We do not hide people’s online details if they do use the service to do something illegal, says UK-based VPN service provider
Following the arrest last week of suspected LulzSec member Cody Kretsinger or ‘Recursion’ after Anonymous VPN service HideMyAss.com provided his details to authorities, another member of the hacker group could be tracked down based on the same details.
According to a report in The Guardian, there is at least one more member of LulzSec used the HideMyAss service to disguise his IP addresses.
The report said that another alleged hacker with the moniker ‘Neuron’, may be facing arrest soon.
Last week, a man from Arizona was arrested over his alleged role in the hack attack on sonypictures.com that took place earlier this year by hacker group LulzSec. The FBI said that Kretsinger, 23, could be a member of the hacker group.
A federal grand jury indictment has charged Kretsinger with conspiracy and the unauthorised impairment of a protected computer. It said Kretsinger and co-conspirators obtained confidential information from Sony Pictures’ computers using an "SQL injection" attack.
In May, LulzSec, which has also claimed responsibility for the hack of the Public Broadcasting Service (PBS) website, had said that they used a "simple" attack on a "primitive" security hole to gain control of Sony Pictures database.
If convicted, Kretsinger faces a maximum sentence of 15 years in jail.
A few days after Kretsinger’s arrest, HideMyAss revealed that it does not hide people’s online details if they use its service for illegal purposes. The VPN service said that it disclosed Kretsinger’s IP address to comply with a court order.
"Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do."
However, the company added that it would disclose user details only if a UK court orders the company to do so.
The company said that "if a request for information is sent to us from overseas, we will not accept this request unless it is sent through the appropriate UK channels and a UK judge warrants a court order or a court summons that forces us to provide this information.
"We are not intimidated by the US government as some are claiming. We are simply complying with our countries legal system to avoid being potentially shut down and prosecuted ourselves."
The UK-based HideMyAss defended its decision to hand over logs to the FBI, saying that all providers keep records of users.
It said, "Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?"
The revelation has prompted some strong reactions from different corners of the Web world.
Rival AirVPN refuted statements made by HideMyAss. The company said, "For example, they [HideMyAss] claimed that ‘all VPN providers keep logs. When there was a court order issued to them, they WILL release it’. On top of that, they released on their website a communiqué which, in our opinion, is harmful to the professional reputation and to the the status of mere conduit of a service provider."
AirVPN claimed that users are safe with their service. It said, "For the aforementioned reasons, we would like to re-assure our users and our customers that nothing like that may happen with AirVPN, for a series of legislative (we are based in the EU, not in the USA, and we don’t recognise USA jurisdiction, obviously) and above all technical reasons."
Hackers issued a warning to HideMyAss. AnonymousIRC tweeted, "Question @HideMyAssCom: Was it worth to rat out one guy who allegedly hacked #PSN in exchange for all your business? You will find out soon."