Failures

by Karl Bode


Filed Under:
doj, logs, privacy, ryan lin, vpn

Companies:
purevpn



Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False

from the privacy-panacea dept

When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea: in many instances you're simply shifting the potential for abuse from your ISP to a VPN provider that may not actually offer the privacy it claims.

Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior:

"PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities."

But when the Department of Justice announced last Friday it had arrested a Massachusetts man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. According to the DOJ complaint (pdf), the man in question engaged in a “multi-faceted campaign of computer hacking and cyberstalking”:

"It is alleged that Lin engaged in an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her. Lin, the victim’s former roommate, allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history. It is alleged that Lin then distributed the victim’s private photographs and diary entries to hundreds of others. "

Lin had apparently used Tor, PureVPN, and other tools to try to obscure his online footprints. In this instance, authorities appear to have already had enough conventional, offline evidence against Lin to build a case, but data from the logs PureVPN supposedly doesn't collect helped contribute to the case against him:

"An affidavit submitted by Special Agent Jeffrey Williams in support of the criminal complaint against Lin provides most of the answers....“Artifacts indicated that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer,” the affidavit reads. From here the Special Agent’s report reveals that the FBI received cooperation from Hong Kong-based PureVPN.

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.

It should go without saying that Lin's alleged behavior is abhorrent. That said, the case serves as an example of how the promises most VPNs make about not keeping logs can't really be trusted. The company's users would have noticed as much if they'd dug a little deeper into the VPN's privacy policy, which details how the Hong Kong company does store IP addresses as well as connection duration, time and date. That is not the content of your traffic or the sites you visit, but it is exactly the connection metadata needed to tie an account to the addresses it connected from and the times it was online, which is what the affidavit describes PureVPN doing. Ironically, Lin had taken to Twitter not that long ago to acknowledge that VPN promises on this front often aren't worth all that much:

"There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”

Few will shed a tear over a stalker not heeding his own privacy and security advice. But as VPNs are also used by political dissidents, reporters, and millions of security-conscious individuals, it's worth remembering that the technology isn't the magic fairy privacy dust it's often portrayed as in media reports. And VPNs are not, as ISP lobbyists have claimed, a panacea for the slow but steady erosion of online privacy protections by companies looking to collect and sell every shred of personal data that's not nailed down.
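The attribution step the affidavit describes, as an added example that is not part of the original article and is not PureVPN's code: timing correlation of "connection-only" session records (account, originating IP, exit IP, start and end time) against the log kept by the victim's account provider. The log layouts, account identifiers, IP addresses (RFC 5737 documentation ranges) and every log line below are constructed for illustration; the script also handles the two awkward cases a real investigation hits, a shared exit address that matches several customers at once, and an event that no VPN session explains at all.

```python
"""Timing correlation of 'connection-only' VPN session records against a target's log."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    account: str
    origin_ip: str   # the customer's real address (home ISP, employer, ...)
    exit_ip: str     # shared VPN server address that remote sites see


@dataclass(frozen=True)
class Event:
    when: datetime
    src_ip: str      # address the target saw: a VPN exit if the actor used one
    action: str


def _ts(s: str) -> datetime:
    # ISO-8601 UTC; fromisoformat() wants '+00:00' rather than 'Z' on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed VPN session log (assumed layout): start,end,account,origin_ip,exit_ip.
# It records nothing about where a session went; it is exactly the "connection time,
# IP address, duration" that a "NO activity logs" policy still admits to keeping.
VPN_SESSION_LOG = """\
2017-04-03T13:02:11Z,2017-04-03T15:40:52Z,acct-1187,203.0.113.44,198.51.100.7
2017-04-03T13:30:00Z,2017-04-03T14:30:00Z,acct-2290,192.0.2.99,198.51.100.7
2017-04-05T09:15:30Z,2017-04-05T17:01:02Z,acct-1187,203.0.113.120,198.51.100.9
2017-04-05T10:00:00Z,2017-04-05T11:00:00Z,acct-3031,192.0.2.150,198.51.100.9
2017-04-06T21:00:00Z,2017-04-06T23:00:00Z,acct-2290,192.0.2.99,198.51.100.7
2017-04-06T21:30:00Z,2017-04-06T23:30:00Z,acct-1187,203.0.113.44,198.51.100.7
"""

# Constructed log from the victim's account provider (assumed layout): timestamp,src_ip,action.
# The last line is a direct connection from an address that is not a VPN exit at all.
TARGET_EVENT_LOG = """\
2017-04-03T14:10:05Z,198.51.100.7,login_success
2017-04-05T10:30:44Z,198.51.100.9,password_reset
2017-04-06T22:00:00Z,198.51.100.7,login_success
2017-04-07T08:00:00Z,192.0.2.200,login_failure
"""


def parse_sessions(text: str) -> List[Session]:
    rows = [l.split(",") for l in text.splitlines() if l.strip()]
    return [Session(_ts(a), _ts(b), acct, o, e) for a, b, acct, o, e in rows]


def parse_events(text: str) -> List[Event]:
    rows = [l.split(",") for l in text.splitlines() if l.strip()]
    return [Event(_ts(t), ip, act) for t, ip, act in rows]


def candidate_accounts(event: Event, sessions: List[Session]) -> Set[str]:
    """Accounts holding a session on the exit IP the target saw, at the moment it saw it.
    Exits are shared, so one event usually yields several customers; that ambiguity is
    what looking at more than one event removes."""
    return {s.account for s in sessions
            if s.exit_ip == event.src_ip and s.start <= event.when <= s.end}


def attribute(events: List[Event], sessions: List[Session]) -> Dict[str, object]:
    """Intersect the per-event candidate sets. Events with no matching session (direct
    connection, another provider) are reported separately rather than being allowed to
    empty the intersection."""
    per_event: List[Tuple[Event, List[str]]] = []
    unexplained: List[Event] = []
    suspects: Optional[Set[str]] = None
    for ev in events:
        cands = candidate_accounts(ev, sessions)
        per_event.append((ev, sorted(cands)))
        if not cands:
            unexplained.append(ev)
            continue
        suspects = cands if suspects is None else suspects & cands
    suspects = suspects or set()
    # Every origin address the surviving account ever connected from: the affidavit's
    # "same customer from two originating IP addresses" is exactly this join.
    origins = {a: sorted({s.origin_ip for s in sessions if s.account == a}) for a in suspects}
    return {"accounts": suspects, "origin_ips": origins,
            "per_event": per_event, "unexplained": unexplained}


def run_example() -> Dict[str, object]:
    return attribute(parse_events(TARGET_EVENT_LOG), parse_sessions(VPN_SESSION_LOG))


if __name__ == "__main__":
    result = run_example()
    for ev, cands in result["per_event"]:
        print(f"{ev.when.isoformat()} {ev.action:<15} from {ev.src_ip:<14} candidates={cands}")
    print("account(s) consistent with every VPN-routed event:", sorted(result["accounts"]))
    print("originating IPs for those accounts:", result["origin_ips"])
    print("events not explained by any session:", len(result["unexplained"]))
```

Each single event matches two customers because they share an exit address, yet the intersection over three events leaves one account, and the join back to the session table yields its two originating addresses. Nothing in the input says what was done through the tunnel; the provider only has to answer "who was on this exit at this time", which is the point the commenters below make about metadata.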


Reader Comments



  • Ninja (profile), 10 Oct 2017 @ 6:17am

    VPNs can be a very important tool though. And you can build your own dedicated stuff if you don't trust any of the commercial ones.

    In any case, PureVPN may suffer a blow now that people can't trust what it says anymore. At least it made it into my own blacklist.

    • Anonymous Coward, 10 Oct 2017 @ 7:01am

      Re:

      VPNs don't make you anonymous, they just hide your activities from your ISP and other parties that are between your computer and the VPN provider.

      PureVPN probably will suffer a blow. There's no reason for them to not be completely transparent about everything they do. Also, once Lin violated the ToS by using PureVPN to harass somebody, PureVPN had no obligation to protect his privacy.

    • Anonymous Coward, 10 Oct 2017 @ 7:33am

      Re:

      The VPN logs only showed when he was online, and from what IP addresses, and at what times. He was connected to his victims from their records that pointed back to his VPN. Note, the VPN could not give away where he had been on the Internet. So it looks like the VPN could not give away where on the net he went, but only allow a backtrack to him from other peoples logs giving times and what IP connected to them.

      Those logs only answer the question of whether a person was using the VPN at the times that other logs showed a connection from the VPN, but nobody can start with the VPN logs and work out where you went on the Internet. So without a suspect, and without activity recorded elsewhere, those logs do not give away anything more than that you were online at a given time from a given IP address.

      • Roger Strong (profile), 10 Oct 2017 @ 8:13am

        Re: Re:

        Likewise your ISP's logs will at least show you connecting to a VPN service or TOR.

        There was a story a couple years back where a university student used TOR to email a bomb threat to cancel an exam. The university checked their logs, and only one person on campus was using TOR. He was arrested.

        • asdffdsa, 10 Oct 2017 @ 11:16am

          Re: Re: Re:

          Tor actually has pluggable transports and bridge nodes for the purpose of hiding a tor connection. One of them tries to make a connection to tor look like a handshake with a google server.

      • sigalrm (profile), 10 Oct 2017 @ 9:29am

        Re: Re:

        The VPN logs only showed when he was online, and from what IP addresses, and at what times.

        In other words, the VPN logs only contained metadata.

        This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.

  • Anonymous Hero, 10 Oct 2017 @ 6:43am

    More details

    I'd recommend you check out the Hacker News comments on the article to get more detail: https://news.ycombinator.com/item?id=15432827

    For example, PureVPN's privacy policy clearly states: "Since PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity."

    There is more in the privacy policy about what they do log, which is connection time (which is tied to the user's account) and their bandwidth usage for "quality of service" reasons.

    • kallethen, 10 Oct 2017 @ 6:56am

      Re: More details

      What this shows is that you should read those privacy policies if you are expecting to rely on them.

      • Anonymous Coward, 10 Oct 2017 @ 7:38am

        Re: Re: More details

        Also, read the terms of service. You have an obligation to adhere to the terms you agree to and if you don't, the VPN service doesn't really have any obligation to protect your privacy.

        PureVPN bans the use of their service for harassing others, for obscenity, to get around geoblocks, spamming, pirating, crawling websites, etc...

        • Anonymous Hero, 10 Oct 2017 @ 7:50am

          Re: Re: Re: More details

          So...then what's the point of PureVPN? To add latency?

          • Anonymous Coward, 10 Oct 2017 @ 11:08am

            Re: Re: Re: Re: More details

            All VPN services that I know of have similar ToS clauses.

            So what's the point? Well, I use a similar service for when I'm connecting from a public WiFi hotspot or a hotel room. When AT&T was collecting the browsing habits of their customers, I can imagine some would choose to use a VPN for privacy reasons. Likewise, it was a good way to get away from Verizon's super cookies.

          • Anonymous Coward, 10 Oct 2017 @ 3:27pm

            Re: Re: Re: Re: More details

            Also circumventing geoblocking, national ISP-level firewalls and mass corporate/state surveillance regimes. Safer P2P. Also businesses need VPNs for secure access to their networks.

    • Ninja (profile), 10 Oct 2017 @ 8:05am

      Re: More details

      But they do use 'no logs' as a marketing strategy, it is (or was, not sure) on their site.

      • Anonymous Hero, 10 Oct 2017 @ 8:37am

        Re: Re: More details

        Yes, I agree, they were misleading, especially by specifically emphasizing NOT keeping logs with an upper-case NOT.

        Still, if you are trusting your privacy and security to a third party, you should do your research. I don't trust my privacy and security to my ISP, so I didn't bother to read their privacy policy. I know they'd be happy to sell anything and everything about me to anyone willing to pay.

  • Anonymous Coward, 10 Oct 2017 @ 7:08am

    • wereisjessicahyde (profile), 10 Oct 2017 @ 9:26am

      Re:

      Techdirt doesn't recommend anything.

      That very ad even says "The products featured do not reflect endorsements by our editorial team."

      • Anonymous Coward, 10 Oct 2017 @ 2:18pm

        Re: Re:

        The second I read "The products featured do not reflect endorsements by our editorial team." I ignored them as a matter of course.

        If I could adblock them altogether, I would.

  • Jordan Chandler, 10 Oct 2017 @ 7:13am

    PureVPN was recommended by TechDirt

    I’m pretty sure I bought a lifetime subscription to PureVPN because it was recommended by TechDirt

    Were you guys kidding ?

    • Anonymous Coward, 10 Oct 2017 @ 7:57am

      Re: PureVPN was recommended by TechDirt

      I would have recommended PureVPN too if they said they don't keep logs. Personally, I think you should sue PureVPN for your money back if the goal was complete privacy. It will probably be harder to sue if it was in the contract you agreed to, but you should still have some standing if it was different than what was advertised. If it was for other reasons, then PureVPN was doing its job as intended.

      • Jordan Chandler, 10 Oct 2017 @ 8:11am

        Re: Re: PureVPN was recommended by TechDirt

        Fortunately, I just use it for hiding from my ISP and not for privacy.

        I'm not really upset, I just think TD should have been upfront that they once recommended them.

        • sigalrm (profile), 10 Oct 2017 @ 9:52am

          Re: Re: Re: PureVPN was recommended by TechDirt

          Fortunately, I just use it for hiding from my ISP and not for privacy.

          This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).

          VPN's are not one-size-fits-all.

          PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.

          If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.

          • Anonymous Coward, 10 Oct 2017 @ 11:10am

            Re: Re: Re: Re: PureVPN was recommended by TechDirt

            > want to watch the newest episode of the Orville from a geo-restricted IP address

            That's against PureVPN's terms of service.

    • Ninja (profile), 10 Oct 2017 @ 8:21am

      Re: PureVPN was recommended by TechDirt

      They did advertise 'no logs' and you had good reviews in other places. Besides TD doesn't choose themselves, it's another system. They try to keep it relevant to the audience though and there were points where they removed deals in the past.

    • Anonymous Coward, 10 Oct 2017 @ 2:20pm

      Re: PureVPN was recommended by TechDirt

      Why would you buy *anything* based solely on a recc' that was actually just a glorified advertisement?

  • Anonymous Coward, 10 Oct 2017 @ 7:17am

    It depends on what countries the servers he used are in. If the servers are in the UK, Canada, NZ, Russia, or Australia, the VPN company has to keep logs on those servers.

    Whether or not logs have to be kept depends on what country a server is located in. If he had used a server in a country where server logs are not mandated by law, they would not have caught him, since PureVPN and other VPN companies only have to follow the laws of the country where the SERVER is located.

    This is why some want to ban VPNs: the USA cannot force a VPN company to log on a server in a country where the laws there do not require logging.

  • Anonymous Coward, 10 Oct 2017 @ 7:24am

    the amusing thing to me is people thinking this company is the only one to do this. consider this example as industry standard. if you blacklist this provider, blacklist them all.

    if you really want to be free of oversight, follow bin laden's example except don't build a big house in an area of small houses. ie, if you have any connectivity at all to the rest of the known universe, you are a sitting duck along with the rest of us. behave accordingly.

  • Anonymous Coward, 10 Oct 2017 @ 8:05am

    "companies looking to collect and sell every shred personal data that's not nailed down"

    In short, "googles".

    But where's your "of" in that phrase?

    Then, how do you "nail down" data? You're mis-using one of my faves. It's physical context that gives meaning.

    You even violate Techdirt usage, that data has no "owner" and is infinitely duplicable with no possible loss to anyone.

    • Anonymous Coward, 10 Oct 2017 @ 8:06am

      Re: "companies looking to collect and sell every shred personal data that's not nailed down"

      Since when has Techdirt been worried about privacy on teh internets? ... Right, ONLY when it's not the biggest violators, you-know-which mega-corps.

      Iron Law: Any time that corporations get information that can be sold, it will be. Corporations are solely to gain money. Yes, I know I'm beyond minion's text: point is that little tidbits like this show that ALL you're told about "privacy" on teh internets is sheer hooey. You have no assurance and no control over what corporations are doing, yet still blindly trust.

      Corporations offering services to "hide" are likely the MOST selling you out to "intelligence services", or even a front.

      • Anonymous Coward, 10 Oct 2017 @ 9:00am

        Re: Re: "companies looking to collect and sell every shred personal data that's not nailed down"

        Like the way you blindly trust the RIAA.

        Have a DMCA vote. Brought to you by your favorite corporations!

      • Anonymous Coward, 10 Oct 2017 @ 11:45am

        Re: Re: "companies looking to collect and sell every shred personal data that's not nailed down"

        Which TOS did you sign when you started using TOR you filthy pirate?

  • Tanuja, 10 Oct 2017 @ 8:37am (comment flagged by the community)

    Very informational piece

    I really loved the way technical information was presented in an easy to understand language. I understood most of the things.

  • Rekrul, 10 Oct 2017 @ 10:08am

    A VPN may not normally log activity, but what happens when the FBI shows up with a warrant ordering them to help the authorities identify one of their users? Sure, they may not have any past logs to help ID the person, but they can't refuse to turn on logging to catch the person the next time he uses the VPN to connect to a specific web site or share a particular file, can they?

    • Anonymous Coward, 10 Oct 2017 @ 1:18pm

      Re:

      The answer to that is complicated.

      First, if you're using a VPN service from a different country, the FBI doesn't have as much influence.

      If the company is in the US, the VPN service pretty much has to comply if they are able. If they can comply and they don't want to, they have to fight the court order. This has happened in the past when the court order is overly broad. For example, they shouldn't comply with an order asking for all users to be monitored.

      If they can't comply with the court order, they better have a pretty good reason and a lawyer ready to present that argument to a cranky judge.

    • Anonymous Coward, 10 Oct 2017 @ 10:13pm

      Re:

      If the servers used are not in the United States, they are not subject to United States jurisdiction.

      If and when I ever get the VPN service going that I would like to start someday, I will ONLY comply with the laws of whatever country a server is in. I will only recognise court orders from that country, and no other, and if the Feds don't like that, they can just KISS my ASS.

      For example, I will never recognise US jurisdiction over a server in Australia. Unless they get an order from an Australian court, they can just go take a long walk off a short pier. For servers in Australia, I will ONLY comply with Australian authorities, and if the United States government does not like that, they can just go #&$*(#&(*$ themselves.

  • That Anonymous Coward (profile), 10 Oct 2017 @ 1:43pm

    *sits back and waits for the ZOMG VPNS ARE THE DEVIL'S PLAYTHINGS brigade*

    VPN's are a tool. Tools can build or destroy. You can't only look at the broken window while ignoring the entire house that was built with the same tools.

  • frank87 (profile), 10 Oct 2017 @ 2:30pm

    Fine law enforcement, but it shows you can't assume you can ignore bad laws because you can circumvent them with tor, bitcoin, vpn etc.
    Sooner or later law enforcement will win the arms race, probably by limiting freedom for all.
    See what's happening with copyright.

  • Anonymous VPN-Maker, 10 Oct 2017 @ 4:27pm

    This is why...

    This is why I made my own VPN and I know exactly what logs it keeps. It costs me about $6 a month and I have 600 Mbps throughput most of the time.

    • Anonymous Coward, 10 Oct 2017 @ 11:23pm

      Re: This is why...

      How did you do that for only $6 a month? I thought you would have to put a server in a server farm and pay a lot of money. How did you roll your own VPN for just $6 a month?

      Also, whatever server farm your VPN is at, you had better be sure the colocation you are using allows VPNs. I know that HostGator, for sure, does not allow people using its services to run a VPN.

      I know this because when I used to run an online radio station, I had a problem user on my website and its associated forums who just would not get the message that he was not welcome on my site, and when he circumvented the ban on him once, coming via HostGator, I raised hell about it, and HostGator terminated the account of the person who was running a proxy service using their server facilities.

  • Anonymous Coward, 10 Oct 2017 @ 11:09pm

    As far as the Feds examining the one computer where he was previously employed, that company needs to have a policy of wiping the computer when an employee leaves.

    With the company I want to start, the policy will be that when any employee leaves, that computer will be wiped with a program like CyberScrub or KillDisk before Windows gets reinstalled, so that anything illegal that employee might have done while working for me will not come back to haunt the company.

    This will prevent the Feds from being able to recover anything that might get myself, or anyone in the company, sued or prosecuted for what that person might have done while working for me.

    It will be the policy, when an employee leaves the company, to completely wipe the hard disk on any company computer or computers that person had access to, and then the operating system and all programs get reinstalled.

    If the Feds don't like what my company policies will be when an employee working for me leaves, they can just KISS my effing ASS.

  • Anonymous Coward, 11 Oct 2017 @ 6:47am

    Here is another issue the Feds will have, if Calexit should pass and California become an independent nation. Some of PureVPN's servers are in California, and will NOT be SUBJECT to US law should California secede and become independent.

    PureVPN has servers in San Francisco and Los Angeles. If California secedes, they would no longer be subject to any warrants issued in the remaining United States.

    Actually, if California does secede, the Feds will also not be able to enforce SESTA, if it becomes law, on several Internet giants, as their servers will be in California, and law enforcement in the remaining United States will no longer have jurisdiction over them. Google, Facebook, CloudFlare, Apple, and YouTube are examples of California-based companies that will be able to say "kiss my ass" to the Feds should California become an independent nation; there is NOTHING that the United States Government will be able to do about it.

    There will be no way to enforce SESTA, for example, on these companies if California should break away from the United States. Since they would no longer be US companies, they would no longer have to comply with US laws.

  • monique, 20 Oct 2017 @ 6:05pm

    Here's what truly got this cyberstalker caught...

    The female victim knew she had no enemies EXCEPT him. When the police asked her who could be harassing her in this manner, his name was tops on the list. And knowing that he had a deep computing background just makes him the top suspect. So all law enforcement had to do is just follow the breadcrumbs.
