US Man Arrested After Foreign VPN Provider Hands Over Logs

Jon Southurst
https://bitsonline.com
October 10, 2017

Logging practices at VPN providers are in the spotlight again, after PureVPN’s records were used to help arrest a U.S. man for stalking. That’s despite the company claiming not to keep logs or monitor what its customers do online.

Also read: Xapo Says It Will Support Both Chains After S2X Bitcoin Fork

Join the Bitsonline Telegram channel to get the latest Bitcoin, cryptocurrency, and tech news updates: https://t.me/bitsonline

VPNs, or virtual private networks, “tunnel” users’ internet connections through a different IP address, usually in another country. They’re useful for those bypassing local censorship or content restrictions, and ostensibly to make browsing more private.

Alleged Stalker’s Browsing Not as Private as He Thought

Ryan Lin, 24 of Massachusetts, got a harsh dose of reality when police arrested him for allegedly stalking his former roommate, Jennifer Smith (also 24).

Digital Footprint

Court documents quoted “records from PureVPN” that appeared to note logins from Lin’s Gmail address and the IP addresses he accessed their services from. There were two — which happened to be Lin’s home and workplace.

According to The Next Web, that appears to contradict what PureVPN promises in its privacy policy: “We Do Not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers.”

However that last sentence could be key — Lin’s IP would be visible to PureVPN at the moment he logged in, and the company appears to have retained that information. The policy adds that it collects information “including but not limited to” names, email addresses and phone numbers (for some countries).

Hong Kong-based PureVPN says it is located there “because there are No Mandatory Data Retention Laws” there. Notably, its policy also states:

Since PureVPN is committed to freedom, and doesn’t support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity. It goes without saying that we will only do so in the best interest of our customers and our company.

What Crimes Are ‘Bad’ Enough for VPNs to Provide Logs?

TNW pointed out that Lin is accused of some pretty creepy cyberstalking activities. He allegedly accessed a P2P pet-sitting service his former roommate belonged to, sending messages to owners that their pets were dead. Other allegations include posting Smith’s sexually explicit photos and private journal entries online, and creating profiles in her name on a BDSM site.

If proven, Lin’s case probably fits PureVPN’s description of one requiring cooperation with authorities.

But that raises the question: Can a VPN provider decide whether a crime is heinous enough to warrant cooperation with law enforcement, or minor enough to ignore? Doing the latter may risk a legal fight with a foreign government authority.

European countries have some strict speech regulations, with some residents facing jail over social media posts classified as “hate speech”. The U.K. recently announced plans to jail people for up to 15 years simply for accessing “extremist political content”.

VPNs Often Suspected of Keeping Logs

The differences between connection and usage logs, data retention times and subtle wording of privacy policies can make a big difference — as Lin found to his detriment. Experienced netizens have long suspected most, if not all, VPN providers keep some kind of log. But how accurate is that?

Every year, website TorrentFreak sends a list of 12 questions pertaining to VPN user logs. The questions are designed specifically to get around clever policy wording. It then publishes the companies’ responses.

Top responder is Private Internet Access (PIN), which claims “We do not store logs relating to traffic, session, DNS or metadata. In other words, we do not log, period. Privacy is our policy.”

Indeed, PIN posted a short statement about this, right after Lin’s case became known:

Bitsonline asked Private Internet Access’ Caleb Chen for his thoughts. As well as pointing us to the statement above, he referred to a news item from March 2016 — where an FBI subpoena sent to the company turned up “no useful data”.

“That is what is supposed to happen if the VPN provider doesn’t have logs,” Chen said.

Ways to Make VPNs (Slightly) More Private

Whatever the details a VPN company retains, customers can add a degree of extra anonymity (though not a fail-safe one) by registering with one-off email addresses. Many VPN providers also accept bitcoin as payment, removing any direct identity link to the account.

Many users leave extensive data trails of their online activities though, and even experienced and security-conscious people occasionally blunder.