Recently an Australian radio program (Hack) through the Australian Broadcasting Company reported on a user who was served with a copyright infringement notice whilst they were using a VPN. To better explain how this occurred, I am going to explain how a VPN works, and then recommend some tips and alternatives to prevent this from happening to you too.

For the record: we do not condone the piracy of movies, television shows, applications, or basically anything which holds a copyright notice. Copyright infringement is extremely hurtful to international economies and is rumoured to cost many, many billions of dollars across international money markets. That, and some pirates pack their applications with malware... not worth the popups for a free DVD ripper, is it?

First of all, the user in the Hack story was using VyprVPN, which is usually provided as a free bonus for users who sign up for Giganews Usenet access. VyprVPN is actually quite a slick application with varying levels of control for setting the encryption strength and speed of connection. But it is worth pointing out here that this only encrypts the connection between your home computer and VyprVPN's servers. Once your connection transits beyond VyprVPN it is no longer encrypted by the VPN, unless you are using another layer of encryption like Tor or another VPN (VPNs in VPNs in VPNs).

It was this decrypted data across the Internet which attracted the attention of copyright holders, who then submitted a DMCA notice to VyprVPN (being the owner of the IP address being used to download / upload copyrighted content). VyprVPN then forwarded that infringement notice to the user, through their registered email address.

VyprVPN maintain that they do not keep logs of their users' activities; however, they apparently retain enough data to pinpoint a user from their assigned IP address. This raises an interesting concern for VyprVPN users... how long does VyprVPN maintain this data, and how susceptible are VyprVPN to forwarding malicious or speculative notices to their connected users for unsubstantiated breaches?

For example, now that we know VyprVPN have set a precedent for forwarding violation notices, can a copyright holder lodge a DMCA notice against ANY VyprVPN IP address and hope for VyprVPN to forward it to the protected account?

Another interesting scenario: a malicious actor looking to blackmail a legitimate user may use this mechanism to deliver a socially engineered DMCA notice to a party. That party may be forwarded the notice via VyprVPN (adding to the legitimacy of the email), prompting the end-user to action the email contents.
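
The concern raised above, that connection metadata alone is enough to tie a notice to an account and that the retention window decides for how long, shown as an added example (not from the original story and not VyprVPN's actual system). The record layout, account names, IP addresses and dates are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical connection-metadata records of the kind
# a provider could hold without logging any traffic or sites visited.
SESSIONS = [
    {"account": "user-a@example.com", "exit_ip": "203.0.113.10",
     "start": datetime(2020, 3, 1, 19, 0), "end": datetime(2020, 3, 1, 23, 30)},
    {"account": "user-b@example.com", "exit_ip": "203.0.113.10",
     "start": datetime(2020, 3, 1, 22, 0), "end": datetime(2020, 3, 2, 1, 0)},
    {"account": "user-c@example.com", "exit_ip": "203.0.113.11",
     "start": datetime(2020, 3, 1, 20, 0), "end": datetime(2020, 3, 1, 21, 0)},
]

def purge(sessions, now, retention):
    """Drop records whose session ended more than `retention` ago."""
    return [s for s in sessions if now - s["end"] <= retention]

def attribute(sessions, notice_ip, notice_time):
    """Return the accounts that were connected via notice_ip at notice_time."""
    return sorted(s["account"] for s in sessions
                  if s["exit_ip"] == notice_ip
                  and s["start"] <= notice_time <= s["end"])

def handle_notice(sessions, notice_ip, notice_time, now, retention):
    """Classify a notice against the records still retained.

    'unique'         -> exactly one account matches the IP and timestamp
    'ambiguous'      -> shared exit IP, several accounts match
    'unattributable' -> nothing matches (records purged, or a speculative
                        notice naming an IP/time nobody was assigned)
    """
    hits = attribute(purge(sessions, now, retention), notice_ip, notice_time)
    if not hits:
        return "unattributable", hits
    return ("unique" if len(hits) == 1 else "ambiguous"), hits

if __name__ == "__main__":
    now = datetime(2020, 3, 3)
    for ip, when in [("203.0.113.10", datetime(2020, 3, 1, 20, 0)),
                     ("203.0.113.10", datetime(2020, 3, 1, 22, 30)),
                     ("203.0.113.99", datetime(2020, 3, 1, 20, 0))]:
        print(ip, when, handle_notice(SESSIONS, ip, when, now, timedelta(days=30)))
```

A provider that checks notices this way can refuse to forward any that fall in the `unattributable` or `ambiguous` cases, and a shorter retention window shrinks the period in which any notice can be matched at all.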

So what about those recommendations? Well, it is not that expensive or hard to build your own VPN server which can be hosted remotely; it would cost far less than the alternatives, be much more secure, and be less prone to detection by copyright holders and to rate-limiting by your ISP.