Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI

An anonymous reader writes: "VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."

Good reminder

[JohnFen]

This is a good reminder that you shouldn't put much faith in the claims made by service providers.

Re:Good reminder

[JohnFen]

That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.

Re:Good reminder

[sdinfoserv]

There NO VPNs beyond the reach of the US spy infrastructure. Those who refuse the private, closed door court room orders are locked up or if they have scruples, just skuddle their products and walk away.
Examples; LavaBit & the original axcrypt

Re:Good reminder

[ganjadude]

trust....but verify

Re:Good reminder

[50000BTU_barbecue]

One website scammed me, so all websites cannot be trusted. Therefore, to show I trust all websites, I shall disable all firewalls.

Re:Good reminder

[JohnFen]

The more you can verify, the less you need to rely on trust. But how do you verify that a VPN provider is well-behaved?

Re:Good reminder

[gweihir]

Service providers routinely have incentives to overstate the quality of their product. Perverted incentives, brought to you by capitalism. End even extreme lies can often stay undetected for a long time, see, e.g. the current nice example with diesel cars. In actual reality, at the very least, a careful check of the plausibility of such claims is necessary and almost universally you find the product is nowhere near as good as claimed. This case here is no exception.

Of course, it is quite possible that the VPN provider in question only started keeping logs after being served with a court-order and may only handed records over that concerned this particular user. But court-orders are easy to get for all kinds of things, so any claims of anonymity from a VPN provider basically is "unless you do anything that is illegal or pisses off people powerful enough".

Re:Good reminder

[HiThere]

It's interesting that you would post that as "Anonymous Coward". I trust you realize that this is not actually anonymous, but only harder to trace.

Slashdot doesn't actually pretend to offer true anonymity. Don't be fooled by the visible handle.

Re:Good reminder

[93+Escort+Wagon]

This is a good reminder that you shouldn't put much faith in the claims made by service providers.

From PureVPN provider's privacy policy (linked in TFS):

"Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain the quality of our service."

These connection logs are what law enforcement used, in conjunction with information pulled from the creep's work computer and from logs obtained from Google (Gmail) and others.

I'm not feeling the outrage.

Re:Good reminder

[fahrbot-bot]

The more you can verify, the less you need to rely on trust. But how do you verify that a VPN provider is well-behaved?

Simple: (a) Register with multiple VPN providers. (b) Make threats against the President using different aliases through different VPNs. (c) See who the Secret Service comes looking for.

Re:Good reminder

[TWX]

Replace "Service providers" with sellers, and it's been accurate since the dawn of humanity.

Anyone selling has incentive to make as much sales as possible, and that includes immoral or dishonest means if those means do not lead to far less sales. For businesses theoretically operating within the law this is why it's important to have groups like the consumer products safety commission and the federal trade commission, because businesses will go through whatever steps are necessary to protect themselves up-to and including hiding their bad behavior from the public to deny the public the ability to do research on them.

For entities that operate in grey-areas of law or illegally, there's generally no good way to verify. Caveat emptor, buyer beware. Hell, that VPN service could even be a wholly-owned subsidiary of the FBI and you could be spending your $7.99 per month to be specifically logged and investigated for everything that you do on the Internet. You don't really have any way of verifying that. And an argument that the FBI facilitated you gaining access to illegal content would probably ring hollow as they did not compel you to do it, you sought to do it and made the mistake of who to trust in the process.

In my opinion the only thing that private VPN services are good for is getting around workplace Internet filtering, to access otherwise-legal things that work may block. But in this day and age with cell phones with data plans, there's no need to incur the risk of being fired if the workplace discovers one circumventing their filtering through their own network on their own computers. Besides, aren't you supposed to be working?

Re:Good reminder

[JohnFen]

I'm not feeling the outrage.

I'm not even upset, let alone outraged.

Re:Good reminder

[gweihir]

I have given up getting exceptions for Internet access via customer laptops (I do IT security consulting). Instead I have an unlimited mobile data-plan and bring my own laptop in addition. This is quite often needed to get the information I need to do my work.

Re:Good reminder

[johanw]

AND you are stupid enough to use a VPN provider in the same country where you piss off the police.

Re:Good reminder

[Ol+Olsoc]

That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.

The internet is not anonymous. Never has been, never will be unless the fundamental nature off it is changed, which will destroy the internet. The only thing that gives a person any sense of anonymity is the degree of the crime, and how badly they want to find you.

Re:Good reminder

[Ol+Olsoc]

I'm not feeling the outrage.

I'm not even upset, let alone outraged.

I'm glad they caught the assole, who is both a criminal, and stupid.

Re:Good reminder

[gweihir]

You probably never heard of Interpol...

Re:Good reminder

[mentil]

So he was found out by metadata? This is perhaps a good reason why govt. should require a warrant to get ahold of it.

Re:Good reminder

[e432776]

Good reminder indeed. Second reminder from this story: Don't be an unmitigated creep and cyber stalker. Jus sayin.

Re: Good reminder

[Ol+Olsoc]

That's true. I use a vpn to help my privacy, but have no expectation that it would help me if i commited a serious crime. If you do, there's a good chance you'll be caught, thankfully.

Yup. Protecting your privacy on line is very sensible. I do what I can also. Where there can be confusion is the concept of of privacy, and anonymity. Some folks get a little confused, thinking that anonymity is privacy. and vice versa.

Re:Good reminder

[Lord+Flipper]

you shouldn't put much faith in the claims made by service providers

Depends on the provider. People need to do some research.

It is not rocket science.

Also, people who are up to clearly nasty behavior also need to make sure they don't start logging into their "normal" sites (facebook, banks, anything connected to GOOG...etc.) while using their vpn. "Shared IPs" might mitigate a bit of risk, but the enemy is perfectly capable of connecting a tagged browser with whatever IP their VPN assigns them.

User Error is at the root of... what? 95% of the fuckups? who knows. I've seen a total of one DMCA-related 'warming' or whatever... since Napster days. Like I said, it isn't rocket science but the onus is clearly on the user to play head's up.

Re:Good reminder

[JohnFen]

People need to do some research.

What can you research that would tell you whether a VPN provider is being forthright about their security practices?

It is not rocket science.

True, it's more like mind-reading or voodoo.

Re:Good reminder

[david_thornley]

No US-based VPN provider is going to protect your privacy against a US search warrant. Not and stay in business, anyway. The only way they can protect the client is to not keep log information. (After the Patriot Act, the American Library Association issued a strong recommendation that libraries not keep any information on who checked out what in the past, all records to be discarded when an item is returned.)

So, you have to know what sort of log data the provider keeps to judge how well the provider will protect your privacy.

Re:Good reminder

[david_thornley]

Perhaps, but search warrants are easy for law enforcement to get given probable cause (and, unfortunately, sometimes easy to get without it).

Re:Good reminder

[Lord+Flipper]

Okay so you're a know-nothing. Congratulations! Meanwhile, I continue to use my VPN, one of 4 that I rotate through, over the last eight years, with zero interference. Just lucky, I guess,, huh, fuckhead?

Get a VPN they said ...

[CaptainDork]

... you'll be anonymous, they said.

I'm bookmarking this article for reference material for the VPN fanbois.

Re:Get a VPN they said ...

[sdinfoserv]

All a VPN really does is prevent your local ISP provider from monetizing your surfing habits. Which is enough for me.

Re:Get a VPN they said ...

[Gravis+Zero]

Get a VPN they said ... you'll be anonymous, they said.

You will be anonymous until the VPN gets a warrant for specific information.

If you want to be entirely anonymous then you will need to set up proxies using multiple hacked IoT devices in nations that will not cooperate.

Re:Get a VPN they said ...

[CaptainDork]

That's all a VPN does for you , which is irrelevant to what Pure VPN says it does for others.

PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .

Emphasis mine.

Re:Get a VPN they said ...

[CaptainDork]

If you want to be entirely anonymous then you will need to set up proxies using multiple hacked IoT devices in nations that will not cooperate.

So say you.

Where do you publish your guarantee, and how do we know you're not outright lying like Pure VPN is?

Re:Get a VPN they said ...

[JohnFen]

Except that, according to TFA, Pure is lying when they say that.

Re:Get a VPN they said ...

[AmiMoJo]

It also forces the security services to actively target you and expend some extra effort to get your data.

In some countries, e.g. the UK, ISPs are required to log and hand over such data pretty much on demand to the police, and of course you have outfits like GCHQ and the NSA doing mass surveillance.

A VPN increases to cost to spy on you from nearly zero to something that will discourage casual snooping and a lot of abuse. It's not perfect but it's a useful line of defence.

Re:Get a VPN they said ...

[Ramze]

VPNs aren't meant to keep people anonymous. They just obscure the origin IP address enough to where an average site may not know for certain who is visiting and law enforcement would have to request account connection details -- time and origin of connection, user name, actual name, length of time of connection, bandwidth usage, etc. Sure, VPNs don't usually record what sites you visit, but the sites themselves keep detailed logs that include the IP address of the VPN used... which in this situation correlates well with the VPN's logs. It's strong evidence, but not proof.

People often don't realize that advertisers love creating profiles of people -- and tracking cookies are great for creating, tracking, and linking profiles so that no matter where one logs in from -- even a VPN -- you can be identified... if only by the user/agent string and hardware you're using to access the web.

This moron logged into the victim's e-mail address and the abuser's email address within moments of each other from the SAME IP address on the VPN. If that VPN shows he logged into their service and was assigned that IP address just before accessing them and logged out shortly after accessing both, that's pretty damning.

PureVPN didn't lie about what it records... but, it didn't have to record much other than the connection info and bandwidth use to correlate strongly with what the investigators already knew from inspecting a laptop and contacting the 2 e-mail services.

Re:Get a VPN they said ...

[JohnFen]

VPNs aren't meant to keep people anonymous.

Yes, this is exactly correct. VPNs don't disguise endpoints or decorrelate access times.

Personally, I use a VPN solely so that I don't have to worry quite as much when I'm connecting through WiFi access points that I don't control (open access points, workplace WiFi, etc.).

I'm not even trying to hide from my ISP (since, at some point, my datastream is going to be exposed to an ISP anyway -- at least this way, I know which one I'm exposed to). So, I don't use a third party VPN. I run my own VPN server, and my devices all use that.

Security is always a tradeoff, and others may not find this one acceptable for their situation and preferences. But it works for me.

Re:Get a VPN they said ...

[CaptainDork]

Precisely.

Which leads to the next question: Are other or all VPN providers lying?

Re:Get a VPN they said ...

[JohnFen]

Indeed. I think it's safe to assume three things: some are lying, some are honest, and we can't really distinguish between the two.

Re:Get a VPN they said ...

[hey!]

Cyberstalking generally isn't something that people who are good at thinking things through and restricting their behaviors accordingly do.

Re:Get a VPN they said ...

[CaptainDork]

VPNs aren't meant to keep people anonymous.

Really? From their site:.

Anonymity: PureVPN replaces your real IP with one of our abundant IPs, allowing you to use the internet freely whilst remaining completely invisible.

Re:Get a VPN they said ...

[qbast]

You can't verify their claims in any way so assume they do.

Re:Get a VPN they said ...

[CaptainDork]

Agreed.

And I would add that people who think they can outsmart other people are not clever enough to do so.

Re:Get a VPN they said ...

[JohnFen]

people who think they can outsmart other people are not clever enough to do so.

Well, they can outsmart some people, but yes. If you really think you're the smartest one in the room, then your comeuppance is only a matter of time -- and usually, not very much time.

Re:Get a VPN they said ...

[CaptainDork]

Agree.

I've been at this for over 30 years and I've found that the best way to avoid capture is to refrain from risky behaviour.

There's a lot that I could do, (as can you), but I know there are people like us who can catch people like us.

Re:Get a VPN they said ...

[JohnFen]

That's just Pure being deceptive. The point that VPNs aren't designed to keep you anonymous is true regardless of what they say.

Re:Get a VPN they said ...

[CaptainDork]

True. However, the uninformed will jump all over that statement by PureVPN and run with it.

I think deceptive trade practices should apply, but predict that a lot of sites would be quickly editing their narrative.

Re:Get a VPN they said ...

[HiThere]

Well, you can't really assert that any are honest, unless you consider deceptive phrasing honest. There's a small amount of evidence that those which actually are honest are regularly put out of business by government officials.

So you can rephrase that as: some are lying, some may be honest, and we can't really distinguish between the two. But the honest ones may be an empty set.

Re:Get a VPN they said ...

[HiThere]

"The moron" believed the promises made on the services web page. There seem to be a lot of people here that accept deceptive phraseology as honest, but it's interesting that many of them post as Anonymous Coward. One might almost think someone has hired a reputation management company.

That said, I agree with your statements about the design of VPNs. But that's not saying what the company that's selling the service promises. And the promise *could* be essentially correct, if they actually never saved the logs from RAM to disk. Which is possible, but unlikely...and currently proven false in the case of PureVPN...or whatever its name is.

Re:Get a VPN they said ...

[SvnLyrBrto]

Well... even if you genuinely are the smartest person in the room, the second and third smartest people in the room, working together, are smarter than you. Only a few people in the world are ever so much smarter than everyone else as to leave any potential rival in the dust. Those people tend to wind up having elements or units of measurement named after them.

Re:Get a VPN they said ...

[tlhIngan]

Indeed. I think it's safe to assume three things: some are lying, some are honest, and we can't really distinguish between the two.

Here's the truth.

ALL VPN PROVIDERS LOG. All of them. They have to.

The question is how long they retain that log.

Why do they log? Easy - they need to maintain accounting information - after all, you can't log into a VPN service more than N times (N = dependent on provider - some allow one connection each per type - PPTP, OpenVPN, etc, others allow only one connection in total, others may allow two or more connections).. So obviously if you're logged in (hint: logged), there's a log entry in some database somewhere - you're logged into some VPN server.

If they don't log, they won't survive because you can buy one account and share it with all your friends.

Oh, and while you're on, they log you connection information - which server and for how long. Also, while you're logged in, your username and final VPN server IP is associated with each other.

MOST good providers will, upon disconnecting, delete that log entry, so there is no longer any association between you and the VPN IP address you were using.

Also, there is something called a "Real Time DMCA" - you can collect copyright notices in real time.

So here are the tips for using a VPN properly:

1) NEVER use any sort of "port forward" function on the VPN. There is nothing that will identify you quicker than a port forward that is now an association between your activity, your account, your computer and you. Sorry, but since a listening port is associated with a target user's PC (i.e., yours), this is a really good way to identify a user (real time DMCA).

2) NEVER use a server that isn't busy. Real Time DMCA notices do not have to be delivered if the VPN provider cannot positively identify a user. If there is more than one user on a VPN server, it is no longer practical to identify which user did the activity. The activity will include source and destination ports, so if you're rotating your connections quickly, then the identifiers will be stale. (Another reason to not use port forwarding)

3) ALWAYS reconnect periodically. Once a day at least - it helps you avoid identification because it will rotate your outgoing IP on a regular basis as well as reset your VPN provider's log. DMCA requests will fail if you're not connected when they arrive. If you're especially paranoid, reconnect hourly.

So don't use PureVPN

Alright then.

Re:So don't use PureVPN

[CaptainDork]

Pure VPN says, in writing, that they do not log.

What VPN would you suggest, and how do you know they actually do what they say they do ... in writing?

Re:So don't use PureVPN

[Mashiki]

What VPN would you suggest, and how do you know they actually do what they say they do ... in writing?

PIA. They've also been tested in court as keeping no logs at all.

Re:So don't use PureVPN

[CaptainDork]

I appreciate your response, supported by a reference link.

Thanks.

Re:So don't use PureVPN

[gweihir]

Actually, they say "Our servers automatically record the time at which you connect to any of our servers." My guess would hence be that, legally, they do not log, but they do keep records.

Re:So don't use PureVPN

[CaptainDork]

Apparently, you missed my earlier post where I copy/paste directly from PureVPN:

PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .

Re:So don't use PureVPN

[gweihir]

I did quote directly from their privacy policy. No idea why you think I missed anything here, this is literally on their site.

If indeed "records" and "logs" are different legally (no idea whether they are), then "no logs of your activities" would not even be a lie. There would just be records of your log-ins and log-outs, but no logs. It is also possible, that the log-in and log-out does not count legally as "activity" within the context of the service. And to make the deception complete, "complete security" is a term without meaning, i.e. it gives you no assurances whatsoever.

Re:So don't use PureVPN

[CaptainDork]

It's not complicated, OK?

Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI

Re: So don't use PureVPN

[Brockmire]

Holy fuck, you think all headlines on the Internet are true and accurate? There's ample just on /. that are wrong and misleading. You might have heard of a thing called "click bait"? Fuck, you should change your nick to Captain fucking Dumb

Re: So don't use PureVPN

[CaptainDork]

PROTIP:

Xanax, when taken as directed, is a safe and effective palindrome. ~ © 2017 CaptainDork

Re:So don't use PureVPN

[will_die]

I use expressvpn, more expensive but I mainly use it to change my location to show me in the USA and they are speedier for watching videos.
If you do a search for reviews there are lots around and purevpn is usually ranked very low because people testing the security either could not or they leaked data in their software.

Re:So don't use PureVPN

[gweihir]

That is what some journalist wrote. They actually shared records with the FBI. The question is whether legally, that is a difference.

Re: So

[JohnFen]

And WANSecurity.

But the take-home lesson here shouldn't be that if you avoid those you're good. The lesson is that in the end, you're taking every provider's word for security. Certainly some are good and some aren't, but there is literally no way for you to be able to tell which ones are good.

Vendors used

[will_die]

VPN vendors were PureVPN and WANSecurity.
He also used a secure email and Tor but no indication that logs or info was pulled from those.

--For the karma whoring.

Re:Vendors used

[Swave+An+deBwoner]

You need to read further into the document:

Information Sharing and Disclosure

PureVPN specifically chose Hong Kong (HK) for its headquarter because there are "No Mandatory Data Retention Laws" in Hong Kong We are therefore, not legally obliged to store user data and share it with anyone.

Since PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity. It goes without saying that we will only do so in the best interest of our customers and our company. When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific information about that specific activity only, provided we have the record of any such activity.

Personally I am glad that there are ways to connect malicious activities like this to the malefactor. The guy is getting what he deserves.

Re:Vendors used

[JohnFen]

The guy is getting what he deserves.

I'm glad that this scumbag got caught.

But at the same time, it's important to remind people that they may not be as secure as they're assuming, so that innocent people don't get caught out.

Re:Vendors used

Personally I am glad that there are ways to connect malicious activities like this to the malefactor. The guy is getting what he deserves.

It's easy to agree this guy is a scum bag. The concern always comes back around to whistleblowers, unfavorable speech, etc. We're already in a surveillance society that chills free speech. I know what that guy did goes beyond voicing a dissenting opinion.

My hope for the world is that the general level of personal integrity rises. If that happened a lot of these problems would go away. I know wishing doesn't make it so, but I think that is the answer to a lot of these social woes. It's up to each of you to find it within yourselves to deal with your demons/issues. Even if you can take advantage of someone in some situation you face daily, is that right? Right now it seems like most people are only interested in whatever personal advantage they can achieve in a situation using whatever kind of lying/bending of the truth, omission, etc. The only way things will get better is if people live with integrity and view the world more wholistically to try and take actions that benefit everyone rather than only themselves.

The thing I worry about is:

1) the company wants you to believe you are 100% anonymous and nothing you do through their service will be tracked back to you but it's not really true, but we'll say it to take your money

2) because the gov has such wide reaching power to put traces and track down people as the public environment gets more and more divisive and hostile you need to conform or face repercussions.

3) it's not even the gov you have to worry about if you express an unpopular opinion, mob rule and moderation systems will make sure you're suppressed.

There's a risk here that you can have total centralization of control, media, information flow. If you voice decent you disappear in the night. I know that doesn't directly correlate to what this guy did but it does correlate to the use of VPN tech to try and express yourself or express an idea without fear of the regime/mafia in power ruining your life for asking questions or suggesting something that doesn't follow their agenda. IMO even with the bad actors, we should have access to strong encryption and anonymizing tech. The people who seek power and complete control over us will gladly take any example of a bad actor behaving badly to trumpet far and wide why the people aren't allowed and can't be trusted to have such things. In the mean time it's very convenient for the existing regime that they have as much control as possible.

Re:Vendors used

[gweihir]

Tor has no logs. This has been tested and verified, also bu diverse law-enforcement agencies, time and again. That does not make Tor absolutely secure, large traffic analysis, insecure user behavior and zero-days in the browser (or failure to update) can still de-anonymize Tor users though. The Tor project has a nice collection of documents on these things.

Re:Let's not forget creimer....

[Megol]

Please don't post your sexual fantasies. There are forums where that may be appropriate but this isn't one.

VPN safe if you used established ones

https://torrentfreak.com/vpn-s...

Never heard of these VPN services, but if you stick to VPNs that have been reviewed and tested for privacy over the years they are fine. See above link for good reviews..noticed PUREVPN was never reviewed?

Re:VPN safe if you used established ones

[JohnFen]

That list doesn't really mean anything, though. All they've done is ask providers questions and ranked them according to the provided answers. There has been no independent verification of the provider's practices or technical security, so there's no way to tell if the answers were complete and honest.

Re:VPN safe if you used established ones

[CaptainDork]

How do you know that reviewed VPNs don't keep logs?

PureVPN makes no privacy warranty

I just looked over PureVPN's site and policies and they make no claim about logging one way or the other. Which means that they log everything.

VPNs are really only ever intended for general purpose anonymity any how. If you are compelled to engage in illegal activity you should be using non-repudiable uplinks and not those you pay for with your credit card then use everyday to log in to your email and the rest of your heavily logged web accounts.

Re:PureVPN makes no privacy warranty

[JohnFen]

I just looked over PureVPN's site and policies and they make no claim about logging one way or the other.

Not true. TFA links to Pure's page where they specifically claim that they do not log your activities. That page has even been quoted a couple of times by other commenters.

Re:PureVPN makes no privacy warranty

[CaptainDork]

... they make no claim about logging one way or the other.

You just blew it in an obvious way.

PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .

Emphasis mine.

Shame on you.

Misleading

[Ramze]

Most of the damning info came from a laptop, and all the VPNs did was confirm an IP address for his residence was used to connect to one of their IP addresses during the same time frame "someone" logged into both the victim's e-mail account and the abuser's e-mail account -- both from the same VPN address.

PureVPN lists what data it records and states it cooperates with investigations. The only thing I can find that they gave to investigators that wasn't explicitly stated in the TOS was that they gave the origin IP address for the connection. but... the TOS already says they store the name of the person on the account and connection times and bandwidth anyway, so that's pretty damning to begin with if requested by law enforcement.

Basically, Law Enforcement said:

"Hey we have a laptop with evidence that you have a VPN and have accessed both the victim's and the abuser's e-mail addresses. We just checked with the e-mail services and discovered a login to both from a VPN IP address within a short time period."

And the VPN provider upon court order said:

"That user was logged into our service from their residential IP address during that time and was connected to that same VPN IP address (along with many other users). Here's the amount of time they were on our system and the amount of bandwidth they used."

The VPN didn't rat out what site they went to -- but the sites they went to DID keep IP logs.

In short, the VPN service provided exactly what it said it would record and it just happened to correlate nicely with what the detectives found. It's not proof, but it's strong evidence.

Frankly, I'm a little surprised the victim's e-mail service allowed a connection to a VPN IP to begin with. I'm also surprised this moron thought that just because a VPN doesn't record every site you visit that the sites themselves wouldn't be recording every login and IP address along with cookies that might identify his specific hardware and/or tie into a social media profile or the like.

Re:Misleading

[JohnFen]

Yes, this is a good and important point.

Encrypting your actual payload data is insufficient (metadata is often just as revealing as payload data). That's why the more skilled hackers and criminals use multiple VPNs along with services that decorrelate access times.

Re:Misleading

[p.g.king]

It's tricky wording. That sentence qualifies itself with after you connected to any of our servers. i.e. we do log the connection, just not what you do with it.

Re:Misleading

[gweihir]

Entirely plausible. They would not record actual traffic, that would probably have them go out of business. Connection time and user name is almost always enough to identify the user if you have a few more of these. And then you can get a search-warrant.

In the end, this person just violated too many of the rules to stay anonymous online.

Re:Misleading

[gweihir]

They do not keep any logs, but they do "automatically record the time at which you connect to any of our servers". Probably, in legalese, records and logs are different things.

When there is enough activity, these logs.... pardon me, "records", are quite enough to identify a single user. As they claim to have 10M users, having as little as 10 or so observed malicious actions may already be enough to filter the potential users down to a number small enough to check individually whether they plausibly could be the attacker.

Re: Misleading

But based on that VPN's ToS they should have gave up the times and bandwidth for his account, but NOT his origin IP Address. If VPNs give out origin IP addresses it removes half the point of a VPN in the first place.

Re:Misleading

[misexistentialist]

and that's why you use 7 proxies, kids

Roll your own

[DaMattster]

You could roll your own VPN by purchasing a VPS and routing your traffic through it but even that will only give you a little bit more privacy. At some point the data that you send will have to be decrypted in order to be sent out to the internet at large. Authorities can see the point at which the decryption is taking place and trace it back to that end-point IP address. It is a trivial matter to see who the IP address belongs to. The VPS provider could then be issued a subpoena to get your information. The whole VPN thing is really misunderstood. It's really a way to make it harder for an ISP to grab and monetize your browsing data or even a way to protect your identity on an untrusted network.

Re:Roll your own

[Ayano]

The internet is forever, you can't really disappear on the grid as much as one would like to believe. You can hide, but you'll be found in time.

The best defense is not to do dumb stuff in the first place.

Re:Roll your own

[JohnFen]

The best defense is not to do dumb stuff in the first place.

That doesn't protect you from other entities doing dumb or abusive stuff, though.

She is not the only victim here.

[140Mandak262Jamuna]

Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division. “This kind of behavior is not a prank, and it isn't harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today's arrest will deter others from engaging in similar criminal conduct.”

This jerk has degraded the trustworthiness of ALL bomb threat calls, ALL emergency distress calls. As incidents like this increase, as people figure out better ways to hide their tracks, more people will do such things. In the end the police and emergency services will take time to check veracity and trustworthiness of the caller before responding. False alarms will increase cost for all tax payers. Some stalking victims could actually be raped or violated due to such postings.

This guy is evil, he should be punished so severely others don't even fantasize doing such things.

Re:She is not the only victim here.

[Yosho]

This guy is evil, he should be punished so severely others don't even fantasize doing such things.

Unfortunately, severely punishing somebody for a crime has a negligible effect on discouraging anybody else from committing the same crime. I guarantee that at no point did this person ever think, "I wonder what happened to others who have stalked and harassed people? What's my risk vs. reward ratio here?"

Re:She is not the only victim here.

[140Mandak262Jamuna]

Unfortunately, severely punishing somebody for a crime has a negligible effect on discouraging anybody else from committing the same crime. I guarantee that at no point did this person ever think, "I wonder what happened to others who have stalked and harassed people? What's my risk vs. reward ratio here?"

Then, pray tell, what would have non-negligible deterrent effect?

Are you claiming people don't fear punishment or getting caught at all?

Re:She is not the only victim here.

[JohnFen]

Citing "deterrence" is very often a thin disguise over the real intent: vengeance.

Re:She is not the only victim here.

[140Mandak262Jamuna]

Whats wrong with vengeance? As long as the target of vengeance deserved it, As long as the amount of vengeance is comparable to the amount of affront, I see nothing wrong in vengeance.

You, of course, retain the right to refrain from vengeance. You have the right not to file charges when you are the victim.

You also have the right to tell other victims to give up vengeance, not to file charges and practice universal love.

And they have the right to ask you to go fly a kite.

Re:She is not the only victim here.

[Impy+the+Impiuos+Imp]

No, "we as a society" decided no such thing. We punish people in jail, and execute murderers. You can rephrase those things, but they are vengeance nevertheless.

Re:She is not the only victim here.

[Yosho]

No, "we as a society" decided no such thing. We punish people in jail, and execute murderers. You can rephrase those things, but they are vengeance nevertheless.

And the rest of the civilized world outside of the USA considers the USA's prison system to be barbaric and abusive, so there's that.

Most people who have actually taken the time to think about it agree that the purpose of incarceration is to either reform criminals into productive members of society or to separate out the ones who can't be reformed so that they can't cause any more harm. Prioritizing revenge is primitive, bloodthirsty, and doesn't actually make anything better.

Re:She is not the only victim here.

[Yosho]

Are you claiming people don't fear punishment or getting caught at all?

No, the fear of punishment is a deterrent, but the degree of punishment is almost irrelevant,
  and "making an example" out of somebody has no effect at all. (although it's entertaining how when the subject of gun control comes up, gun nuts will insist that in that particular case, gun control laws won't have any effect at all...)

Then, pray tell, what would have non-negligible deterrent effect?

Unfortunately, there isn't a single, easy answer to that. You'd need to investigate the criminal's history and motives to determine what caused them to think their actions were reasonable in the first place and address that.

Re:She is not the only victim here.

[140Mandak262Jamuna]

No. We did not decide vengeance is a bad thing. We agreed private vengeance is a bad thing. We created a formal process to take vengeance, we agreed to give up our right to seek personal vengeance, with the understanding the State with all its power and glory will take vengeance on our behalf.

Don't confuse it with US Constitution and 1776. Not even the Magna Carta. State taking our the monopoly to mete out vengeance is at least 5000 years old, possibly older.

Fore people, Kalahari bushmen and some tribes of South America are the few remnants that survived into recorded history where they practiced individual pursuit of vengeance and justice. That system would not scale, and would not work beyond extended kinship and tribal bonds.

Early religious texts give us clues about how the transformation took place from private vengeance to the formal practice of filing grievances and taking revenge through the collective action of peer groups.

You have lived in such a peaceful and placid place all your life you probably truly believe in the power of love and all vengeance is bad. But not punishing the rule breakers will have very serious consequences to the stability of the society. Game theory would mar you as a "universal cooperator, a free rider in the society made peaceful by other actors who punished defection".

Re:She is not the only victim here.

[green1]

Studies have shown that the thing that makes people think twice is the perception that they'll be caught, and not the severity of the punishment. From that stand point the publicity around punishing someone helps, but giving them a stiffer sentence does not. (Note I said perception that they'll be caught rather than likelihood of being caught, because the 2 are not really related)

It also doesn't help that the human mind tends to think in terms of exceptionalism, people always think they're smarter than the person who screwed up and got caught, and that those specific circumstances would never apply to them.

As an example, of a surprising way this can be applied though, a jurisdiction that took police resources away from major crimes (murder, rape, etc) and focused instead on minor infractions (jaywalking, graffiti, etc) saw a reduction in the major crimes. It's hypothesized that this was due to the fact that the police were far more visible dealing with that sort of thing than they ever are behind the scenes investigating the major crimes. (To catch someone jaywalking you have to have police on the street watching for it, to catch a murderer its usually lots of research behind a desk or at crime scenes out of the public eye) leading to the perception that the police were "everywhere" and that you'd be caught if you committed any crime.

Re:She is not the only victim here.

[JohnFen]

Whats wrong with vengeance?

A "justice system" is supposed to result in justice. Vengeance isn't justice, it's emotional expression.

Re:She is not the only victim here.

[SvnLyrBrto]

Have bomb threat calls EVER been considered trustworthy? When I was in college in the '90s, most professors included wording in their syllabuses to the effect that exams would most definitely NOT be cancelled or postponed in the event of a bomb threat; and gave a meeetup point elsewhere on campus where we would be expected to show up and take our exams in the event that a bomb threat was called in for the building in which our exam was scheduled. That would indicate to me that, by that point in time about two decades ago, there were so many phony bomb threats going around that pretty much everyone knew they were BS; and that they'd go through the motions just in case, but they were considered to be no big deal.

Re:She is not the only victim here.

[kaatochacha]

Interesting references.

Re: So

[Freischutz]

And WANSecurity.

But the take-home lesson here shouldn't be that if you avoid those you're good. The lesson is that in the end, you're taking every provider's word for security. Certainly some are good and some aren't, but there is literally no way for you to be able to tell which ones are good.

I'd primarily use a VPN provider to make life harder for the RIAA, MPAA, Sony, HBO, and the rest of that ilk and to make it harder for them to identify me and then sue me for damages because they themselves forced me to torrent their movies and music because of their own artificial trade barriers (and I'd preferably use a VPN service headquartered in Europe to make it that little bit harder since most of these corps are US based which significantly increases the legal complexities). I have no delusions about a simple VPN service shielding me from a determined FBI/CIA/MI6/BND/FSB/NSA/DGSE effort to identify me. If those guys really want you, they are going to get you, just ask Osama.

Right to Privacy has Limits

[Ayano]

Sure you can write disparaging remarks, insult other people anonymously; but the moment you start performing malicious actions causing deliberate targeted harm, that mask can come off mighty fast.

Re:Right to Privacy has Limits

[Ayano]

Dig up your own wire AC. You're eventually going to be using utilities or sending data over a medium you have no control over, technology can't solve every problem, that's a common misconception and why so many start ups in tech fail as they can't realize it.

Virtual

[petoPerceptum]

Adj.
1 almost or nearly as described, but not completely or according to strict definition.

Re:Virtual

[JohnFen]

My favorite definition of "virtual" is one I got in an advertising class talking about meaningless advertising words. Whenever you see "virtual", you can mentally replace it with "not in fact".

Re:Idiot deserves to get arrested.

[140Mandak262Jamuna]

I feel very bad making such an inane joke about a serious matter.

Down vote this post to oblivion, please.

So wait a sec

[SlaveToTheGrind]

Something doesn't sound quite right about this. From TFA:

The logs showed how within the span of minutes the same VPN IP address had logged into Lin's real Gmail address, another Gmail address used for some of the threats, and a Rover.com account Lin created to discover Smith's real phone number.

Gmail has forced HTTPS since 2014. What are we being asked to believe here?

Re:So wait a sec

HTTPS has absolutely no relevance here.[Layer 7] The point is the correlation of the same IP[Layer 3] being used for each of these accounts with x minutes. Suggesting that the same person is using all of these services.

Re:So wait a sec

[JohnFen]

Perhaps that the feds issued a search warrant to get the Gmail logs?

Re:So wait a sec

[SlaveToTheGrind]

That would be a fine explanation if there were three different services used by three different URLs. But here we're talking about two different Gmail accounts. What information would the VPN service have about what specific Gmail account the customer was accessing through that IP address?

Re:So wait a sec

[SlaveToTheGrind]

That's certainly possible, but it just reinforces my point. If they had the Gmail logs, they wouldn't need anything from PureVPN but the IP address association for the customer's session (which PureVPN's privacy policy by my read doesn't explicitly exclude from logging). Activity logs showing that particular session accessed Gmail, without actual account information, might perhaps reinforce what the Gmail logs already showed, but wouldn't independently show anything.

And if it wasn't necessary for PureVPN to have logged activity for the feds to connect these dots, Occam would strongly suggest that PureVPN indeed follows its published privacy practices and doesn't log activity, and this article suggesting otherwise was at best poorly researched/written and at worst simply FUD.

Re:So wait a sec

[vux984]

As I read it:

google would provided the documentation that both accounts A and account B were accessed from a particular ip address one after another from the same computer based on browser strings etc.

the vpn service is only confirming that suspect X was in fact connected to the vpn service at the time.

VPN services are a pseudo-product, security-wise

[gweihir]

VPN services are nice if you want to pretend to be in another geographically location, but the claims of security are pure marketing. Incidentally, anybody that cares to find out knows that. And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them. Lavabit is an extremely rare exception (and just did anonymous email, not VPN) and it can be seen nicely in their case what happens after such a "no". The CEO is lucky to not end up in prison.

At this time, the only VPN service with actual security is Tor and even there, you anonymity can be compromised by attacks on the client or making mistake while using it. And, of course, a large-scale traffic analysis can break even Tor. The thing with Tor is however, that nobody that can break it will admit so for a mere cyberstalking case. It would have to be something really, really large for anybody to admit that they can compromise Tor itself.

Re:So

[gweihir]

None. Anybody sane already knows VPNs are not secure if anybody can get a court-order against them. All the others are to dumb to care.

Re:What kind of dumbass uses VPN?

[HiThere]

If you depend on Tor you better not get the Feds after you. It's *probably* safe against anyone else, but, IIRC, the Feds were reported own enough of the exit nodes to track you. That was a few years ago, but I doubt they've decreased their penetration.

Still, it's probably more secure than a VPN is even designed to be.

But do note all the "probably"s in my comments. And recall that Google is working hard on getting a quantum computer to perform well. (And it's not the only gang so working.) So almost all of the security in use on the internet has to be considered temporary. The only exceptions, currently, are one time pads and anything that doesn't get recorded (and how can you tell). But "temporary" may mean 10 years, and it may mean 20 years. That's long enough for many purposes. (I consider widespread use within less than 10 years quite unlikely.)

GOOD!

[XXongo]

Excellent. I'm glad they nailed him.

This guy was a major asshole. I hope when he gets out, his terms of parole include "never allowed to touch a computer for any reason."

Re:GOOD!

[johanw]

Now the detection metghod is ready to bust anyone who is illegally downloading the new Stsr Trek Discovery epuisodes.

Re: So

[TWX]

That's proxies. Not VPN providers.

And seven wasn't enough, remember?

Re: So

[west]

because they themselves forced me to torrent their movies and music

By the time my son was five, he already understood that the "he forced me to do it" defense is, unless someone literally has a gun to your head, a cowardly lie.

Time to take responsibility for your own actions. It's what adults do.

Re:VPN services are a pseudo-product, security-wis

[thegarbz]

And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them.

Sure they can. By "feds" I'm assuming you one of America's three letter agencies. The reality is that there are many countries in the world who don't play America's bullshit game.

the real litmus test of privacy is

[mapkinase]

does your VPN (website, Tor network, etc) hosts child pornography, Islamic State glorification materials, bomb making manuals?

If yes, then the website is private.

Re: So

[amxcoder]

As a PureVPN lifetime customer, this is disappointing on PureVPN's side. At least it sounds like they didn't rat out the traffic, but did origin IP address, which is pretty damning in most cases.

I would also like to point out, that PureVPN was being sold right here on the Slashdot site for lifetime memebership for quite a while (maybe still). That is the offer that I grabbed a year or two ago. While I use it mostly to protect my privacy when using open hotspots or hotel/shared wifi connections, and also occasionally for torrents (legal linux ISO's only!), that I think it would still be fairly reliable for this, however it's never good to know that if you've been targeted, there is enough info to use against you being logged.

bummer. At least I knew this was a possibility and am not shocked, just more disappointed.

Re: Use proxies vs. VPN bs then

[Brockmire]

You are openly violating the rules and terms of Slashdot. You're not welcome. Fuck off and find some other site to spam. Now fuck off.

Re: Mocking NK

[Brockmire]

You can just say Trump.

Re:VPN services are a pseudo-product, security-wis

[gweihir]

Good luck with that. Sure, in some countries they may just shoot you if you refuse to hand over the logs, but in most countries refusing a court order will get you just under threat of being locked up. This "bullshit game" is played all over the globe.

Re:VPN services are a pseudo-product, security-wis

[thegarbz]

Sure, in some countries they may just shoot you if you refuse to hand over the logs

No you misunderstand. Most countries don't give a flying fuck about the USA or USA problems, and especially don't give a flying fuck about the moaning of the USA corporate welfare.

The point of VPN endpoints is to appear somewhere outside the reach of those trying to persecute you. A Chinese person will be just fine using a Ukrainian VPN with a Swedish endpoint to escape from China's watch, regardless of how much is logged. Likewise the USA can't even get basic enforcement against known criminals in other countries, let alone persecute someone using a foreign VPN service with an even more foreign endpoint.

Not every corporation or country is beholden to the not-as-far-reaching-as-you-think eyes of the USA's TLAs. You just need to not commit a crime in the country where your VPN is hosted or end-pointed. That is pretty easy to do. Bonus points if you pick a country that actively hates the one you're trying to avoid.

Re:VPN services are a pseudo-product, security-wis

[gweihir]

Well, good luck with that.

Re:What kind of dumbass uses VPN?

[david_thornley]

I've been told, by people who appear to know what they're talking about, that quantum computers are limited in what they can do. For example, they can cut the effective key length for a cipher in half, but not more. That would mean that AES-256 is invulnerable to brute-force attacks using quantum computers (at least using only the current resources of the entire Solar System).

Re:VPN services are a pseudo-product, security-wis

[thegarbz]

Cheers.

Re: Mocking NK

[Sebby]

Except he's not the only one - his cronies are doing his bidding as well