I am not a lawyer, but my understanding is that this generally falls under Section 230, as you can make the same argument about Comcast, AT&T, et al., who let the bytes go over their infrastructure.
All this would do would be to lead the investigation to get a warrant/subpoena to have the VPN service provide user details about the account and anything else relevant like logs. This is where the "we don't log shit" bullet points come into play as well as running only from RAM. If the warrant allows for removal of hardware, all data is lost once power is removed. LEOs would have to bring lots of batteries.
They're going to freeze the whole data center? It's rack after rack of machines that the traffic could have passed through, right? And if they're not logging IPs to RAM then they only have a fraction of a second to get the right one before the register is overwritten with the next user's info.
You do need to know where to send the user's return traffic, so you'll need a table ultimately comprising mappings of network flows to end-user addresses. Of course, once the flows close you don't need to retain this information. In practice, you'll also need information about all currently-open VPN sessions.
If the feds have physical access and considering the high likelihood that these are VMs and not physical, it would be a whole lot easier to get the hypervisor to just snapshot the VM w/ its memory and perform forensics against that file(s).
And then suppose you log in to that VPN and are looking up children's sweaters for your kids and keep the session on... while law enforcement is looking up the IP address associated with the earlier activity, which is now assigned to you. Good luck explaining to the cops about VPNs and IP addresses.
You are not going to be the only person appearing to come from that IP address – many will likely be NATed through it.
The more significant concern is if you are the other side: if you deliberately run some sort of VPN or other proxy that others can use, or less deliberately do so. Many hacked or otherwise suspicious browser add-ons, and other malware, will make HTTP(S) requests & other connections on behalf of their C&C hosts and to your ISP or anyone else those requests will be largely indistinguishable from those that are the result of your activity.
You need a VPN that actually cares about your privacy and goes the extra mile to ensure it. On top of that, if the VPN service does not know who you are, how can they actually tell the cops? On top of that, you don't need to explain it to the cops - if you are ever accused this should be done in a court of law where we understand what IPs are (heck, even some cops understand it - it's not exactly rocket science nowadays).
You actually shouldn't even say anything to the cops. If they show up with a warrant for arrest as well as search, you're going to jail no matter what you say. If they show up with just a search warrant, they are going to take whatever they want to take whether it's outside the purview of the warrant or not. It will be up to a lawyer to convince a judge it was out of scope at a later date after it has already been taken. You will never convince a team of cops that their warrant is wrong when they show up. The only chance you have is if you're uber criminal and have your attorney present when they arrive.
> You actually shouldn't even say anything to the cops.
Unless you're in the UK, in which case: "You do not have to say anything. But it may harm your defense if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."
As a Yank, that line always felt odd when watching BritCop dramas. How is the alleged meant to know the specifics of a defence when the full charges haven't even been levied, or how is the alleged meant to read the mind of a lawyer? It just feels like something rigging the system.
And the court of public opinion. By the time lawyers and judges are involved, unless you are very lucky, your name and photo are all over the tabloids. Any retractions published when you are later found completely innocent will be the equivalent of a column inch or two on page 17.
The point is that it could happen to anyone, if their choice of connectivity arrangements makes it possible, so it is a relevant concern for everyone when planning such connectivity arrangements (whether or not they care about the implications of it potentially happening to you, me, or anyone else).
No, it could not happen to anyone, for a whole host of reasons…
A number that rounds to zero in the 21st century is the number of people who have been randomly cancelled. You can disagree that it is proportionate to their offense, but z e r o people were just sitting around and woke up a) in the public eye and b) were completely and entirely good people who were maligned needlessly in a permanent way.
It is in no way a real concern for 99.9999999% of people.
> but z e r o people were just sitting around and woke up a) in the public eye … who were maligned needlessly
Demonstrably false. There are a significant number of individual cases I could mention off the top of my head. If you want a whole bag of them to look at in one go, read up on the NOTW “name and shame” campaign which resulted in numerous entirely spurious accusations, and actual vigilante attacks as well as legal investigations. The court of public opinion can be a concern for all.
> b) were completely and entirely good people
On a slightly more facetious note: if anyone claims to be absolutely 100% totally good, someone somewhere will disagree :)
There is no objective definition of good that all will agree on, and even if there is, none of us are perfect our entire lives.
Same thing, different words. Your point (it doesn't happen to many so no one needs to worry) is an appeal to infinity, much like how Douglas Adams used an appeal to infinity for humour purposes to “prove” that the population of the universe is zero (and any people you may meet are just figments of a deranged imagination).
You: “It happens to a small number of people, there are many many more people than that, so it averages out to effectively zero, so no one needs to worry”
Me: “Toe stubbing only happened to a small number of people, there are many many more people than that, so it averages out to effectively zero, so no one needs to be careful about their feet”
HHGTTG: “the volume of the universe is infinite there must be an infinite number of worlds. But not all of them are populated; therefore only a finite number are. Any finite number divided by infinity is zero, therefore the average population of the Universe is zero, so the total population must be zero and any people you may meet are just figments of a deranged imagination”
What if they are on cellular and that hasn't been upgraded to IPv6?
Years ago I handled fraud cases for an e-commerce site with local police, at some point they started asking for IP and port numbers for the offenders, rather than just the IP. Turns out that one of the cellular phone providers had basically run out of IPv4 addresses for their 4G network and did some NAT solution. If you didn't have the port number the client had connected from then they could only tell you which cell tower had been used, not who the customer was.
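The lookup described in the comment above, as an added example that is not part of the original thread: a carrier-grade NAT log resolves a connection to one subscriber only when the public IP, the timestamp and the source port are all known. The port-block log format, the subscriber IDs and the `203.0.113.7` address are constructed assumptions, not any carrier's real schema.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class Mapping(NamedTuple):
    start: datetime      # when the port block was assigned
    end: datetime        # when it was released
    public_ip: str       # shared public address
    port_lo: int         # first source port in the block
    port_hi: int         # last source port in the block
    subscriber: str      # constructed subscriber ID

def ts(s: str) -> datetime:
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample log: three subscribers behind one public address.
# Note that sub-C later reuses the port block sub-A held earlier.
NAT_LOG = [
    Mapping(ts("2024-01-10T09:00:00"), ts("2024-01-10T09:30:00"),
            "203.0.113.7", 1024, 2047, "sub-A"),
    Mapping(ts("2024-01-10T09:05:00"), ts("2024-01-10T10:00:00"),
            "203.0.113.7", 2048, 3071, "sub-B"),
    Mapping(ts("2024-01-10T09:40:00"), ts("2024-01-10T10:15:00"),
            "203.0.113.7", 1024, 2047, "sub-C"),
]

def candidates(log, public_ip: str, when: datetime,
               src_port: Optional[int] = None) -> set:
    """Subscribers who could have made a connection seen from public_ip at `when`.

    Without src_port, every subscriber holding any block on that address
    at that time is a candidate, so the result is usually ambiguous.
    """
    hits = set()
    for m in log:
        if m.public_ip != public_ip or not (m.start <= when < m.end):
            continue
        if src_port is not None and not (m.port_lo <= src_port <= m.port_hi):
            continue
        hits.add(m.subscriber)
    return hits
```

A server-side log that records only the client IP can never narrow the result below the first, ambiguous set; it needs the source port and an accurate timestamp as well.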
Definitely not. I am still logged into my ex-girlfriend's wifi, so if I wanted to harm her I could easily go stand outside her home at night and download malicious files. That would not make her guilty. They may investigate but that is not proof she did something unlawful.
Let's say a pedophile uses Mullvad to get forbidden images, isn't the VPN liable?
I mean, the law enforcement will see that the IP was from Mullvad's office, so I assume they are the ones doing it? How do they avoid this?
It is a real doubt. Maybe stupid, but real.