Private Internet Access ‘no user logs’ policy tested in another hacker case

Private Internet Access Black Friday

Private Internet Access (PIA) has found itself involved in another online hacking case where, once again, it’s no user logs claim has been tested in court.

The case in question is that of Ross M Colby, a software engineer from California who is accused of two felonies and three misdemeanours in relation to the shutting down of a news website, Almanac Online and illegally accessing email accounts linked to that site and its parent company Embarcadero Media.

IP Address evidence proving crucial

Colby trial, which is taking place in a San Jose federal court, heard yesterday from his housemate, who claimed that Colby had told him he had hacked a newspaper website, but said he didn’t believe him at the time because Colby was prone to making boastful claims which were usually untrue.

However, further evidence suggests that Colby was indeed behind the claim. The FBI presented evidence that an IP Address associated with Colby’s residence in San Francisco had been used to access email accounts of several Embarcadero Media IT employees.

They also showed that the IP Address of a small café, the Flying Pig Bistro, which is situated close to his home and which Colby frequented, had also been used for this purpose.

Another IP Address which was used to access email accounts of Embarcadero employees was linked to the home of Colby’s father, John Colby. He has given evidence to the trial that his son visited him for around 10 days at the time these hacks were supposed to have taken place.

PIA-owned IP Address use under scrutiny

However, much of the focus of the trial has been on multiple times that these email accounts were accessed using IP Addresses owned by PIA.

PIA was represented at the trial in the guise of their operating company, London Trust Media. General counsel John Allan Arsenault told the court that PIA intentionally does not retain logs of user’s internet activity. They, therefore, cannot produce online activity reports about users in response to subpoenas from law enforcement or others.

The court heard that because PIA accepts anonymous payment methods such as cryptocurrency, the only record they have about any account holder is the email address they registered their account with.

Arsenault confirmed that PIA had searched their records for two email accounts associated with Colby, which were given to them by the FBI. He confirmed there was no record of an account using either of these email addresses.

But as he explained to the court, this didn’t mean that Colby hadn’t used PIA. “Someone could create a throw-away [email] account to subscribe to us,” he explained. In other words, it is perfectly possible to use PIA completely anonymously.

Arsenault did confirm that at least three Private Internet Access-owned IP addresses had been used to access email accounts related to Embarcadero Media employees. The court also heard that some of the dates when this happened coincided with dates that IP Addresses linked to Colby had been doing the same thing.

But crucially, because of PIA’s rock-solid no user logs policy, he could not confirm that Colby was the user who had accessed these email accounts using PIA’s IP Addresses.

FBI seemingly ignorant about shared IP Addresses

The case also heard one piece of dangerously flawed evidence presented by FBI special agent Frazier, as he tried to imply that Colby must have been using a PIA account.

Under examination from Prosecutor Joe Springsteen, the agent was asked if a private IP Address (such as one owned by a VPN company) was used to access a personal account and then the same IP Address was used shortly afterwards to commit a criminal offence, this was significant.

Frazier replied that “If a suspect used an IP address to conduct criminal activity and then personal activity it would indicate that the person was the same individual.”

However, this is demonstrably not true. Many VPNs, including PIA, use shared IP Addresses. This means that multiple users can be using the same IP Address at any one time.

As a result, it is impossible to prove that the same user who accesses a personal account using that IP Address is the same one who uses it to commit a criminal offence shortly afterwards.

This point does not seem to have been made in the trial of Colby (based on the report we have read) and while there does seem to be a body of evidence against him already, it is to be hoped that Colby is not convicted on the bases of this false premise.

The trial continues, but for VPN users, the message to take away from it is clear. When PIA claims to keep absolutely no user logs, there is no question that they are telling the truth.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *