About a week ago media reports came out that PureVPN, a VPN service provider helped the FBI to catch some cyberstalker in Massachusetts, USA.
Since then, we have heard nothing from PureVPN on its side of the story.
Now, PureVPN has finally spoken.
In its response, PureVPN has basically tried to respond to the criticism that the media has leveled against the VPN service provider.
After all, PureVPN is a VPN service provider.
And that means it should have protected the “caught cyberstalker’s” privacy regardless of the action the user took by using PureVPN’s services.
Instead, we saw that PureVPN helped the FBI to catch the cyberstalker.
Of course, there is no doubt about the fact that the cyberstalker probably deserved what came to him.
But that doesn’t another fact that PureVPN should not have logged his online activities.
We will give PureVPN credit for its response because it is quite a lengthy one.
In the response, as expected, PureVPN has reiterated the stance that the company never keeps user activity logs.
However, what the company does do often is log the original IP addresses of its customers who are accessing PureVPN services.
Table of Contents
PureVPN Helping The FBI To Catch A CyberStalker
In the early part of the month, that is October, law enforcement agencies arrested Ryan S. Lin.
A 24-year-old computer science graduate who lived in Newton, Massachusetts.
Law enforcement agencies arrested him on suspicion of carrying out a comprehensive cyberstalking campaign.
Against who?
Against another 24-year-old resident of Massachusetts.
His former female roommate.
Ryan S Lin also conducted the cyberstalking campaign against her family members and her friends.
The Department Of Justice Stance
The Department of Justice did the right thing by describing Lin’s cyberstalking offenses in detail.
It said that Lin carried out a multi-faceted computer cyberstalking and hacking campaign.
Lin had launched the campaign back in April of 2016.
Back then he hacked into his victim’s various online accounts.
Using those Lin also allegedly got hold of his victim’s personal photographs.
What’s more?
He also obtained other sensitive information about his victim’s sexual histories and medical records.
To top this “action” of his off, he distributed the information to several other people numbering in the hundreds.
The FBI did well to compile a huge list of information they found on Lin.
You can find more about Lin’s activities during those time periods here in our earlier report.
But even if we set aside Lin’s crimes, that shouldn’t take us away from PureVPN’s involvement.
PureVPN And Lin
Make no mistake:
Lin’s actions against his victim’s and her sensitive information must be considered both repugnant and significant.
But as mentioned before, that shouldn’t detract us from PureVPN’s role in the whole process.
Why did PureVPN get involved in the case in the first place?
This is something that has caused more controversy than the case itself.
As pointed out earlier as well, VPN service providers are supposed to protect your online activities.
Not share then with law enforcement agencies so that they can do the work on you.
The FBI Report
The FBI special agent also compiled a report about the case.
In the report, the FBI special agent revealed that PureVPN, a Hong Kong-based VPN service provider, kept logs on the user.
The FBI used these logs and hence PureVPN helped the law enforcement authorities to nab the alleged cyber stalker and criminal.
Let’s take a look at what the FBI special agent’s affidavit said.
It said a significant developed in the case involved PureVPN determining the IP address of the criminal.
PureVPN calculated that the same user accessed their service from two different originating IP addresses.
These two IP addresses belonged to Lin.
The two IP addresses consisted of the RCN IP addresses and the software company’s machine IP address where Lin worked.
Lin used the RCN IP address from his home where he lived at the time.
The other IP address, as mentioned before, belonged to a machine at the software company Lin worked at the time.
The Privacy Community
Again, we will mention again that everyone should consider what Lin did as reprehensible.
There is simply no room for cyberstalking in a decent online community.
But that doesn’t change the fact that the privacy community has some big questions about PureVPN as a privacy protection service.
The online privacy community showed its disappointment in the revelations.
And perhaps they are justified.
Afterall, PureVPN official website explicitly says that the company, PureVPN, carries no logs.
Generally speaking, people expect VPN service providers who say they don’t keep logs, to not keep logs.
They also expect these same VPN service providers to provide them with some form of anonymity.
That should hold true at least from premium VPN service providers.
And before this incident, no one would have disputed the fact that PureVPN ranked amongst the best VPN service providers.
Now, several days have passed since the initial furor.
And PureVPN has come out with its own response to all the critics in the online privacy community.
PureVPN Response.
As mentioned before as well, PureVPN response came in the form of a length official statement.
The company, PureVPN, began its response by reassuring the fact that the company did not keep any logs.
And that the company did not have any information on what websites its customers visited or viewed in any of their sessions.
Moreover, PureVPN clarified that the company did not know the content its users downloaded either.
PureVPN also made the statement that the company did not actually breach any of its Privacy Policy conditions.
PureVPN also said that it certainly didn’t try to breach its customer’s trust.
The company said it specifically did not,
- Keep browsing logs
- User’s browsing habits
- Any other piece of information.
- Share its customer’s data with other entities.
As you might expect, PureVPN did not address the real issue at the beginning of its official response.
But we’ll give it credit that at least PureVPN addressed half of the said problem.
Of course, PureVPN is going to say it time and time again that the company does not keep logs of user activity information.
That basically means, or should mean, that PureVPN has no idea which sites its customers visit.
Or what type of content they download.
PureVPN said in its statement that it did keep logs on the IP addresses of its users.
What does that mean?
Does PureVPN Keep Logs or Not?
This is indeed a tricky question.
And VPN service providers try to use this fact to their advantage.
PureVPN explicitly said in its response that the company did indeed keep IP address logs.
These are basically the IP addresses its customers used to access the company’s VPN service.
PureVPn said that given the appropriate circumstance, the company had the ability to match these to external activities.
How?
PureVPN said it thanked the logs that other web companies carried.
In other words, PureVPN didn’t keep any logs.
Other web companies did.
Let’s explain that a bit more.
PureVPN said in its response that Google Gmail service also kept logs.
And to illustrate the point, PureVPN gave Gmail’s example.
Gmail Also Keeps Logs So What Is The Problem Then?
PureVPN response said that every time a user visited a website the system automatically generated a network log.
Just to take an example, PureVPN gave the example of a particular user who logged into his/her Gmail account.
Each time the user accessed his/her Gmail account, the email service provider (Gmail) created a new network log.
Continuing on from that PureVPN said that if the user used a VPN service, Google’s Gmail network log would have information regarding the IP address that PureVPN provided to its user.
That makes up for half of the overall picture.
What about the other half?
PureVPN explained in its response that if someone asked Google about the user who accessed his/her account, Google would easily state that the person who used the said IP address actually accessed the account in question.
Hence, if the user used PureVPN to connect to the Gmail account, Google would spew out the PureVPN IP that the user used.
So, in such a situation, you must have an inquirer.
The Inquirer would do all the asking.
In our case, or actually Lin’s case, the Inquirer came in the form of the FBI.
PurevPN said, the FBI could then move forward by sharing timestamps with Google.
The FBI could also share network logs that they acquired from Google.
Then the FBI can ask to have people compare that information with the network logs that a VPN service provider maintained.
In Lin’s case, the VPN service provider came in the form of PureVPN.
Does PureVPN Response Make Sense?
We’ll get to that in a bit, but we have to say something that is more important.
What is it?
The thing is if PureVPN, a VPN service provider, really kept no logs, and by that, we mean literally zero-logs, it would not have the information to help the FBI with such kind of an inquiry.
Most of our readers could easily think back to last year when the FBI did something similar by approaching another VPN service:
Private Internet Access.
Back then the FBI asked Private Internet Access, a VPN service provider, for some information.
Since Private Internet Access really did not keep any logs, the company didn’t have anything to help the FBI with.
However, that doesn’t mean PureVPN is a fraud.
Well, at least, PureVPN has a good explanation for the problems that the company is facing right now.
PureVPN, in its official response, made it clear that the company indeed kept logs on user IP addresses.
PureVPN also kept information about each user’s timestamps.
This information could reveal when one of its customers logged to its services.
In other words, it didn’t really batter if PureVPN kept logs on the user or not.
Or what the online user did with PureVPN service in the online world.
The fact this, the third-party service would already know such information down to the exact second.
Continuing With Our Previous Example.
So basically Gmail knows a lot about what its users do with its service.
Gmail has information on when a user sends an email and when he/she receives an email.
For example, Gmail would know if a user sent his/her email to someone else at 10:00 am on Friday, November 16.
It would also know that the user did so via a PureVPN IP address.
Following from that, if the FBI approached PureVPN with questions about that user, then PureVPN could confirm that the user in question used the same IP address at the given time.
PureVPN also kept enough information to know the user’s home IP address.
In simple terms, both services can combine their logs that contain information about one IP address.
With such cooperation, they can reveal the identity of a user.
The concept is simple enough really.
So VPN Service Providers Are Useless?
No.
You just have to know which are the better ones.
This is the reason why it is very important for anyone wanting to use a VPN service provider to ask intelligent questions before buying a subscription package.
A good VPN service provider would keep absolutely no logs.
This is the first question you should ask before you sign up for a VPN service provider.
VPN service providers should not keep ANY logs that allow the VPN service to match an IP address and information in a timestamp to a particular user or users of its service.
And even if a VPN service provider does keep such information, you should ask for how long they keep the information in their records.
That can have a major impact on your privacy as well.
If a VPN service provider says yes that they do keep logs on incoming IP address and also keep information on associated timestamps, then you should trust such a VPN service provider.
Why?
Because keeping such information ends any user anonymity claims that the company might make.
There is no point in finding out more about other VPN service features such as number of servers, speed or advanced security features.
Of Course, VPN Service Providers Are More Than Just Logs
Just because a VPN service provider keeps logs doesn’t mean it is totally useless.
A VPN service could still give something even if it keeps some logs.
For example, a VPN service that keeps logs still has enough to protect you from spying agents such as your internet service provider and other government surveillance programs.
Moreover, VPN services that keep logs can get rid of annoyances such as throttling and/or site-blocking.
VPN services are important services for people who work in journalism.
Whistleblowers need some piece of technology to protect their work and their identity.
And for these purposes, a VPN service that keeps logs is totally useless.
So VPN services that keep logs are useless or useful only depending on the type of work a person does.
What Should The End User Do?
End users should spend the necessary time to study these controversial issues.
But the most important thing here is for people to actually read and then understand all the different VPN services’ privacy policy documents.
What About VPN Services? Don’t They Have To Do Something As Well?
Yes.
VPN service provider should make sure they are crystal clear about the kind of information they keep on their users.
If they don’t track their users’ browsing habits or downloading activities, then that is great.
But if they keep store timestamps and home IP addresses then that is not okay.
If they do, they have to make it clear to their customers and prospective customers.
Conclusion
VPN users have the responsibility to not use VPN services for evil purposes.
There are a ton of reasons why people would want to remain anonymous in the online world.
But don’t use that privilege to cyber stalk someone.
Or make threats against someone.
If a person uses VPN services to ruin other people’s lives, then perhaps that person deserves a VPN service like PureVPN.
The good thing is that even if VPN services don’t keep logs, the likes of FBI do have some very effective offline methods in order to catch online offenders.
And that seems to be the right way.
To read PureVPN full official response, go here.
Ugh, PureVPN. Betrayal.