Logging practices at VPN providers are in the spotlight again, after PureVPN’s records were used to help arrest a U.S. man for stalking. That’s despite the company claiming not to keep logs or monitor what its customers do online.
VPNs, or virtual private networks, “tunnel” users’ internet connections through a different IP address, usually in another country. They’re useful for those bypassing local censorship or content restrictions, and ostensibly to make browsing more private.
Alleged Stalker’s Browsing Not as Private as He Thought
Ryan Lin, 24 of Massachusetts, got a harsh dose of reality when police arrested him for allegedly stalking his former roommate, Jennifer Smith (also 24).
Court documents quoted “records from PureVPN” that appeared to note logins from Lin’s Gmail address and the IP addresses he accessed their services from. There were two — which happened to be Lin’s home and workplace.
However that last sentence could be key — Lin’s IP would be visible to PureVPN at the moment he logged in, and the company appears to have retained that information. The policy adds that it collects information “including but not limited to” names, email addresses and phone numbers (for some countries).
Hong Kong-based PureVPN says it is located there “because there are No Mandatory Data Retention Laws” there. Notably, its policy also states:
Since PureVPN is committed to freedom, and doesn’t support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity. It goes without saying that we will only do so in the best interest of our customers and our company.
What Crimes Are ‘Bad’ Enough for VPNs to Provide Logs?
TNW pointed out that Lin is accused of some pretty creepy cyberstalking activities. He allegedly accessed a P2P pet-sitting service his former roommate belonged to, sending messages to owners that their pets were dead. Other allegations include posting Smith’s sexually explicit photos and private journal entries online, and creating profiles in her name on a BDSM site.
If proven, Lin’s case probably fits PureVPN’s description of one requiring cooperation with authorities.
But that raises the question: Can a VPN provider decide whether a crime is heinous enough to warrant cooperation with law enforcement, or minor enough to ignore? Doing the latter may risk a legal fight with a foreign government authority.
European countries have some strict speech regulations, with some residents facing jail over social media posts classified as “hate speech”. The U.K. recently announced plans to jail people for up to 15 years simply for accessing “extremist political content”.
VPNs Often Suspected of Keeping Logs
The differences between connection and usage logs, data retention times and subtle wording of privacy policies can make a big difference — as Lin found to his detriment. Experienced netizens have long suspected most, if not all, VPN providers keep some kind of log. But how accurate is that?
Every year, website TorrentFreak sends a list of 12 questions pertaining to VPN user logs. The questions are designed specifically to get around clever policy wording. It then publishes the companies’ responses.
Top responder is Private Internet Access(PIA), which claims “We do not store logs relating to traffic, session, DNS or metadata. In other words, we do not log, period. Privacy is our policy.”
Indeed, PIN posted a short statement about this, right after Lin’s case became known:
Bitsonline asked Private Internet Access’ Caleb Chen for his thoughts. As well as pointing us to the statement above, he referred to a news item from March 2016 — where an FBI subpoena sent to the company turned up “no useful data”.
“That is what is supposed to happen if the VPN provider doesn’t have logs,” Chen said.
Ways to Make VPNs (Slightly) More Private
Whatever the details a VPN company retains, customers can add a degree of extra anonymity (though not a fail-safe one) by registering with one-off email addresses. Many VPN providers also accept bitcoin as payment, removing any direct identity link to the account.
Many users leave extensive data trails of their online activities though, and even experienced and security-conscious people occasionally blunder.
Images via Private Internet Access, Pixabay, PublicDomainPictures.net