Purevpn Log Audit

In 2017, the FBI apprehended a man in Massachusetts on suspicion of cyberstalking his former roommate. Also included in the personal cyberstalking campaign were friends and immediate family of the victim.

Catching a Cyberstalker

The FBI apprehended Ryan S. Lin of Newton, Massachusetts on his extensive cyberstalking campaign. One of the tools he used was PureVPN, which is based in Hong Kong. In Hong Kong, VPN companies are not obligated to keep user logs but this did not stop the FBI from requesting for any server logs that PureVPN has.

As it was the FBI’s job to request for the logs, it was also PureVPN’s responsibility to forward any data that they have. The only information that PureVPN was able to provide was the server connection log. PureVPN has stated in their privacy policy that, although they do not maintain any log which can be used to identify a particular user, they do maintain a connection log.

PureVPN Policy

According to the privacy policy, in order to maintain good quality of service to all its subscribers, it
has to make sure that no single user hogs the bandwidth. This is a barebones log which contains only the user’s IP address, the time a connection was made to the VPN server, and the total bandwidth used.

On its own, the PureVPN logs is not enough to identify any user. However, the FBI already had logs for the email access time which they requested from Gmail. The gmail logs and the VPN service connection log can be matched together to confirm what the suspect was doing.

It is important to note, that Lin was already under investigation. The FBI had already worked on Lin’s desktop to gather what information they can. It was relatively easy for the FBI to get his email address, and ask the email provider for their logs. Their logs matched the time when Lin accessed his mail via VPN.

There was no need for any other information from the VPN service. The only thing they had was the originating IP address, and the time it was used.

Cyberstalking

To Catch a CyberStalker

There was some backlash against PureVPN with the disclosure that they had logs. It was not clear to critics that the logs are necessary for quality assurance purposes. At the same time, it was also not properly explained that the FBI used other data sources. In most instances, the backlash was due to inadequate information. The critics did not bother to investigate the extent of PureVPN participation nor about the roles of other internet services. The FBI knew Lin’s email address and they were also able to get logs from Gmail. It was only necessary to tie in the data flow and the time when these email accounts were used.

After the investigation and the ensuing media backlash, PureVPN contracted Altius, a 3rd  party internet audit firm to audit the PureVPN security systems and privacy policies. Founded in 1993, Altius staff members have done more than 1,000 audits and assessments. The clients were not limited to IT companies. It has experts in different IT fields including network security, assessment, security consulting sevices, and others. It has maintained certifications including the Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Controls (CRISC),  and Certified Information Systems Security Professional (CISSP).

The auditors stated that they “did not find any evidence of system configurations or system or service log files that are independently, or collectively, could lead to identifying a specific person or the person’s activity when using PureVPN service.” The certification effectively validates PureVPN as a No-Log VPN.

Conclusion

VPN is a service which provides anonymity for its clients. Part of its marketing is the promise and guarantee that it keeps the minimum amount of data. Balancing this privacy policy is the need to provide quality service for all subscribers. This requires that every login is monitored for bandwidth, which in turns requires the retention of connection time. These are the absolute minimum data which PureVPN keeps for analysis. It does not require the identity of the user, only a a unique identifier for each connection. In this instance, the identifier is the IP address.

PureVPN has proven that they can barely identify the user from the data that they store. The FBI investigators have also explained that the bulk of the information that they gathered from servers was not from PureVPN. They have also shown that the PureVPN data is used only as supporting proof to the email server information. Alone, the PureVPN connection information is useless, however, when related to the email server logs, the email information makes sense.

The Altius audit took 2 years before the findings were announced. This is a testament to the thorough job by the independent audit firm. The findings and No-Log VPN certification is proof that PureVPN is serious about the security and privacy of their customers.

EXCLUSIVE DEAL

80% OFF

for a limited time only

the fastest vpn