Slashdot Mirror
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com)
An anonymous reader writes:
"VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
And WANSecurity.
But the take-home lesson here shouldn't be that if you avoid those you're good. The lesson is that in the end, you're taking every provider's word for security. Certainly some are good and some aren't, but there is literally no way for you to be able to tell which ones are good.
That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.
That's all a VPN does for you , which is irrelevant to what Pure VPN says it does for others.
PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .
Emphasis mine.
It little behooves the best of us to comment on the rest of us.
It also forces the security services to actively target you and expend some extra effort to get your data.
In some countries, e.g. the UK, ISPs are required to log and hand over such data pretty much on demand to the police, and of course you have outfits like GCHQ and the NSA doing mass surveillance.
A VPN increases to cost to spy on you from nearly zero to something that will discourage casual snooping and a lot of abuse. It's not perfect but it's a useful line of defence.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Most of the damning info came from a laptop, and all the VPNs did was confirm an IP address for his residence was used to connect to one of their IP addresses during the same time frame "someone" logged into both the victim's e-mail account and the abuser's e-mail account -- both from the same VPN address.
PureVPN lists what data it records and states it cooperates with investigations. The only thing I can find that they gave to investigators that wasn't explicitly stated in the TOS was that they gave the origin IP address for the connection. but... the TOS already says they store the name of the person on the account and connection times and bandwidth anyway, so that's pretty damning to begin with if requested by law enforcement.
Basically, Law Enforcement said:
"Hey we have a laptop with evidence that you have a VPN and have accessed both the victim's and the abuser's e-mail addresses. We just checked with the e-mail services and discovered a login to both from a VPN IP address within a short time period."
And the VPN provider upon court order said:
"That user was logged into our service from their residential IP address during that time and was connected to that same VPN IP address (along with many other users). Here's the amount of time they were on our system and the amount of bandwidth they used."
The VPN didn't rat out what site they went to -- but the sites they went to DID keep IP logs.
In short, the VPN service provided exactly what it said it would record and it just happened to correlate nicely with what the detectives found. It's not proof, but it's strong evidence.
Frankly, I'm a little surprised the victim's e-mail service allowed a connection to a VPN IP to begin with. I'm also surprised this moron thought that just because a VPN doesn't record every site you visit that the sites themselves wouldn't be recording every login and IP address along with cookies that might identify his specific hardware and/or tie into a social media profile or the like.
You could roll your own VPN by purchasing a VPS and routing your traffic through it but even that will only give you a little bit more privacy. At some point the data that you send will have to be decrypted in order to be sent out to the internet at large. Authorities can see the point at which the decryption is taking place and trace it back to that end-point IP address. It is a trivial matter to see who the IP address belongs to. The VPS provider could then be issued a subpoena to get your information. The whole VPN thing is really misunderstood. It's really a way to make it harder for an ISP to grab and monetize your browsing data or even a way to protect your identity on an untrusted network.
Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division. “This kind of behavior is not a prank, and it isn't harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today's arrest will deter others from engaging in similar criminal conduct.”
This jerk has degraded the trustworthiness of ALL bomb threat calls, ALL emergency distress calls. As incidents like this increase, as people figure out better ways to hide their tracks, more people will do such things. In the end the police and emergency services will take time to check veracity and trustworthiness of the caller before responding. False alarms will increase cost for all tax payers. Some stalking victims could actually be raped or violated due to such postings.
This guy is evil, he should be punished so severely others don't even fantasize doing such things.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
VPNs aren't meant to keep people anonymous.
Yes, this is exactly correct. VPNs don't disguise endpoints or decorrelate access times.
Personally, I use a VPN solely so that I don't have to worry quite as much when I'm connecting through WiFi access points that I don't control (open access points, workplace WiFi, etc.).
I'm not even trying to hide from my ISP (since, at some point, my datastream is going to be exposed to an ISP anyway -- at least this way, I know which one I'm exposed to). So, I don't use a third party VPN. I run my own VPN server, and my devices all use that.
Security is always a tradeoff, and others may not find this one acceptable for their situation and preferences. But it works for me.
My favorite definition of "virtual" is one I got in an advertising class talking about meaningless advertising words. Whenever you see "virtual", you can mentally replace it with "not in fact".
VPN services are nice if you want to pretend to be in another geographically location, but the claims of security are pure marketing. Incidentally, anybody that cares to find out knows that. And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them. Lavabit is an extremely rare exception (and just did anonymous email, not VPN) and it can be seen nicely in their case what happens after such a "no". The CEO is lucky to not end up in prison.
At this time, the only VPN service with actual security is Tor and even there, you anonymity can be compromised by attacks on the client or making mistake while using it. And, of course, a large-scale traffic analysis can break even Tor. The thing with Tor is however, that nobody that can break it will admit so for a mere cyberstalking case. It would have to be something really, really large for anybody to admit that they can compromise Tor itself.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I did quote directly from their privacy policy. No idea why you think I missed anything here, this is literally on their site.
If indeed "records" and "logs" are different legally (no idea whether they are), then "no logs of your activities" would not even be a lie. There would just be records of your log-ins and log-outs, but no logs. It is also possible, that the log-in and log-out does not count legally as "activity" within the context of the service. And to make the deception complete, "complete security" is a term without meaning, i.e. it gives you no assurances whatsoever.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.
The internet is not anonymous. Never has been, never will be unless the fundamental nature off it is changed, which will destroy the internet. The only thing that gives a person any sense of anonymity is the degree of the crime, and how badly they want to find you.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.