18th of October 2017




Did PureVPN Cross the Line?

"VPN logs helped unmask alleged 'net stalker" is an alarming headline, as the whole point of using a virtual private network is to surf unnoticed.

But as The Register reports, that's what happened with a man named Ryan Lin, who was arrested for cyberstalking his former roommate in part because Lin's VPN provider, PureVPN, assisted the feds in their investigation by handing over logs. That sounds bad, but in this case at least, PureVPN appears to have acted within its stated privacy policy. You can still trust VPNs as much as you ever did.

Opinions

First, let me be clear: Lin's alleged behavior is gross. He reportedly went to enormous lengths to harass and demoralize a woman. The police partnering with technology companies to arrest him is an example of the system working, and the fact that he was arrested shows how far we've come in regarding online activities as actual crimes. Just a few years ago, doxxing someone wouldn't have been included in a list of vile criminal activities. I hope anyone who would emulate his actions thinks better of it as a result.

With that aside, it seems clear that this man would have been arrested without the information acquired from PureVPN. The Register reports:

"The complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he'd been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith."

The report doesn't go into detail about what information was recovered from Lin's work computer, but its involvement is significant. Security researchers are always quick to point out that if you can obtain the target's device, you've effectively won.

Here's what The Register says investigators received from PureVPN:

"'Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses,' claim the Feds (allegedly, those IP addresses were at Lin's work and home addresses)."

It's easy to read that and assume that PureVPN, and perhaps all VPN companies, are monitoring users' activities and are willing to hand over logs to investigators. But I don't believe that's the case. To me, this sounds like PureVPN simply confirmed that its service was logged into by the same customer at two different IP addresses. Many VPNs record information about users' origins, usually for data routing reasons.

The article also says "records from PureVPN show that the same email accounts [...] were accessed from the same WANSecurity IP address." That's more opaque, but it doesn't sound like confirmation that PureVPN is monitoring user behavior. At most, PureVPN shared the originating IP address (the address the man connected from) and the IP address of the VPN server that user was using.

In its privacy policy, PureVPN says a few important things.

"We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service."

PureVPN's privacy policy makes two things clear. First, that the company does collect email addresses (it's part of your login and the company's billing system). It is not really a "no log" policy and makes no claim to be. It gathers information about connections on its network, but not the content of user activities. Second, the company appears to have information about which of its servers are accessed by customers.

PureVPN's privacy policy also has this to say on the subject of cooperating with investigations:

“PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity. [...] When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific information about that specific activity only, provided we have the record of any such activity.”

In short, PureVPN will work with investigators who present them with a valid warrant. After assessing the warrant internally, PureVPN will decide whether or not to comply. It also says that it will only hand over information it has on hand—not that it will allow its networks to be used to spy on alleged criminals. Importantly, PureVPN is based in Hong Kong. For VPN users, this is actually pretty good because Hong Kong has no data retention laws, freeing PureVPN to decide what to store and for how long.

I'm not a legal expert, but it seems significant that a China-based company complied with American investigators. It suggests to me that the company cooperated based on the investigation's merits and was not legally obliged to do so, but that's speculation on my part.

To me, this sounds a lot like metadata. It's the date and time of the connection, and likely some information about the entering and exiting IP addresses. It is not, importantly, information about where users went from there. That means investigators had to get that information elsewhere and matched it up to whatever information was obtained from PureVPN.

None of this is to downplay the importance of metadata. The mass metadata collection by the NSA was offensive because of its scale and the fact that innocent people were affected. That doesn't seem to be the case here.

Are VPNs Trustworthy?

Make no mistake: When you use a VPN, you are trusting them with unprecedented access to your information. This is why I take it very seriously when a VPN company is accused of, or is, tampering with user data as it passes through the company's system. This is also why it's so important to read a company's privacy policy. If you can't find it or it's so complicated as to be unreadable, that company may not be worth your time. A privacy policy is just words, of course, but we have to start somewhere.

It's also very important to remember that no security tool is a magic bullet, and that a targeted attack or investigation will almost always be successful. VPNs are best at protecting your data from being intercepted on your local network and preventing your information from being swept in mass surveillance efforts. If investigators are already looking at you as a suspect, and have access to other evidence, these protections are already moot.

In the case of PureVPN, it doesn't appear that the company breached the trust of its users — not even Lin, who was allegedly using the service for criminal acts. I will be reaching out to the company for clarification (and will update as necessary), but to me this sounds like a best-case scenario. A criminal, a specific individual, was targeted for investigation, and a technology company handed over the limited information it had.

I don't want to come off as purely a PureVPN defender. Rather, I want a modicum of calm and understanding around security tools. The internet was not built with privacy and security in mind, which puts the onus on users to protect themselves. We can't be afraid of these tools, and we all must learn what they do, and how to best put them to use.
