"VPN logs helped unmask alleged 'net stalker" is an alarming headline, as the whole point of using a virtual private network is to surf unnoticed.
First, let me be clear: Lin's alleged behavior is gross. He reportedly went to enormous lengths to harass and demoralize a woman. The police partnering with technology companies to arrest him is an example of the system working, and the fact that he was arrested shows how far we've come in regarding online activities as actual crimes. Just a few years ago, doxxing someone wouldn't have been included in a list of vile criminal activities. I hope anyone who would emulate his actions thinks better of it as a result.
With that aside, it seems clear that this man would have been arrested even without the information acquired from PureVPN. The Register reports:
"The complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he'd been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith."
The report doesn't go into detail about what information was recovered from Lin's work computer, but its involvement is significant. Security researchers are always quick to point out that if you can obtain the target's device, you've effectively won. A reinstall only overwrites what the new installation happens to write; artifacts in unallocated disk space, and any copies held on employer systems such as backups or proxy logs, survive it.
Here's what The Register says investigators received from PureVPN:
"'Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses,' claim the Feds (allegedly, those IP addresses were at Lin's work and home addresses)."
It's easy to read that and assume that PureVPN, and perhaps all VPN companies, are monitoring users' activities and are willing to hand over logs to investigators. But I don't believe that's the case. To me, this sounds like PureVPN simply confirmed that its service was logged into by the same customer at two different IP addresses. Many VPN providers record connection metadata of that kind (the customer's source IP address and the time a session began) for routing, abuse handling and capacity planning, even when they keep no record of what the customer did inside the tunnel.
The article also says "records from PureVPN show that the same email accounts […] were accessed from the same WANSecurity IP address." That is harder to parse, but it doesn't sound like confirmation that PureVPN is monitoring user behavior. At most, PureVPN shared the originating IP address (the address the man connected from) and the IP address of the VPN server his sessions exited through.
PureVPN's own published policy states:
"We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service."
“PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity. […] When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific information about that specific activity only, provided we have the record of any such activity.”
In short, PureVPN will work with investigators who present a valid warrant or court order. The "rigorously self-assess" clause applies to requests from alleged victims, not to court orders: those requests PureVPN reserves the right to judge for itself. It also says that it will only hand over information it already has on hand, not that it will allow its networks to be used to spy on alleged criminals. Importantly, PureVPN is based in Hong Kong. For VPN users, this is actually pretty good, because Hong Kong has no mandatory data retention law, leaving PureVPN to decide what to store and for how long.
I'm not a legal expert, but it seems significant that a China-based company complied with American investigators. It suggests to me that the company cooperated based on the investigation's merits and was not legally obliged to do so, but that's speculation on my part.
To me, this sounds a lot like metadata. It's the date and time of the connection, the customer's source IP address and the address of the VPN server the session used. It is not, importantly, a record of where users went from there. That means investigators had to get that information elsewhere, from the services that were accessed, and match it against the connection records obtained from PureVPN.
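Here is an added example of how that matching works in practice, as Python written for this article; it is not part of the original post and not PureVPN's data or tooling. The connection records and the mail provider's access log are constructed, the account identifiers and field layout are assumptions, and the addresses come from documentation ranges. The point it shows is that the VPN's connection metadata alone says nothing about what an account did, and that a shared exit address is ambiguous for any single access, but joining the two sources across several accesses narrows the candidates to one account and also yields the "same account from two source addresses" fact:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed VPN connection records (hypothetical layout; not PureVPN data).
# This is the most a "no activity logs" provider would have to hand over:
# account, client source IP, assigned exit IP, connect time, disconnect time.
VPN_CONNECTIONS = [
    ("acct-1042", "203.0.113.7",  "198.51.100.25", "2017-03-01T18:02:11Z", "2017-03-01T19:40:03Z"),
    ("acct-1042", "192.0.2.55",   "198.51.100.25", "2017-03-02T09:15:40Z", "2017-03-02T10:02:12Z"),
    ("acct-2210", "203.0.113.90", "198.51.100.25", "2017-03-01T18:30:00Z", "2017-03-01T18:45:00Z"),
    ("acct-3377", "198.18.0.4",   "198.51.100.26", "2017-03-01T18:10:00Z", "2017-03-01T20:00:00Z"),
]

# Constructed access log from a third party (an email provider, say): the VPN
# has no record of these events; they come from the service that was accessed.
# Fields: timestamp, client IP as seen by the provider, account touched.
MAIL_ACCESS_LOG = [
    ("2017-03-01T18:20:45Z", "198.51.100.25", "target@example.com"),
    ("2017-03-01T18:35:10Z", "198.51.100.25", "target@example.com"),
    ("2017-03-02T09:30:00Z", "198.51.100.25", "target@example.com"),
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in both constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def source_ips_by_account(conns):
    """Step 1: the fact a provider can attest to without activity logs:
    which client source addresses logged into each account."""
    out = defaultdict(set)
    for acct, src, _exit_ip, _start, _end in conns:
        out[acct].add(src)
    return {acct: sorted(ips) for acct, ips in out.items()}


def candidate_accounts(conns, access_log, slack=timedelta(minutes=5)):
    """Step 2: for each third-party access, list every account that was
    connected through that exit address at that moment. `slack` absorbs
    clock drift between the two log sources. An exit IP is shared, so a
    single access usually yields more than one candidate."""
    results = {}
    for ts, seen_ip, _who in access_log:
        t = parse_ts(ts)
        hits = set()
        for acct, _src, exit_ip, start, end in conns:
            if exit_ip == seen_ip and parse_ts(start) - slack <= t <= parse_ts(end) + slack:
                hits.add(acct)
        results[ts] = sorted(hits)
    return results


def intersect_candidates(cands):
    """Step 3: only an account present in every access window survives."""
    sets = [set(v) for v in cands.values()]
    if not sets:
        return []
    return sorted(set.intersection(*sets))


if __name__ == "__main__":
    cands = candidate_accounts(VPN_CONNECTIONS, MAIL_ACCESS_LOG)
    for ts, accts in cands.items():
        print(ts, "->", accts)              # the 18:35 access is ambiguous on its own
    survivors = intersect_candidates(cands)
    print("account present in every window:", survivors)
    print("source IPs for that account:", source_ips_by_account(VPN_CONNECTIONS)[survivors[0]])
```

Note what each side contributes: the VPN's records never say which email account was touched, and the mail provider's records never say which VPN customer was behind the shared exit address. Either log alone is inconclusive; the join is what identifies the account, which is why "no activity logs" does not mean "no attributable metadata".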
None of this is to downplay the importance of metadata. The mass metadata collection by the NSA was offensive because of its scale and the fact that innocent people were affected. That doesn't seem to be the case here.
Are VPNs Trustworthy?
It's also very important to remember that no security tool is a magic bullet, and that a well-resourced, targeted attack or investigation will almost always succeed. VPNs are best at hiding the contents and destinations of your traffic from whoever controls the local network or your ISP, and at replacing your source address with the provider's so that your information isn't swept up in mass surveillance efforts. The provider itself still sees your real source address and when you connected. If investigators are already looking at you as a suspect, and have access to other evidence, these protections are already moot.
In the case of PureVPN, it doesn't appear that the company breached the trust of its users — not even Lin, who was allegedly using the service for criminal acts. I will be reaching out to the company for clarification (and will update as necessary), but to me this sounds like a best-case scenario. A criminal, a specific individual, was targeted for investigation, and a technology company handed over the limited information it had.
I don't want to come off as purely a PureVPN defender. Rather, I want a modicum of calm and understanding around security tools. The internet was not built with privacy and security in mind, which puts the onus on users to protect themselves. We can't be afraid of these tools, and we all must learn what they do, and how to best put them to use.