Pen register (connection logging) on AirVPN server Jan/Feb 2020

[cccthats3cs 14]

I was digging around CourtListener RECAP - a free archive of US court cases containing some public court records from PACER that have been uploaded to it by CourtListener RECAP users - and decided to search for AirVPN.
I found several hits in the case United States v. Klyushin (https://www.courtlistener.com/docket/61629108/united-states-v-klyushin/) and the very basic gist of this case is that Klyushin was convicted of hacking into a few financial firms to do insider trading.
If you go to the CourtListener page linked above you can access all the PACER court documents that have been uploaded to RECAP. Just to clear up any misunderstandings these are all public federal court records that have been freely made available through RECAP.

The most interesting of the documents from the case is #183 (https://www.courtlistener.com/docket/61629108/183/united-states-v-klyushin/) which is a transcript of day 4 of the jury trial. (PDF attached to this post.)
Within this transcript it is stated:
1. IP address 185.228.19.147 (incorrectly said 288 here, but 228 elsewhere) belongs to DediPath, and was used by AirVPN (pg. 132).
2. A "pen register" or "trap and trace" was placed on this IP address which is a "caller ID of who is communicating with that IP address" (pg. 133).
3. The pen register was authorized by a federal judge (pg. 133).
4. The pen register was active on that IP address from January 28th, 2020, to February 23rd, 2020 (pg. 135).
5. The pen register records were from DediPath, the transcript does not state any involvement or knowledge by AirVPN (pg. 138).

Document #217 (https://www.courtlistener.com/docket/61629108/217/united-states-v-klyushin/) is a transcript of day 9 of the jury trial. (Also attached to this post.)
It provides confirmation of point 5 above and offers more detail on what the pen register captures:
1. The pen register was "sent to the company that hosted the destination IP" meaning DediPath directly (pg. 38).
2. The pen register captured headers only, meaning timestamps of packets, inbound and outbound, and directionality, but not any content of packets (pg. 38-39).

This is quite interesting as I have seen this sort of tap hypothesized as something that could be used to log VPN servers, without the provider's knowledge (no matter what provider) - but up until now I was only aware that it was possible, not that it had actually been done.

gov.uscourts.mad.232574.183.0.pdf gov.uscourts.mad.232574.217.0.pdf

[Staff 9972]

Hello!

@cccthats3cs

Thank you very much, those documents are interesting indeed.

All the matter is indeed a risk which we warned our users about according to their threat model since AirVPN's birth. The described investigation techniques may be instrumental to bring to justice criminals without enforcing provider to blanket data retention, and therefore they show once again the correctness of the Court of Justice of the European Union which forbade repeatedly EU Member States to oblige any ISP to perform blanket data retention. We're also pleased to see that

1. AirVPN made no technical mistake instrumental to the suspect's incrimination and that
2. a "trap and trace" device had to be physically installed outside AirVPN servers

Unfortunately the same methods might also be used by powerful crime organizations or agencies of regimes hostile to human rights to find out and suppress activists, "dissidents" and limit freedom of expression and information.

For this reason we wrote extensively about how to defeat easily such powerful adversaries (provided of course that your system is pristine, not compromised, an essential pre-requisite). In 2012 we published this for example:
https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?tab=comments#comment-1745

Multiple times we warned about the danger of "black boxes" and it's not incidental that "OpenVPN over Tor", for example, has been implemented in our mainstream software since 2011 or 2012 and it is advertised in the home page while Tor is also listed in the "Download" > "Other technologies" section.

Kind regards