logs – Techdirt
Stories filed under: "logs"
Legacy Copyright Industries Obsession With Infringement Is Pathological
from the copyright's-dangerous-obsessions dept
As Walled Culture the book (free digital versions) details, for decades the copyright industry has lobbied consistently (and successfully) for more and harsher laws targeting alleged infringement. Against that background, it is hardly surprising that these laws are used on a massive scale every day. But some companies take this to extremes. Here, for example, is a story on Ars Technica from earlier this year:
In an attempt to prove that RCN (now known as Astound Broadband) turned a blind eye to customers illegally downloading copyrighted movies, the [film] studios subpoenaed Reddit seeking identifying information for specific users who commented in piracy-related threads. While some of the comments were posted in 2022, other comments were made in 2009 and 2014.
The lawsuit was originally filed in 2021, which means that the studios were demanding the names of people for posting a comment anonymously more than a decade ago. Fortunately, the judge quashed the subpoena, for reasons discussed in the Ars Technica post. Despite that clear defeat, the same film studios are back demanding:
“Basic account information including IP address registration and logs from 1/1/2016 to present, name, email address and other account registration information” for six users who wrote comments on Reddit threads in 2011 and 2018.
Once again, the film studios are obsessing about something somebody wrote 12 years ago. Aside from the fact that the studios are repeating an argument they have already lost before, it is absurd for them to be wasting people’s time and money on something that was written this long ago, that may or may not have some tenuous connection to alleged copyright infringement.
This level of obsession with a tiny and most likely irrelevant post that took a few seconds to write over a decade ago borders on the pathological. It is another demonstration of how copyright not only distorts technology, markets and the law, but has also warped the minds of some people.
Follow me @glynmoody on Mastodon. Originally posted to Walled Culture.
Filed Under: copyright, inducement, logs, reddit users, subpoena
Companies: rcn, reddit
Cops Raid Swedish VPN Provider Only To Find Out There’s No ‘There’ There
from the oh-no-the-things-aren't-even-there dept
There are few things I enjoy writing about more than cops who feel waving around a piece of paper will ensure they can get what they want. I’ve handled a few of these stories before, most of them centered on Signal, the little messaging service that could — one that does not collect user data and would rather exit the marketplace than subject itself to encryption-breaking government mandates.
So, it always gives me pleasure to learn that cops armed with court orders approached a privacy-oriented tech company only to find out the stuff they wanted didn’t actually exist at the place they searched. Due diligence is a thing, investigators. Your boilerplate is obviously false if you’ve claimed (based on “training and expertise”) that the place you want to search contains the information you wish to obtain.
That’s the case here. A Swedish VPN provider was raided by local law enforcement, but was unable to produce any of the information officers were searching for… something officers might have realized prior to the search if they’d bothered to read the terms of service. Here’s Michael Kan with the details for PC World:
The company today reported that Swedish police had issued a search warrant two days earlier to investigate Mullvad VPN’s office in Gothenburg, Sweden. “They intended to seize computers with customer data,” Mullvad said.
However, Swedish police left empty-handed. It looks like Mullvad’s own lawyers stepped in and pointed out that the company maintains a strict no-logging policy on customer data. This means the VPN service will abstain from collecting a subscriber’s IP address, web traffic, and connection timestamps, in an effort to protect user privacy. (It’s also why Mullvad VPN is among our most highly ranked VPN services.)
If the cops had run a search of Mullvad’s website before running a physical search of its offices, they might have discovered the stuff they swore would be found there actually wouldn’t be found on Mullvad’s premises. It’s not like it’s that difficult to find:
There is a law to collect user data in India and other countries. Does this affect Mullvad?
Mullvad does not collect user data. Mullvad is based in Sweden and none of the Swedish regulations (https://mullvad.net/help/swedish-legislation/) can force VPN providers to secretly collect traffic-related data. We also have no servers, infrastructure or staff in India.
In other words, bring all the law you want, but in the end:
Raid if you want. But you can’t have what providers like Mullvad are unwilling to collect. In the end, you’ve done nothing more than make some noise and embarrass yourself. It’s all there in the Mullvad FAQ, including the fact that Mullvad performs no logging of user activity. If your investigation leads you to providers like Mullvad, it’s a dead end. Look elsewhere.
This policy isn’t in place because Mullvad wants to protect criminals. It’s in place because people all over the world deserve protection from government overreach. That criminals may benefit from policies like these doesn’t make these policies bad, it just makes it more difficult for abusive governments to engage in third-party-enabled surveillance.
And the long history here shows Mullvad isn’t a home for criminals. It’s just an extremely well-run VPN provider:
“Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant,” the company added.
You know who is in the best position to stop local law enforcement officers from embarrassing themselves? LOCAL LAW ENFORCEMENT. Maybe read the ToS and FAQ at the site you’re planning to raid before you approach a court with a bunch of assumptions and half-truths to secure a fruitless warrant demanding companies turn over information they don’t retain. Doing otherwise means looking bad at your job (at best) and authoritarian (at worst). If cops want to regain the respect and trust they swear they’ve always enjoyed in the past, the first thing they can do is actually do the investigative parts of investigations. That way they won’t look ridiculous when they go marching out of a tech company’s offices with fuck all in their hands.
Filed Under: logs, privace, sweden, vpn, warrant
Companies: mullvad
Five Bar Owners Arrested In France For Not Logging Internet Use By Patrons Using Bars' WiFi Connections
from the what-even-the-fuck-but-in-French dept
A seldom used mandate from France’s 2006 anti-terrorism law is being wielded rather conspicuously in a single French city to lock up small business owners.
At least five bar owners in Grenoble, France have been arrested for providing WiFi at their businesses without keeping logs. The bar owners were arrested under a 2006 law that technically classifies WiFi hotspot providing establishments as ISPs, and requires them to store one year’s worth of logs or connection records for anti-terrorism purposes.
France has a long and inglorious history of forcing ISPs to log user activity, but this is the first time data retention laws have been used against business owners who allow customers to connect to their WiFi. In 2011, the law was expanded to demand the logging of user login info and passwords, thus ensuring service providers would always be tempting targets for malicious hackers.
The new and sudden enforcement of a nearly 15-year-old law seems pretty weird, considering it only targeted five bar owners in one city. This suggests Grenoble law enforcement might have a bit too much time on its hands. It doesn’t appear to be part of a larger sweep across the country to (harshly) remind small business owners of their data retention obligations.
The bar owners — who were all released after questioning — said the hospitality section union (UMIH) never made them aware they needed to retain 365 days of customer internet activity, despite holding several conferences and seminars on running hospitality businesses. UMIH responded by saying it’s not the union’s fault members don’t read UMIH junk mail.
Umih admitted that the training doesn’t mention WiFi logging but noted that Umih members should have known about this important requirement because it was mentioned in a newsletter.
Dystopia — well, more of it — has come to Grenoble, France. Five bar owners are now more than fully aware of their data retention obligations. Since these arrests have made international news, it’s safe to assume customers are also now fully aware their internet activity is being logged and stored every time they connect with a bar’s hotspot.
Not that staying home helps. Bar patrons face the same harvesting of data whether they stay in or go out. ISPs — which includes anyone offering a “public” connection — are under the same obligations. Failing to meet them could net bar owners (or cable company employees) a 75,000 Euro fine and up to a year in prison.
And, in a damned if you do/damned if you don’t twist, there’s a good chance this kind of logging — especially without explicit consent from patrons — violates the far-more-recent GDPR. But few bar owners will have the money needed to challenge France’s law or have the ability to run this by the EU Commission for a second look. That leaves it up to the local cops, who appear to have found a new way to make things periodically miserable for the community they serve.
Filed Under: anti-terrorism, bar wifi, cafe wifi, france, isps, logs, privacy, small businesses, wifi
Cyberstalking Case Highlights How VPN Provider Claims About Not Keeping Logs Are Often False
from the privacy-panacea dept
Tue, Oct 10th 2017 06:30am - Karl Bode
When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn’t need privacy protections, since they could simply use a VPN to fully protect their online activity. But we’ve noted repeatedly that VPNs are not some kind of panacea, and in many instances you’re simply shifting the potential for abuse from your ISP — to a VPN provider that may not actually offer the privacy it claims.
Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior:
“PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That’s why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities.”
But when the Department of Justice announced last Friday it had arrested a Massachusetts man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. According to the DOJ complaint (pdf), the man in question engaged in a “multi-faceted campaign of computer hacking and cyberstalking”:
“It is alleged that Lin engaged in an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her. Lin, the victim’s former roommate, allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history. It is alleged that Lin then distributed the victim’s private photographs and diary entries to hundreds of others.”
Lin had apparently used Tor, PureVPN, and other tools to try and obscure his online footprints. In this instance, authorities seemed to already have enough brick and mortar evidence against Lin to build a case, but data from the logs PureVPN supposedly doesn’t collect helped contribute to the case against him:
“An affidavit submitted by Special Agent Jeffrey Williams in support of the criminal complaint against Lin provides most of the answers…. “Artifacts indicated that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer,” the affidavit reads. From here the Special Agent’s report reveals that the FBI received cooperation from Hong Kong-based PureVPN.
“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.
It should go without saying that Lin’s alleged behavior is abhorrent. That said, the case serves as an example of how the promises most VPNs make about not keeping logs can’t really be trusted, something the company’s users would have noticed if they’d dug a little deeper into the VPN’s privacy policy, which details how the Hong Kong company does store IP addresses as well as connection duration, time and date. Ironically, Lin had taken to Twitter not that long ago to acknowledge that VPN promises on this front often aren’t worth all that much:
“There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”
Few will shed a tear over a stalker not heeding his own privacy and security advice. But as VPNs are also used by political dissidents, reporters, and millions of security-conscious individuals, it’s worth remembering that the technology isn’t the magic fairy privacy dust it’s often portrayed as in media reports. And VPNs are not, as ISP lobbyists have claimed, a panacea for the slow but steady erosion of online privacy protections by companies looking to collect and sell every shred of personal data that’s not nailed down.
Filed Under: doj, logs, privacy, ryan lin, vpn
Companies: purevpn
Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings
from the because-we-can dept
Tue, Dec 1st 2015 02:03pm - Karl Bode
As companies race to embrace the inanely-named “internet of things” (IOT), security and privacy are usually a very distant afterthought. That’s been made painfully apparent by “smart” refrigerators that expose your Gmail credentials, “smart” TVs that transmit your living room conversations unencrypted, or “smart” tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody’s so excited to connect everything and anything to the internet, few companies can be bothered to do so intelligently and correctly.
And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company’s “Kid Connect” service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
What’s more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn’t respond to questions regarding why it needed to store all this data. And that’s likely because, like most IOT gear makers, it didn’t much think about it. It was so enamored with the gee whizery of gobbling up all manner of user data for later use, it couldn’t much be bothered to ensure fundamental security best practices.
As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need — just because they can:
“This opens the organizations up to unnecessary risk. If the words “might”, “possible”, or “potential” are used in an argument supporting the collection of data, you’re about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for its overall value to the organization and, just as importantly, the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it’s infeasible, you should always opt to collect and store the data when you have a concrete use for it.”
That’s common sense, but the excitement surrounding IOT has made it clear that common sense doesn’t enter into it. At least not in the design and implementation phase. Only once they’re caught not giving a damn about security or privacy are these over-enthusiastic companies suddenly model citizens. Vtech is of course no exception, having since issued a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it’s “committed to protecting our customer information and privacy”:
“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future.”
But if companies were so breathlessly committed to privacy, they wouldn’t rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids’ Barbie doll now gobbling up an ocean of household data, it’s going to be an increasingly ugly lesson to learn.
Filed Under: hack, internet of things, kids, logs, privacy, toys
Companies: vtech