Ryan Lin was just recently sentenced to 17 years in prison. He was sentenced for committing a range of crimes including cyberstalking, computer fraud and abuse, aggravated identity theft, and distribution of child pornography. These are all serious crimes that I in no way support or condone, but why am I particularly interested in the sentencing of this criminal?
Because he committed crimes using a VPN called PureVPN.
When Lin subscribed to PureVPN, the VPN service claimed to store no logs of users’ activity on its servers and, as a result, to have nothing to offer should law enforcement come knocking. Color Lin surprised, however, when he was arrested by the FBI, thanks to the logs of his usage of PureVPN’s service that PureVPN turned over to the FBI.
Now, what Ryan Lin did is purely despicable, and he deserves every day he spends in jail. However, for every criminal like Lin using a VPN to perform criminal activities, there are a lot of innocent people who simply want to prevent anybody (including the government) from ever being able to track or eavesdrop on their activity. So when VPNs like PureVPN claim to keep no logs but actually have something to turn over when the government comes knocking at their door, they put real people at risk.
I’ve spent a huge part of my life working in cybersecurity, and I’ve reviewed pretty much every major VPN service that exists. Want to know what I think? Don’t ever sign up for a VPN simply based on claims they are making on their site (that’s called “marketing speak,” and almost anybody will make any claim just to get new users). Instead, pay very careful attention to the following five things:
1. The Jurisdiction of a VPN Service Provider
Perhaps the most important thing you should pay attention to before signing up to use any VPN service is the jurisdiction of the VPN service provider. The jurisdiction of a VPN service provider is more important than any claim of “not keeping logs.”
As far as jurisdiction is concerned, there are three key factors that matter:
A: Your own location and laws surrounding the use of VPNs.
B: The physical location of the VPN service provider you plan to use.
C: The server locations of the VPN service provider you plan to use.
Pay particular attention to the physical location of the VPN service provider you want to use and to the locations of its servers, and especially to whether either falls within a Five Eyes jurisdiction, a Nine Eyes jurisdiction, or a 14 Eyes jurisdiction.
In Five Eyes countries, the law empowers intelligence agencies to access and share electronic data with other member nations depending on the circumstances. Five Eyes countries can force organizations to disclose any data and also demand that they don’t disclose this fact through gag orders. They are also generally some of the worst abusers of user privacy. In Nine Eyes countries, member nations can work together and access and share data with one another without regard for privacy laws in individual member countries. This is practically an extension of Five Eyes, and practices are similar. 14 Eyes is an extension of Nine Eyes, with similar practices.
So essentially, you will be safer if you use a VPN that isn’t in a Five Eyes, Nine Eyes, or 14 Eyes jurisdiction. For example, while popular VPN service Private Internet Access is located in a Five Eyes member country (the U.S.), competitor NordVPN is not located in any Five Eyes, Nine Eyes, or 14 Eyes country. As a result, based on jurisdiction information, NordVPN could be said to be much safer than Private Internet Access.
Of course, deciding on which VPN service to use should be based on more than the jurisdiction a VPN service is in.
2. Access and Permissions Required
Another piece of information you want to pay special attention to when using a VPN service is the access and permissions required by the VPN service you are using. This is particularly important for mobile VPNs.
In my last article for HackRead, I mentioned the fact that some VPN services share and sell user data. In the original research referenced in my HackRead article, we discovered that a certain popular Android VPN required the following access:
A: Access to your device and app history
B: Access to read your phone status and identity
C: Access to read, modify and delete your phone media
D: Access to read your phone status and identity
E: Access to check your Google Play license
F: Access to prevent your device from sleeping
Huge red flag! When a VPN requires access to read your phone status and identity, access to your app and device history, and access to your phone media, you know something is wrong: you’re in the danger zone. Upon further investigation, we found that this Android VPN that wanted all of the above access is run by a Chinese big data company that specializes in gathering user data and selling it to the highest bidder.
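To run the same kind of check on an app yourself, the following added example (not part of the original research) sorts the permissions in a decoded AndroidManifest.xml into expected, red-flag and unreviewed groups. The sample manifest is constructed, and both the baseline of expected permissions and the mapping from the access labels above to manifest permission names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed baseline: what a VPN client plausibly needs to run a tunnel.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.WAKE_LOCK",  # "prevent your device from sleeping"
}

# Assumed mapping from the access labels listed above to manifest names.
RED_FLAGS = {
    "android.permission.GET_TASKS": "device and app history",
    "android.permission.READ_PHONE_STATE": "phone status and identity",
    "android.permission.READ_EXTERNAL_STORAGE": "read phone media",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete phone media",
}

# Constructed manifest for a hypothetical app, not taken from a real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.android.vending.CHECK_LICENSE"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Sort requested permissions into expected, red-flag and unreviewed."""
    root = ET.fromstring(xml_text.strip())
    requested = {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }
    flagged = sorted(requested & set(RED_FLAGS))
    return {
        "expected": sorted(requested & EXPECTED),
        "red_flags": {perm: RED_FLAGS[perm] for perm in flagged},
        "unreviewed": sorted(requested - EXPECTED - set(RED_FLAGS)),
    }

if __name__ == "__main__":
    for perm, why in audit_manifest(SAMPLE_MANIFEST)["red_flags"].items():
        print(f"RED FLAG {perm}: {why}")
```

Anything that lands in the unreviewed group still deserves a manual look before you trust the app.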
3. The Company Behind the Service
Another major factor to pay attention to when deciding on a VPN service is the company behind the service. Is the VPN service run by a one-man operation with no track record or traceability, or is it run by a respected company with a track record for privacy advocacy? If your VPN service is a one-man operation, no matter the claims made by the VPN company… run! Since there isn’t much at stake for the operator of the VPN, the owner could bail at any time, or could even use your data for nefarious activities.
4. The Cost of the VPN Service
There is no free VPN. At the very least, expect that if you are not paying in dollars (or whatever your currency is) then you are paying in data.
In the HackRead article I referenced earlier, I established very clearly how pretty much all free VPN services (yes, all the big names!) are basically a data farm. In essence, if you are not paying to use the service, you are giving the VPN service provider carte blanche access to use your data as they see fit.
There are VPN services that offer free trials (for a limited time), or heavily limited services (data caps, for example; TunnelBear quickly comes to mind), in the hope that you will try their service and then move to a premium plan. This is basic marketing, and the risk with these is reduced. However, if a VPN service is promising you unlimited data at no cost… RUN!
5. DNS Leaks
One area that very few VPN users pay attention to, and that can make a whole lot of difference, is DNS leaks. If you are using a VPN service that leaks your DNS information, consider yourself not using a VPN at all, because tracing you will be as easy as ABC.
Not surprisingly, just a little extra research would have revealed that the VPN service that turned over Ryan Lin’s data to the government has very lax privacy measures in place. For years they have been leaking DNS data, yet users not sensitive to this fact keep using them.
A simple Google search will reveal hundreds of resources that will help you reliably conduct a DNS leak test of your VPN service. Before relying on a VPN service for important activities, be sure to conduct a DNS leak test first. If there is a DNS leak, run as far as you can.
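A local way to see what such a leak test looks for, as an added example rather than a tool referenced by this article: with the VPN connected, capture DNS traffic on all interfaces and flag any query that leaves on an interface other than the tunnel. The capture lines below are constructed, and the per-interface line format (as printed by recent tcpdump versions for `tcpdump -ni any port 53`) and the interface names `tun0`, `wlan0` and `lo` are assumptions.

```python
import re

# Matches outbound DNS queries in the per-interface line format assumed here.
QUERY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+Out\s+IP6?\s+\S+\s+>\s+"
    r"(?P<resolver>[0-9a-fA-F:.]+)\.53:\s+\d+\S*\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<name>\S+)"
)

# Constructed sample capture taken while the VPN is supposedly connected.
SAMPLE_CAPTURE = """\
14:02:11.100000 lo    Out IP 127.0.0.1.38000 > 127.0.0.53.53: 100+ A? example.org. (29)
14:02:11.120001 tun0  Out IP 10.8.0.2.41022 > 10.8.0.1.53: 4711+ A? example.org. (29)
14:02:11.151200 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.41022: 4711 1/0/0 A 192.0.2.10 (45)
14:02:12.300417 wlan0 Out IP 192.168.1.23.53311 > 192.168.1.1.53: 9021+ AAAA? example.org. (29)
14:02:12.900002 wlan0 Out IP 192.168.1.23.40001 > 198.51.100.7.1194: UDP, length 120
14:02:13.010900 wlan0 Out IP 192.168.1.23.53312 > 192.168.1.1.53: 9022+ A? mail.example.net. (34)
""".splitlines()

def find_dns_leaks(lines, tunnel_iface="tun0", local_ifaces=("lo",)):
    """Return (iface, resolver, qtype, name) for each query sent outside the tunnel."""
    allowed = {tunnel_iface, *local_ifaces}
    leaks = []
    for line in lines:
        m = QUERY.match(line)
        if not m:
            continue  # responses, encrypted tunnel packets, non-DNS traffic
        if m["iface"] in allowed:
            continue  # went through the tunnel or to a local stub resolver
        leaks.append((m["iface"], m["resolver"], m["qtype"], m["name"].rstrip(".")))
    return leaks

if __name__ == "__main__":
    for iface, resolver, qtype, name in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"LEAK via {iface}: {qtype} {name} -> {resolver}")
```

Queries sent over DNS-over-HTTPS or DNS-over-TLS do not use port 53, so this check does not see them.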
When you use a VPN service, we believe you want ultimate anonymity. While it can be difficult determining which VPN is reliable based on face value, we believe that you can’t go wrong if you pay attention to the above five things.