Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com)

Posted by EditorDavid on from the no-more-secrets dept.

An anonymous reader writes: "VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."

6 of 212 comments (clear)

  1. Re: So by JohnFen · · Score: 4, Insightful

    And WANSecurity.

    But the take-home lesson here shouldn't be that if you avoid those you're good. The lesson is that in the end, you're taking every provider's word for security. Certainly some are good and some aren't, but there is literally no way for you to be able to tell which ones are good.

  2. Re:Good reminder by JohnFen · · Score: 4, Insightful

    That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.

  3. Re:Get a VPN they said ... by CaptainDork · · Score: 4, Informative

    That's all a VPN does for you , which is irrelevant to what Pure VPN says it does for others.

    PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .

    Emphasis mine.

    --
    It little behooves the best of us to comment on the rest of us.
  4. Re:Get a VPN they said ... by AmiMoJo · · Score: 5, Insightful

    It also forces the security services to actively target you and expend some extra effort to get your data.

    In some countries, e.g. the UK, ISPs are required to log and hand over such data pretty much on demand to the police, and of course you have outfits like GCHQ and the NSA doing mass surveillance.

    A VPN increases to cost to spy on you from nearly zero to something that will discourage casual snooping and a lot of abuse. It's not perfect but it's a useful line of defence.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Misleading by Ramze · · Score: 5, Informative

    Most of the damning info came from a laptop, and all the VPNs did was confirm an IP address for his residence was used to connect to one of their IP addresses during the same time frame "someone" logged into both the victim's e-mail account and the abuser's e-mail account -- both from the same VPN address.

    PureVPN lists what data it records and states it cooperates with investigations. The only thing I can find that they gave to investigators that wasn't explicitly stated in the TOS was that they gave the origin IP address for the connection. but... the TOS already says they store the name of the person on the account and connection times and bandwidth anyway, so that's pretty damning to begin with if requested by law enforcement.

    Basically, Law Enforcement said:

    "Hey we have a laptop with evidence that you have a VPN and have accessed both the victim's and the abuser's e-mail addresses. We just checked with the e-mail services and discovered a login to both from a VPN IP address within a short time period."

    And the VPN provider upon court order said:

    "That user was logged into our service from their residential IP address during that time and was connected to that same VPN IP address (along with many other users). Here's the amount of time they were on our system and the amount of bandwidth they used."

    The VPN didn't rat out what site they went to -- but the sites they went to DID keep IP logs.

    In short, the VPN service provided exactly what it said it would record and it just happened to correlate nicely with what the detectives found. It's not proof, but it's strong evidence.

    Frankly, I'm a little surprised the victim's e-mail service allowed a connection to a VPN IP to begin with. I'm also surprised this moron thought that just because a VPN doesn't record every site you visit that the sites themselves wouldn't be recording every login and IP address along with cookies that might identify his specific hardware and/or tie into a social media profile or the like.

  6. Re:Good reminder by Ol+Olsoc · · Score: 4, Interesting

    That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.

    The internet is not anonymous. Never has been, never will be unless the fundamental nature off it is changed, which will destroy the internet. The only thing that gives a person any sense of anonymity is the degree of the crime, and how badly they want to find you.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.