[kwanbix]

One thing that I always wondered from VPNs.

Let's say a pedophile uses Mullvad to get forbidden images, isn't the VPN liable?

I mean, the law enforcement will see that the IP was from Mullvad's office, so I assume they are the ones doing it? How do they avoid this?

It is a real doubt. Maybe stupid, but real.

[madspindel]

Mullvad actually got raided by the police in a similar case, described here: https://mullvad.net/en/blog/2023/5/2/update-the-swedish-auth...

> However, had they taken something, it would not have given them access to any customer information.

> These are the national laws that makes it possible to run a privacy-focused VPN service in Sweden:

[jameskilton]

I am not a lawyer, but my understanding is that this generally falls under Section 230, as you can make the same argument about Comcast, AT&T, et.al. who lets the bytes go over their infrastructure.

[kwanbix]

But the difference is that Comcast, AT&T, et.al can say, jameskilton was using this IP. The VPN is saying, I don't know.

[nwellnhof]

That's only a problem if the VPN is in a jurisdiction with data retention laws: https://en.wikipedia.org/wiki/Data_retention

[hollander]

What if you get the same IP time and again?

[dylan604]

All this would do would be to lead the investigation to get a warrant/subpoena to have the VPN service provide user details about the account and anything else relevant like logs. This is where the "we don't log shit" bullet points comes into play as well as running only from RAM. If the warrant allows for removal of hardware, all data is lost once power is removed. LEOs would have to bring lots of batteries.

[throwmeaway2232]

or liquid nitrogen. https://en.wikipedia.org/wiki/Cold_boot_attack

[nerdbert]

They're going to freeze the whole data center? It's rack after rack of machines that the traffic could have passed through, right? And if they're not logging IPs to RAM then they only have a fraction of a second to get the right one before the register is overwritten with the next user's info.

[mlyle]

You do need to know where to send the user's return traffic, so you'll need a table ultimately comprising mappings of network flows to end-user addresses. Of course, once the flows close you don't need to retain this information. In practice, you'll also need information about all currently-open VPN sessions.

[bgm1975]

If the feds have physical access and considering the high likelihood that these are VMs and not physical, it would be a whole lot easier to get the hypervisor to just snapshot the VM w/ its memory and perform forensics against that file(s).

[Dennip]

They don't avoid it - which is why they were raided by the police at one point and why they're no longer offering port forwarding

[manishsharan]

and then suppose you login to that VPN and are looking up children's sweaters for your kids and keep the session on .. while law enforcement is looking up the ip address associated with the earlier activity which is now assigned to you . Good luck explaining to the the cops about VPNs and IP addresses.

This is my fear.

[dspillett]

You are not going to be the only person appearing to come from that IP address – many will likely be NATed through it.

The more significant concern is if you are the other side: if you deliberately run some sort of VPN or other proxy that others can use, or less deliberately do so. Many hacked or otherwise suspicious browser add-ons, and other malware, will make HTTP(S) requests & other connections on behalf of their C&C hosts and to your ISP or anyone else those requests will be largely indistinguishable from those that are the result of your activity.

[x86x87]

Who enjoys privacy when we can all live in fear?

You need a VPN that actually cares about your privacy and goea the extra mile to ensure it. On top of that if the VPN service does not know who you are how can they actually tell the cops. On top of that you don't need to explain it to the cops - if you are ever accused this should be done in a court of law where we understand what ips are (heck, even some cops understand it - it's not exactly rocket science nowadays)

[flkenosad]

You don't have to explain anything to cops. You explain it to lawyers and judges.

[dylan604]

You actually shouldn't even say anything to the cops. If they show up with a warrant for arrest as well as search, you're going to jail no matter what you say. If they show up with just a search warrant, they are going to take whatever they want to take whether its outside the purview of the warrant or not. It will be up to a lawyer to convince a judge it was out of scope at a later date after it has already been taken. You will never convince a team of cops that their warrant is wrong when they show up. The only chance you have is if you're uber criminal and have your attorney present when they arrive.

[mrweasel]

> You actually shouldn't even say anything to the cops.

Unless you're in the UK, in which case: "You do not have to say anything. But it may harm your defense if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."

[dylan604]

As a Yank, that line always felt odd when watching BritCop dramas. How is the alleged meant to know the specifics of a defence when the full charges haven't even been levied, or how is the alleged meant to read the mind of a lawyer? It just feels like something rigging the system

[dspillett]

And the court of public opinion. By the time lawyers and judges are involved, unless you are very lucky, your name and photo is all over the tabloids. Any retractions published when you are later found completely innocent will be the equivalent of a column inch or two on page 17.

[WendyTheWillow]

Simply not an issue for nearly everyone.

[ThePowerOfFuet]

Until it happens to you.

[WendyTheWillow]

No, even if it happened to me it would not be relevant for the vast majority.

[hiatus]

Maybe if you live in Florida.

[darreninthenet]

IANAL but my understanding of current case law is that it IP address does not automatically mean a particular person.

[Obscurity4340]

Pretty sure if they live by themself and nobody else comes into their dwelling and there is no other name attachef to their subscriber info it does

[darreninthenet]

Nope... wardriving? Spoofing? Too much uncertainty to convict with. Basis for a warrant on the property? Yes, probably.

[mrweasel]

What if they are on cellular and that hasn't been upgraded to IPv6?

Years ago I handled fraud cases for an e-commerce site with local police, at some point they started asking for IP and port numbers for the offenders, rather than just the IP. Turns out that one of the cellular phone providers had basically run out of IPv4 addresses for their 4G network and did some NAT solution. If you didn't have the port number the client had connected from then they could only tell you which cell tower had been used, not who the customer was.

[Obscurity4340]

Do you know if there's a guide about all the ipv4/6 stuff and optimal internet settings for Mac or more high-level generally?

[14]

Definitely not. I still am logged into my ex girlfriend wifi so if I wanted to harm her I could easily go stand outside her home at night and download malicious files. That would not make her guilty. They may investigate but that is not proof she did something unlawful.

[Obscurity4340]

That's remarkably—err, trusting—of her to not like change her WiFi password after finishing up with you. Yikes

[uxp8u61q]

Case law in what country? Mullvad is Swedish, are you knowledgeable about Swedish case law?