PureVPN, a Hong Kong-based VPN service provider, handed over its extensive user logs to the FBI and aided in tracking down an Internet stalker by revealing his IP address.
On October 6th, the Department of Justice announced the arrest of one Ryan Lin, a 24-year old man from Newton, Massachusetts, charged with cyber-stalking his former roommate.
According to the official complaint filed with the Massachusetts District Court, Lin led a stalking campaign against one Jennifer Smith, which included doxxing (exposing her passwords to several online accounts), going through her personal journal and sending private information to her email contacts, posting private photos suggesting they were of Smith (although the face was omitted), posting Smith’s fake profiles on websites dedicated to sexual fetishes, prostitution, and other sexual acrobatics, sending bomb, rape, and death threats, sending lewd images to her family, and tricking her friend into calling the police at her home address.
FBI officials stated that Lin utilized various online privacy services, including VPNs, Tor (to hide his IP address), anonymized international texting services, and private offshore email providers. His essential error was using his work computer for a part of his stalking campaign. Even though he reinstalled the OS, there were still enough footprints left for a successful investigation. Lin’s campaign against Smith lasted for 16 months.
The main clues discovered by the investigation include records provided by PureVPN, which indicated that the same email accounts (teleptfx Gmail account and Lin’s Gmail account) were used from the same WANSecurity IP address. The FBI stated that PureVPN was able to determine access to its service by the same customer with two originating IP addresses (allegedly from work and home). According to Lin’s tweets, he was perfectly aware of the risk of data monitoring and recording by VPN providers. He also tweeted a critique of IPVanish, claiming that all VPNs keep logs:
“There is no such thing as a VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”
If Lin is declared guilty, he will have to spend up to 5 years in prison, followed by up to 3 years of supervised release.
So, PureVPN succeeded where the FBI failed. It tracked Lin’s IP address, allowing the Federal Bureau to make the arrest. Its privacy policy clearly states that the company will hand over user data to the authorities when provided with a valid warrant, subpoena, and other legal documents. Provided, of course, it possesses logs of the requested user activity.