
PureVPN Logs Helped FBI Net Alleged Cyberstalker - sparklemarkle
https://torrentfreak.com/purevpn-logs-helped-fbi-net-alleged-cyberstalker-171009/
======
nikcub
The criminal complaint has a lot more information[0] in what is a much deeper
and involved story that this headline doesn't really do justice to. Lin had
stalked her in person for over a year with a host of incidents - the affidavit
is almost 30 pages long and the story is stunning.

She had a laptop in her room with no login and a file containing passwords.
The accused stole all of her account details and taunted her in person using
information she had written in a private journal that she hadn't shared with
anybody.

He was also using his work computer to access her iCloud, Google Drive, etc.
and then send bomb threats, child porn, personal diary entries and sexually
explicit photos to her contacts, school and family.

After he was fired he wanted access to that computer, which his employer
refused. They reformatted the drive but the FBI picked it up and found all of
these artifacts on that machine (including the PureVPN software and account).

This is a case where the FBI have started with a suspect and then worked
backwards to build a criminal complaint. In those cases it is much easier to
look at his financial records, find that he paid for a VPN service, subpoena
the VPN provider for account records, and then link that VPN account and
service with IP access as another data point for the criminal complaint.

In this case it was even easier - they had the VPN provider and account
details, along with a host of other evidence, on his computer.

This isn't a case of starting with an IP address and then working back through
a haystack to find a suspect - but rather affirming a link that was suspected,
and found, to exist.

He didn't compartmentalize his real identity from his psycho stalker identity,
and this combined with the accused horrible real-world behavior is what lead
to his arrest.

[0] [https://www.justice.gov/opa/press-release/file/1001841/downl...](https://www.justice.gov/opa/press-release/file/1001841/download)

~~~
ransom1538
Thanks for that link, it's interesting to see how the FBI operates. What
always confuses me is how liberally the feds use "Wire Fraud" 1343. In the
report I don't see evidence of Lin trying to obtain money fraudulently through
the internet cabling. But over and over I see "Wire Fraud" 1343 tacked on if
there are any computer-abuse-type charges. It must be _super_ easy to get a
conviction of Wire Fraud (/ impossible to defend yourself).

~~~
tinus_hn
Wire fraud requires either a ‘scheme to defraud’ or ‘obtaining money or
property by fraudulent pretenses’. So the money part is not required.

If proven it’s just an easy way to get higher sentences and thus more leverage
in making plea deals.

~~~
ransom1538
"Whoever, having devised or intending to devise any scheme or artifice to
defraud, or for obtaining money or property by means of false or fraudulent
pretenses, representations, or promises, transmits or causes to be transmitted
by means of wire, radio, or television communication in interstate or foreign
commerce, any"

It must be for property or money. I am not following. When did Lin try to gain
money or property using fraud? It just doesn't make sense to 'throw on wire
fraud' - the charge in the US is more serious than rape or kidnapping.

[https://www.law.cornell.edu/uscode/text/18/1343](https://www.law.cornell.edu/uscode/text/18/1343)

~~~
JumpCrisscross
It’s a criminal complaint. Also, “having devised or intending to devise any
scheme or artifice to defraud, or for obtaining money or property by means of
false or fraudulent pretenses” parses as a “any scheme or artifice to defraud”
_or_ the obtaining of money or property. The three part test is intent, a
“wire” ( _i.e._ Internet) communication and that “or” test. He intentionally
logged into her Internet accounts, and sent emails from them, while
fraudulently claiming to be her.

 _Disclaimer: I am not a lawyer. This is not legal advice nor advice of any
kind. Do not commit wire fraud._

------
tristanj
Better article with plausible explanation of how he was tracked:
[https://torrentfreak.com/purevpn-logs-helped-fbi-net-alleged...](https://torrentfreak.com/purevpn-logs-helped-fbi-net-alleged-cyberstalker-171009/)

> PureVPN's Privacy Policy: We do NOT keep any logs that can identify or help
> in monitoring a user's activity.

> TorrentFreak: However, if one drills down into the PureVPN privacy policy
> proper, one sees the following:

> _Our servers automatically record the time at which you connect to any of
> our servers. From here on forward, we do not keep any records of anything
> that could associate any specific activity to a specific user. The time when
> a successful connection is made with our servers is counted as a
> ‘connection’ and the total bandwidth used during this connection is called
> ‘bandwidth’. Connection and bandwidth are kept in record to maintain the
> quality of our service. This helps us understand the flow of traffic to
> specific servers so we could optimize them better._

> TorrentFreak: This seems to match what the FBI says - almost. [followed by
> further explanation]

~~~
ericfrederich
Thanks for that link. I currently use IPVanish. Maybe I should switch since
this guy who got caught was publicly criticizing them.

~~~
m3rc
The VPN he was using honestly would have been fine to protect you from
dragnet-style surveillance, but he was specifically targeted by the FBI. By the
time the FBI opens a case against you, you're most likely totally fucked,
regardless of what software you use.

------
jaclaz
>even though this had been formatted after his employment was terminated, the
FBI was still able to gather data from the hard drive.

Usual misinformation: the company only reinstalled the Windows Operating
System (clearly without reformatting the volume(s)), as in the affidavit:

regmedia.co.uk/2017/10/08/lin_complaint_pacer.pdf

(point 37, page 16).

Also, according to the affidavit, what actually comes out from PureVPN is only
that the same user connected to them from two different IPs, corresponding to
home/work of the suspect. (point 52, page 22)

And that some traces of use of PureVPN were found in (the unallocated space
of) the work computer. (point 58, page 24)

Simplified, IMHO 99% (maybe 99.99%) of the case is based on non-PureVPN
derived evidence.

~~~
roywiggins
Are you sure reinstalling Windows doesn't involve reformatting? Reformatting
doesn't usually mean you zero out the drive.

~~~
Crosseye_Jack
If you try and install Windows onto a drive that Windows is already installed
on and basically just click through Next through the installation process, then
setup will tell you:

> "If the partition you've chosen contains files from a previous Windows
> installation, these files will be moved to a folder named Windows.old"

If you then click OK, Setup will create a Windows.old folder, move the old
Windows dir and user dir to Windows.old, and then install as normal.

If you delete the existing partition during the setup (or it's a fresh drive),
Setup needs to create new partition(s) and will do it automatically if you
wish, after which it will do a quick format.

EDIT: Reading the pdf they point to, it states that the OS was reinstalled,
leading to data deletion, but they were able to find various artifacts in
unallocated space. So they may or may not have formatted the drive, but most
likely at least deleted the partition, but even a full format doesn't zero out
the drive (unless you give format.exe the /p: argument).

~~~
jaclaz
>but even a full format doesn't zero out the drive (unless you give format.exe
the /p: argument).

A "normal", "full" format will wipe the volume; the /P command is implied
unless /Q is specified (since Vista, but previous versions didn't have the /P
at all). The /P:count parameter is there to additionally (why?) do it a number
of times, using _random_ characters:

[https://ss64.com/nt/format.html](https://ss64.com/nt/format.html)

> /P:count Zero every sector on the volume. After that, the volume will be
> overwritten "count" times using a different random number each time. If
> "count" is zero, no additional overwrites are made after zeroing every sector.
> This switch is ignored when /Q is specified.

More clear here:

[https://www.lifewire.com/format-command-2618091](https://www.lifewire.com/format-command-2618091)

> /p:count = This format command option writes zeros to every sector of the
> drive: once. If you specify a count, a different random number will be written
> to the entire drive that many times after the zero writing is complete. You
> can not use the /p option with the /q option. Beginning in Windows Vista, /p
> is assumed unless you use /q [KB941961].

~~~
Crosseye_Jack
I stand corrected, I was going off [https://technet.microsoft.com/en-us/library/cc730730(v=ws.11...](https://technet.microsoft.com/en-us/library/cc730730(v=ws.11).aspx)
which doesn't state that /p is implied unless /q is given. But yeah, that
lifewire link gave the KB number to the change of behaviour notice:
[https://support.microsoft.com/help/941961/](https://support.microsoft.com/help/941961/)

~~~
jaclaz
Yep, no prob, I also posted a link to that kb above (but maybe it was posted
after your post and went above your reply because it was a direct reply to
roywiggins' post).

Anyway, I wanted to also highlight how, since the company where he worked was
specifically a "software company" (I mean not a mom and pop shop around the
corner or similar), the IT guys over there should have wiped the disk anyway,
possibly using the SecureErase ATA command (which also wipes disk areas that
are not normally accessible); it should be "standard" procedure.

------
Santosh83
The fundamental structure of the Internet is not designed for anonymity.
That's why this is ultimately a losing battle. Strong anonymity needs a
different network structure and transport protocols, and trusted, open
hardware and software stacks from the ground up. A chink anywhere can be used
to insert malware and track/target users. The existing networks and stacks are
impossibly hard to secure, and it is impossible to plug all the holes.

~~~
eternalban
> The fundamental structure of the Internet is not designed for anonymity.

Precisely so. It would not have been approved for general public use if that
was not the case.

------
lyk
Can user account information really be called "logs?" This article misled me
into thinking PureVPN kept activity logs, but the end of the article makes it
sound like they just store an email address. Did I misread?

~~~
jstanley
I read it to mean that he accessed his GMail account while using PureVPN,
which really raises more questions than it answers because PureVPN should have
no way to know which GMail account is being accessed, regardless of what logs
they keep.

~~~
lyk
Or, you know, Google told the authorities. All I see is that PureVPN keeps the
user's email on file.

~~~
snark42
> All I see is that PureVPN keeps the user's email on file.

Also login time, connecting IP and logout time. So no traffic is stored, just
that you logged in and were connected for X amount of time.

------
grumpybear
My question is was the information from PureVPN like the statement says, or
was it misworded and about his use of the vpn? Were there actually logs or did
they match up his IP address after finding PureVPN on the computer and
obtaining the accessing IP from Google and putting them together?

~~~
giancarlostoro
All you suggest is likely it. The logs show time connected, how long and how
much bandwidth. If they knew the IP in question and timeframe based on how the
VPN keeps logs, they can ask Google a very precise question about access from
said IP and find out that they indeed were connected at x time from x IP. I
imagine with warrants and all.
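The correlation snark42 and giancarlostoro describe (connection-only records on the provider side: customer, connecting IP, assigned server, login and logout time; lined up with a web service's own login records obtained under legal process), as an added Python example that is not part of any post in this thread. It goes one step further than the posts by intersecting candidates over several observations, which is EwanToo's "2 or 3 occurrences" point; every address, account name and timestamp below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class VpnSession:
    """One provider-side connection record: no traffic content, only who
    connected, from where, to which server, and for how long."""
    customer: str    # account e-mail on file with the provider
    client_ip: str   # address the customer connected from (home, work, ...)
    exit_ip: str     # address of the VPN server, as seen by web services
    login: datetime
    logout: datetime


@dataclass(frozen=True)
class ServiceAccess:
    """One login as recorded by a web service: account, source IP, time."""
    account: str
    source_ip: str
    when: datetime


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (RFC 5737 documentation ranges); nothing here is real.
VPN_SESSIONS = [
    VpnSession("customer-a@example.org", "203.0.113.10", "198.51.100.5",
               _t("2017-01-10T09:00"), _t("2017-01-10T12:00")),
    VpnSession("customer-b@example.org", "203.0.113.77", "198.51.100.5",
               _t("2017-01-10T10:30"), _t("2017-01-10T11:00")),  # overlaps a
    VpnSession("customer-a@example.org", "203.0.113.20", "198.51.100.9",
               _t("2017-01-12T19:00"), _t("2017-01-12T23:00")),  # other client IP
]
ACCESS_LOG = [
    ServiceAccess("personal-mailbox", "198.51.100.5", _t("2017-01-10T10:45")),
    ServiceAccess("pseudonym-mailbox", "198.51.100.5", _t("2017-01-10T10:50")),
    ServiceAccess("personal-mailbox", "198.51.100.9", _t("2017-01-12T20:00")),
    ServiceAccess("pseudonym-mailbox", "198.51.100.9", _t("2017-01-12T21:15")),
    ServiceAccess("unrelated-mailbox", "192.0.2.44", _t("2017-01-12T21:20")),
]


def candidates(access: ServiceAccess, sessions: Iterable[VpnSession]) -> Set[Tuple[str, str]]:
    """Customers (with their connecting IP) whose session covered this access:
    same exit address and login <= access time <= logout. A shared server at
    a busy hour yields several candidates, so one hit is rarely conclusive."""
    return {(s.customer, s.client_ip) for s in sessions
            if s.exit_ip == access.source_ip and s.login <= access.when <= s.logout}


def narrow(accesses: Iterable[ServiceAccess], sessions: Iterable[VpnSession]) -> Dict[str, Set[str]]:
    """Per service account, intersect the candidate customers across all of its
    observed accesses; each extra observation shrinks the set. Accesses from
    addresses that are not a VPN exit contribute nothing."""
    result: Dict[str, Set[str]] = {}
    for a in accesses:
        names = {customer for customer, _ in candidates(a, sessions)}
        if names:
            result[a.account] = result[a.account] & names if a.account in result else names
    return result


def linked_accounts(accesses: Iterable[ServiceAccess], sessions: Iterable[VpnSession]) -> Dict[str, Set[str]]:
    """Invert the narrowed mapping: service accounts that resolve to exactly
    one customer, grouped by that customer. Two mailboxes landing on the same
    customer is the kind of link the affidavit excerpt quoted above describes."""
    out: Dict[str, Set[str]] = {}
    for account, customers in narrow(accesses, sessions).items():
        if len(customers) == 1:
            out.setdefault(next(iter(customers)), set()).add(account)
    return out


def client_ips(customer: str, sessions: Iterable[VpnSession]) -> Set[str]:
    """Connecting addresses seen for one customer (jaclaz's home/work point)."""
    return {s.client_ip for s in sessions if s.customer == customer}
```

The first two accesses alone leave two candidates, because two customers shared the same exit at that hour; the later pair on a second server is what collapses both mailboxes onto one customer.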

------
mwulfe
This is an email response to Daily Beast journo Joseph Cox (formerly of Vice):
[https://twitter.com/josephfcox/status/916321986174996480](https://twitter.com/josephfcox/status/916321986174996480)

Even if they acted on a subpoena, it means they had the logs nonetheless.
Which still makes them liars and they are deceiving their customers.

I believe choosing a trustworthy vpn is an actual challenge.

The fact that this nut-job called Ryan Lin got caught is fantastic. But I want
to choose if a company has data about me or not. What if the data exchange
doesn't happen with the FBI, but with malicious individuals?

I use [https://protonvpn.com](https://protonvpn.com) and I trust it. A
transparent team with an already successful product (ProtonMail) working
towards making privacy the norm. A group of scientists, not hackers or liars.

------
rqs
> he is alleged to have used Tor, anonymized online testing services and
> PureVPN in an attempt to protect his identity

Well, a VPN can protect your privacy up to a certain degree. If you go over it,
there are always methods to dig you out, especially if the FBI is the one hunting.

The only possible way to protect your privacy is to use anonymous services like
Tor etc. But even those services can't guarantee 100% anonymity as there are
still ways to compromise them.

So, I guess just don't break the law then.

~~~
m3rc
"especially if the FBI is the one hunting" is very true. Even using TOR, I
remember a college student who made a bomb threat over TOR to get out of a
test and got caught because they were able to see the activity on the TOR
network during the time the threat was made and traced it back to his dorm.

~~~
godelski
I thought they found him because he was the only one on the campus network
accessing TOR at the time of the bomb threat. Which really says nothing about
TOR or anything else because they saw input and output, the middle might as
well be a black box. And if you really don't suspect a real bomb, and know the
traffic came through TOR, the first thing I would look for is which students
used TOR and which students had tests that day. Pretty easy to narrow that
down.

~~~
m3rc
Sure, which was exactly my point. There are a multitude of external pieces of
data that can be used to track you down if the people going after you have the
resources.

------
jstanley
> Further, records from PureVPN show that the same email accounts -- Lin's
> Gmail account and the teleprtfx Gmail account -- were accessed from the same
> WANSecurity IP address.

How would PureVPN records be able to show which GMail account he was
accessing? This will all be HTTPS.

~~~
sleepychu
If the FBI compel logs from Google, I think they can line up the accesses.

------
tvaughan
"Rather, I think the account matching described in the affidavit says the FBI
could have identified which VPNs Lin used via orders to Google, Facebook, and
other tech companies, and using that, obtained a pen register on PureVPN
collecting prospective traffic. I don’t think what is shown proves that FBI
obtained historic logs (though it doesn’t disprove it either)."

Source: [https://www.emptywheel.net/2017/10/09/purevpn-doesnt-need-to...](https://www.emptywheel.net/2017/10/09/purevpn-doesnt-need-to-keep-logs-given-how-many-google-keeps/)

------
cheez
It could be a case of they were court ordered to keep only his logs, like a
wire tap.

~~~
jstanley
That still seems to be at odds with "We do NOT keep any logs that can identify
or help in monitoring a user's activity."

If they were ordered to keep some logs, they should say "We do NOT keep any
logs that can identify or help in monitoring a user's activity, except in the
event that we have been ordered to do so."

~~~
EwanToo
I've had a quick look, the privacy policy at [https://www.purevpn.com/privacy-policy.php](https://www.purevpn.com/privacy-policy.php) says:

    Since PureVPN is committed to freedom, and doesn't support crime,
    we will only share information with authorities having valid subpoenas,
    warrants, other legal documents or with alleged victims having clear proof of any such activity.

So I think it's likely they would link connection records back to individual
users, and if you did that enough times (perhaps only 2 or 3 occurrences?),
you'd know which individual user was responsible without any detailed logs?

------
aaron695
Sounds like they didn't get it from logs but from re-constructing a hard disk?

I.e. they had a suspect, went to their employer, they gave over a laptop and
found evidence from info on the hard disk.

PureVPN doesn't/can't guarantee your own computer doesn't log stuff in memory,
cache etc. on the hard disk.

Something's missing here.

[edit]

51. specifically states how other VPNs were used to track him, then
generically says in 52. PureVPN was also used. Fits well with tristanj's
comment.

[https://regmedia.co.uk/2017/10/08/lin_complaint_pacer.pdf](https://regmedia.co.uk/2017/10/08/lin_complaint_pacer.pdf)

------
tryingagainbro
another article: _"Police in Waltham say they have identified the man
responsible for a series of bomb threats that have terrified and frustrated
the city for months."_
[http://www.bostonmagazine.com/news/blog/2017/10/06/ryan-lin-...](http://www.bostonmagazine.com/news/blog/2017/10/06/ryan-lin-waltham-bomb-threats/)

Looks like he forced the FBI to unleash hell. Let's not forget parallel
construction [https://www.reuters.com/article/us-dea-sod/exclusive-u-s-dir...](https://www.reuters.com/article/us-dea-sod/exclusive-u-s-directs-agents-to-cover-up-program-used-to-investigate-americans-idUSBRE97409R20130805)
with the NSA and other intel agencies: "It's him, now
go find evidence that will hold up in court"

------
dylz
PureVPN has a history of shilling and questionable business practices:
[https://badcode.pro/blog/ivacy-and-purevpn-rather-questionab...](https://badcode.pro/blog/ivacy-and-purevpn-rather-questionable)

------
mindcrash
Main rule in operational security: things you do not own AND cannot be
audited cannot be trusted.

In this case: run your own VPN endpoint on a security-hardened BSD or Linux
box with your own hardware (preferably in your own rackspace or at a hosting
location which is trustworthy).

You are welcome.

~~~
snark42
> run your own VPN endpoint on a security hardened BSD or Linux box with your
> own hardware

In another country where you paid with bitcoin or prepaid credit cards;
otherwise the IPs assigned to that hosted server will be associated with you
and offer zero protection from an FBI raid.

------
sleepychu
It'll be interesting to see what PureVPN's response (if any) is to this story.

Seems like they've straight up lied about their capabilities.

~~~
fhood
Nope, article states that their privacy policy pretty much is in line with the
info the FBI got. Headline is misleading.

------
crypt1d
Good riddance.

That said, there are always some logs. The VPN provider may not keep session
logs, but their upstream could easily log connections to the PureVPN boxes.
You can use the upstream log to cross reference with gmail account accesses of
potential suspects and you can establish a link.

Not to mention that no US based company is going to fight a subpoena/gag order
from the US authorities for a lowlife online stalker.

edit: I see now that PureVPN is based out of Hong Kong, so the statement about
subpoena may not apply.

------
brink
I left PureVPN 2 years ago because of their logging policy.

~~~
danielrmay
What do you use now?

~~~
brink
I started using Private Internet Access after they got booted out of Russia
due to their 0 logs policy.

------
gressquel
Well, all I learned from this article is not to use PureVPN. In fact, I don't
usually trust any VPN servers.

------
jk2323
Obligatory:

[https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

I heard good things about [https://vcp.ovpn.to/](https://vcp.ovpn.to/) but I
doubt that it will work in China. But if you don't need a VPN in China I would
go with ovpn.

------
Feniks
Using a VPN based in the US seems contradictory.

That said F stalkers, I won't cry if they catch him/her.

~~~
nihonde
It can be useful to avoid geographic restrictions on content, for example, but
is a pretty terrible idea from a privacy perspective.

------
sitepodmatt
In their Windows client PureVPN's default setting for a long time was 'No
encryption'. The company had some fast servers but technically they were never
privacy savvy, far from it.

------
bronlund
[https://my.purevpn.com/cancellationrequest](https://my.purevpn.com/cancellationrequest)

~~~
bronlund
"Your cancellation request has been submitted " %]

------
Rjevski
I am actually pleasantly surprised by this, stalkers can go to hell.

~~~
hellofunk
I think you are conflating two different issues. Yes bad people are bad and
should be punished. Does that mean that good people don't get what they think
they are getting when buying services (if in fact that's what happened here)?

~~~
quuquuquu
_insert emotional defense instead of logic here_

Sadly, we live in a world where too often, emotion and reactionary tendencies
guide people's opinions.

Scarily, these opinions often become law.

And since too many of these people hold power, the only solution I can see is
to blend in or hide.

~~~
marindez
That's one way to put it.

Another way is: there are two options. Either we have strong anonymity on the
Internet, or the authorities have the power to catch criminals. Which one do
you think would win in a vote?

~~~
Chris2048
false dichotomy.

~~~
marindez
How do you catch criminals like these (in this article) if you have strong
anonymity?

~~~
Santosh83
You can't. Any network having strong anonymity needs to have zero negative
effects on the real world by design. The Internet is not that. It is
inextricably intertwined with huge areas of our 'real' world. So strong
anonymity on the Internet will never happen, politically. At most there'll be
some subnet like Tor or Freenet and even those aren't immune from legislation.

------
vectorEQ
Could have obtained 'records' live instead of from logs... a VPN provider can
easily break your crypto if they need to, MITM you and get cleartext 'records'
from live data. That being said, I think most VPN providers log because they
are forced to do so by law. If you don't want your VPN provider to play along
with the FBI or NSA, try a Russian one or so... they will cooperate with other
agencies though ^^...

Probably some lame story will come back, if any, by PureVPN, as if the FBI did
some MITMs from their services / on their services, they would probably not
be allowed to speak of the details of how this was done and what was done..

The purpose of a VPN is to hide your location mainly; if you want it to protect
you from your country's agencies, don't pick one in your own country and be very
specific on which one you choose... >.> seems like a case of poor choice and
awareness on the user's part more than the VPN provider, who is probably
unable to stop these kinds of intrusions by the agencies without getting taken
down...

~~~
donquichotte
> vpn provider can easy break your crypto if they need to, mitm you and get
> cleartext 'records' from live data.

Could you elaborate on that? I'm going to China soon and don't know if I
should trust commercial VPN providers. I was under the impression that if I
use SSL/TLS it's impossible to MITM my connection.

~~~
pawelkomarnicki
Didn't China just recently ban VPNs?

~~~
parito
They have been "banning" them for the last 20 years, but it's like banning
encryption. The cat is already out of the bag.

