Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False
from the privacy-panacea dept
When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea, and in many instances you're simply shifting the potential for abuse from your ISP -- to a VPN provider that may not actually offer the privacy it claims.
Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior:
"PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities."
But when the Department of Justice announced last Friday it had arrested a Massachusetts man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. According to the DOJ complaint (pdf), the man in question engaged in a “multi-faceted campaign of computer hacking and cyberstalking”:
"It is alleged that Lin engaged in an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her. Lin, the victim’s former roommate, allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history. It is alleged that Lin then distributed the victim’s private photographs and diary entries to hundreds of others."
Lin had apparently used Tor, PureVPN, and other tools to try to obscure his online footprints. In this instance, authorities seemed to already have enough brick and mortar evidence against Lin to build a case, but data from the logs PureVPN supposedly doesn't collect helped contribute to the case against him:
"An affidavit submitted by Special Agent Jeffrey Williams in support of the criminal complaint against Lin provides most of the answers. ... “Artifacts indicated that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer,” the affidavit reads. From here the Special Agent’s report reveals that the FBI received cooperation from Hong Kong-based PureVPN.
“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.
It should go without saying that Lin's alleged behavior is abhorrent. That said, the case serves as an example of how the promises most VPNs make about not keeping logs can't really be trusted, something the company's users would have noticed if they'd dug a little deeper into the VPN's privacy policy, which details how the Hong Kong company does store IP addresses as well as connection duration, time and date. Ironically, Lin had taken to Twitter not that long ago to acknowledge that VPN promises on this front often aren't worth all that much:
“There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”
Few will shed a tear over a stalker not heeding his own privacy and security advice. But as VPNs are also used by political dissidents, reporters, and millions of security-conscious individuals, it's worth remembering that the technology isn't the magic fairy privacy dust it's often portrayed as in media reports. And VPNs are not, as ISP lobbyists have claimed, a panacea for the slow but steady erosion of online privacy protections by companies looking to collect and sell every shred of personal data that's not nailed down.
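The privacy policy the article points to retains originating IP addresses plus connection date, time and duration. As an added illustration that is not part of the Techdirt post or of PureVPN's own systems, the Python below shows what that "metadata only" connection log yields once it is joined with a single event timestamp seen elsewhere; every account id, IP address and time in it is constructed sample data.

```python
"""Added example (not from the article or PureVPN's own systems): what the
connection metadata the article says is retained (originating IP, connection
date/time and duration) reveals once combined with one event seen elsewhere.
Every log entry below is constructed sample data."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    account: str     # customer account id (hypothetical)
    origin_ip: str   # IP the customer connected from (home, employer, ...)
    exit_ip: str     # VPN server address that third parties see
    start: datetime  # connect time
    end: datetime    # disconnect time


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log: three accounts, two of them sharing one exit server.
SESSIONS = [
    Session("acct-1001", "203.0.113.10", "198.51.100.7",
            ts("2017-02-03T08:55:00"), ts("2017-02-03T12:10:00")),
    Session("acct-1001", "203.0.113.45", "198.51.100.7",
            ts("2017-02-03T13:02:00"), ts("2017-02-03T17:30:00")),
    Session("acct-2002", "192.0.2.77", "198.51.100.7",
            ts("2017-02-03T09:30:00"), ts("2017-02-03T10:05:00")),
    Session("acct-3003", "192.0.2.90", "198.51.100.9",
            ts("2017-02-03T14:00:00"), ts("2017-02-03T15:00:00")),
]


def accounts_active(sessions, exit_ip, when):
    """Accounts connected through exit_ip at the moment 'when': the only
    question a connection log answers. More than one result means the
    metadata alone cannot single anyone out."""
    return sorted({s.account for s in sessions
                   if s.exit_ip == exit_ip and s.start <= when <= s.end})


def origin_ips(sessions, account):
    """All originating IPs an account connected from; two different networks
    (home and workplace) is exactly the link the affidavit describes."""
    return sorted({s.origin_ip for s in sessions if s.account == account})


if __name__ == "__main__":
    # Event seen by a third-party service at 09:45 from exit 198.51.100.7:
    # two accounts were connected, so the log alone is inconclusive.
    print(accounts_active(SESSIONS, "198.51.100.7", ts("2017-02-03T09:45:00")))
    # The same exit at 14:30 narrows to one account and its two origin networks.
    who = accounts_active(SESSIONS, "198.51.100.7", ts("2017-02-03T14:30:00"))
    print(who, origin_ips(SESSIONS, who[0]))
```

Note that no browsing content is needed: a provider that keeps only account, origin IP and session times can still tie an account to both of a customer's networks, which is why "we only log connection metadata" is not the same as "no logs".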
Filed Under: doj, logs, privacy, ryan lin, vpn
Companies: purevpn
Reader Comments
In any case, PureVPN may suffer a blow now that people can't trust what it says anymore. At least it made it into my own blacklist.
Re:
PureVPN probably will suffer a blow. There's no reason for them to not be completely transparent about everything they do. Also, once Lin violated the ToS by using PureVPN to harass somebody, PureVPN had no obligation to protect his privacy.
Re:
Those logs only answer the question of whether a person was using the VPN at the times that other logs showed a connection from the VPN, but nobody can start with the VPN logs and work out where you went on the Internet. So without a suspect, and without activity recorded elsewhere, those logs do not give away anything more than that you were online at a given time from a given IP address.
Re: Re:
There was a story a couple years back where a university student used TOR to email a bomb threat to cancel an exam. The university checked their logs, and only one person on campus was using TOR. He was arrested.
Re: Re:
In other words, the VPN logs only contained metadata.
This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.
More details
For example, PureVPN's privacy policy clearly states: "Since PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity."
There is more in the privacy policy about what they do log, which is connection time (which is tied to the user's account) and their bandwidth usage for "quality of service" reasons.
Re: Re: More details
PureVPN bans the use of their service for harassing others, for obscenity, to get around geoblocks, spamming, pirating, crawling websites, etc...
Re: Re: Re: Re: More details
So what's the point? Well, I use a similar service for when I'm connecting from a public WiFi hotspot or a hotel room. When AT&T was collecting the browsing habits of their customers, I can imagine some would choose to use a VPN for privacy reasons. Likewise, it was a good way to get away from Verizon's super cookies.
Re: Re: More details
Still, if you are trusting your privacy and security to a third party, you should do your research. I don't trust my privacy and security to my ISP, so I didn't bother to read their privacy policy. I know they'd be happy to sell anything and everything about me to anyone willing to pay.
https://www.techdirt.com/articles/20151118/09211632855/daily-deal-purevpn-subscription.shtml
Re:
That very ad even says "The products featured do not reflect endorsements by our editorial team."
Re: Re:
If I could adblock them altogether, I would.
PureVPN was recommended by TechDirt
Were you guys kidding?
Re: Re: PureVPN was recommended by TechDirt
I'm not really upset, I just think TD should have been upfront that they once recommended them.
Re: Re: Re: PureVPN was recommended by TechDirt
This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).
VPNs are not one-size-fits-all.
PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.
If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.
Re: Re: Re: Re: PureVPN was recommended by TechDirt
That's against PureVPN's terms of service.
Whether or not logs have to be kept depends on what country a server is located in. If he had used a server in a country where server logs are not mandated by law, they would not have caught him, since PureVPN and other VPN companies only have to follow the laws of the country where the SERVER is located.
This is why some want to ban VPNs: the USA cannot force a VPN company to log on a server in a country where the laws there do not require logging.
the amusing thing to me is people thinking this company is the only one to do this. consider this example as industry standard. if you blacklist this provider, blacklist them all.
if you really want to be free of oversight, follow bin laden's example except don't build a big house in an area of small houses. i.e., if you have any connectivity at all to the rest of the known universe, you are a sitting duck along with the rest of us. behave accordingly.
"companies looking to collect and sell every shred personal data that's not nailed down"
But where's your "of" in that phrase?
Then, how do you "nail down" data? You're mis-using one of my faves. It's physical context that gives meaning.
You even violate Techdirt usage, that data has no "owner" and is infinitely duplicable with no possible loss to anyone.
Re: "companies looking to collect and sell every shred personal data that's not nailed down"
Iron Law: Any time that corporations get information that can be sold, it will be. Corporations are solely to gain money. Yes, I know I'm beyond minion's text: point is that little tidbits like this show that ALL you're told about "privacy" on teh internets is sheer hooey. You have no assurance and no control over what corporations are doing, yet still blindly trust.
Corporations offering services to "hide" are likely the MOST selling you out to "intelligence services", or even a front.
Re: Re: "companies looking to collect and sell every shred personal data that's not nailed down"
Have a DMCA vote. Brought to you by your favorite corporations!
Very informational piece
Re:
First, if you're using a VPN service from a different country, the FBI doesn't have as much influence.
If the company is in the US, the VPN service pretty much has to comply if they are able. If they can comply and they don't want to, they have to fight the court order. This has happened in the past when the court order is overly broad. For example, they shouldn't comply with an order asking for all users to be monitored.
If they can't comply with the court order, they better have a pretty good reason and a lawyer ready to present that argument to a cranky judge.
Re:
If and when I ever get the VPN service going that I would like to start someday, I will ONLY comply with the laws of whatever country a server is in. I will only recognise court orders from that country, and no other, and if the Feds don't like that, they can just KISS my ASS.
For example, I will never recognise US jurisdiction over a server in Australia. Unless they get an order from an Australian court, they can just go take a long walk off a short pier. For servers in Australia, I will ONLY comply with Australian authorities, and if the United States government does not like that, they can just go #&$*(#&(*$ themselves.
VPNs are a tool. Tools can build or destroy. You can't only look at the broken window while ignoring the entire house that was built with the same tools.
Sooner or later law enforcement will win the arms race, probably by limiting freedom for all.
See what's happening with copyright.
This is why...
Re: This is why...
Also, whatever server farm your VPN is at, you better be sure the colocation you are using allows VPNs. I know that HostGator, for sure, does not allow people using its services to run a VPN.
I know this because when I used to run an online radio station, I had a problem user on my website and its associated forums who just would not get the message that he was not welcome on my site, and when he circumvented the ban on him once, coming via HostGator, I raised hell about it, and HostGator terminated the account of the person who was running a proxy service using their server facilities.
With the company I want to start, the policy will be that when any employee leaves, that computer will be wiped with a program like CyberScrub or KillDisk before Windows gets reinstalled, so that anything illegal that employee might have done while working for me will not come back to haunt the company.
This will prevent the Feds from being able to recover anything that might get myself, or anyone in the company, sued or prosecuted for what that person might have done while working for me.
It will be the policy, when an employee leaves the company, to completely wipe the hard disk on any company computer or computers that person had access to, and then the operating system and all programs get reinstalled.
If the Feds don't like what my company policies will be when an employee working for me leaves, they can just KISS my effing ASS.
Pure VPN has servers in San Francisco, and Los Angeles. If California secedes, they would no longer be subject to any warrants issued in the remaining United States.
Actually, if California does secede, the Feds will also not be able to enforce SESTA, if it becomes law, on several Internet giants, as their servers will be in California, and law enforcement in the remaining United States will no longer have jurisdiction over them. Google, Facebook, CloudFlare, Apple, and YouTube are examples of California-based companies that will be able to say "kiss my ass" to the Feds, should California become an independent nation, and there is NOTHING that the United States Government will be able to do about it.
There will be no way to enforce SESTA, for example, on these companies, if California should break away from the United States. Since they would no longer be US companies, they would no longer have to comply with US laws.
Here's what truly got this cyberstalker caught...