The Altius IT privacy no log audit report for PureVPN has been released, showing that the VPN
service does not keep any information that can identify its customers.
Altius IT is an IT industry audit firm certified by the Information Systems Audit and
Control Association (ISACA). In 2017, PureVPN contracted Altius IT to conduct the
privacy no log audit.
This was in line with PureVPN’s efforts at transparency. An audit requires proof of proactive
compliance, and an independent auditing body is needed for an industry-standard, in-depth
evaluation of PureVPN’s security and privacy. After two years, Altius submitted its audit findings,
which PureVPN has since released to the public.
In the course of the audit, Altius IT examined PureVPN documents, user processes and system
configurations to determine whether PureVPN’s server configurations and logs, individually or as a
group, could identify a single user or determine a person’s activity over the VPN service.
Privacy No Log Audit Findings
The Altius IT findings specify that, on the dates of the review, they did not find any system
configuration or log files that, individually or in concert, could be used to identify a
specific person or user’s activity while using PureVPN.
Connection Logs Information
PureVPN’s Privacy Policy explicitly states that they know which VPN server or location the
user connected to, and which ISP was used to connect to the VPN.
PureVPN clarifies that this is the bare minimum they require to assist customers who request
help, to solve connection problems, and to resolve region-specific problems.
PureVPN also explicitly states that the VPN connection logs do not contain the following data:
customer source or origin IP
customer VPN IP
specific time when the customer connected to the server
customer activities after connecting to the VPN server.
What is important about these two sets of data is that a person or agency cannot identify a
specific user given the connection log alone. In contrast, the information in the second set of data
can identify users and their activities while using the VPN server.
This set of data is customer-specific and, if opened, breaks the privacy agreement between PureVPN and
the customer.
The Motivation for the Audit
Transparency is a necessary characteristic of a VPN service
provider that provides anonymity to its customers. An audit is necessary to maintain
transparency between the service provider and its customer. It is also a proactive procedure to
ensure that security and privacy are maintained by PureVPN.
Additionally, at the time the audit was contracted, PureVPN was under a cloud of doubt as to
its use of connection logs and their contents. In 2017, PureVPN was asked by the FBI to cooperate
in its investigation of a cyberstalking campaign carried out by a single person who was a customer of PureVPN.
As a matter of policy, PureVPN provided the connection logs in the belief that the logs did not
contain any information about the customers.
The Case of Ryan S. Lin
The FBI was working on a case brought against Ryan S. Lin, who lived in Newton,
Massachusetts. He was a suspect in an extensive cyberstalking campaign aimed at a woman who
happened to be a former roommate. The 24-year-old woman was not the only target of the
cyberstalking.
Also affected were her friends and immediate family. The attacks started in April 2016 when
Lin started hacking the victim’s online accounts including emails, and obtained pictures and
private information about her medical history and sexual activities, along with other
private details.
FBI Investigation
The FBI investigation used offline as well as online tools to investigate the case. The
FBI was able to examine a computer that Lin had formerly used.
Even though it had already been reformatted with Windows reinstalled, the FBI was still
able to pick up pieces of information, including the use of Google Chrome in accessing
Gmail, fragments of email bomb threats Lin may have made, proof that the victim’s Gmail
account was accessed, and the use of the PureVPN service.
The FBI reached out to PureVPN and requested a copy of the server logs. As a matter of
policy, VPN services provide access to whatever logs they have. In some instances,
the VPN service does not have a copy of the requested log.
In the case of PureVPN, the FBI was able to get a copy of the connection logs. This
served as bridge information that connected the VPN access times with the time the
emails were sent. PureVPN connection logs did not have any information about the user IP
address or the destination IP address.
However, specific access times matched with those of emails sent. This was all the
evidence that the FBI needed.
Answering the Backlash
There was some backlash regarding the information which PureVPN retained. Critics argued that this
was a possible invasion of privacy.
However, the information in the PureVPN connection logs was the least amount of information that they
can keep to operate their business. The connection time and length of connection alone are not
enough to identify the user and their purpose.
However, the FBI already had other pieces of information and only required a little more information
to connect A to B. Even without any information about the users, the connection logs provided the
information needed to confirm that a suspect used anonymizing tools like a VPN to harass a victim, her
friends and family.
The Altius IT privacy no log audit was a proactive procedure to assure customers that their privacy
is secure with PureVPN.