VPN providers that do not log - how do they locate abuse?

Hello,

How do you think VPN providers that claim to not log customer activity (such as session times) combat abusive users? Let's face it abuse levels are high when you run anonymity networks and there is a lot of abuse such as SPAM (not just SMTP spam but blog/forum/web mail). The underlying ISP's VPN providers use to host their servers have TOS's that prohibit the likes of SPAM from being sent, and VPN providers must maintain a good relationship with the ISP's they use to ensure they do not lose their server contracts. Simply ignoring SPAM complaints will lead to server disconnections. Sure there are some VPN providers who run their own networks, but the majority of 'non-log' providers don't; that said continual complaints will start to filter through to their upstream providers.

I put this question to a number of VPN providers who do not log, in particular Astrill and Witopia, and both claim to have this 'top secret' method of being able to locate abuse without logging customer sessions, they of course wouldn't tell me what kind of methods but assured me they were able to locate abuse. This worries me. How do you think a provider can identify abuse if they are not logging? It sounds to me they may be sniffing customers connections.

 

This is what the WiTopia site says:

 

Contradiction? They claim they do not log data that is directly attributable to any individual customer, but they then state they are able to identify customers based on a mysterious 'laborious matching process'. Tell me what this 'laborious matching process' is if they do not log any data. How do you locate an abusive customer based on a complaint, if you 'do not monitor, capture, or store logs that are directly attributable to any individual customer'. Sounds very fishy to me. I guess this is what I'm getting at, providers claiming to not log your data are somehow able to identify you when abuse occurs?!

 

I wondered this too, brap.

 

It depends on what country the VPN-service is based in. Take me for instance, I live in Sweden (thank god for the privacy laws we have here!). There's no laws telling the VPN-providers to actually log all actions made by a specific users, so most of them doesn't log anything. You could happily commit any crime possible, without the chance of getting caught (obviously, this is the bad part about being able to stay completely anonymous).

Right now, I'm on a 2048-bit encrypted VPN solution with a throughput of 80 Mbit and response times to servers are just delayed by 3-5 ms!

To stay on topic again - if the VPN provider is located in a country where they're forced to log (like the US), then they put that in small letters somewhere and advertise that they won't hand out your personal information to anyone... except when someone's breaking the law. Because, if they aren't, they're the ones committing a crime.

 

Sweden is part of the EU, European data retention laws apply there too.

There are very few VPNs that do not log if any, some VPNs block SMTP and certain ports to make mass spamming and DDoS using their server impossible, I also believe some VPNs lie when they say they do not log anything. Assume everyone logs because you have no way of knowing if it is truth or not anyways.

I signed up with a very well known big brand VPN provider to sell their services, after earning $100 in 2 months I claimed the payment and they replied to me that they had no money in their account and can not pay, they have been messing around with me for over a month making up all kind of excuses (credit card bounced, wait a week, forgot deadline, etc), what has caught me off guard is that this is a big brand VPN that has been around for years and has dozens of servers, I would imagine they make thousands of $ a month, I am not going to name them because I still have a little hope to solve the situation and naming them sure won't, it just proves what a scumbags they are, and I wouldn't trust a single VPN provider about telling the truth on logs, including well known brands.

 

Regarding Sweden...
http://en.wikipedia.org/wiki/Titan_traffic_database

And for comparison...
http://en.wikipedia.org/wiki/Telecommunications_data_retention

I think it would be best to avoid EU-based companies and servers altogether, esp. if you are in the EU.

 

From Mullvad:

http://mullvad.net/en/faq.php

 

I don't think you understood what I'm getting at; I'm referring to providers that state they do NOT log - how do they combat abuse? They will get people who signup to spam blogs, forums, etc and they can't simply ignore this. The providers who do not log and state they can locate abusive customers are obviously not telling the truth and are doing some form of logging.

If a provider does not log but claims they can locate abusive customers, how are they doing this if they are not already logging? Picture 1000 people on the same IP address.

I would be very weary of providers who do not log at all, it's very naive to think they can operate a VPN network without putting a stop to certain types of abuse and doing some forms of logging.

 

The VPN-providers don't combat with abuse in Sweden (most of them at least). They neglect abuse and simply provide a solution to stay anonymous. Their opinion is that it's up to the user to stay on the 'legal' side, not theirs.

 

Sweden is currently being prosecuted about this since we're not obeying the EU laws. Sweden refuses to log what EU demans at this very moment. Most VPN providers in Sweden _does not_ log anything except e-mail and username, both which you can make up one yourself in order to stay completely anonymous.

 

First of all, the use of VPNs for SPAM and other forms of abuse is not as big an issue as you think it is. Sure, a spammer may be able to successfully send out one or two rounds of spam to a bunch of forums via VPN, but since a VPN uses a static IP, it becomes useless as soon as the IP gets blacklisted by webmasters and various anti-spam databases. That's why most spammers have been known to prefer using disposable IP addresses like open proxies and botnets.

As far as your main question about how the non-logging VPN providers deal with abuse, there are a number of ways:

1. If the abuse is limited to a specific site or service, the provider can block access to that particular resource. Obviously, if it involved a common site like Youtube, such action would adversely affect all users of that VPN... but if it were something more obscure, then the abuse could be thwarted effectively without having to give up the identity of the culprit.

2. If the VPN provider assigns static port numbers to each customer for port forwarding, they can easily pinpoint where the abuse is originating from. As long as that port number is associated with a specific user account (not dynamically assigned), they can terminate your service without necessarily knowing your real identity.

3. Some providers implement proactive anti-spam mechanisms, like blocking certain protocols or port numbers that are known for abuse. Others use traffic shaping (similar to some ISPs) to weed out or throttle "bad" traffic.

4. Some data centers that provide the web hosting for VPNs are notoriously more tolerant than others. As long as the VPN provider is a good source of revenue for them and the bills continue to get paid, many are willing to shrug off the occasional DMCA notice or SPAM complaint.

Also, keep in mind that a VPN's T.O.S. is often created on the advice of a lawyer for various liability reasons, but that doesn't necessarily that the list of "do's" and "don'ts" are actually enforceable in a real-world scenario. A VPN provider who is serious about protecting the privacy of its users has to be willing to accept that there's always going to be a few "bad apples" amongst the majority of well-intentioned users, and as such, must be financially and strategically prepared to deal with the inevitable risks of running that type of business.

 

Can you give me an example of such Swedish VPN? Around two years ago when I emailed Relakks (A Swedish VPN) to enquire about how long they keep logs for, I was told that they keep them for 30 days, and that was before data retention laws were passed in the EU I think.

 

Relakks only keeps a log on your username and your e-mail for 30 days. If you register under a good nickname and with an e-mail which can't be connected to your real name, you're safe with Relakks. But you asked for a VPN-provider (Swedish) which provides an even tighter security policy;

https://www.anonine.com/en

Their Open-VPN solution is simply out of this world. I've had an uptime for over 46 days with it (had to reboot after that due to Windows Update).

 

And, hopefully you pay for it with a fake credit card to mask your indentity!

Best regards,

KOR!

 

I see people say don't use VPN's based in the US, or Europe for certain reasons (privacy). Well, that eliminates virtually every VPN service I've seen. You have to draw the line somewhere.

I think I am going to steer clear of US based ones, but draw the line there. I'd like to even avoid using US servers, but perhaps that's the reason for my frequent disconnects? If I have to use a US server to solve this problem, then so be it.

 

Do you mean a prepaid card? I've seen it recommended to do this, and it certainly makes sense to me from a privacy standpoint.

But I just looked up "prepaid credit card", and every card I've seen states that it's really a debit card, not a credit card. Would they accept these? Can somebody recommend a specific card to use for this purpose, and provide a link where I can purchase it? I'd be extremely grateful.

I see a huge rack of various cards in Walmart where I check out. Are any of them ideal for this purpose? And if so, which one(s)?

 

Yeah, I guess to even get a prepaid credit card you probably have to go through steps to verify your information is correct from what I'm reading... rendering it quite moot. May as well just pay with a regular credit card.

I do like that Mullvad accepts straight cash. Use an email account that can't be linked to your real name, and there's a way to protect your privacy. It's just too bad that I'm having connectivity issues using them through OpenVPN, and can't get a trial to work to see if their client solves this issue... as it says it's expired as soon as I try to connect the first time.

 

what about the vanilla visa gift cards? I think you can just buy it with cash at checkout..and then pay for ur subscriptions with that..

 

Yes, you can even purchase them at Walmart in the vending machines. After check out, turn right, then turn left and you will be staring right at the vending machine.

Best regards,

KOR!

 

Can you please send some of that extra cash in a large brown vanilla envelope to Red Cross.

Best regards,

KOR!

P.S. Mark it as gift from Uncle KOR!

 

Steve from Xerobank has discussed this. Xerobank, if I remember correctly, has software installed in their system that is designed to detect malicious activity. The system is not logging, nor does it know the identity of the user, but there are evidently certain types of activity that are indicative of abuse, like massive spamming or certain types of hacking etc... So if some activity throws up a red flag, then they would have to look at it live, in real time, to see if something bad is going on.

At this point, if I understood correctly, they are still not interested in specifically who it is. Just what is going on. If everything comes up clean, then any data that is looked at for that period of time of examination is destroyed. But if it comes up bad, if it turns out that someone is using their services to run a bunch of botnets or spamming or whatever, they will cancel the account.

Another scenario would be if a law enforcement agency contacted them about some illegal activity. They (LE) would be required to provide a lot of specific info and jump through some hoops to prove that it is not just some kind of fishing expedition. http://ip.xerobank.com/company/leo/ Then if their complaint is considered to be legit, they (Xerobank) would have to try to monitor the activity live, based on the specific details provided by LE, to see if anything bad is going on. The last time that Steve posted about this, as of that time, no Xerobank user's identity had ever been compromised.

I seriously doubt that people who are up to anything really evil or bad would use a VPN like Xerobank. Especially terrorists or anything like that. But if someone did try to use Xerobank for something really bad like that, I for one would hope that Xerobank could identify and stop them. After all, isn't the the entire purpose of a service like Xerobank to further protect and facilitate individual freedoms? People who commit terrorist acts or mass murder or who hack into other people's computers to commit horrendous crimes destroy the freedom of others. They are the enemies of freedom of speech, press, privacy, and safety etc.

Xerobank's TOS are, if I remember correctly, based on the Universal Declaration of Human Rights. https://www.un.org/en/documents/udhr/

But when Steve says that they do not log, and that they do not have to log because of the way they are set up, I believe him. And I think he is one of the most dedicated and sincere people that I know of that advocate for privacy and anonymity. So when it comes to a question like "how do I know I can trust a VPN service to not log me"?... I think you pretty much have to rely on the people involved in running the service and their associations, as well as by their speech. Steve is a well known member of Hacktivismo http://www.hacktivismo.com/about/index.php. Kyle Williams was already very well known for creating the JanusVM before he joined their team. Cryptohippie is evidently a trusted service too. As for any of the others, I just don't know. I do believe that it is possible though to identify certain types of malicious activity without logging. But the examples above are the only ones that I am aware of.

 

So from what I understand, they do not log, but they do log if law enforcement ask them to. For example if someone is hacking a well known website x.com, they will log/intercept traffic data relating to this website in an attempt to identify the abusive user. However if multiple users are accessing this website, it could mean legitimate user traffic is intercepted.

 

Well if it's continual abuse then it's possible to catch the person in the act, rather than by going by past complaints.

 

Isn't it possible, like an evil TOR exit node, for a VPN provider to monitor their exit node traffic?
Since the Provider assigns you your identity wouldn't that make it easier for them to trace their users at the exit node?