News broke this week that VPN provider PureVPN is lying to consumers about how it keeps logs, specifically claiming it doesn’t log when it actually does. The story serves as an urgent reminder that research and common sense must be used in order to select a credible virtual private network (VPN) service.
The story involves a cyberstalker in the US named Ryan Lin who is accused of harassing, cyberbullying and hacking into his victim’s account. Local police were unable to catch a break in the case, as Mr. Lin used a combination of privacy tools to cover his tracks including Protonmail, TOR and VPN services. The case was passed to the FBI, who were subsequently able to recover a computer from Lin’s former employer and put together trace data which showed that Mr. Lin had been using PureVPN. The FBI then approached PureVPN to help in the investigation.
- Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.
- “We do NOT keep any logs that can identify or help in monitoring a user’s activity.”
- “That’s why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities.”
When compared to information cited in the FBI’s reporting on the criminal investigation, however, PureVPN’s claims appear to be false:
- “Further, records from PureVPN show that the same email accounts — Lin’s Gmail account and the teleprtfx Gmail account — were accessed from the same WANSecurity IP address.”
- PureVPN determined “that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.”
So exactly how was the FBI (working with PureVPN) able to ascertain these details? The answer is simple – PureVPN logs, and their logs tell a story. The logs revealed how within the span of minutes, the same VPN IP address had logged into Lin’s real Gmail address, another Gmail address used for some of the threats, and a Rover.com account Lin created. PureVPN was later able to link the activity with Lin’s home and work IPs – which would have been impossible if they did not have any logs.
This latest incident again illustrates the importance of selecting a VPN provider you can trust. Although many providers promise “no logs,” it’s nearly impossible to run a VPN service without doing at least a minimal amount of logging, so be very wary of this claim. Additionally, providers who promise impossibilities like “complete anonymity” are probably stretching the truth elsewhere, as evidenced by what just happened with PureVPN. So far, there has been no comment from PureVPN as to the recent developments.