purevpn logs audit

PureVPN Logs Audit Released

Altius IT is a certified IT industry audit firm certified by the Information Systems Audit and Control Association (ISACA). In 2017, PureVPN contracted Altius IT to conduct the privacy no log audit. This was in line with PureVPN’s efforts at transparency. Auditing requires proof of proactive compliance and requires an independent auditing body for an industry standard and in-depth evaluation of PureVPN security and privacy. After two years, Altius submitted its audit findings, which PureVPN has since released to the public.

In the course of the audit, Altius IT examined PureVPN documents, user processes and system configurations to get an assurance that PureVPNs server configurations and logs individually or as a group, could identify a single user, or determine a person’s activity over the VPN service.

Privacy No Log Audit Findings

The Altius IT findings specify that on the dates of the review, they did not find any system configuration or log files that individually or in concert, could be used to identify a specific person or user’s activity while using PureVPN.

Connection Logs Information

Explicit in PureVPN’s Privacy Policy is a statement which specifies that they know the data that the user connected to a specific VPN server or location, and which ISP was used to connect to the VPN. PureVPN clarifies that this is the bare minimum that they required when a customer requests assistance, solve connection problems, and also to resolve region-specific problems.

  • PureVPN also explicitly states that the VPN Connection logs do not contain the following data:
  • customer source or origin IP
  • customer VPN IP
  • specific time then the customer connected to the server
  • customer activities after connecting to the VPN server.

What is important about these two sets of data is that if a person or agency cannot identify a specific user given the connection log alone. In contrast, the information in the second set of data can identify users and their activities while using the VPN server. This set of data is customer-specific and if opened breaks the privacy agreement between PureVPN and the customer.

The Motivation for the Audit

Transparency is a necessary characteristic of a VPN service provider which provides anonymity to its customers. An audit is necessary to maintain transparency between the service provider and its customer. It is also a proactive procedure to ensure that security and privacy are maintained by PureVPN.

Additionally, at the time that the audit was contracted, PureVPN was under a cloud of doubt as to their use of connection logs and its contents. In 2017, PureVPN was asked by the FBI to cooperate in its investigation of a cyberstalking campaign done by a single person and customer of PureVPN. As a matter of policy, PureVPN provided the connection logs in the belief that the logs do not contain any information about the customers.

The Case of Ryan S. Lin

The FBI was working on a case brought up against Ryan S. Lin, who lived in Newton, Massachusetts. He was a suspect in an extensive cyberstalking campaign aimed at a woman who happened to be a former roommate. The 24-year old woman was not the only target of the cyberstalking. Also affected were her friends and immediate family. The attacks started in April 2016 when Lin started hacking the victim’s online accounts including emails, and obtained pictures and private information about her medical history and sexual activities, along with other private details.

Part of the campaign involved the distribution of the gathered information to hundreds of other people. It is also claimed that Lin created fake accounts with the victim’s contact details and soliciting sexual activity for those accounts. This resulted in men going to the victim’s address as a result of the solicitations.

Logs

According to the Acting United States Attorney William D. Weinreb, Lin used anonymizing online tools as well as social media to harass the victim, her friends and family. He had also used local schools and institutions to further the harassment campaign.

FBI Investigation

The FBI investigation used offline as well as online tools to investigate the case. The FBI was able to examine a computer that Lin had formerly used. Even though it had already been reformatted with Windows reinstalled, the FBI was still able to pick up pieces of information, including the use of Google Chrome in accessing Gmail, fragments of email bomb threats Lin may have made, proof that the victim’s Gmail account was accessed, and the use of PureVPN service.

 The FBI reached out to PureVPN and requested a copy of the server logs. As a matter of policy, VPN services provide access to whatever logs that they have. In some instances, the VPN service does not have a copy of the requested log. In the case of PureVPN, the FBI was able to get a copy of the connection logs. This served as bridge information which connected the VPN access times with the time the emails were sent. PureVPN connection logs did not have any information about the user IP address and the destination IP address. However, specific access times matched with those of emails sent. This was all the evidence that the FBI needed.

Answering the Backlash

There was some backlash regarding the information which PureVPN retained. Critics argued that this was a possible invasion of privacy. However, the information in the PureVPN connection logs was the least amount of information which they can keep to operate their business. Using only the connection time, and length of connection is not enough to identify the user and their purpose. However, the FBI already had other pieces of information and only required a little more information to connect A to B. Without any information about the users, the connection logs provided the information needed to confirm that a suspect used anonymizing tools like VPN to harass a victim, her friends and family.

The Altius IT privacy no log audit was a proactive procedure to assure customers that their privacy is secure with PureVPN.

Get access to a secret offer and save 74% on regular pricing.


Scroll to top