Thus even in the event of a hack, court subpoena, or other data exposure, your data will still be kept private provided that your local encryption keys are kept private or are deleted.
The following sections detail exactly what information is stored on the server for the various EzIsland services. Note that any emails, chat messages, or VoIP voice/video calls that are sent outside of EzIsland's network may be stored on the receiving server. If these messages are unencrypted, then there is no way to know how the receiving server stores or uses that data.
In order to facilitate the user login system, EzIsland stores username and password credential information in a database. The passwords however are not stored in plain text. Rather, the password is hashed using a cryptographically secure algorithm and the hash is stored in a database. A password cannot be recovered from its hash meaning that the stored hash cannot be used to log in to your email, chat, VoIP, or VPN services. Thus, if your user data from EzIsland is exposed for any reason, it will not reveal the password you used to sign in to EzIsland.
All emails sent to and from EzIsland are stored as is on the server. Thus, unencrypted emails can potentially be exposed should a hacker break in to the server or should a court subpoena those documents. However, if the user encrypts their emails using end-to-end encryption, then such emails would not be recoverable without the user's personal encryption keys. Details on how to encrypt emails are provided in the email section.
All chat messages sent to and from EzIsland's XMPP/Jabber service are also stored on the server as is. Thus, this data can be exposed in a hack or if it is subpoenaed by a court. However, if the user encrypts their chat messages using end-to-end encryption, then such messages would not be recoverable without the user's personal encryption keys. Details on how to encrypt emails are provided in the chat section. Note that images, voice, video and other non-text media sent through the XMPP/Jabber service are never encrypted and may be stored as is on the EzIsland server. To send encrypted video and voice media, you should use EzIsland's VoIP or email services.
While phone and video calls are relayed through the server, these calls are not recorded or otherwise stored on the server. Thus, it is unlikely that such information would be breached. For furhter security however, one may use end-to-end encryption to secure the data itself. Details on how to encrypt voice and video media streams are provided in the voice/video section. Note that text messages sent using the SIP VoIP protocol are never encrypted by EzIsland. To send encrypted messages, one should use the XMPP/Jabber service that EzIsland provides.
If you are using EzIsland to transmit or receive phone or video calls from the publically switched telephone network (PSTN), then such calls may be monitored, recorded, or otherwise tracked by governments, service providers, or other agents such as AT&T, T-mobile, Verizon, or Sprint. These calls are never encrypted end-to-end even if the call appears to be encrypted on the user's VoIP client. Further, in order to route these calls to the PSTN, EzIsland contracts with the SIP trunk provider Twilio and forwards these calls through Twilio's network. The way Twilio handles this data is unknown but it may involve recording it or otherwise storing information about it.
EzIsland does not store information about VPN traffic. Further, VPN traffic is always encrypted between your computer and the EzIsland server. However, data leaving the EzIsland server from the VPN is not automatically encrypted. For instance, if you visit a non-https website any traffic will be transferred in plain text between EzIsland and that site.
In order to offer these services, the EzIsland server must store metadata about your service use. This data is needed for the server to properly provide these services such as routing chat messages or VoIP streams. The metadata stored on EzIsland includes but is not limited to
This data can be exposed in the event of a hack or subpoena, and it can be used to reconstruct a record who users are communicating with but not necessarily what they are communicating.
EzIsland services are offered to users subject to reasonable use and may be revoked for a particular user if they do not abide by this reasonable use policy. In particular, users should not attempt to abuse EzIsland services. Abuse includes but is not limited to attempts to overload the server with traffic so as to deny service to other users, attempts to access illegal or copyrighted content over the VPN in such a way that it would implicate the system administrator, or attempts to hack or tamper with the server infrastructure or other user data.