PureVPN scrambles to defend itself against accusations of logging users
Last week it transpired that PureVPN had helped the FBI track down a cyberstalker from Massachusetts. This came as something of a surprise to other PureVPN users who were under the impression that using the service made them completely anonymous -- a belief strengthened by the company's assertion "We do NOT keep any logs that can identify or help in monitoring a user's activity."
Strictly speaking, this is true, but that's not to say that the company doesn’t maintain IP logs that can be used to identify users. The company does exactly this, logging IP addresses and timestamps, and this is how it helped the FBI. In a blog post, the company tries to explain this as it attempts to convince concerned users that it is not logging their activities.
In a fairly lengthy blog post entitled Setting the Record Straight: Addressing VPN Privacy and VPN Logs, PureVPN attempts to maintain -- or rescue -- its reputation, saying: "Fingers pointed towards PureVPN for all the wrong reasons. To avoid further confusion for our customers, and to prevent a skewed and false portrayal of PureVPN, we believe now is the right time to initiate communications."
The company clarifies that while it does not keep browsing logs that could be used to identify a user and their online activity, it does keep "network logs" which it says "are created and maintained to troubleshoot and optimize a service." PureVPN goes on to say:
Do Network Logs Expose You?
The answer is no. It is such by design. They simply can’t.
If I were to say that the entire picture is a glimpse of what you were doing online, network logs maintained by PureVPN make up no picture by themselves. They are just random numbers and reveal nothing. If a user intentionally indulges in attacking, hacking, abusing, threatening or other similar unanimously unethical activities (as also detailed in our Terms of Service) the victim (any organization providing a service online) of such attacks would then identify these instances in their network logs. If someone indulges in such activities and if an official complaint is filed, authorities then reach out to us with a valid court order or subpoena (in some cases alleged victims or authorities directly themselves) providing us the counterpart network logs from the attacked service's servers.
Insisting that it is opposed to surveillance operations such as PRISM, the company says it has done nothing wrong in providing information to the FBI:
PureVPN claims that it was "unfortunately dragged into this incident because of a lack of clarity on network logging mechanisms implemented throughout the industry," and it's not clear whether the company's statement will be enough to allay the fears of users who have become concerned that, when using the service, they are not actually completely anonymous online.
Seeking to put the matter to bed once and for all, PureVPN stresses:
To confirm someone's real IP, two different sets of Network Logs are required: one from the VPN provider and the other from the server where the IP visited, browsed or downloaded something. Any one set of Network Logs on its own is pretty much useless since it contains no valuable information. The two must be compared and verified for any link to be confirmed.
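The comparison described in that statement can be sketched as follows. This is an added example, not code from PureVPN or from the original article: the log layout, field names, IP addresses and times are all constructed assumptions. It also covers the case where several customers share one exit IP at the same moment, which leaves the match ambiguous.

```python
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption, not PureVPN's log format.
# VPN-side network log: (customer source IP, VPN exit IP, connect time, disconnect time)
VPN_SESSIONS = [
    ("198.51.100.7", "203.0.113.10", "2000-01-01T09:00:00", "2000-01-01T09:45:00"),
    ("198.51.100.99", "203.0.113.10", "2000-01-01T09:30:00", "2000-01-01T10:15:00"),
    ("192.0.2.44", "203.0.113.20", "2000-01-01T09:00:00", "2000-01-01T11:00:00"),
]
# Server-side log from the visited service: (client IP seen by the server, request time)
SERVER_EVENTS = [
    ("203.0.113.10", "2000-01-01T09:10:00"),  # one session active on that exit IP
    ("203.0.113.10", "2000-01-01T09:40:00"),  # two sessions overlap on that exit IP
    ("203.0.113.20", "2000-01-01T12:00:00"),  # session already disconnected
]


def _ts(text):
    return datetime.fromisoformat(text)


def correlate(sessions, events, skew_seconds=60):
    """For each server event, list the source IPs whose VPN session was using
    the observed exit IP at the event time, allowing for clock skew."""
    skew = timedelta(seconds=skew_seconds)
    results = []
    for seen_ip, when in events:
        t = _ts(when)
        candidates = sorted({
            src for src, exit_ip, start, end in sessions
            if exit_ip == seen_ip and _ts(start) - skew <= t <= _ts(end) + skew
        })
        results.append((seen_ip, when, candidates))
    return results


def classify(candidates):
    """Label a match: neither log alone yields anything, and a shared exit IP
    yields more than one candidate."""
    if not candidates:
        return "no match"
    return "unique" if len(candidates) == 1 else "ambiguous"


if __name__ == "__main__":
    for seen_ip, when, candidates in correlate(VPN_SESSIONS, SERVER_EVENTS):
        print(seen_ip, when, classify(candidates), candidates)
```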
What does the company want you to take away from the issue?
Is this enough to satisfy you?