PureVPN Hands Over IPs to FBI to Catch Cyberstalker

FrgMstr

Generally when you use a paid-for VPN service, you would think that your data is kept private, but like we saw last week, that is not always the case. Torrent Freak has a very detailed write-up on everything that transpired. PureVPN coughed up the raw IP addresses of user(s) in order to catch a nasty cyberstalker. PureVPN has made a statement as to what exactly it did.

The Story Unfolds - We have a well-documented, proactive stance on cyberstalking. Several organizations have appreciated and applauded our stance in the recent past, which is a source of pride for us. Having said that, a recent cyber stalking incident was extensively reported in leading tech publications, where a certain individual was arrested on suspicion of masterminding a cyberstalking campaign against a young woman and her family.


While I think that all of us non-scumbags can get on the side of wanting to do away with predatory cyberstalking shitstains, it sort of makes you wonder what information will be coughed up next when you get called a cyberstalker by "accident."

Finally, VPN users should not be evil. There are plenty of good reasons to stay anonymous online but cyberstalking, death threats and ruining people’s lives are not included. Fortunately, the FBI have offline methods for catching this type of offender, and long may that continue.
 
Nothing is secure, nothing is private. We have to realize this in the world we live in today. We are powerless against nation states and if you do something to piss off the wrong people that's all she wrote. Trust no one.
 
Definitely mixed feelings about this. If I pay for this service I would expect my information to be private as the name dictates. However, I also see the value in providing information to authorities to stop predators. Problem is, how far is this allowed to go? Does the RIAA get to start petitioning for user information? Because fuck that.
 
The internet was founded on anonymous access.

VPN service is basically used to hide your identity. Otherwise why bother using it? Any VPN service that maintains logs is operating against the reason people are buying their service.

Goodbye PureVPN.
 
Well it's pretty clear a VPN company shouldn't share customer info for small infractions against the law. Only big ones like rape, murder, child abuse, drug trafficking, saying anything offensive (cause that's a hate crime), or treasonous activities like disagreeing with whichever party is running the government.

No, I'm not a paranoid whack job. The point I'm making is where do you draw the line, and who gets to draw it?
 
Reset my password from forever ago to specifically suggest people read Martin Niemöller's "First they came for the Socialists", but beaten to it!
 
Remember the days when breach of trust like this would lead to the person being hung drawn and quartered?

But now we're civilized and have laws that the government, corporations, illegals and famous don't have to heed.
 
The internet was founded on anonymous access.

VPN service is basically used to hide your identity. Otherwise why bother using it? Any VPN service that maintains logs is operating against the reason people are buying their service.

Goodbye PureVPN.

VPN Service is used to connect two endpoints together in a "Virtual Private Network". Nothing more, nothing less. VPN in no way hides your identity.
 
VPN Service is used to connect two endpoints together in a "Virtual Private Network". Nothing more, nothing less. VPN in no way hides your identity.
hiding your ip address hides your identity. VPN also encrypts the data from the source to the end point.
The only one who knows your identity in a VPN are the parties keeping logs.
 
Definitely mixed feelings about this. If I pay for this service I would expect my information to be private as the name dictates. However, I also see the value in providing information to authorities to stop predators. Problem is, how far is this allowed to go? Does the RIAA get to start petitioning for user information? Because fuck that.
So this is why even really bad people are protected by the Constitution, why they get a trial by jury of peers, why they are afforded the rights of those who are not bad people. Granted this is a private company, but damnit if that slope isn't slippery as all fuck.

IMO, if the VPN has a ToS that specifically outlines what activity they will turn your ass over for, i.e. kiddy porn, cyber stalking, etc then great, unfortunately many of them do so in a very generic way "if you do any illegal activities" although they often say they have the right to cancel your services, not that "we'll rat your ass out"
 
hiding your ip address hides your identity. VPN also encrypts the data from the source to the end point.
The only one who knows your identity in a VPN are the parties keeping logs.

This is completely incorrect. It encrypts the data from the source to the _VPN_ endpoint which isn't necessarily the endpoint of where the traffic is going. It does NOT encrypt the originating IP address for the vpn tunnel itself, either. This is also assuming your "vpn provider" doesn't use some weak encryption or other protocol.
 
This is completely incorrect. It encrypts the data from the source to the _VPN_ endpoint which isn't necessarily the endpoint of where the traffic is going. It does NOT encrypt the originating IP address for the vpn tunnel itself, either. This is also assuming your "vpn provider" doesn't use some weak encryption or other protocol.
sigh, from your connection to the vpn service it's encrypted. From the vpn outgoing ip to the destination it can be encrypted by https.
Besides man in the middle attacks for https and compromised ssl certs, it's more secured than what you can normally get.
The service provider for your vpn is always the weak point in being compromised.
 
So that would deter me from using pure and perhaps any others that do that shenanigans.

Why do I pay u guys?
 
sigh, from your connection to the vpn service it's encrypted. From the vpn outgoing ip to the destination it can be encrypted by https.
Besides man in the middle attacks for https and compromised ssl certs, it's more secured than what you can normally get.
The service provider for your vpn is always the weak point in being compromised.

You -> VPN -> https server site is just encrypted twice. Two sets of remote people you have to trust completely.
You -> https site is encrypted once.
No practical difference except with VPN you get two layers of encryption but have 2 points of possible (trust) failure.

You -> VPN -> https only changes your "source ip" in the packet header, which is still very traceable even without the VPN provider's help if the company looking at you (eg: law enforcement) is able to put taps &/or do some traffic analysis on either side of the vpn provider (inbound/outbound). They also do just what happened in this case and simply ask the vpn provider to give you up.

VPN buys you encrypted payload (which https does anyhow). It does not by any stretch of the imagination make you anonymous.

The real value of VPN is to make a Virtual Private Network for packet payload for _ALL_PROTOCOLS_ not just an already encrypted one. If you want to change your source ip address and be "anonymous" you'd be better off using TOR.
 
Well it's pretty clear a VPN company shouldn't share customer info for small infractions against the law. Only big ones like rape, murder, child abuse, drug trafficking, saying anything offensive (cause that's a hate crime), or treasonous activities like disagreeing with whichever party is running the government.

No, I'm not a paranoid whack job. The point I'm making is where do you draw the line, and who gets to draw it?

While I hear you, I think this line is clearly drawn at the moment the service is paid for. Citing PureVPN's service agreement we find "You specifically agree not to: Use our Website and/or Services to harm, threaten, 'stalk' or otherwise harass another person/business;".

The customer drew the line with their money, and then crossed it.
 
While I hear you, I think this line is clearly drawn at the moment the service is paid for. Citing PureVPN's service agreement we find "You specifically agree not to: Use our Website and/or Services to harm, threaten, 'stalk' or otherwise harass another person/business;".

The customer drew the line with their money, and then crossed it.

If you're a minority or gender non-binary they'll probably go easy on you for doing that stuff. After all, only straight white men can be racist and abuse their privilege and deserve to be punished.
 
PureVPN will pay for this themselves in loss of subscriptions I suspect. I don't use PureVPN, I use two others, ExpressVPN and PIA. I'm planning on taking a close look at their policies. What I don't understand is why keep any logs at all? Unless it's for this exact reason of course. I don't believe this whole "monitoring of network performance" bullshit. You don't need to log IP address for that whatsoever.

It's not that I think this scumbag should go free. He shouldn't, he's a scumbag. But to say they only keep network logs and that somehow keeps you private is bullshit. All the feds have to do is get the end site to cough up your IP and then tallying up your VPN->Direct IP is just a formality. It totally negates the idea of the VPN. Your traffic is already strongly encrypted with https (or should be), what's the point in encrypting it twice.

Let's say you're using a VPN for viewing porn that your own government deems illegal. That's not that crazy a thought since governments are cracking down on stuff that they shouldn't be these days. BDSM and rape fantasies for example. All the police need to do is get your IP, what's to stop PureVPN rolling over and giving up those IP addresses?

Something tells me it's going to be a depressing Christmas for the peeps at PureVPN.
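
As an added illustration (not part of any post in this thread), here is the tally described in the post above: a destination site's access log joined against a provider's connection-only log. The accounts, addresses, timestamps and log layout are all constructed assumptions, not PureVPN's actual records or format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed connection-only log: no URLs, no payloads, just session metadata.
# (account, customer source IP, shared exit IP, session start, session end)
VPN_SESSIONS = [
    ("acct-A", "192.0.2.10", "203.0.113.5", "2017-10-01 09:00", "2017-10-01 11:00"),
    ("acct-B", "192.0.2.77", "203.0.113.5", "2017-10-01 10:30", "2017-10-01 12:00"),
    ("acct-C", "192.0.2.91", "203.0.113.5", "2017-10-01 13:00", "2017-10-01 14:00"),
    ("acct-A", "198.51.100.23", "203.0.113.5", "2017-10-02 20:00", "2017-10-02 21:00"),
]

# Constructed access log of the destination site: it only ever sees the exit IP.
# (timestamp, source IP as seen by the site)
SITE_HITS = [
    ("2017-10-01 10:45", "203.0.113.5"),
    ("2017-10-01 09:15", "203.0.113.5"),
    ("2017-10-02 20:30", "203.0.113.5"),
]


def _ts(text):
    return datetime.strptime(text, FMT)


def candidates(hit, sessions):
    """(account, real source IP) pairs that held the exit IP at the time of the hit."""
    when, exit_ip = _ts(hit[0]), hit[1]
    return {
        (account, source_ip)
        for account, source_ip, session_exit, start, end in sessions
        if session_exit == exit_ip and _ts(start) <= when <= _ts(end)
    }


def accounts_matching_all(hits, sessions):
    """Accounts that were connected during every hit; repeated activity narrows the set."""
    per_hit = [{account for account, _ in candidates(hit, sessions)} for hit in hits]
    return set.intersection(*per_hit) if per_hit else set()


def source_ips(account, hits, sessions):
    """Real source addresses the connection log ties to one account across the hits."""
    found = set()
    for hit in hits:
        found |= {ip for acct, ip in candidates(hit, sessions) if acct == account}
    return sorted(found)


if __name__ == "__main__":
    # A shared exit IP leaves one hit ambiguous between two accounts...
    print(candidates(SITE_HITS[0], VPN_SESSIONS))
    # ...but three hits leave a single account and both of its source addresses.
    print(accounts_matching_all(SITE_HITS, VPN_SESSIONS))
    print(source_ips("acct-A", SITE_HITS, VPN_SESSIONS))
    # With no connection log retained, the same join resolves nothing.
    print(accounts_matching_all(SITE_HITS, []))
```

A shared exit address makes any single hit ambiguous, which is why the retention of session timestamps and source addresses is the detail to look for in a provider's logging policy.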
 
PureVPN is not one of those known to be primarily privacy/security focused and this kind of thing is exactly why they shouldn't be given our business. To many in the privacy community, "No logging" means exactly that - absolutely no logs kept beyond the bare minimum to provide service and those are anonymous and trashed ASAP. PureVPN meant it as "we don't watch what you're doing" and frankly, that's bullshit. I didn't look at their site before, but at least now they're honest about the "No logging of your activities" - I'd rather have them be forthcoming than not, but this kind of behavior instantly excludes them from my patronage.

Regarding the particular case, the guy very well could be a scumbag, but frankly the way PureVPN handled it is worrisome. Now, EVERY legal VPN provider has to by law provide assistance to law enforcement if given a legit subpoena for their jurisdiction. What's really worrisome about this is that from my understanding, PureVPN is registered/located from a legal standpoint in Hong Kong - they volunteered to cooperate with the FBI - it wasn't like they got a legal HK or even Chinese subpoena locally! PureVPN had every right to terminate this guy's account if he was using their services for cyberstalking as it's against their TOS, but to not only retain information but to voluntarily assist a government - a foreign government - without legal compulsion? Unacceptable. From the story reported on TorrentFreak (and the details linked to an earlier story with more info on the case) it wasn't like they would not have been able to build a case without PureVPN's info - he was the prime suspect because of real-world stalking stuff and he also made some tracks online (and lo and behold, Google Chrome is involved).

I'm of the belief that a truly privacy/security focused VPN should have policies and tech that do as much to provide privacy and anonymity as possible while cooperating with authorities only when compelled by law (and minimally so). Otherwise, you open the floodgates to a host of problems. Sadly there are relatively few VPN providers today that operate anywhere near an ideal level, technically or in terms of policy. Worse, all of the high profile hacks and leaks have meant that lots of "joe users" are interested in a VPN for the first time (as well as things like regional blocking of streaming media), leading lots of unscrupulous security theater VPN companies to pop into being.

I have been meaning to subscribe to a VPN again soon - this reminds me to do a "deep dive" into checking which are worthwhile. For those interested in VPN service, I suggest looking into CryptoStorm, AirVPN, Proxy.sh, the new ProtonVPN and a few others - check out privacytools.io. They have a good "starter" list, but not everything there is equal!
 
Even more worrying is to what extent this VPN provider had assisted Chinese authorities. They wouldn't be so proud, or even allowed to comment on that though. And we all know of all these cases of 'enforced disappearances' in China. (And also in the US. Just look up 'encouragement to return to their homeland'.)
 
hiding your ip address hides your identity. VPN also encrypts the data from the source to the end point.
The only one who knows your identity in a VPN are the parties keeping logs.
This is irrelevant. The purpose of encryption is not meant to hide identity but merely protect integrity. I can VPN to my corporate network, does that mean there's an inherent expectation that my identity is concealed when doing so? People started exploiting VPNs for their unique ability to hide their identity but this is just being results oriented, that is not the intent nor design of a VPN.

The only argument here is if PureVPN expressly stated that they don't collect connection logs. Being a VPN in no way implies that they do or should. Your own ISP could suddenly stop collecting logs and it'd have the same value as a VPN.
 
You -> VPN -> https server site is just encrypted twice. Two sets of remote people you have to trust completely.
You -> https site is encrypted once.
No practical difference except with VPN you get two layers of encryption but have 2 points of possible (trust) failure.

You -> VPN -> https only changes your "source ip" in the packet header, which is still very traceable even without the VPN provider's help if the company looking at you (eg: law enforcement) is able to put taps &/or do some traffic analysis on either side of the vpn provider (inbound/outbound). They also do just what happened in this case and simply ask the vpn provider to give you up.

VPN buys you encrypted payload (which https does anyhow). It does not by any stretch of the imagination make you anonymous.

The real value of VPN is to make a Virtual Private Network for packet payload for _ALL_PROTOCOLS_ not just an already encrypted one. If you want to change your source ip address and be "anonymous" you'd be better off using TOR.

All in all you need WAY more than just a VPN to be anonymous, you also need more than TOR, both however do play a role in it, along with browsing habits, browser settings and a host of other things. What I think people don't understand is there is being anonymous and there is being anonymous to people who are actually looking.

I TOTALLY agree about the trust thing and most VPNs don't give lots of details on this and even if they do, you just have to take them at their word, this also assumes that if some court order came across would they start logging your account even if they didn't keep logs as a normal function of business, they could always start. And TOR is a good resource, but the nodes are well known by government and is said with some work, possible to find out who and where the connection is coming from, another reason TOR should not be used without a VPN as well. Given enough time and resources, just about anyone can be tracked, even if you did everything just right, the question is are you worth that trouble to them?
 
I don't know enough about VPNs...but it seems like they're a solution for my needs. All I want is the ability to use the legitimate streaming services I've purchased when I have down-time in overseas locations. I cannot use Netflix if I'm outside the US. I'd like to...since I bought access to it. I don't expect privacy. It is the internet.
 
I don't know enough about VPNs...but it seems like they're a solution for my needs. All I want is the ability to use the legitimate streaming services I've purchased when I have down-time in overseas locations. I cannot use Netflix if I'm outside the US. I'd like to...since I bought access to it. I don't expect privacy. It is the internet.

Netflix blocks VPNs.

Some might not be detected, but that is something you will want to make sure of first, and that can always change over night.
 
IMO, if the VPN has a ToS that specifically outlines what activity they will turn your ass over for, i.e. kiddy porn, cyber stalking, etc then great, unfortunately many of them do so in a very generic way "if you do any illegal activities" although they often say they have the right to cancel your services, not that "we'll rat your ass out"

Another problem is that what constitutes legal/illegal activity is constantly changing, as regulatory agencies have been given the power to redefine activities as legal or illegal. What I am doing today may be perfectly legal, but at the whim of a bureaucrat, be illegal tomorrow.
 
The reasoning behind keeping logs is probably because they don't want creeps like this on their service. The problem with that obviously is that they're keeping logs now on everyone and their VPN is really not private at all. This is kind of like if the Government decides to monitor all of its citizens just to find a couple of rotten eggs (to which they're currently doing already). Is it worth it?

This country lost its Privacy long ago when we gave up giving fucks and just want everything spoon fed. Here comes the airplane!
 
This is irrelevant. The purpose of encryption is not meant to hide identity but merely protect integrity. I can VPN to my corporate network, does that mean there's an inherent expectation that my identity is concealed when doing so? People started exploiting VPNs for their unique ability to hide their identity but this is just being results oriented, that is not the intent nor design of a VPN.

The only argument here is if PureVPN expressly stated that they don't collect connection logs. Being a VPN in no way implies that they do or should. Your own ISP could suddenly stop collecting logs and it'd have the same value as a VPN.
The point of encryption is so that people can't read your packets. Period.
You log into the corporate network. They know your identity, same as when you log onto any vpn service. Your isp can only see that you connected to some endpoint but your packets are unreadable (without a lot of work) therefore they can't tell if you're accessing your work email or watching kiddie porn.

If you wanted only to protect integrity, there would be something else like a checksum used to verify authenticity. But to my knowledge there's no such thing.

Encryption by itself doesn't hide identity. A VPN is encryption with a different origination ip. The site you want to connect to can only see the VPN service's ip address. From that standpoint, it does indeed hide your identity for some part. There's practically no such network that allows you to be totally anonymous, not even TOR (with its compromised nodes and the fact that each node records logs).

ISPs are compromised already. Even if they didn't collect logs, your packets would be readable as well.
 
You -> VPN -> https server site is just encrypted twice. Two sets of remote people you have to trust completely.
You -> https site is encrypted once.
No practical difference except with VPN you get two layers of encryption but have 2 points of possible (trust) failure.

You -> VPN -> https only changes your "source ip" in the packet header, which is still very traceable even without the VPN provider's help if the company looking at you (eg: law enforcement) is able to put taps &/or do some traffic analysis on either side of the vpn provider (inbound/outbound). They also do just what happened in this case and simply ask the vpn provider to give you up.

VPN buys you encrypted payload (which https does anyhow). It does not by any stretch of the imagination make you anonymous.

The real value of VPN is to make a Virtual Private Network for packet payload for _ALL_PROTOCOLS_ not just an already encrypted one. If you want to change your source ip address and be "anonymous" you'd be better off using TOR.
Yeah no. The real value of a VPN is to hide your originating IP address so that you can seem to be from a different country for content filters (ex: netflix), bandwidth throttling (any service that throttles and or when there are bad primary interconnects), your ip being banned (any forums or service), and yes, hiding your ip (in the case of torrents for example).
At least those are the benefits for using a VPN service. For work or for home it's all about encrypting the data between the two endpoints. The level of security you get when using a public wifi/public network with a VPN can't be understated.
 
I guess i'm old, but what is a cyber stalker?
Someone who bothers someone who can't be bothered to block the person or shut off their computer/phone.
It's the old targeted prank caller.
There are varying degrees to which this happens. Unfortunately the details on what he/she actually did to warrant having their information sent to the authorities without them requesting it was missing from the article.
 
The real value of a VPN is to hide your originating IP address so that you can seem to be from a different country for content filters
No no no and no. This is NOT the intent of a VPN. That is just a side effect given the design of a VPN.
 
No no no and no. This is NOT the intent of a VPN. That is just a side effect given the design of a VPN.
Regardless of intent, this is how they're being used and sold/marketed as. Bypassing content filters is a huge use of VPNs.
 
VPNs can be used for a variety of reasons, but it is important to note that VPN provider services tend to advertise and highlight certain features. After all, there's a big difference between setting up a VPN into a company intranet or one's home server, versus buying VPN services from a provider - especially one that claims it will give you additional privacy/security/anonymity, keeps no logs, has many endpoints, and additional technology meant to obfuscate your activity.
 
claims it will give you additional privacy/security/anonymity, keeps no logs, has many endpoints, and additional technology meant to obfuscate your activity.
This is a bit of a misnomer though. People assume the definition of privacy is to pirate things. It's not. The privacy element of a VPN is meant to protect you from outside intruders, such as hackers. That's why VPNs were created, to establish a secure tunnel to a specific network that can't be spied on by an outside attacker. A federal agency walking in the front door is an entirely different element.
 