Does PIA keep logs
Dear PIA Support,
I have recently read a discussion on the PIA forums about PIA's no-logging claims - https://www.privateinternetaccess.com/forum/discussion/25531/is-the-latest-announcement-private-internet-access-does-not-log-a-response-to-the-purevpn-fiasco#latest , and have a few questions regarding this ...
1. Why does PIA quote that "In light of recent news, we would like our clients to rest assured that, as has been proven in US court, Private Internet Access does not store any type of logs and never will. Thank you for helping us fight the good fight."
If there are no logs stored, how can PIA prove that they don't store logs if there are none to collect in the first place?
Surely the statement by PIA should read "In light of recent news, we would like our clients to rest assured that, as has been presented in US court, Private Internet Access does not store any type of logs and never will. Thank you for helping us fight the good fight."
Given a court order or subpoena, and when ordered to hand over their logs, the only information PIA could provide was that the cluster of IP addresses being used was from the east coast of the United States (for example), as mentioned on https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/ . What basically is logged, not logged and presented?
2. Following the statement "4. We do not monitor our users, and we keep no logs, period. That said, we have an active, proprietary system in place to help mitigate abuse." on https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/ - what proprietary system is this?
There is a good amount of evidence to suggest that PIA does not log, e.g. when they removed servers from Russia when the Russian government demanded they start logging the usage of their users - https://www.privateinternetaccess.com/forum/discussion/21779/we-are-removing-our-russian-presence - or when they recently removed their South Korea servers, https://www.privateinternetaccess.com/blog/2018/01/removing-south-korea-presence/ . How exactly does PIA not log, what is the process, how do you ensure nothing is logged on the servers? I am just confused.
Thank you for your support
jamiep4819
Comments
Thank you for letting me know, I was just confused due to the forum post https://www.privateinternetaccess.com/forum/discussion/25531/is-the-latest-announcement-private-internet-access-does-not-log-a-response-to-the-purevpn-fiasco#latest
I have already explained a fair bit in this comment on the linked thread, but essentially it will always come down to a question of trust.
Most of us accept PIA's inability to provide anything in court as a good enough proof that PIA is at least ready to fight for you. Some users don't agree it is a proof of anything, but as I explained in my other comment, ultimate proof is simply impossible.
Answering a few of your questions:
Technically simply showing that the configuration has logs turned off and that the log folder is indeed empty should be sufficient for most people, but one could of course claim that we hid them or removed them beforehand. As far as I'm aware, we don't even have syslog in case system logs could be used for anything.
Proving the absence of something is kinda hard on its own, otherwise religious debates would have long been solved.
I unfortunately have no information on this, but I think it's mostly iptables rules like SMTP port 25 being blocked by default and so on. We work by limiting abuse potential rather than detecting it after the fact.
We... don't enable logging? It's not like Windows that does literally everything except what you asked for. We use open-source software we can audit and modify as needed. If we compiled the VPN daemons without logging capability in the source code, logically it cannot log anything. There is therefore nothing to monitor, to verify or to "ensure it does not". It cannot. We can do a quick "ls /var/log" and monitor disk IO but that's as far as it can go. We can't monitor something that doesn't exist, and at this point if someone gains logging capability through other means then we have a much, much bigger problem that is a full machine compromise. At which point it becomes "X external organization managed to pwn PIA's servers and log customer traffic" so a bit outside of this discussion's scope.
As I explained in my other comment again, while we do configure everything to not log, one can always argue that there could be external logging. We don't know, and we can't know. It's impossible to protect against that. We have servers in the US, therefore the US government could always be logging everything that goes in and out of PIA's US servers. Same applies for every country we have a server in. For example with South Korea, we removed everything just in time. The only way we could protect against this would be to own every single piece of hardware between you, our servers and the sites you visit.
We have stuff in place to properly decommission a compromised server if that were to happen, with the CRL files we ship with both our OpenVPN profiles and the app, which basically tell the clients to not trust that server anymore.
But ultimately, it will always be a matter of whether you trust us and our words that we don't log, and whether you trust the country of the servers you connect to. We do everything in our power to protect the anonymity of our users, and this is what we sell and advertise. Whether you think our measures are sufficient is entirely up to you.
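The checks Max-P describes above (a config with logging turned off, an empty log directory, iptables rules that limit abuse potential, and a CRL shipped to clients) can be turned into a small audit that anyone operating an OpenVPN node can run. What follows is an added example written for this page, not PIA's configuration or tooling: the server config, client profile and iptables-save dump are constructed inline, the file names and the exact shape of the firewall rule are assumptions, and the audit only inspects what the daemon is configured to do.

```shell
#!/bin/sh
# Added example (not PIA's code): audit an OpenVPN node for the properties
# discussed in the thread. All inputs below are constructed for the demo.

# OpenVPN directives that write per-connection data to disk. With --daemon,
# any non-zero "verb" output also goes to syslog unless log/log-append is set.
LOG_DIRECTIVES='log log-append status ifconfig-pool-persist'

# audit_openvpn_logging CONFIG: return 0 if no logging directive is present
# and verb is explicitly 0; otherwise print each finding and return 1.
audit_openvpn_logging() {
    cfg="$1"; rc=0
    for d in $LOG_DIRECTIVES; do
        if grep -Eq "^[[:space:]]*$d([[:space:]]|$)" "$cfg"; then
            echo "LOGGING: '$d' present: $(grep -E "^[[:space:]]*$d" "$cfg")"
            rc=1
        fi
    done
    v=$(grep -E '^[[:space:]]*verb[[:space:]]+[0-9]+' "$cfg" | awk '{print $2}' | tail -n1)
    if [ -z "$v" ]; then
        echo "LOGGING: no 'verb' directive; OpenVPN defaults to verb 1"; rc=1
    elif [ "$v" -gt 0 ]; then
        echo "LOGGING: verb $v (non-zero output level)"; rc=1
    fi
    return $rc
}

# audit_crl PROFILE: a client profile must carry a CRL (file or inline block)
# so that a decommissioned server certificate is refused after revocation.
audit_crl() {
    if grep -Eq '^[[:space:]]*(crl-verify[[:space:]]+|<crl-verify>)' "$1"; then
        return 0
    fi
    echo "CRL: no crl-verify in profile; a revoked server cert is still trusted"
    return 1
}

# audit_smtp_block IPTABLES_SAVE_DUMP: VPN client traffic is forwarded, so the
# abuse limit must be a FORWARD rule dropping or rejecting tcp/25.
audit_smtp_block() {
    if grep -Eq -e '-A FORWARD .*-p tcp .*--dport 25[^0-9].*-j (DROP|REJECT)' "$1"; then
        return 0
    fi
    echo "ABUSE: no FORWARD rule blocking tcp/25; clients can send direct SMTP"
    return 1
}

# --- constructed inputs (hypothetical paths, written to a scratch dir) ---
WORK=$(mktemp -d)
BAD_SERVER=$WORK/bad-server.conf; GOOD_SERVER=$WORK/good-server.conf
BAD_CLIENT=$WORK/bad-client.ovpn; GOOD_CLIENT=$WORK/good-client.ovpn
BAD_IPT=$WORK/bad-iptables.txt;   GOOD_IPT=$WORK/good-iptables.txt

cat >"$BAD_SERVER" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
daemon
EOF
sed -e '/ifconfig-pool-persist\|^status\|^log-append/d' -e 's/^verb 3/verb 0/' \
    "$BAD_SERVER" >"$GOOD_SERVER"

printf 'client\ndev tun\nremote vpn.example.invalid 1194\n' >"$BAD_CLIENT"
{ cat "$BAD_CLIENT"; printf '<crl-verify>\n-----BEGIN X509 CRL-----\nMIIB(placeholder)\n-----END X509 CRL-----\n</crl-verify>\n'; } >"$GOOD_CLIENT"

cat >"$GOOD_IPT" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -i tun0 -j ACCEPT
COMMIT
EOF
grep -v -e '--dport 25' "$GOOD_IPT" >"$BAD_IPT"

# Stand-alone run: report on the careless and the hardened variants.
for f in "$BAD_SERVER" "$GOOD_SERVER"; do
    echo "== $f"; if audit_openvpn_logging "$f"; then echo "ok: nothing configured to log"; fi
done
for f in "$BAD_CLIENT" "$GOOD_CLIENT"; do
    echo "== $f"; if audit_crl "$f"; then echo "ok: CRL shipped in profile"; fi
done
for f in "$BAD_IPT" "$GOOD_IPT"; do
    echo "== $f"; if audit_smtp_block "$f"; then echo "ok: tcp/25 blocked for clients"; fi
done
```

The audit passes only on the hardened variants; the careless server config trips on `ifconfig-pool-persist` (a CN-to-address mapping is itself a connection record), `status`, `log-append` and `verb 3`. Note that a clean result says nothing about capture outside the box, which is the limit Max-P is pointing at.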
Thank you for coming back to me. I understand how PIA's infrastructure works now. I do trust PIA, I have used them for a number of years. The reason I opened a new thread was because with the original thread that I read about, things got a little confusing as there was an ongoing argument with a few users while you were trying to clarify things on the logging side, however that's not my business. I guess not only does it come down to trusting a service provider like a VPN but we have to also take into account nothing is 100% secure. Sorry if I've caused offence, it was never my intention, I just wanted to clear things up.
Thank you
jamuep4819
Thanks for acknowledging this extremely important point: "ultimate proof is simply impossible." This is precisely why PIA never should have made the claim in the first place that it had "proof" when there was none that could be produced and never can be.
But isn't that now, more than ever, the problem? PIA has dramatically undermined customer trust by making the "proven in US court" claim in the first place and, once confronted for it, refusing to back down.
I've learned to trust you personally, @Max-P. You are technically competent and provide candid answers. You also come across as a reasonably humble guy. It's too often just the opposite with some of your peers.
Trust is earned with me, not just blindly given, and once it's cast into doubt often hard to restore. Humility goes a long way with me. Prideful arguments and self-justifications only make things worse.
There are some at PIA who have undermined customer trust with overblown, exaggerated and outright bogus claims. There's also a pattern to it that's been going on for many months. The original claim that sparked this entire multi-thread kerfuffle has yet to be honestly and forthrightly dealt with by him who caused the original offense. Instead it's been shouted down, shut down, threads closed, customers banned, and swept under the carpet:
That claim was and is misleading, demonstrably false and, in my personal experience with PIA, just more PIA marketing hype. Only after taking considerable heat for more than two weeks was the original claim redacted to read;
It would be bad enough if this were only a one-time incident. It's not. PIA has engaged for at least three years in a pattern of marketing hype. Marketing hype is rooted in exaggeration and exaggeration frequently results in outright lying to the customer. Perhaps there was never the intention of lying in the original "proven in US court" claim. But if not why wasn't there an immediate retraction and apology? Instead several PIA employees engaged in defensive semantics and wordcraft, self-justifications, shutting down threads, and banning those who pressed the matter a little too passionately.
PIA strikes me as a business that has a very thin skin, unable to take customer criticism of any kind, constructive or otherwise.
The bogus "proven in US court" claim is semi-infamous now (being cited on Reddit and numerous other forums) only because of PIA's stubborn pride. The original claimant should have just humbled himself, offered an apology, and then retracted it in a gentlemanly fashion. That would have put a quick end to it and done much in furthering customer trust in PIA. Instead he did just the opposite and dramatically escalated broken customer trust in the process.
Customer trust is rooted in what a customer witnesses in the integrity (or lack thereof) of that company's employees' claims, fulfilled promises, and performance. No customer can realistically expect a company to be perfect; but we do expect that the businesses we patronize quickly own up to their mistakes and make them right. A company who refuses to do so dramatically undermines customer trust and will find itself quickly losing their customers to their competitors.