When law enforcement knocks on a VPN’s door, what happens?
Virtual Private Networks (VPNs) are fast becoming one of the last refuges for internet users who want to keep their web browsing private. This year barely a week has gone by without unpopular anti-privacy legislation, pushed by powerful entertainment industry lobbies, making headlines, or without leaks of government plans for increased surveillance of citizens, defended with sexed-up threats of pedophiles and terrorists. If current trends continue, it looks more and more likely that VPN usage will break out of its current niche and start to capture the attention of more mainstream users.
This was brought into sharp focus around a year ago when a member of the hacking group LulzSec was handed over to the authorities. LulzSec member ‘Recursion’ used the UK-based VPN HideMyAss while hacking News Corp and Sony, among others. What Recursion didn’t know was that HideMyAss keeps logs of IP addresses and connection timestamps. All it took was a UK court order to compel HideMyAss to hand over that data, and Recursion (real name Cody Kretsinger) was delivered to the FBI.
Obviously no VPN wants criminal activity to take place on its service. But what’s the point of using a VPN if it retains enough of your personal data to identify you in the real world? What’s the difference between a copyright holder forcing an ISP to identify you on the basis of unsubstantiated allegations of copyright infringement, and that same court order being served on a VPN? Yet that’s exactly the kind of exposure many big-name VPNs leave their customers with. Last year TorrentFreak posted a great round-up of which VPNs retain customer data and which don’t. If a VPN retains your data, it has no option other than to comply with a court order to hand it over.
When the authorities come knocking
Every VPN has the technical ability to track users and log their data. We approach this issue by keeping only a non-persistent log in memory that is automatically wiped every 10 minutes. That window is long enough to troubleshoot any connection problems that appear, but after 10 minutes no trace of the activity is stored anywhere. Like every other VPN, we are compelled to abide by the law. But unless the authorities make a request within 10 minutes of the timestamp they are interested in (incredibly unlikely), there’s nothing we can do to help them: the data they need no longer exists.
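To make the retention-window idea concrete, here is an added example (illustrative code written for this page, not the provider’s software) of a connection log that lives only in process memory and forgets each entry once it is older than a fixed window. The 600-second window is taken from the post; the record fields, IP addresses and event names are assumptions constructed for the example.

```python
"""Added example: a memory-only connection log with a fixed retention window.

Illustrative code for this page, not the VPN provider's own software. The
600-second window comes from the post; field names, sample IPs and event
names are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
import time

RETENTION_SECONDS = 600  # the ten-minute troubleshooting window from the post


@dataclass(frozen=True)
class ConnectionEvent:
    ts: float        # seconds on an injectable clock
    client_ip: str
    event: str       # e.g. "connect" / "disconnect" (hypothetical names)


class RetentionWindowLog:
    """Append-only, memory-only event log with per-entry expiry.

    Expired entries are purged on every write and every read, so the oldest
    record the structure can ever hand back is at most `retention` seconds
    old. Nothing is written to disk, so a request can only be answered from
    what is still in memory at the moment it arrives.
    """

    def __init__(self, retention=RETENTION_SECONDS, clock=time.monotonic):
        self.retention = retention
        self.clock = clock          # injectable so the behaviour is testable
        self._events = deque()      # oldest entry at the left

    def _purge(self):
        cutoff = self.clock() - self.retention
        while self._events and self._events[0].ts < cutoff:
            self._events.popleft()

    def record(self, client_ip, event):
        self._purge()
        self._events.append(ConnectionEvent(self.clock(), client_ip, event))

    def events_for(self, client_ip):
        """What troubleshooting (or a court order) can still see for this IP."""
        self._purge()
        return [e for e in self._events if e.client_ip == client_ip]


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Return (events visible 5 min after connect, events visible 11 min after)."""
    clock = FakeClock()
    log = RetentionWindowLog(clock=clock)
    log.record("203.0.113.7", "connect")      # constructed sample event
    clock.advance(300)                        # 5 minutes later: still in window
    seen_early = len(log.events_for("203.0.113.7"))
    clock.advance(360)                        # 11 minutes after connect: gone
    seen_late = len(log.events_for("203.0.113.7"))
    return seen_early, seen_late


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The example expires each entry individually, which is the stricter reading of “wiped every 10 minutes”; a wholesale wipe on a ten-minute timer gives the same upper bound on how old a surviving record can be. Two practical caveats apply to any design like this: “memory only” holds only if process memory cannot reach disk (swap disabled or encrypted, core dumps off), and a retention window bounds what can be produced about the past; it says nothing about an order to start logging a particular user from now on.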
What about billing and customer registration details? We don’t require your name or physical address, just an email address and nothing else. If you pay with PayPal we have to store your PayPal subscription ID, but there’s no way of linking any of your connection data to your payment details, because the connection data no longer exists. So in effect nothing we hold can reveal what you do online. At the very most you can be identified as a customer, through your email address or PayPal subscription ID.