Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com)
An anonymous reader writes:
"VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
VPNs aren't meant to keep people anonymous.
Yes, this is exactly correct. VPNs don't disguise endpoints or decorrelate access times.
Personally, I use a VPN solely so that I don't have to worry quite as much when I'm connecting through WiFi access points that I don't control (open access points, workplace WiFi, etc.).
I'm not even trying to hide from my ISP (since, at some point, my datastream is going to be exposed to an ISP anyway -- at least this way, I know which one I'm exposed to). So, I don't use a third party VPN. I run my own VPN server, and my devices all use that.
Security is always a tradeoff, and others may not find this one acceptable for their situation and preferences. But it works for me.
My favorite definition of "virtual" is one I got in an advertising class talking about meaningless advertising words. Whenever you see "virtual", you can mentally replace it with "not in fact".
VPN services are nice if you want to pretend to be in another geographic location, but the claims of security are pure marketing. Incidentally, anybody that cares to find out knows that. And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them. Lavabit is an extremely rare exception (and just did anonymous email, not VPN) and it can be seen nicely in their case what happens after such a "no". The CEO is lucky to not end up in prison.
At this time, the only VPN service with actual security is Tor and even there, your anonymity can be compromised by attacks on the client or making a mistake while using it. And, of course, a large-scale traffic analysis can break even Tor. The thing with Tor is however, that nobody that can break it will admit so for a mere cyberstalking case. It would have to be something really, really large for anybody to admit that they can compromise Tor itself.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.
The internet is not anonymous. Never has been, never will be unless the fundamental nature of it is changed, which will destroy the internet. The only thing that gives a person any sense of anonymity is the degree of the crime, and how badly they want to find you.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.