Turkey Seizes ExpressVPN Server In Assassination Investigation–Finds Nothing, By Design

It seems inevitable that anytime there’s a discussion of VPNs, someone chimes in that a) of course all VPNs are really logging users, and b) it would be impossible for them not to log users. Unfortunately, there have been a number of cases where VPNs that strongly implied they were not logging or tracking users actually went out of their way to help law enforcement or intellectual property owners.

Turkey’s seizure of an ExpressVPN server, as part of its investigation into the assassination of Russian Ambassador Andrey Karlov, went in the opposite direction. According to a statement ExpressVPN released after Turkish media recently began reporting on the server’s seizure:

According to recent Turkish media reports, investigators in Turkey allege that a still-unknown individual used ExpressVPN in an attempt to delete evidence related to last year’s assassination of Russian Ambassador Andrey Karlov. This individual, according to the reports, logged into the Gmail and Facebook accounts of the assassin (off-duty police officer Mevlüt Mert Altintas) and deleted conversations that would have been relevant to the investigation.

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.

. . .

VPNs are first and foremost security tools that help to protect users from being hacked, tracked, monitored or otherwise compromised. As such, the ExpressVPN service is built from the ground up to provide the best protection possible, including ensuring that our servers do not contain personal data about anyone’s online activity.

While it’s unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install “backdoors” or attempts by governments to otherwise undermine such technologies.

Several things come to mind after reading ExpressVPN’s statement:

  1. I’m surprised an individual somehow connected with the assassination of a Russian ambassador would use a commercial VPN to try to cover his or her tracks. Yes, ExpressVPN publicly claimed to not do any logging of any sort, but that’s a pretty high-stakes bet that that person made.
  2. Contrary to the naysayers, some VPNs do, in fact, run their services in such a way that they have extremely limited to zero knowledge about their users’ activities after the fact.
  3. The inability of ExpressVPN to offer the sort of information that Turkey is looking for in this high-profile case is likely to lead to calls for more regulation around VPNs. ExpressVPN notes that it is based in the British Virgin Islands, which has “strong privacy legislation and no data retention requirements.” I imagine they’ll be under a lot of pressure to “update” their data retention requirements.