A news report from TorrentFreak this week delved into the often-murky world of VPN logs. One well-known provider found themselves caught in a tangled legal web.
We all expect our providers to keep no logs, but unfortunately this is not always the case, and a legal dispute in Finland involving FREEDOME VPN is a stark reminder of that.
According to a recent report, Finland's National Bureau of Investigation helped investigate an alleged crime in early 2019.
The Bureau was helping one of Germany's investigations, and it believed that a Finnish-based VPN service, known as FREEDOME VPN, run by F-Secure, would be able to help with the investigation.
The Bureau did not waste any time, and it simply seized logging data that the VPN kept stored on its servers. What followed was a lengthy legal process, which finally ended only days ago.
As a conclusion to the process, the Helsinki Court of Appeal ruled that the Bureau had no right to seize the logs and that it did so illegally. It also ordered that the confiscated files must be destroyed.
The most important thing for VPN users
Now, as many likely know, a VPN is mostly used either for extra privacy online or for bypassing online obstacles. However, regardless of the reason why someone uses a VPN, they should always remember to use VPNs that do not keep logs.
Security experts have been recommending this for years, as services that do keep logs could either sell them or, worse, go through something like this and have their reputation destroyed if word gets out that they hold information about their users.
Fortunately for FREEDOME VPN users, Finland is not a member of the 5/9/14 Eyes Surveillance Alliance, which immediately makes it better for information privacy than its neighbour, Norway.
This case further proves that the country is actually more privacy-friendly than most, since the court ordered the destruction of the logs.
However, the fact that the Bureau was simply able to come to the F-Secure VPN's door and seize the data is concerning, and a very real reason why those who turn to a VPN for help need to choose a privacy-friendly service carefully.
The simple truth is that any logs that exist can be targeted. This time, it was by a government agency. However, it could just as easily have been hackers who targeted the VPN in search of users' data.
In any event, the customer logs would have been compromised.
FREEDOME does not log the users' browsing activity, fortunately, although it does create and store connection logs. And, as witnessed, it will hand over such data if the authorities request it. Of course, this is normal for any reputable firm.
However, it is still not good for the users of their services.
It should also be noted that F-Secure attempted to have the log seizure overturned rather quickly, claiming that the seized data needs to be classified as 'confidential communication'.
According to the company, the Bureau had the right only to request logging data concerning their suspect. However, the agency took much more than that, which eventually led to the court decision that the data should be completely destroyed.
What data does FREEDOME VPN keep?
As the court case has revealed, the VPN service did keep data such as IP addresses, the device ID of devices used to access and use the VPN, start and end time of every connection, session ID, and the amount of data that the user has used.
Other services claim to store much less, and while reputable third parties have audited some, it is impossible for users to self-verify this.
The logged data does not show what websites the suspect may have accessed; it really only confirms that the suspect is a VPN user, which is not illegal. The Bureau was actually interested in the connection timestamps and the amount of data used.
F-Secure's expert noted that even such data could be helpful in obtaining evidence against the suspect.
FREEDOME VPN keeps all the mentioned data logged for around 90 days, after which it gets automatically deleted.
The initial ruling against the Bureau came from the district court. However, it was the Bureau itself that took the case to the Helsinki Court of Appeal, as it was not satisfied with the district court's decision.
Unfortunately for them, the Helsinki Court of Appeal decided to support the lower court's decision to have the log data destroyed.
This case is another reminder to choose VPN services carefully and always err on the side of assuming that logs may be kept and that any illegal activities could come back to bite you.