If you have access to court records in the Netherlands, look up the case of the Dutch KPN blackmailer from a few years ago. He got caught because he used NordVPN instead of only using Tor. NordVPN gave everything they had on him, which led to his conviction.
As a rule, if a VPN is hosted in Europe/North America, you need to assume that they log.
I was under the impression the KPN attacker merely used a single-hop VPN service from his KPN connection and the investigators managed to correlate traffic flows.
Unfortunately Google is failing me right now. There was a case within the last few years where someone was convicted because their VPN provider was sharing raw traffic (not logs) with the government. If anyone knows what I'm referring to, please chime in.
But given the existence of Room 641A[0], and other extra-judicial mass surveillance, I am confident in my assertion. Moreover, the explosion of VPN companies with large marketing budgets over the past few years has always made me suspicious.
NordVPN says they don't collect logs, but then it came out that they send information to law enforcement. So the big question is what information is being sent to law enforcement. Despite what NordVPN maintains, it seems like they do keep incriminating data about their users.
Maybe the vast majority of big companies listed on stock markets work for the govt, and the price of a CEO or board member keeping quiet is the income and wealth gained from these stock market listed entities?
What does raw traffic that is not in the form of logs look like? Maybe you mean that they are streaming logs in real-time rather than sending log files in batches periodically?
You don't mean sharing raw traffic as in forwarding actual requests, I wouldn't think?
It could be either mirroring all the traffic to an agency-provided black box, or sending just NetFlow (or sFlow) metadata about the traffic.
And if someone thinks the first option is not realistic - this is how almost every ISP in Russia works (search for SORM-2 and SORM-3 for more detail, typically traffic is mirrored at ISP's border gateway(s)). Sure, Russia or China wouldn't be great examples, but the point is that it's technically possible, even at scale, and all the real problems are in the meatspace (legal enforcement or coercion).
> You don't mean sharing raw traffic as in forwarding actual requests, I wouldn't think?
The usual method is either to use a splitter or switch configuration to mirror traffic to another interface, attached to a machine running packet capture/analysis tools.
So one way you can identify VPN traffic is to slow the VPN connection temporarily between the target and the VPN server whilst observing the connections coming out of the VPN server, and spot the slow connection coming out; then it's possible to identify where the VPN traffic is heading! It's just traffic shaping.
Think of it as just monitoring vehicle movements on a road network which crosses borders: you can't see the contents of the vehicle, but you can see where they are heading back and forth multiple times, and thus work out what they are up to, even if the destination is a cloud server!
The article also shows that the network carriers, land line and mobile network carriers, many of which are stock market listed, don't monitor the networks to protect their users; thus do they fail in their duty of care? I think many victims of crime could have a case. It wouldn't be hard to spot what's going on for them, in much the same way the postal service can tell what's going on when people deliver drugs through the postal system, or supermarket loyalty card schemes can highlight changes in their customers which can indicate health issues. The lawyers and judges probably wouldn't be able to understand it, in much the same way people can't understand quantum physics, so is there a case to bring?
Everyone gives away metadata, if you know what to look for. The crime is that the current setup of society benefits a privileged few!
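The flow-metadata correlation discussed in this thread (NetFlow/sFlow-style export on both sides of a single-hop VPN), as an added example that is not part of any comment above. The flow data, the names and the 0.9 threshold are constructed assumptions, and the example goes one step beyond the thread by also showing that constant-rate padding removes the signal in this simple model.

```python
from math import sqrt

# Constructed sample data: bytes per 1-second bin, the kind of summary that
# NetFlow/sFlow-style export gives an observer. No packet payload is involved.
INGRESS = {  # client -> VPN server
    "client-A": [1200, 0, 0, 5400, 300, 0, 9100, 0],
    "client-B": [0, 800, 800, 0, 0, 7700, 0, 400],
}
EGRESS = {   # VPN server -> destination (sizes differ by tunnel overhead)
    "dest-X": [0, 760, 750, 0, 0, 7300, 0, 380],
    "dest-Y": [1130, 0, 0, 5100, 280, 0, 8600, 0],
    "dest-Z": [500, 500, 500, 500, 500, 500, 500, 500],
}

def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / sqrt(var_a * var_b)

def correlate(ingress, egress, threshold=0.9):
    """Map each client to the egress flow whose volume pattern tracks it best."""
    matches = {}
    for client, series in ingress.items():
        scores = {dest: pearson(series, out) for dest, out in egress.items()}
        best = max(scores, key=scores.get)
        score = round(scores[best], 3)
        # Below the threshold the observer has no confident link.
        matches[client] = (best if score >= threshold else None, score)
    return matches

def pad_constant(series):
    """Constant-rate padding: every bin carries the peak volume (cover traffic)."""
    return [max(series)] * len(series)

if __name__ == "__main__":
    print("unpadded:", correlate(INGRESS, EGRESS))
    padded = {c: pad_constant(s) for c, s in INGRESS.items()}
    print("padded:  ", correlate(padded, EGRESS))
```

The unpadded run links each client to a destination from timing and volume alone, which is why "no logs" says little about an observer who holds flow records from both sides of the VPN server.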