In 2017, the FBI apprehended a man in Massachusetts on suspicion of cyberstalking his former roommate. The campaign also targeted the victim’s friends and immediate family.
Catching a Cyberstalker
The FBI apprehended Ryan S. Lin of Newton, Massachusetts for his extensive cyberstalking campaign. One of the tools he used was PureVPN, which is based in Hong Kong. In Hong Kong, VPN companies are not obligated to keep user logs, but this did not stop the FBI from requesting any server logs that PureVPN had.
has to make sure that no single user hogs the bandwidth. This is a barebones log which contains only the user’s IP address, the time a connection was made to the VPN server, and the total bandwidth used.
On their own, the PureVPN logs are not enough to identify any user. However, the FBI already had logs of the email access times, which they had requested from Gmail. The Gmail logs and the VPN service connection log can be matched together to confirm what the suspect was doing.
It is important to note that Lin was already under investigation. The FBI had already worked on Lin’s desktop to gather what information they could. It was relatively easy for the FBI to get his email address and ask the email provider for its logs. Those logs matched the time when Lin accessed his mail via VPN.
There was no need for any other information from the VPN service. The only thing they had was the originating IP address, and the time it was used.
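How matching on time alone can narrow a bare connection log to one originating address, as an added example (not code or data from the case, the FBI or PureVPN). The records, the field layout and the five-minute window are constructed assumptions, and all timestamps are assumed to share one timezone.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records. IPs come from the RFC 5737 documentation ranges.
# Fields follow the article: originating IP, connection time, total bandwidth.
VPN_LOG = [
    ("198.51.100.7", "2017-04-02T21:14:05", 48_211),
    ("203.0.113.40", "2017-04-02T21:15:30", 1_902_114),
    ("198.51.100.7", "2017-04-05T07:58:41", 12_004),
    ("192.0.2.99",   "2017-04-05T08:01:10", 771_230),
    ("198.51.100.7", "2017-04-09T23:40:12", 95_630),
]

# Constructed access times for one mailbox, as an email provider might report them.
MAIL_ACCESS = ["2017-04-02T21:16:20", "2017-04-05T08:00:02", "2017-04-09T23:41:55"]


def candidates(vpn_log, access_time, window):
    """Originating IPs whose VPN connection began within `window` before the access."""
    t = datetime.fromisoformat(access_time)
    return {
        ip
        for ip, connected_at, _bandwidth in vpn_log
        if timedelta(0) <= t - datetime.fromisoformat(connected_at) <= window
    }


def correlate(vpn_log, mail_access, window=timedelta(minutes=5)):
    """Return per-access candidate sets, hit counts, and IPs present for every access."""
    per_event = [candidates(vpn_log, a, window) for a in mail_access]
    counts = Counter(ip for found in per_event for ip in found)
    consistent = set.intersection(*per_event) if per_event else set()
    return per_event, counts, consistent


if __name__ == "__main__":
    per_event, counts, consistent = correlate(VPN_LOG, MAIL_ACCESS)
    for when, found in zip(MAIL_ACCESS, per_event):
        print(when, "->", sorted(found))
    print("hits per IP:", dict(counts))
    print("consistent with every access:", sorted(consistent))
```

A single access leaves two candidate addresses in this sample; only the intersection across all three accesses leaves one, which is why the connection log works as supporting evidence alongside the email log rather than as an identifier by itself.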
To Catch a CyberStalker
There was some backlash against PureVPN with the disclosure that they had logs. It was not clear to critics that the logs are necessary for quality assurance purposes. At the same time, it was also not properly explained that the FBI used other data sources. In most instances, the backlash was due to inadequate information. The critics did not bother to investigate the extent of PureVPN’s participation or the roles of other internet services. The FBI knew Lin’s email address and they were also able to get logs from Gmail. It was only necessary to tie in the data flow and the time when these email accounts were used.
After the investigation and the ensuing media backlash, PureVPN contracted Altius, a third-party internet audit firm, to audit the PureVPN security systems and privacy policies. Altius was founded in 1993, and its staff members have done more than 1,000 audits and assessments. The clients were not limited to IT companies. It has experts in different IT fields including network security, assessment, security consulting services, and others. It has maintained certifications including the Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Systems Security Professional (CISSP).
The auditors stated that they “did not find any evidence of system configurations or system or service log files that are independently, or collectively, could lead to identifying a specific person or the person’s activity when using PureVPN service.” The certification effectively validates PureVPN as a No-Log VPN.
PureVPN has proven that they can barely identify the user from the data that they store. The FBI investigators have also explained that the bulk of the information that they gathered from servers was not from PureVPN. They have also shown that the PureVPN data was used only as supporting proof for the email server information. Alone, the PureVPN connection information is useless. However, when related to the email server logs, the email information makes sense.
The Altius audit took 2 years before the findings were announced. This is a testament to the thorough job by the independent audit firm. The findings and No-Log VPN certification are proof that PureVPN is serious about the security and privacy of their customers.