News broke this month that a particularly scummy bloke in the USA had been arrested for harassing innocent women online. Nothing new there… Texan former judge Chris Dupuy is in disgrace after being charged for posting adverts for fictional sex-workers – using the contact details and photographs of two of his former girlfriends. Luckily police were able to track down the source of the adverts and Dupuy was arrested and bail set at $600,000. The low-life had already been removed from office in 2013 after he abused his position to retaliate against lawyers working for his ex-wife, among a litany of other offences.
So, a nasty piece of work got his comeuppance. Nice.
Umm… Why should I care?
Don’t worry, we’re not delving into the world of tabloid-fodder news for no reason. The fact is that beneath the surface of this story, there’s another thread which has huge implications for VPN users – so pay attention!
The really interesting part of the story is not the crime that took place, but the method used to catch the criminal. According to reports by the Houston Press, the lead investigator in the case “worked backwards from the ads to trace masked IP addresses in Venezuela, Colombia and Germany”. Those ‘masked IP addresses’, according to the report, were facilitated through the UK-based VPN provider HideMyAss!
So now we get to the meat of the story – while we’ve found no official word from HideMyAss on this case, the facts seem to strongly suggest that the VPN providers assisted police in tracking down one of their users. If this is in fact the case, it is a perfect illustration of the essential nature of VPN protection – namely that, while a VPN is a fantastic tool to hide your online activities from unwanted intruders, your VPN provider will always have access to certain information about your internet usage. Further, depending on the jurisdiction in which a VPN is based, this information may be stored and could potentially be used to identify you.
The jurisdiction of a VPN indicates which country its operation is primarily based in – and therefore which set of laws and regulations it is subject to. The reason this matters is that certain jurisdictions have laws regarding mandatory data retention which will dictate how much or little information any VPN provider is required to store about their customers. It follows that, should authorities such as the police have reasonable evidence that a specific crime has been committed using VPN protection, the provider in question may have no choice but to assist with any inquiry.
What data we collect: We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service.
Why we need this data: We do this so that we can monitor the performance of our Site, for example it enables us to sort server nodes by the number of users connected, to limit your account to one concurrent IP address per VPN connection (to prevent shared accounts), resource analytics (to carry out usage analysis for administrative purposes) and to prevent abuse and fraud. This data is stored on our system for between 2 and 3 months unless we are required, for legal reasons or under exceptional circumstances (including our own investigations of fraud or abuse), to retain this data for an extended period.
This is a fairly standard policy, and something similar will apply to any VPN based in a country with mandatory data retention. By contrast, providers based in areas without such rules, such as Hong Kong or Panama for instance, may keep no logs at all, or may store such data for a much shorter time.
So what’s the problem?
Let’s be clear: it is perfectly proper that any business, including VPNs, should use any information they hold in order to bring criminals to justice. The case above is an example of this in action, in which a criminal thought he could hide behind the protection provided by a VPN in order to harm innocent victims anonymously. Police had information showing that a specific and indisputable crime had taken place, and it appears that the VPN provider co-operated in order to catch the perpetrator and prevent further abuse from taking place. Job’s a good-un’.
Unfortunately though, not every case is so clear cut. There are grey areas, and it doesn’t take a lot of paranoia to see that the system could be abused. Would we be as sympathetic if, for example, a large corporation such as a record company used VPN logs to bring a civil copyright infringement case against a teenager for torrenting music, suing for £1000s in damages? In such a case there has been a clear breach of the law, and we can’t condone the actions of anyone using a VPN to share files illegally, but we also know that given the chance, big businesses have taken disproportionate actions against individuals. We know of no cases where VPN logs have been used in this way. So far.
We also know that in countries like the UK and USA, government agencies are pushing harder and harder to extend their surveillance powers. Targeting a single VPN user involved in a specific crime is one thing, but what would happen if VPN providers were forced to cooperate with wide-range, indiscriminate surveillance? The idea that such a VPN provides any true anonymity would be defeated.
So… You’re saying don’t use UK VPNs?
Not at all. We aren’t trying to discourage anyone from using a UK VPN – in fact there are a number, including HideMyAss, that we highly recommend. However it is important for any user to know exactly what you’re getting when you sign up with a particular provider.
The fact is that, although we don’t know of any major abuses of VPN logs that have taken place thus far, any VPN that keeps extensive activity logs has the potential to share those logs with others. We can hope that this would only happen in legitimate cases but there are no hard-and-fast guarantees. So, if you’re considering signing up with a VPN whose jurisdiction requires them to keep logs, you should be aware of what you’re signing up for.
UK VPNs can provide excellent standards of security from hacking, excellent location-spoofing, and excellent wifi protection, on top of a raft of other wonderful features. In fact some UK VPNs are among the best in the world on these fronts, and if that’s what you need from a VPN then you should seriously consider using them.
What UK VPNs can’t promise is guaranteed anonymity. Of course, we hope that none of our readers are seeking a VPN in order to carry out some criminal master plan. Anyone who does so is only giving fuel to those who want to remove everyone’s rights to anonymity. But we also don’t think there’s anything remotely criminal about seeking to protect your privacy as far as possible, and there are many great VPN providers out there that can go a long way towards doing so.
While current data-retention laws are in force though, UK VPNs – as well as those in any jurisdiction with similar laws – are simply limited as to how far that assurance of privacy will stretch.