Altius IT is an IT audit firm certified by the Information Systems Audit and Control Association (ISACA). In 2017, PureVPN contracted Altius IT to conduct a privacy no-log audit, in line with PureVPN's efforts at transparency. An audit requires proof of proactive compliance and an independent auditing body to provide an industry-standard, in-depth evaluation of PureVPN's security and privacy. After two years, Altius submitted its audit findings, which PureVPN has since released to the public.
In the course of the audit, Altius IT examined PureVPN documents, user processes and system configurations to determine whether PureVPN's server configurations and logs, individually or as a group, could identify a single user or determine a person's activity over the VPN service.
Privacy No Log Audit Findings
The Altius IT findings specify that, on the dates of the review, they did not find any system configurations or log files that, individually or in concert, could be used to identify a specific person or a user's activity while using PureVPN.
Connection Logs Information
PureVPN also explicitly states that the VPN connection logs do not contain the following data:
- customer source or origin IP
- customer VPN IP
- specific time when the customer connected to the server
- customer activities after connecting to the VPN server.
What is important about these two sets of data is that a person or agency cannot identify a specific user given the connection log alone. In contrast, the information in the second set of data can identify users and their activities while using the VPN server. This set of data is customer-specific and, if opened, breaks the privacy agreement between PureVPN and the customer.
The Motivation for the Audit
Transparency is a necessary characteristic of a VPN service provider that offers anonymity to its customers. An audit is necessary to maintain transparency between the service provider and its customers. It is also a proactive procedure to ensure that security and privacy are maintained by PureVPN.
Additionally, at the time the audit was contracted, PureVPN was under a cloud of doubt as to its use of connection logs and their contents. In 2017, the FBI asked PureVPN to cooperate in its investigation of a cyberstalking campaign carried out by a single person who was a PureVPN customer. As a matter of policy, PureVPN provided the connection logs in the belief that the logs did not contain any information about its customers.
The Case of Ryan S. Lin
The FBI was working on a case brought against Ryan S. Lin, who lived in Newton, Massachusetts. He was a suspect in an extensive cyberstalking campaign aimed at a woman who happened to be a former roommate. The 24-year-old woman was not the only target of the cyberstalking. Also affected were her friends and immediate family. The attacks started in April 2016, when Lin began hacking the victim's online accounts, including email, and obtained pictures and private information about her medical history and sexual activities, along with other private details.
Part of the campaign involved distributing the gathered information to hundreds of other people. It is also claimed that Lin created fake accounts with the victim's contact details and solicited sexual activity through those accounts. The solicitations resulted in men going to the victim's address.
According to the Acting United States Attorney William D. Weinreb, Lin used anonymizing online tools as well as social media to harass the victim, her friends and family. He had also used local schools and institutions to further the harassment campaign.
The FBI investigation used offline as well as online tools to investigate the case. The FBI was able to examine a computer that Lin had formerly used. Even though it had already been reformatted and Windows reinstalled, the FBI was still able to pick up pieces of information, including the use of Google Chrome to access Gmail, fragments of email bomb threats Lin may have made, proof that the victim's Gmail account was accessed, and the use of the PureVPN service.
Answering the Backlash
There was some backlash regarding the information that PureVPN retained. Critics argued that this was a possible invasion of privacy. However, the information in the PureVPN connection logs was the least amount of information the company can keep to operate its business. The connection time and length of connection alone are not enough to identify the user and their purpose. However, the FBI already had other pieces of information and only required a little more to connect A to B. Without containing any information about the users, the connection logs provided the information needed to confirm that a suspect used anonymizing tools like a VPN to harass a victim, her friends and family.