News has emerged this week that proves PureVPN is lying to consumers about how it keeps logs. The story serves as an urgent reminder that great care must be taken to select a credible Virtual Private Network (VPN) service.
The story surrounds the case of a cyberstalker from Newton, Massachusetts. Ryan Lin, 24, is accused of cyberbullying, harassing, and regularly hacking multiple accounts belonging to a 24-year-old woman referred to in the case as Jennifer Smith (not the victim’s real name).
The nauseating list of crimes includes accessing Apple iCloud to steal the victim’s personal photos and then later create a collage of Smith alongside random explicit photos. After finishing the vile creation, Mr Lin went on to disseminate it via email to a number of Smith’s friends and contacts (including one minor). The emails were spoofed to make them seem like they came from Smith herself.
As if that wasn’t enough, the accused went on to send excerpts from Smith’s private journal to several of her contacts. Those highly personal journal entries contained details about her psychological, medical, and sexual history.
Mr Lin also started accounts with adult online services in Smith’s name. Using those falsified accounts, Mr Lin searched for people wishing to engage in extreme sexual fantasies such as BDSM, gangbang, and rape. At least three people came to Miss Smith’s abode looking for her in response to those fake solicitations.
The full list of abusive exploitations carried out by Mr Lin is horrific, degrading, and downright deplorable. The harassment caused Smith to move out of her home. According to the affidavit, the abusive campaign continued long after that time.
Local police attempted to follow up on Miss Smith’s complaints and allegations for nearly a year. Unfortunately for the police, Mr Lin was using a combination of Protonmail, Tor, and VPN services to cover his steps and conceal his identity. For this reason, local police decided to call in the FBI to help solve the case.
After recovering a computer from Lin’s former employer, the FBI was able to uncover a number of digital artifacts that allowed them to form a case for the prosecution. These included traces of data that showed that Lin had been using PureVPN. With the knowledge that Lin had used PureVPN, the FBI decided to approach the VPN firm for information.
So, how was PureVPN able to reveal that Mr Lin’s VPN IP address had logged into his Gmail address, along with another Gmail address used to harass Smith? How was PureVPN able to confirm that Lin used a Rover.com account to discover Smith's real phone number? Finally, how was PureVPN able to link criminal activity to Lin's home and work IP addresses?
Here is how it unfolded:
The FBI got suspected IP addresses from Gmail and Rover.com. Those IP addresses were confirmed to belong to PureVPN. The FBI then approached PureVPN to tell them which VPN IP addresses were suspected in these crimes - as well as Lin’s real IP address.
At that point, PureVPN was able to check to see if Lin’s home address had logged on to the suspected VPN IP addresses just before the times given to the FBI by Gmail and Rover.com. The VPN connection time stamps instantly revealed that Mr Lin’s real IP address had indeed used the VPN at those times.
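The check described above takes only a few lines of log analysis. The following is an added example, not code from PureVPN or the case files; the log fields, IP addresses (documentation ranges) and times are constructed assumptions. It also shows that a shared VPN IP gives no cover once timestamps are kept: each event narrows the candidates, and two events leave a single customer.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data, not taken from the case.
# A "connection log" record: customer source IP, shared VPN exit IP,
# session start and session end.
SESSIONS = [
    ("198.51.100.7",  "203.0.113.10", ts("2017-01-05 20:58"), ts("2017-01-05 22:10")),
    ("198.51.100.23", "203.0.113.10", ts("2017-01-05 20:30"), ts("2017-01-05 21:40")),
    ("198.51.100.7",  "203.0.113.44", ts("2017-01-09 08:01"), ts("2017-01-09 08:45")),
    ("198.51.100.90", "203.0.113.44", ts("2017-01-09 07:00"), ts("2017-01-09 08:20")),
    ("198.51.100.23", "203.0.113.10", ts("2017-01-12 13:00"), ts("2017-01-12 14:00")),
]

# What a third-party service records: the VPN exit IP it saw, and when.
EVENTS = [
    ("203.0.113.10", ts("2017-01-05 21:03")),
    ("203.0.113.44", ts("2017-01-09 08:05")),
]

def candidates(sessions, exit_ip, when):
    """Customer IPs whose session on exit_ip was open at `when`."""
    return {src for src, vpn, start, end in sessions
            if vpn == exit_ip and src and start and start <= when <= end}

def correlate(sessions, events):
    """Intersect the candidate sets of all events attributed to one actor."""
    sets = [candidates(sessions, ip, when) for ip, when in events]
    return set.intersection(*sets) if sets else set()

def strip_identifying_fields(sessions):
    """The same log with source IP and timestamps never recorded."""
    return [(None, vpn, None, None) for _, vpn, _, _ in sessions]

if __name__ == "__main__":
    for ip, when in EVENTS:
        print(ip, when, "->", sorted(candidates(SESSIONS, ip, when)))
    print("all events:", sorted(correlate(SESSIONS, EVENTS)))
    print("without source IP and timestamps:",
          sorted(correlate(strip_identifying_fields(SESSIONS), EVENTS)))
```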
On this occasion, the authorities, the victim - and society as a whole - can feel thankful not only that Mr Lin was using a VPN known to be particularly useless for guarding people’s privacy, but also that PureVPN was willing to help with the FBI’s investigation.
Anyone with even a semblance of empathy for the victim will be glad that Mr Lin has been caught. Personally, I hope that Mr Lin is punished with the entire weight of the criminal justice system.
A VPN for Privacy
Despite my relief that Lin will be prosecuted, I am left in the somewhat awkward position of having to explain why consumers should avoid using lousy VPNs if they truly care about their digital privacy.
Privacy tools such as VPNs are just that: tools. The best analogy I can think of for comparison is that of a getaway car. Criminals can make use of a car to make their getaway after robbing a bank. Does that make cars (and those who use them) inherently evil? Of course not. At the end of the day, most tools can be used for good or bad ends. VPN services are no different.
Privacy is a fundamental human right that must be defended at all costs, especially nowadays, when overreaching governments and their agencies invade the digital privacy of their electorate en masse.
The majority of citizens don't deserve to be stripped of their right to privacy because of the repulsive actions of a minority. VPNs give people the power and ability to stop Internet Service Providers (ISPs) and governments from overstepping an important boundary. Without VPNs (and encryption in general), private communication is vulnerable to attack. And if it can be attacked by one party, it can be attacked by another.
PureVPN - What This Case Tells Us
This case, however, is the first time that concrete evidence has emerged that proves PureVPN is keeping more detailed logs about its subscribers than it claims. In addition, the case serves to reinforce that any VPN that keeps connection time stamps - alongside customer IP addresses - can never be considered private (a point that we always make when reviewing VPN providers). While on this occasion we may feel like celebrating the fact that the perpetrator will face justice, there can be no doubt that this event puts a big black mark next to PureVPN’s already disreputable name.
This VPN lies about having DNS leak protection and lies about the way that it keeps connection logs. I wouldn’t be surprised if it also lied about the level of encryption that it is providing. Our reviewer was unable to get encryption implementation details from the VPN’s technical team: a sure sign that the encryption is weak.
If you care about your digital footprint, the message is loud and clear: PureVPN (and other VPNs that keep timestamps with IP addresses) should be avoided at all costs. Why? Because if PureVPN is willing to help the US government, one has to ask the question: What is stopping it from helping more unsavory political regimes mount similar time correlation attacks to link VPN users to censored or banned content, which could get them in trouble?
Opinions are the writer's own.