As I wrote in July, OVPN received a court order from the Rights Alliance (RA) at the request of AB Svensk Filmindustri and Nordisk Film A/S. RA wants to know which user was allocated a specific Public IPv4 address, at a specific time. Furthermore, RA wants to know the name, address, payment information as well as how long that specific user account was a paying subscriber to OVPN.
To be clear, OVPN can not provide the requested information as there are no logs related to which customer was historically allocated a specific IP address.
The case is still ongoing as we have sent responses back and forth throughout the summer. A final decision from the Patent and Market Court (PMC) should be received in September. However, a lot of interesting things have transpired so far, which I believe are worth mentioning.
OVPN won the application for security measures
However, the Rights Alliance did not give up after this, but has continued its demands that OVPN is lying and that we must have the requested information. Neither PMC nor OVPN probably thought that RA would continue to argue the same line for two months.
The rights alliance creates its own evidence
The Rights Alliance is "run by independent consultants," but it's Sara Lindbäck who's representing them in their case against OVPN. In one of the statements, she cites her colleague Anders Nilsson's PM as evidence:
Further information on how the VPN service and the static IPv4 service work and what information should be available for the service to function properly, appears in the attached PM, appendix 12, which is invoked as evidence.
We oppose that RA writes a text and claim that as evidence. Our lawyer, Michael, responded beautifully:
With regard to the memorandum referred to as "evidence", it is noted that - as previously submitted memorandums - it was written by an employee at the Rights Alliance, ie. the applicants' representatives. In OVPN's view, this is to be seen as a supplementary submission to the Applicants rather than evidence.
In any case, the submitted PM is speculative and vague regarding the requested information and it only states that OVPN "reasonably" has such information as its system "likely" works in a certain way. It also appears that the person who wrote the memorandum does not know “exactly how OVPN's payment system works ...” Thus, the document, even if it were to be considered evidence, still lacks evidential value in relevant respects.
The Rights Alliance requests more information
Originally, RA wanted to know the name, address, payment information and how long the account has been a paying customer with us. OVPN does not ask our customers for name or address at all, so that information would be impossible for us to provide.
During the process, the Rights Alliance has changed its claim and now wants to obtain significantly more information about the account — namely "all the information they hold." We have drawn the Court's attention to the fact that, through this remark, they have significantly increased their scope which also raises GDPR concerns. We dispute this, even though we have no idea which account they actually want information about.
The Rights Alliance tries to use receipts as evidence
Regardless of your opinion about RA, one can't help but feel impressed at their creativity when they tried to use receipts as a method to identify the customer:
Even if storage is not carried out in accordance with the Electronic Communications Act, companies have an obligation to save invoices and customer information both in accordance with the Accounting Act and for tax reasons. [...] For the reasons mentioned above, OVPN must have information about who bought the service, which service is purchased, what the service costs and for how long the service is to be used.
OVPN is not the only VPN service that offers public IPv4 addresses and I think there is a good chance that this approach can be used on other VPN services to identify which customer has subsequently been allocated a certain IP address. However, it does not work on OVPN.
OVPN's receipts for Public IPv4 do not specify which IP address has been assigned, but only that a certain customer has paid for the service. OVPN's customers can also purchase subscriptions for several years at a time. This in itself constitutes an obstacle to even theoretically being able to link a service at a precise time to a specific payment. And to top if off, customers can also change the assigned Public IP address at any time.
The fact that we, according to the Accounting Act, are obliged to record business events and store receipts in a way that makes it possible to follow the course of a business, does not mean that we are required to or even should have specified on receipts which IP address a customer is assigned. It can be equated to McDonald's having to specify on the receipt which farm the meat on the hamburger comes from.
The rights alliance hires a security specialist
In RA's latest statement, they retain an external consultant who has written an opinion which RA again cites as evidence.
My name is Jesper Larsson and I work as a security specialist at the company 0x4A. My focus area in IT security is technical infrastructure where I work with penetration tests and as a security advisor.
Jesper speculates in the statement that it should be "considered extremely probable that the user or identity associated with the configuration is stored in a user database…"
Again, we dispute this and reiterate that their assumptions can not - despite the allegedly high probability - be taken for granted over OVPN's own claim. We understand Jesper's approach, but since he does not have all the information on how OVPN is actually run, he can only speculate.
The security specialist continues and state that “the user has configured his VPN account to point to the given domain. In order for this type of configuration to be possible, data about the configuration must be stored at OVPN at least during the time when the account is active,” which is a truth with modification.
First, such a DNS level configuration is done by the domain owner and not by OVPN. Namely, it is the so-called "A records" that are created with the domain provider that determine where a domain is pointing. No such configuration is made on OVPN's side at all. It is unclear whether the security specialist does not understand how DNS works, but the statement is simply not true.
The security specialist believes that we should be able to retrieve the requested information in our user database, or in backups of the user database. A backup of the database is in practice a copy of the current database at a given time. Such a backup can then give an idea of which username was allocated a specific Public IPv4 address at the time the backup was performed. With OVPN, backups are saved for a limited time and then deleted automatically. When OVPN received the information injunction and the request for security measures, the backup for the period requested by RA had already been deleted.
Last, but certainly not least, is the fact that the security specialist - three days after his remark in the Patent and Market Court - seems to have changed his position in a group conversation on Telegram. In the conversation, Jesper comments on our business. Jesper first states that he "/b/elieves that ovpn has clearly done a good job with its integrity and privacy."
He then clarifies that "/b/elieves that the account with the static address is not linked to any ounce of PII data that can be traced to any person or organization".
(screenshot of the conversation in Swedish)
PII is a term for Personally Identifiable Information about an individual.
The security specialist's statement in the group conversation thus seem to be in direct conflict with his conclusions in the statement to the court.
It will be exciting to see what the Rights Alliance now comes up with as their own expert agree that OVPN does a good job regarding integrity and privacy, and that he does not believe that there is any identifiable information to retrieve.
Note: all quotes have been translated from Swedish.