Cyberstalker Case Underscores VPNs Log Your Searches
In between spates of cyber-crime and accusations of official agencies overstepping their limits, debates on privacy online is a battle that isn’t going to be settled any time soon.
For some hawks of anonymity, VPNs have provided a cushion of comfort when surfing the web. PureVPN, a VPN provider which markets itself on protecting your activities online (‘We do NOT keep any logs that can identify or help in monitoring a user’s activity,’ the company boasts on its website), has given evidence in an FBI investigation on the harassment of a young woman. While there is absolutely no doubt that the firm has done the right thing, the news still might shock staunch defenders and practitioners of online privacy.
According to an FBI affidavit published by the US Department of Justice, 24 year-old Ryan Lin of Massachusetts is accused of harassing and cyber-stalking an unnamed woman – anonymised as Jennifer Smith – between April 2016 and his arrest on October 5th 2017. Authorities claim that Lin began his cyberstalking ‘campaign’ after moving in with Smith and her roommate. Shortly after, they allege that Lin gained access to a number of Smith’s personal devices and accounts, eased by the fact that she did not lock her door or password-protect her computer.
According to the affidavit, Lin’s campaign spanned months, and involved serious sexual and non-sexual harassment. Lin’s alleged activities include, in no particular order:
- Creating a collage of non-sexually explicit photos of Smith and sending the picture to her friends, classmates, teachers, co-workers, roommates, and family friends through spoofed emails to look like Smith was the sender
- Sent excerpts of Smith’s private journal to other persons, detailing her past medical, psychological and sexual history
- Created profiles under Smith’s name in online adult portals negotiating sexual activates with strangers, resulting in at least three individuals arriving at her residence
- Spoofed Smith’s identity to make bomb and other threats to local schools and lone individuals
To perpetrate his activities, Lin allegedly used encrypted email service ProtonMail, various VPN clients and Tor to conceal his identity. According to authorities, after the local police investigated Smith’s crimes for over one year, they called in the FBI for assistance. The Bureau got a hold of Lin’s old work computer which had been reformatted, but still carried evidence of Lin’s activities. This evidence included Google Chrome artefacts detailing that he had sent bomb threats against local schools and that Lin was using PureVPN’s client on the work computer.
The most conclusive evidence came from logs obtained from two VPN providers – PureVPN and WANSecurity. These logs disclosed that Lin, within minutes of conducting a spate of abuse, logged into his Gmail address, another Gmail account used for the same threats, and an account on pet-sitting service Rover.com which he used to discover Smith’s phone number. PureVPN was also able to link some abusive activities with Lin’s home and work IPs. The news might shock some PureVPN and similar client users, who use these services as a means to hide their identity.
Crucially, on the same page as PureVPN’s boast about not logging users’ activities, the company also declares that in legal cases it will hand over log-evidence to authorities. The company states: “It goes without saying that we will only do so in the best interest of our customers and our company. When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific information about that specific activity only, provided we have the record of any such activity.”
Special Agent in Charge Shaw commented on the extent of Lin’s abuse. Shaw said: “As alleged, Mr. Lin orchestrated an extensive, multi-faceted campaign of computer hacking and online harassment that caused a huge amount of angst, alarm, and unnecessary expenditure of limited law enforcement resources”.
The agent added: “This kind of behaviour is not a prank, and it isn’t harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in similar criminal conduct.”