Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False

from the privacy-panacea dept

Tue, Oct 10th 2017 6:30am — Karl Bode

When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea, and in many instances you're simply shifting the potential for abuse from your ISP -- to a VPN provider that may not actually offer the privacy it claims.

Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior:

"PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities."

But when the Department of Justice announced last Friday it had arrested a Massachusetts man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. According to the DOJ complaint (pdf), the man in question engaged in a “multi-faceted campaign of computer hacking and cyberstalking”:

"It is alleged that Lin engaged in an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her. Lin, the victim’s former roommate, allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history. It is alleged that Lin then distributed the victim’s private photographs and diary entries to hundreds of others. "

Lin had apparently used Tor, PureVPN, and other tools to try and obscure his online footprints. In this instance, authorities seemed to already have enough brick and mortar evidence against Lin to build a case, but data from the logs Pure VPN supposedly doesn't collect helped contribute to the case against him:

"An affidavit submitted by Special Agent Jeffrey Williams in support of the criminal complaint against Lin provides most of the answers....“Artifacts indicated that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer,” the affidavit reads. From here the Special Agent’s report reveals that the FBI received cooperation from Hong Kong-based PureVPN.

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.

It should go without saying that Lin's alleged behavior is abhorrent. That said, the case serves as an example of how the promises most VPNs make about not keeping logs can't really be trusted, something the company's users would have noticed if they'd dug a little deeper into the VPNs privacy policy, which details how the Hong Kong company does store IP addresses as well as connection duration, time and date. Ironically, Lin had taken to Twitter not that long ago to acknowledge that VPN promises on this front often aren't worth all that much:

"There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”

Few will shed a tear over a stalker not heeding his own privacy and security advice. But as VPNs are also used by political dissidents, reporters, and millions of security-conscious individuals, it's worth remembering that the technology isn't the magic fairy privacy dust it's often portrayed as in media reports. And VPNs are not, as ISP lobbyists have claimed, a panacea for the slow but steady erosion of online privacy protections by companies looking to collect and sell every shred of personal data that's not nailed down.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, logs, privacy, ryan lin, vpn
Companies: purevpn

42 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 10 Oct 2017 @ 6:17am

VPNs can be a very important tool though. And you can build your own dedicated stuff if you don't trust any of the commercial ones.

In any case, PureVPN may suffer a blow now that people can't trust what it says anymore. At least it made into my own blacklist.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 7:01am
  
  Re:
  VPNs don't make you anonymous, they just hide your activities from your ISP and other parties that are between your computer and the VPN provider.
  
  PureVPN probably will suffer a blow. There's no reason for them to not be completely transparent about everything they do. Also, once Lin violated the ToS by using PureVPN to harass somebody, PureVPN had no obligation to protect his privacy.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 7:33am
  
  Re:
  The VPN logs only showed when he was online, and from what IP addresses, and at what times. He was connected to his victims from their records that pointed back to his VPN. Note, the VPN could not give away where he had been on the Internet. So it looks like the VPN could not give away where on the net he went, but only allow a backtrack to him from other peoples logs giving times and what IP connected to them.
  
  Those logs only answer the question was a person using the VPN at the times that other logs showed a connection from the VPN, but nobody can start with the VPN logs and work out where you went on the Internet. So without a suspect, and without activity recorded elsewhere, those logs do not give away anything more that you were online at a given time from a given IP address.
  [ link to this | view in chronology ]
  - Roger Strong (profile), 10 Oct 2017 @ 8:13am
    
    Re: Re:
    Likewise your ISP's logs will at least show you connecting to a VPN service or TOR.
    
    There was a story a couple years back where a university student used TOR to email a bomb threat to cancel an exam. The university checked their logs, and only one person on campus was using TOR. He was arrested.
    [ link to this | view in chronology ]
    - asdffdsa, 10 Oct 2017 @ 11:16am
      
      Re: Re: Re:
      Tor actually has pluggable transports and bridge nodes for the purpose of hiding a tor connection. One of them tries to make a connection to tor look like a handshake with a google server.
      [ link to this | view in chronology ]
  - sigalrm (profile), 10 Oct 2017 @ 9:29am
    
    Re: Re:
    
    The VPN logs only showed when he was online, and from what IP addresses, and at what times.
    
    In other words, the VPN logs only contained metadata.
    
    This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.
    [ link to this | view in chronology ]
  - roo, 1 Jan 2018 @ 7:49am
    
    Re: Re:
    I'm glad Ryan Lin was relentlessly harassing a woman. I don't even think they needed that much info from the vpn because the investigators got a hold of two of his machines.
    [ link to this | view in chronology ]
Anonymous Hero, 10 Oct 2017 @ 6:43am

More details
I'd recommend you check out the Hacker News comments on the article to get more detail: https://news.ycombinator.com/item?id=15432827

For example, PureVPN's privacy policy clearly states: "Since PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity."

There is more in the privacy policy about what they do log, which is connection time (which is tied to the user's account) and their bandwidth usage for "quality of service" reasons.
[ link to this | view in chronology ]
- kallethen, 10 Oct 2017 @ 6:56am
  
  Re: More details
  What this shows is that you should read those privacy policies if you are expecting to rely on them.
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Oct 2017 @ 7:38am
    
    Re: Re: More details
    Also, read the terms of service. You have an obligation to adhere to the terms you agree to and if you don't, the VPN service doesn't really have any obligation to protect your privacy.
    
    PureVPN bans the use of their service for harassing others, for obscenity, to get around geoblocks, spamming, pirating, crawling websites, etc...
    [ link to this | view in chronology ]
    - Anonymous Hero, 10 Oct 2017 @ 7:50am
      
      Re: Re: Re: More details
      So...then what's the point of PureVPN? To add latency?
      [ link to this | view in chronology ]
      - Anonymous Coward, 10 Oct 2017 @ 11:08am
        
        Re: Re: Re: Re: More details
        All VPN services that I know of have similar ToS clauses.
        
        So what's the point? Well, I use a similar service for when I'm connecting from a public WiFi hotspot or a hotel room. When AT&T was collecting the browsing habits of their customers, I can imagine some would choose to use a VPN for privacy reasons. Likewise, it was a good way to get away from Verizon's super cookies.
        [ link to this | view in chronology ]
      - Anonymous Coward, 10 Oct 2017 @ 3:27pm
        
        Re: Re: Re: Re: More details
        Also circumventing geoblocking, national ISP-level firewalls and mass corporate/state surveillance regimes. Safer P2P. Also businesses need VPNs for secure access to their networks.
        [ link to this | view in chronology ]
- Ninja (profile), 10 Oct 2017 @ 8:05am
  
  Re: More details
  But they do use 'no logs' as a marketing strategy, it is (or was, not sure) on their site.
  [ link to this | view in chronology ]
  - Anonymous Hero, 10 Oct 2017 @ 8:37am
    
    Re: Re: More details
    Yes, I agree, they were misleading, especially by specifically emphasizing NOT keeping logs with an upper-case NOT.
    
    Still, if you are trusting your privacy and security to a third party, you should do your research. I don't trust my privacy and security to my ISP, so I didn't bother to read their privacy policy. I know they'd be happy to sell anything and everything about me to anyone willing to pay.
    [ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2017 @ 7:08am

Thanks for recommending such great products, TechDirt!

https://www.techdirt.com/articles/20151118/09211632855/daily-deal-purevpn-subscription.shtm l
[ link to this | view in chronology ]
- wereisjessicahyde (profile), 10 Oct 2017 @ 9:26am
  
  Re:
  Techdirt doesn't recommend anything.
  
  That very ad even says "The products featured do not reflect endorsements by our editorial team."
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Oct 2017 @ 2:18pm
    
    Re: Re:
    The second I read "The products featured do not reflect endorsements by our editorial team." I ignored them as a matter of course.
    
    If I could adblock them altogether, I would.
    [ link to this | view in chronology ]
Jordan Chandler, 10 Oct 2017 @ 7:13am

PureVPN was recommended by TechDirt
I’m pretty sure I bought a lifetime subscription to PureVPN because it was recommended by TechDirt

Were you guys kidding ?
[ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 7:57am
  
  Re: PureVPN was recommended by TechDirt
  I would have recommended PureVPN too if they said they don't keep logs. Personally, I think I you should sue PureVPN for your money back if the goal was complete privacy. Probably will be harder to sue if it was in the contract you agreed to but you should still have some standing if it was different then what was advertised. If it was for other reasons then PureVPN was doing its jobs as intended.
  [ link to this | view in chronology ]
  - Jordan Chandler, 10 Oct 2017 @ 8:11am
    
    Re: Re: PureVPN was recommended by TechDirt
    Fortunately, I just use it for hiding from my ISP and not for privacy.
    
    I'm not really upset, I just think TD should have been upfront that they once recommended them.
    [ link to this | view in chronology ]
    - sigalrm (profile), 10 Oct 2017 @ 9:52am
      
      Re: Re: Re: PureVPN was recommended by TechDirt
      
      Fortunately, I just use it for hiding from my ISP and not for privacy.
      
      This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).
      
      VPN's are not one-size-fits-all.
      
      PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.
      
      If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.
      [ link to this | view in chronology ]
      - Anonymous Coward, 10 Oct 2017 @ 11:10am
        
        Re: Re: Re: Re: PureVPN was recommended by TechDirt
        > want to watch the newest episode of the Orville from a geo-restricted IP address
        
        That's against PureVPN's terms of service.
        [ link to this | view in chronology ]
- Ninja (profile), 10 Oct 2017 @ 8:21am
  
  Re: PureVPN was recommended by TechDirt
  They did advertise 'no logs' and you had good reviews in other places. Besides TD doesn't choose themselves, it's another system. They try to keep it relevant to the audience though and there were points where they removed deals in the past.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 2:20pm
  
  Re: PureVPN was recommended by TechDirt
  Why would you buy *anything* based solely on a recc' that was actually just a glorified advertisement?
  [ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2017 @ 7:17am

It depends on what countries the servers he used are in. If the servers are in the UK, Canada, NZ, Russia, or Australia, the VPN company has to keep logs on those servers.

Whether or not logs have to be kept depend on what country a server is locacted. If he had used a server in a country where server logs are not mandated by law, they would not have caught him, since PureVPN, and other VPN companies only have to follow the laws of the country where the SERVER is located.

This is why some want to ban VPNs, the USA cannot force a VPN company to logging on a server in a country where laws there do not require logging.
[ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2017 @ 7:24am

the amusing thing to me is people thinking this company is the only one to do this. consider this example as industry standard. if you blacklist this provider, blacklist them all.

if you really want to be free of oversight, follow bin laden's example except don't build a big house in an area of small houses. ie, if you have any connectivity at all to the rest of the known universe, you are a sitting duck along with the rest of us. behave accordingly.
[ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2017 @ 8:05am

"companies looking to collect and sell every shred personal data that's not nailed down"
In short, "googles".

But where's your "of" in that phrase?

Then, how do you "nail down" data? You're mis-using one of my faves. It's physical context that gives meaning.

You even violate Techdirt usage, that data has no "owner" and is infinitely duplicable with no possible loss to anyone.
[ link to this | view in chronology ]
- This comment has been flagged by the community. Click here to show it
  
  Anonymous Coward, 10 Oct 2017 @ 8:06am
  
  Re: "companies looking to collect and sell every shred personal data that's not nailed down"
  Since when has Techdirt been worried about privacy on teh internets? ... Right, ONLY when it's not the biggest violators, you-know-which mega-corps.
  
  Iron Law: Any time that corporations get information that can be sold, it will be. Corporations are solely to gain money. Yes, I know I'm beyond minion's text: point is that little tidbits like this show that ALL you're told about "privacy" on teh internets is sheer hooey. You have no assurance and no control over what corporations are doing, yet still blindly trust.
  
  Corporations offering services to "hide" are likely the MOST selling you out to "intelligence services", or even a front.
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Oct 2017 @ 9:00am
    
    Re: Re: "companies looking to collect and sell every shred personal data that's not nailed down"
    Like the way you blindly trust the RIAA.
    
    Have a DMCA vote. Brought to you by your favorite corporations!
    [ link to this | view in chronology ]
  - Anonymous Coward, 10 Oct 2017 @ 11:45am
    
    Re: Re: "companies looking to collect and sell every shred personal data that's not nailed down"
    Which TOS did you sign when you started using TOR you filthy pirate?
    [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Tanuja, 10 Oct 2017 @ 8:37am

Very informational piece
I really loved the way technical information was presented in an easy to understand language. I understood most of the things.
[ link to this | view in chronology ]
Rekrul, 10 Oct 2017 @ 10:08am

A VPN may not normally log activity, but what happens when the FBI shows up with a warrant ordering them to help the authorities identify one of their users? Sure, they may not have any past logs to help ID the person, but they can't refuse to turn on logging to catch the person the next time he uses the VPN to connect to a specific web site or share a particular file, can they?
[ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 1:18pm
  
  Re:
  The answer to that is complicated.
  
  First, if you're using a VPN service from a different country, the FBI doesn't have as much influence.
  
  If the company is in the US, the VPN service pretty much has to comply if they are able. If they can comply and they don't want to, they have to fight the court order. This has happened in the past when the court order is overly broad. For example, they shouldn't comply with an order asking for all users to be monitored.
  
  If they can't comply with the court order, they better have a pretty good reason and a lawyer ready to present that argument to a cranky judge.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 10:13pm
  
  Re:
  If the servers used are not in the the Untied States, they are not subject to United States jurisdiction.
  
  If and when I ever get the VPN service going I would like to start someday, I will ONLY comply with the laws of whatever country a server is in. I will only recognise court court orders from that country, and no other, and the Feds don't like that, they just KISS my ASS.
  
  For example, I will never recognise US jurisdiction over a server in Australia. Unless they get an order from an Australian court, they just go take a long walk off a short pier. For servers in Australia, I will ONLY comply with Australian authorities, and if the United States government does not like they, they just go #&$*(#&(*$ themselves.
  [ link to this | view in chronology ]
That Anonymous Coward (profile), 10 Oct 2017 @ 1:43pm

*sits back and waits for the ZOMG VPNS ARE THE DEVIL'S PLAYTHINGS brigade*

VPN's are a tool. Tools can build or destroy. You can't only look at the broken window while ignoring the entire house that was build with the same tools.
[ link to this | view in chronology ]
frank87 (profile), 10 Oct 2017 @ 2:30pm

Fine law enforcement, but it shows you can't assume you can ignore bad laws because you can circumvent them with tor, bitcoin, vpn etc.
Sooner or later law enforcement will win the arms race, probably by limiting freedom for all.
See what's happening with copyright.
[ link to this | view in chronology ]
Anonymous VPN-Maker, 10 Oct 2017 @ 4:27pm

This is why...
This is why I made my own VPN and I know exactly what logs it keeps. It costs me about $6 a month and I have 600 Mbps throughput most of the time.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Oct 2017 @ 11:23pm
  
  Re: This is why...
  How did you that for only $6 a month. I thought you would have to put a server in a server farm, and pay a lot of money. How did you roll your own VPN for just $6 a month.
  
  Also, whatever server farm your VPN is at, you better be sure they colocation you are using allows VPNs. I know that HostGator, for sure, does not allow people using its services to run a VPN.
  
  I now this because when I used to run an online radio station, I had a problem user on my website and is associated forums would just would not get the message that he was not welcome on my site, and when he circumvented the ban on him once, coming via HostGator, I raised hell about it, and HostGator terminated the account of the person who was running a proxy service using their server facilities.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2017 @ 11:09pm

As far as the Feds examining the one computer where he was previously employed, that company needs to have a policy of wiping the computer when an employee leaves

With the company I want to start, the policy will be that when any employee leaves, that computer will be wiped with a progam like CyberScrub or KillDisk, before Windows gets reinstalled, so that anything illegal that employee might have done while working for me, will not come back to haunt the company,

This will prevent the Feds from being able to recover anything that might get myself, or anyone in the company from being sued or prosecuted from what that person might have done, while working for me.

It will be the policy, when an employee leaves the company to completely wipe the hard disk on any company computer or computers that person had access to, and then the operating and all programs get reinstalled.

If the Feds don't like what my company policies will be when employee working for me leaves, they just KISS my effing ASS.
[ link to this | view in chronology ]
Anonymous Coward, 11 Oct 2017 @ 6:47am

Here is another issue the Feds will have, if Calexit should passed, and California become an independent nation. Some of PureVPN's servers are in California, and will be NOT SUBJECT to US law, should California secede and become independent.

Pure VPN has servers in San Francisco, and Los Angeles. If California secedes, they would no longer be subject to any warrants issued in the remaining United States.

Actually, if California does secede, the Feds will also not be able to enforce SESTA, if it becomes law, on several Internet giants, and their servers will be in California, and law enforcement in the remaining United States will no longer have jurisidiction over them. Googe, Facebook, CloudFlare, Apple, and YouTube are examples of California-based companies that will be able to say "kiss my ass" to the Feds, should California become an independent nation, there is NOTHING that the United States Government will be able to do about.

There will be no way to enforce SESTA, for example, on these companies, if California should break away from the United States. Since they would no longer be US companies, they would no longer have to comply with US laws.
[ link to this | view in chronology ]
monique, 20 Oct 2017 @ 6:05pm

Here's what truly got this cyberstalker caught...
The female victim knew she had no enemies EXCEPT him. When the police asked her who could be harrassing her in this manner, his name was tops on the list. And knowing that he had a deep computing background just makes him the top suspect. So all law enforcement had to do is just follow the breadcrumbs.
[ link to this | view in chronology ]