Did PureVPN Cross the Line?
"VPN logs helped unmask alleged 'net stalker" is an alarming headline, as the whole point of using a virtual private network is to surf unnoticed.
But as The Register reports, that's what happened with a man named Ryan Lin, who was arrested for cyberstalking his former roommate in part because Lin's VPN provider, PureVPN, assisted the feds in their investigation by handing over logs. That sounds bad, but in this case at least, PureVPN appears to have acted within its stated privacy policy. You can still trust VPNs as much as you ever did.
First, let me be clear: Lin's alleged behavior is gross. He reportedly went to enormous lengths to harass and demoralize a woman. The law partnering with technology companies to arrest him is an example of the system working, and the fact that he was arrested shows how far we've come in regarding online activities as actual crimes. Just a few years ago, doxxing someone wouldn't have been included in a list of vile criminal activities. I hope anyone who would emulate his actions thinks better of it as a result.
With that aside, it seems clear that this man would have been arrested without the information acquired from PureVPN. The Register reports:
"The complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he'd been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith."
The report doesn't go into detail about what information was recovered from Lin's work computer, but its involvement is significant. Security researchers are always quick to point out that if you can obtain the target's device, you've effectively won.
Here's what The Register says investigators received from PureVPN:
"'Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses,' claim the Feds (allegedly, those IP addresses were at Lin's work and home addresses)."
It's easy to read that and assume that PureVPN, and perhaps all VPN companies, are monitoring users' activities and are willing to hand over logs to investigators. But I don't believe that's the case. To me, this sounds like PureVPN simply confirmed that its service was logged into by the same customer at two different IP addresses. Many VPNs record information about users' origins, usually for data routing reasons.
The article also says "records from PureVPN show that the same email accounts [...] were accessed from the same WANSecurity IP address." That's more obtuse, but it doesn't sound like confirmation that PureVPN is monitoring user behavior. At most, PureVPN shared the originating IP address, the address the man connected from, and the IP address of the VPN server that user was using.
In its privacy policy, PureVPN says a few important things.
"We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a 'connection' and the total bandwidth used during this connection is called 'bandwidth'. Connection and bandwidth are kept in record to maintain the quality of our service."
PureVPN's privacy policy makes two things clear. First, that the company does collect email addresses (it's part of your login and the company's billing system). It is not really a "no log" policy and makes no claim to be. It gathers data about connections on its network, but not the content of user activities. Second, the company appears to have information about which of its servers are accessed by customers.
PureVPN's privacy policy also has this to say on the subject of cooperating with investigations:
"PureVPN is committed to freedom, and doesn't support crime, we will only share information with government having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such action. [...] When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific data about that specific activity only, provided we have the record of any such action."
In short, PureVPN will work with investigators who present them with a valid warrant. After assessing the warrant internally, PureVPN will decide whether or not to comply. It also says that it will only hand over information it has on hand, not that it will allow its networks to be used to spy on alleged criminals. Importantly, PureVPN is based in Hong Kong. For VPN users, this is actually pretty good because Hong Kong has no data retention laws, freeing PureVPN to decide what to store and for how long.
I'm not a legal expert, but it seems significant that a China-based company complied with American investigators. It suggests to me that the company cooperated based on the investigation's merits and was not legally obliged to do so, but that's speculation on my part.
To me, this sounds a lot like metadata. It's the date and time of the connection, and likely some information about the inbound and exiting IP addresses. It is not, importantly, information about where users went from there. That means investigators had to get that data elsewhere and match it up to whatever information was obtained from PureVPN.
None of this is to downplay the importance of metadata. The mass metadata collection by the NSA was offensive because of its scale and the fact that innocent people were affected. That doesn't seem to be the case here.
Are VPNs Trustworthy?
Make no mistake: When you use a VPN, you are trusting them with unprecedented access to your information. This is why I take it very seriously when a VPN company is accused of, or is, tampering with user data as it passes through the company's system. This is also why it's so important to read a company's privacy policy. If you can't find it or it's so complicated so as to be unreadable, that company may not be worth your time. A privacy policy is just words, of course, but we have to start somewhere.
It's also very important to remember that no security tool is a magic bullet, and that a targeted attack or investigation will almost always be successful. VPNs are best at protecting your data from being intercepted on your local network and preventing your information from being swept up in mass surveillance efforts. If investigators are already looking at you as a suspect, and have access to other evidence, these protections are already moot.
In the case of PureVPN, it doesn't appear that the company breached the trust of its users, not even Lin, who was allegedly using the service for criminal acts. I will be reaching out to the company for clarification (and will update as necessary), but to me this sounds like a best-case scenario. A criminal, a specific individual, was targeted for investigation, and a technology company handed over the limited information it had.
I don't want to come off as purely a PureVPN defender. Rather, I want a modicum of calm and understanding around security tools. The internet was not built with privacy and security in mind, which puts the onus on users to protect themselves. We can't be afraid of these tools, and we all must learn what they do, and how to best put them to use.
Source: https://sea.pcmag.com/opinion/17816/did-purevpn-cross-the-line
Posted by: collinsjamet1980.blogspot.com
