Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False

from the privacy-panacea dept

When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn’t need privacy protections, since they could simply use a VPN to fully protect their online activity. But we’ve noted repeatedly that VPNs are not some kind of panacea, and in many instances you’re simply shifting the potential for abuse from your ISP — to a VPN provider that may not actually offer the privacy it claims.

Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior:

“PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That’s why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities.”

But when the Department of Justice announced last Friday it had arrested a Massachusetts man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. According to the DOJ complaint (pdf), the man in question engaged in a “multi-faceted campaign of computer hacking and cyberstalking”:

“It is alleged that Lin engaged in an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her. Lin, the victim’s former roommate, allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history. It is alleged that Lin then distributed the victim’s private photographs and diary entries to hundreds of others.”

Lin had apparently used Tor, PureVPN, and other tools to try to obscure his online footprint. In this instance, authorities seemed to already have enough brick-and-mortar evidence against Lin to build a case, but data from the logs PureVPN supposedly doesn’t collect helped contribute to the case against him:

“An affidavit submitted by Special Agent Jeffrey Williams in support of the criminal complaint against Lin provides most of the answers…. “Artifacts indicated that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer,” the affidavit reads. From here the Special Agent’s report reveals that the FBI received cooperation from Hong Kong-based PureVPN.

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.

It should go without saying that Lin’s alleged behavior is abhorrent. That said, the case serves as an example of how the promises most VPNs make about not keeping logs can’t really be trusted, something the company’s users would have noticed if they’d dug a little deeper into the VPN’s privacy policy, which details how the Hong Kong company does store IP addresses as well as connection duration, time and date. Ironically, Lin had taken to Twitter not that long ago to acknowledge that VPN promises on this front often aren’t worth all that much:

“There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”

Few will shed a tear over a stalker not heeding his own privacy and security advice. But as VPNs are also used by political dissidents, reporters, and millions of security-conscious individuals, it’s worth remembering that the technology isn’t the magic fairy privacy dust it’s often portrayed as in media reports. And VPNs are not, as ISP lobbyists have claimed, a panacea for the slow but steady erosion of online privacy protections by companies looking to collect and sell every shred of personal data that’s not nailed down.

Companies: purevpn


Comments on “Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False”

Anonymous Coward says:

Re: Re:

VPNs don’t make you anonymous, they just hide your activities from your ISP and other parties that are between your computer and the VPN provider.

PureVPN probably will suffer a blow. There’s no reason for them to not be completely transparent about everything they do. Also, once Lin violated the ToS by using PureVPN to harass somebody, PureVPN had no obligation to protect his privacy.

Anonymous Coward says:

Re: Re:

The VPN logs only showed when he was online, and from what IP addresses, and at what times. He was connected to his victims from their records that pointed back to his VPN. Note, the VPN could not give away where he had been on the Internet. So it looks like the VPN could not give away where on the net he went, but only allow a backtrack to him from other peoples logs giving times and what IP connected to them.

Those logs only answer the question of whether a person was using the VPN at the times that other logs showed a connection from the VPN, but nobody can start with the VPN logs and work out where you went on the Internet. So without a suspect, and without activity recorded elsewhere, those logs do not give away anything more than that you were online at a given time from a given IP address.
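A worked illustration of the point this comment makes, added here and not part of the original thread: the provider's record holds only account, originating IP and session times (constructed sample data below, in the shape the affidavit describes), so on its own it names no destinations, yet once a third party's log supplies a VPN exit IP and a timestamp the two can be joined to whichever account was connected at that moment. All function names, field layouts and IP addresses are assumptions made for the example.

```python
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed VPN session log in the shape the affidavit describes: account,
# originating (customer) IP, VPN exit IP, session start and end. Note that no
# destination or URL field exists; the provider's log never records where
# the customer went.
VPN_SESSIONS = [
    ("acct-1234", "203.0.113.7",   "192.0.2.10", "2016-10-05 21:02:00", "2016-10-05 23:40:00"),
    ("acct-1234", "198.51.100.9",  "192.0.2.10", "2016-10-06 09:15:00", "2016-10-06 12:05:00"),
    ("acct-9876", "203.0.113.200", "192.0.2.10", "2016-10-05 22:30:00", "2016-10-06 01:00:00"),
]

# Constructed "other people's logs": a third-party service recorded the VPN
# exit IP it was contacted from and when. These are the only way to tie a
# session to any activity at all.
THIRD_PARTY_HITS = [
    ("192.0.2.10", "2016-10-05 21:30:00"),
    ("192.0.2.10", "2016-10-06 10:00:00"),
]

def accounts_active(sessions, exit_ip, when, slack=timedelta(minutes=2)):
    """Accounts whose session on exit_ip covers `when` (with clock slack)."""
    active = set()
    for account, origin_ip, session_exit, start, end in sessions:
        if session_exit != exit_ip:
            continue
        if parse_ts(start) - slack <= when <= parse_ts(end) + slack:
            active.add((account, origin_ip))
    return active

def correlate(sessions, hits):
    """Intersect the candidate accounts across every third-party sighting.

    Returns (accounts consistent with all sightings, originating IPs seen for
    each). One sighting during overlapping sessions stays ambiguous; several
    sightings usually collapse the set to a single account and its origins."""
    candidates = None
    origins = {}
    for exit_ip, ts in hits:
        active = accounts_active(sessions, exit_ip, parse_ts(ts))
        accounts = {account for account, _ in active}
        candidates = accounts if candidates is None else candidates & accounts
        for account, origin_ip in active:
            origins.setdefault(account, set()).add(origin_ip)
    candidates = candidates or set()
    return candidates, {account: origins[account] for account in candidates}

if __name__ == "__main__":
    who, origins = correlate(VPN_SESSIONS, THIRD_PARTY_HITS)
    print("accounts consistent with all sightings:", who)
    print("originating IPs for those accounts:", origins)
```

With the two sightings above the set collapses to one account seen from two originating addresses, which is exactly the "same customer from two originating IP addresses" finding in the affidavit; a single sighting inside overlapping sessions, or one on an exit the provider never logged, stays unresolved.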

sigalrm (profile) says:

Re: Re: Re:

The VPN logs only showed when he was online, and from what IP addresses, and at what times.

In other words, the VPN logs only contained metadata.

This is a perfect example as to why it’s so disingenuous when the Law Enforcement and Intelligence communities claim it’s no big deal because they’re only collecting metadata and not content.

Anonymous Hero says:

More details

I’d recommend you check out the Hacker News comments on the article to get more detail:

For example, PureVPN’s privacy policy clearly states: “Since PureVPN is committed to freedom, and doesn’t support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity.”

There is more in the privacy policy about what they do log, which is connection time (which is tied to the user’s account) and their bandwidth usage for “quality of service” reasons.

Anonymous Coward says:

Re: Re: More details

Also, read the terms of service. You have an obligation to adhere to the terms you agree to and if you don’t, the VPN service doesn’t really have any obligation to protect your privacy.

PureVPN bans the use of their service for harassing others, for obscenity, to get around geoblocks, spamming, pirating, crawling websites, etc…

Anonymous Coward says:

Re: Re: Re:2 More details

All VPN services that I know of have similar ToS clauses.

So what’s the point? Well, I use a similar service for when I’m connecting from a public WiFi hotspot or a hotel room. When AT&T was collecting the browsing habits of their customers, I can imagine some would choose to use a VPN for privacy reasons. Likewise, it was a good way to get away from Verizon’s super cookies.

Anonymous Hero says:

Re: Re: More details

Yes, I agree, they were misleading, especially by specifically emphasizing NOT keeping logs with an upper-case NOT.

Still, if you are trusting your privacy and security to a third party, you should do your research. I don’t trust my privacy and security to my ISP, so I didn’t bother to read their privacy policy. I know they’d be happy to sell anything and everything about me to anyone willing to pay.

Anonymous Coward says:

Re: PureVPN was recommended by TechDirt

I would have recommended PureVPN too if they said they don’t keep logs. Personally, I think you should sue PureVPN for your money back if the goal was complete privacy. Probably will be harder to sue if it was in the contract you agreed to, but you should still have some standing if it was different than what was advertised. If it was for other reasons then PureVPN was doing its job as intended.

sigalrm (profile) says:

Re: Re: Re: PureVPN was recommended by TechDirt

Fortunately, I just use it for hiding from my ISP and not for privacy.

This is the piece most people miss – they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).

VPN’s are not one-size-fits-all.

PureVPN is probably just fine if you’re trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don’t want Verizon selling your browsing history to a marketing firm.

If you’re planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.

Anonymous Coward says:

It depends on what countries the servers he used are in. If the servers are in the UK, Canada, NZ, Russia, or Australia, the VPN company has to keep logs on those servers.

Whether or not logs have to be kept depends on what country a server is located in. If he had used a server in a country where server logs are not mandated by law, they would not have caught him, since PureVPN, and other VPN companies only have to follow the laws of the country where the SERVER is located.

This is why some want to ban VPNs: the USA cannot force a VPN company to log on a server in a country where the laws there do not require logging.

Anonymous Coward says:

the amusing thing to me is people thinking this company is the only one to do this. consider this example as industry standard. if you blacklist this provider, blacklist them all.

if you really want to be free of oversight, follow bin laden’s example except don’t build a big house in an area of small houses. ie, if you have any connectivity at all to the rest of the known universe, you are a sitting duck along with the rest of us. behave accordingly.

Anonymous Coward says:

"companies looking to collect and sell every shred personal data that's not nailed down"

In short, “googles”.

But where’s your “of” in that phrase?

Then, how do you “nail down” data? You’re mis-using one of my faves. It’s physical context that gives meaning.

You even violate Techdirt usage, that data has no “owner” and is infinitely duplicable with no possible loss to anyone.

Anonymous Coward says:

Re: "companies looking to collect and sell every shred personal data that's not nailed down"

Since when has Techdirt been worried about privacy on teh internets? … Right, ONLY when it’s not the biggest violators, you-know-which mega-corps.

Iron Law: Any time that corporations get information that can be sold, it will be. Corporations are solely to gain money. Yes, I know I’m beyond minion’s text: point is that little tidbits like this show that ALL you’re told about “privacy” on teh internets is sheer hooey. You have no assurance and no control over what corporations are doing, yet still blindly trust.

Corporations offering services to “hide” are likely the MOST selling you out to “intelligence services”, or even a front.

Rekrul says:

A VPN may not normally log activity, but what happens when the FBI shows up with a warrant ordering them to help the authorities identify one of their users? Sure, they may not have any past logs to help ID the person, but they can’t refuse to turn on logging to catch the person the next time he uses the VPN to connect to a specific web site or share a particular file, can they?

Anonymous Coward says:

Re: Re:

The answer to that is complicated.

First, if you’re using a VPN service from a different country, the FBI doesn’t have as much influence.

If the company is in the US, the VPN service pretty much has to comply if they are able. If they can comply and they don’t want to, they have to fight the court order. This has happened in the past when the court order is overly broad. For example, they shouldn’t comply with an order asking for all users to be monitored.

If they can’t comply with the court order, they better have a pretty good reason and a lawyer ready to present that argument to a cranky judge.

Anonymous Coward says:

Re: Re:

If the servers used are not in the United States, they are not subject to United States jurisdiction.

If and when I ever get the VPN service going I would like to start someday, I will ONLY comply with the laws of whatever country a server is in. I will only recognise court orders from that country, and no other, and if the Feds don’t like that, they can just KISS my ASS.

For example, I will never recognise US jurisdiction over a server in Australia. Unless they get an order from an Australian court, they can just go take a long walk off a short pier. For servers in Australia, I will ONLY comply with Australian authorities, and if the United States government does not like it, they can just go #&$(#&($ themselves.

Anonymous Coward says:

Re: This is why...

How did you do that for only $6 a month? I thought you would have to put a server in a server farm, and pay a lot of money. How did you roll your own VPN for just $6 a month?

Also, whatever server farm your VPN is at, you better be sure the colocation you are using allows VPNs. I know that HostGator, for sure, does not allow people using its services to run a VPN.

I know this because when I used to run an online radio station, I had a problem user on my website and its associated forums who just would not get the message that he was not welcome on my site, and when he circumvented the ban on him once, coming via HostGator, I raised hell about it, and HostGator terminated the account of the person who was running a proxy service using their server facilities.

Anonymous Coward says:

As far as the Feds examining the one computer where he was previously employed, that company needs to have a policy of wiping the computer when an employee leaves

With the company I want to start, the policy will be that when any employee leaves, that computer will be wiped with a program like CyberScrub or KillDisk, before Windows gets reinstalled, so that anything illegal that employee might have done while working for me will not come back to haunt the company.

This will prevent the Feds from being able to recover anything that might get myself, or anyone in the company, sued or prosecuted for what that person might have done while working for me.

It will be the policy, when an employee leaves the company, to completely wipe the hard disk on any company computer or computers that person had access to, and then the operating system and all programs get reinstalled.

If the Feds don’t like what my company policies will be when an employee working for me leaves, they can just KISS my effing ASS.

Anonymous Coward says:

Here is another issue the Feds will have, if Calexit should pass, and California becomes an independent nation. Some of PureVPN’s servers are in California, and will be NOT SUBJECT to US law, should California secede and become independent.

PureVPN has servers in San Francisco and Los Angeles. If California secedes, they would no longer be subject to any warrants issued in the remaining United States.

Actually, if California does secede, the Feds will also not be able to enforce SESTA, if it becomes law, on several Internet giants, as their servers will be in California, and law enforcement in the remaining United States will no longer have jurisdiction over them. Google, Facebook, CloudFlare, Apple, and YouTube are examples of California-based companies that will be able to say “kiss my ass” to the Feds, should California become an independent nation; there is NOTHING that the United States Government will be able to do about it.

There will be no way to enforce SESTA, for example, on these companies, if California should break away from the United States. Since they would no longer be US companies, they would no longer have to comply with US laws.

monique says:

Here's what truly got this cyberstalker caught...

The female victim knew she had no enemies EXCEPT him. When the police asked her who could be harassing her in this manner, his name was tops on the list. And knowing that he had a deep computing background just makes him the top suspect. So all law enforcement had to do is just follow the breadcrumbs.
