0

Given a nation-state has full access to the logs of the ISPs operating on its territory and given it knows that a certain activity has been conducted by a user from its territory, can they do the following:

  • when starting their investigation, they trace initially the IP to a VPN server in another country
  • then they identify all domestic IPs, that have communicated with that VPN server at the time of the activity and thus identify the user (or a small group of users).

Is this logic correct?

If this is correct, I'd say it is safer to use Tor than a VPN, as at least with Tor they have to go through all the users who were using TOR at that moment. With VPN, the chance is much smaller that more than one user was using a particular provider and was connected to exactly the given server of the provider at the precise moment.

schroeder
  • 123,438
  • 55
  • 284
  • 319
breeby
  • 1
  • 1
  • 1
    Yes, it is possible, even in case of Tor in some scenarios. See this answer: https://security.stackexchange.com/a/147411/26794 – buherator Jun 28 '18 at 08:33
  • 2
    Possible duplicate of [Could logless VPNs be traced?](https://security.stackexchange.com/questions/175179/could-logless-vpns-be-traced) – forest Jun 28 '18 at 10:17

1 Answers1

-1

The logic used in your question is correct.

In the example of a nation-state wanting to trace online activity back to a user it would be as follows.

  1. The initial communication will show the source IP address happening to be registered with a VPN provider.

  2. The nation-state will then contact the VPN provider via sending a subpoena,etc requesting the logs for the VPN server registered with the IP address identified in step 1. Depending on where the VPN server is located, and how the company operates they will either have to provide this information, or respond explaining they're unable to do so due to either, not storing any logs, or being out of the nation-states jurisdiction and not having to comply.

  3. In the event the VPN provider responds with the logs this will show potentially the true public IP of the user they're trying to trace. Which will be the IP address registered with that users ISP. It is at this stage the nation-state will follow a similar process to what was explained in Step 2 but with the ISP.

Generally in terms of operational security it is best to run TOR over VPN as they both have their pros and cons, but taking this layered approach is a much better option.

RT Security
  • 34
  • 2