In April 2017, San Francisco resident Ross M. Colby was arraigned in U.S. District Federal Court in San Jose following an FBI investigation into alleged hacking offenses.
The 34-year-old was accused of hacking into several local media websites owned by Embarcadero Media Group including the Palo Alto Weekly and the Almanac. He was charged with intentional damage to a computer, attempted damage, and misdemeanor computer intrusion.
According to the indictment, Colby illegally accessed Embarcadero Media email accounts in July 2015. Then, in September 2015, several of the company’s websites were hacked to display the Guy Fawkes image associated with Anonymous. The message “Unbalanced Journalism for profit at the cost of human right. Brought to you by the Almanac” was also left behind.
Facing more than two decades in prison and fines totaling several hundred thousand dollars, Colby pleaded not guilty and was freed on bail. On May 29, 2018, Colby’s trial began in federal court in San Jose. Palo Alto Online has been reporting (1,2) on the case, which has thrown up something of interest to VPN users.
According to evidence provided by FBI Special Agent Anthony Frazier, between July and September 2015, IP addresses operated by VPN provider Private Internet Access (PIA) were used to access email accounts and systems belonging to Embarcadero Media.
A former Colby roommate claims that the pair discussed computer security and frequently had discussions about the use of VPNs. He had even helped Colby set one up, he said. Last Friday, the San Jose Federal Court also heard that Colby told his roommate that he’d hacked a news website for pay.
Also giving testimony was John Allan Arsenault, general counsel for London Trust Media, the owner of Private Internet Access.
According to Almanac News, Arsenault told the Court that some VPN companies, PIA included, do not retain logs of customers’ Internet activities. This means they are unable to produce useful information in response to a subpoena.
Arsenault told the Court that PIA accepts several payment methods, including cryptocurrency, but doesn’t keep records of customers’ names and addresses. The only thing the company holds is the email address used when the customer signs up. There was no record of Ross Colby signing up to PIA with his two known email addresses, Arsenault said.
“We’re limited to search by what the government gives us. Just because we can’t find it doesn’t mean they didn’t use the VPN service,” he said.
“Someone could create a throw-away (email) account to subscribe to us,” he added.
But while PIA could not connect Colby’s IP addresses to any illegal activity, the same could not be said of other companies. Evidence presented to the Court showed that in addition to the PIA addresses that were used to access the Embarcadero Media email accounts, an IP address belonging to Comcast was also used on 20 occasions.
Records provided by Comcast showed that John Colby, Ross Colby’s father and a retired Massachusetts state trooper, was assigned that particular IP address between June 2015 and October 2015, the date of the FBI’s subpoena to Comcast. John Colby further testified that his son stayed with him for about 10 days in July 2015, a period which coincided with the email breaches at Embarcadero Media.
Evidence provided by the FBI also showed that an IP address used by Ross Colby at his home in San Francisco was used to access Embarcadero accounts, as was an IP address registered to a cafe frequently used by Colby.
The case highlights some important points for those interested in Internet security.
The most interesting for privacy advocates is that this is the second time that Private Internet Access’s “no-logging” policy has been tested in court. Such claims are notoriously difficult to prove but PIA has now passed twice with flying colors.
However, the big lesson is that if an Internet crime is serious enough to involve the FBI, IP address evidence will be just part of the equation, with testimony from family and associates playing a major role too.
The final decision on Colby’s plea lies with the jury, which is yet to render its decision.
Disclaimer: PIA is one of our sponsors. This article was written completely independently of that fact, as always.