When using the Internet, everyone leaves some kind of digital footprint, and for most individuals going about their daily business this could be as simple as their ISP-allocated IP address.
To gain additional privacy, some people turn to VPN providers, which exchange the user’s ISP IP address for one operated by the provider. For those seeking the best levels of security, the important thing is to ensure that the VPN provider has systems in place to prevent these two IP addresses from being linked. In basic terms, this means choosing a so-called “no log” provider.
When Logs Exist, They Can Be Targeted
Finnish security company F-Secure operates a VPN service known as FREEDOME which, according to the company, does not log what websites users visit but does create and store connection logs. When required to under the law, FREEDOME will hand over any data it holds in response to law enforcement or court requests, which is normal among all reputable companies.
Back in January 2019, Finland’s National Bureau of Investigation (KRP) seized VPN logging data from FREEDOME in response to a legal request from the Federal Criminal Police Office (Bundeskriminalamt / BKA) in Germany. The BKA was investigating a “serious crime” and traced the perpetrator back to an IP address operated by F-Secure’s VPN service.
By obtaining FREEDOME’s logs, the authorities wanted to get closer to the suspect.
F-Secure Attempts to Have Seizure Overturned
As reported by YLE, F-Secure filed a request at the district court for the seizure to be overturned and the seized logs destroyed, arguing that the data seized should be classified as confidential communications, which may only be seized in accordance with Chapter 10 of the Secret Coercive Measures Act.
The company said that any data seized should only concern communications created by or received from the suspect in the matter. When KRP seized F-Secure’s logging data, the law enforcement agency took more. However, KRP countered by stating that it was entitled to seize the data because what it was seeking wasn’t access to confidential communications but customer data held by F-Secure.
In a May 2019 decision, the district court found in favor of F-Secure, noting that seizing the data would require coercive measures under the Coercive Measures Act. The court also found that F-Secure was not a party to the communications in question but acted as an intermediary, so KRP wasn’t able to use coercive measures either.
What Information Did F-Secure’s FREEDOME VPN Log?
As highlighted earlier, FREEDOME admits to keeping some logs and the extent of that logging was heard in court. According to YLE, the data seized by KRP consisted of customers’ IP addresses, the device ID of the device used to access the service, a session ID, the start and end time of the connection, and the amount of data used by the subscriber.
KRP was interested in logs that could show connection timestamps and the amount of data used. According to an F-Secure expert who gave evidence in court, the logs could not show which sites were visited by a subscriber. However, by combining timestamp and data usage logs, which F-Secure reportedly retains for 90 days, it might be possible to obtain evidence on the suspect.
KRP Files Appeal at the Helsinki Court of Appeal
Unhappy with the decision of the district court and the order to destroy the seized logs, KRP took its case to the Helsinki Court of Appeal.
The appeals court handed down its decision yesterday, upholding the decision of the lower court, which ruled that the seizure was illegal and the logs should be destroyed.
What effect this will have on the investigation in Germany isn’t clear, but the ruling does offer some additional clarity on what data can be obtained from local VPN providers, and how.