17

If I am using a VPN service to protect my identity, can my traffic be used to identify all my traffic?

For example, if I am accessing two services:

  1. Some service A, where I do not leave any identifying information.
  2. My personal E-Mail account.

Can someone find a relation between (1) and (2), such that he will be able to tell that both are accessed by the same person?

Naively I would think that it is impossible and someone would at most be able to tell that I am using a VPN provider to access my E-Mails, without knowing about (1).

But perhaps my computer, browser or something else leaves some kind of signature in the data, which would enable someone to find a relation?

VPN Monkey
  • It's difficult to answer this question with 100% certainty... without knowing additional details about the type of VPN. In the most common VPN technologies, (ipsec+l2tp, pptp, openvpn, etc...) the default behavior is that ALL traffic is routed through your VPN gateway... meaning that ALL traffic generated by your workstation appears to come from the remote network. So, accessing your email or accessing work-related stuff is all the same thing. Some VPN technologies only route connections to a very specific application (sslvpn) to the remote network. Some config options can change all. – TheCompWiz Jul 30 '12 at 21:32
  • While not directly VPN related, encrypted traffic can be statistically analysed to identify the type. Theoretically, you could link traffic patterns and behaviours in this way (adjusted for encryption overhead) This link: http://caia.swin.edu.au/reports/090914A/CAIA-TR-090914A.pdf is from a uni lecturer who specialized in telecom interception. Interesting read. – NULLZ Mar 05 '13 at 05:13
  • Use a prepaid debit card with no name - you can find them anywhere - and pay for the VPN with that. Use 3G internet sticks with a prepaid internet SIM inside, and charge it with cash at designated stores. That's max anonymity - even if they trace your IP, it doesn't give them any name or address. After a while, throw the SIM away and buy a new one. Does anyone see any setback with that? – preston Oct 13 '13 at 12:03
  • @preston - Having done radio direction finding, I can tell you it only takes minutes. And all th – Everett Dec 22 '15 at 03:22
  • @Everett And if the dongle is modified to use a directional LTE antenna, then how long? – user400344 Mar 04 '17 at 22:06
  • @user400344 Directional antennas aren't null in the "off" direction. They are reduced. You might even be able to get down in the noise. Then it's an issue of finding you down there, isolating the frequency... And back to triangulation. You'll slow people down, but it isn't impossible. And with today's signal analysis (look at what nVidia RTX cards can do), you've only added a minute or two of work. – Everett Jan 30 '21 at 20:32

8 Answers

18

This depends on whether you are worried about being convicted, or dealing with probable cause (in the U.S.).

Let's assume that you are at home. You start up your VPN and connect to your offsite VPN provider. If I am monitoring outgoing traffic (from your house), I know that you just connected to a certain IP address, and that the IP address is a VPN provider. Everything inside the payload of the packet is encrypted.

You then decide while at home, to check your email. I happen to be monitoring outgoing traffic from the VPN provider (which is not encrypted). I record it all using snort, and run Wireshark against the output. I see a connection to your email address and an email written. This may be protected by SSL if it's webmail. If it's regular email, it's likely plain text. If it's not plain text, I can try to intercept it at the receiver. The email is of no legal significance (i.e. you aren't using it to plan something unlawful). However, I make note of the fact that you confuse the use of their, there, and they're. I'll also notice a few idioms you like to use.

Over the course of monitoring outgoing traffic I see your account write several emails. I note patterns of misspellings, and more figures of speech. I collect these over a period of a month or two.

I then put the items that I notice into Wireshark. I add several things that you are known to say. Every time a misspelling occurs, or the use of an idiom (that you use) is found in the content of ANY packet that is outgoing from the VPN service you use, I view it.

Given another month or two I have a lot of data points. Some are sites you went to, others are not. The first thing I do is eliminate all of the data points that exited the VPN service provider while you were NOT on line (i.e. I didn't see you online from home, remember I started by monitoring that connection).

Then I look at the remaining traffic and see if I have any cluster points. Lots of recurring themes. Same subject matter over and over. I compare that to your unencrypted traffic, and your email.

I haven't applied enough filters to isolate you from the noise (people that use the same idioms/spelling errors you do), but I would have a good case for probable cause. If I have enough points of reference, it is just like a fingerprint.

Essentially I'm applying a Bayesian analysis to a corpus of work, to state something about the likelihood that I believe an exemplar to be a member of the set constructed by my suspect. The collection of works that I would compare to comes from any work that the suspect has publicly acknowledged they are responsible for. That analysis is well-known (and there's a whole statistics StackExchange site, too).

I'll let you answer, what would I come up with at this point?

Everett
6

Well this is very possible with datamining, I worked on a project related to the MIT Reality mining project.

In the reality mining project people were trying to find relations in behavior of people. Once you have a baseline of recurring or typical behavior of a user you can identify him with a certain certainty and this without looking to who the device belongs or what number he's using.

We were able, by just looking at a number of factors (I can't disclose which in particular, but we at least used the ones present in the reality mining project), to say with a certainty of 95% that person X is probably John Doe.

Now this principle can be applied to any type of information where you can analyze people's behavior. This means we can probably apply it as well when you are connecting from a VPN.

Datamining is used more than you think.

You also say stuff about using a certain browser. Now there was a project as well (https://panopticlick.eff.org/) where analysis was done on what the browser discloses about itself. This was also rather unique per person (plugins, user agent data, ...). Behavior analysis is big business these days and probably one of the scariest things out there :)

Senkaku
Lucas Kauffman
4

Sure. There are many ways that someone might be able to draw such a connection between your two accounts.

One simple way: they send you an HTML email with a link or inline image, that's hosted on the same domain hosting service A. When you click the link or load the inline image, your browser connects to domain A. If you've visited service A recently, your browser may still have a session cookie for your session with service A. So now service A learns the connection between your email address and your account on service A. Read about "web bugs" for more.

Preventing these kinds of identity linkages is challenging. Depending upon the level of anonymity required, the simplest way may be the following: when you want to use service A, boot into a LiveCD running Tor and access service A. While running Tor, use only service A, nothing else. While booted into your normal OS, never access service A. This keeps your "secret life" and your "public life" separate.

D.W.
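A defensive check for the "web bug" linkage described in the answer above, as an added example that is not part of the original answer: it lists the remote hosts an HTML mail would contact, on render or on click, that fall under a domain you want to keep separate from your mailbox. The function names and the sample message (with `service-a.example` standing in for service A) are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a mail client fetches automatically when rendering.
AUTO_LOAD = {("img", "src"), ("link", "href"), ("iframe", "src"),
             ("script", "src"), ("body", "background")}

class RemoteRefs(HTMLParser):
    """Collect (host, kind) for every remote URL in an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlsplit((value or "").strip()).hostname
            if not host:
                continue  # cid:, data:, mailto: and relative references
            if (tag, name) in AUTO_LOAD:
                self.refs.add((host, "auto-load"))
            elif (tag, name) == ("a", "href"):
                self.refs.add((host, "on-click"))

def linking_hosts(raw_message, sensitive):
    """Remote hosts in the mail's HTML parts that fall under a sensitive domain."""
    parser = RemoteRefs()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return sorted((h, k) for h, k in parser.refs
                  if any(h == s or h.endswith("." + s) for s in sensitive))

# Constructed sample; service-a.example stands in for the page's "service A".
SAMPLE = """\
From: someone@mail.example
To: me@mail.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi!</p>
<img src="https://img.service-a.example/p.gif?id=42" width="1" height="1">
<a href="https://service-a.example/offer?u=42">offer</a>
<img src="https://cdn.other.example/logo.png"><img src="cid:logo">
</body></html>
"""

print(linking_hosts(SAMPLE, ["service-a.example"]))
```

An "auto-load" hit is the case that links the two identities without any click; disabling remote content in the mail client removes it, while "on-click" hits still depend on which browser profile opens the link.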
1

Chances are they may not find the connection between these 2 accounts, if you really do not leave any trailing mark using the 1st method.

However, the website may know that you are behind a proxy. It is also very subjective, and very much depends on the VPN configuration and also on whether the VPN's IP has already been spotted and flagged. This could easily be determined by checking it against a few proxy detection lists, such as https://www.fraudlabs.com/demoip2proxy.aspx, and so on. Check a few to get an accurate result, as different providers have different data lists.

Furthermore, try not to use email to communicate, as it can easily be traced back using the email header.

Chris
1

I really question how secure the VPNs are. Even if your VPN provider won't log you, your DNS, ISP providers can still track you. I would certainly not use Hidemyass. Sep 2001, FBI arrested Cody Kretsinger, a core member of LulzSec for hacking into the Sony Pictures website. London based VPN provider Hide My Ass (HMA) appears to have played a vital role in Kretsinger’s arrest. It doesn’t take too much imagination to see that VPNs can also be used for outright illegal activities, copyright violations and hacking for example. All VPN providers know this and, while their terms and conditions always state that their services are not to be used for illegal activities, they derive a portion of their revenue from users who signed up for just that purpose, something all VPN providers are aware of. If a provider does not log your IP address and does not log your activity while using their system, how would they be able to investigate anything? Even if they tell you that they won't keep logs, can you really trust them? I just don't think using VPN service to protect your identity is going to work.

user12457
1

Yes, it is very possible.

A VPN can hide your "real" IP address, so e.g. someone monitoring a bittorrent swarm would have to send a notice to your VPN provider, instead of your real ISP.

You still have an IP address at the VPN end. If you visit service A, and your personal email provider, they will see the same IP address. If they share data (or a third party such as the government obtains data from both), service A can associate the visits from this IP address with your email address. This works the same with and without the VPN.

Unless they do NAT. But that would tend to break bittorrent. So they won't.

If you use TOR instead, you'll get something equivalent to NAT - because multiple TOR clients use the same exit node. It's supposed to change exit nodes every ten minutes. And they're serious about the browser-side privacy problem as well; there's a convenient TorButton extension for Firefox (and a downloadable bundle of the two).

sourcejedi
  • So that you're aware, TOR has been hacked: http://www.zdnet.com/blog/security/hacker-builds-tracking-system-to-nab-tor-pedophiles/114 – Everett Dec 06 '12 at 07:29
  • Hmm, yes, that's a general caveat to TOR that I didn't mention. It's securable for online banking, webmail (you use https, right? - and facebook may prompt you to do the same nowadays)... "mixed" (unencrypted) content, not so much. So not really suitable for Windows users, hmm. (E.g. the standard way of installing Firefox is from http...) – sourcejedi Dec 07 '12 at 16:38
  • The problem is, that the solution of using HTTPS does NOT fix what has been broken. TOR was an anonymizer. No one could prove you were accessing a location from a location. Even with HTTPS enabled, you can still see source and destination. All TOR will do is slow down your connection while not providing any security whatsoever. You may as well run HTTPS in a standard VPN tunnel provided by any VPN service out there... It'll be faster. – Everett Dec 07 '12 at 21:06
  • "inject a little extra HTML code into the response going back to the Web browser". HTTPS. One of us is missing something here. (Note that I conceded "securable" not "secure", and that this meant Tor was probably unsuitable for most users, and hence the OP). – sourcejedi Dec 09 '12 at 10:14
  • That is the browser which is "hacked", and those bugs are always quickly fixed. Tor itself does not have any known issues which result in deanonymization unless an adversary can monitor every possible relay. – forest Apr 05 '18 at 02:36
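The shared-exit-IP point from the answer above, as an added example that is not part of the original answer: for each visit to service A it computes the anonymity set, meaning the mail accounts seen from the same VPN exit IP within a time window. A set of one is the linkable case the answer describes; a larger set is the cover a NAT-style shared exit gives. The log layout, function names and all log entries are constructed, and the addresses are documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def anonymity_sets(service_a_log, mail_log, window=timedelta(minutes=30)):
    """Map each service-A visit to the mail accounts seen from the same
    exit IP within `window` of the visit."""
    by_ip = defaultdict(list)
    for ts, ip, account in mail_log:
        by_ip[ip].append((datetime.fromisoformat(ts), account))
    sets = {}
    for ts, ip, visit in service_a_log:
        t = datetime.fromisoformat(ts)
        sets[visit] = sorted({acct for when, acct in by_ip[ip]
                              if abs(when - t) <= window})
    return sets

def linkable(sets):
    """Visits whose anonymity set has exactly one member."""
    return {visit: accts[0] for visit, accts in sets.items() if len(accts) == 1}

# Constructed logs: (timestamp, VPN exit IP, identifier).
# 203.0.113.7 models a per-user exit IP, 198.51.100.9 a shared (NAT) exit.
MAIL_LOG = [
    ("2024-03-01T21:00:00", "203.0.113.7", "alice@mail.example"),
    ("2024-03-01T21:05:00", "198.51.100.9", "bob@mail.example"),
    ("2024-03-01T21:10:00", "198.51.100.9", "carol@mail.example"),
    ("2024-03-02T09:00:00", "203.0.113.7", "dave@mail.example"),
]
SERVICE_A_LOG = [
    ("2024-03-01T21:12:00", "203.0.113.7", "visit-1"),
    ("2024-03-01T21:15:00", "198.51.100.9", "visit-2"),
    ("2024-03-01T23:30:00", "192.0.2.44", "visit-3"),
]

if __name__ == "__main__":
    sets = anonymity_sets(SERVICE_A_LOG, MAIL_LOG)
    for visit, accounts in sets.items():
        print(visit, accounts)
    print("linkable:", linkable(sets))
```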
0

It really depends on your VPN provider.

For example, the vast majority keep logs of what IPs are assigned to what user - so really it's no different from connecting to your ISP apart from the fact that the computer to VPN provider's traffic path is encrypted. If for example IP aaa.bbb.ccc.ddd was responsible for illegal actions a court order could retrieve the logs from the VPN, see it was registered to you, along with whatever other information they are logging about your traffic habits.

Now some claim they don't hold logs, and perhaps use features such as shared IPs to make this harder, and give each user on the shared IP plausible deniability that they were the party responsible for the traffic at the time of the incident. This makes it a lot harder to trace your traffic, and then it falls back on secondary analysis such as what was provided by Everett.

So in a world where VPN providers don't lie about their logging, it's possible to remain relatively anonymous (don't forget Everett's method only really picks up things unique to you, if I simply browsed a site and didn't interact it's not identifiable via this method). Saying that I certainly wouldn't trust it to the point of doing anything naughty. For example - http://www.informationweek.com/security/privacy/lulzsec-suspect-learns-even-hidemyasscom/231602248

Peleus
0

What about this scenario: 1. Go to an internet cafe, Starbucks, whatever, and connect through Hotspot Shield as VPN (free version). 2. Bring up the Tor browser from inside your TrueCrypt-encrypted partition. Now engage your BitTorrent client and download to your encrypted TrueCrypt partition.

But the main problem as I see it with paid VPNs and companies like Webroot Anonymizer is that they will all have your name and address when you pay them through your credit card. So how is that ever going to be anonymous? Obviously they will submit your info and any logs to any federal subpoena.

Clearly free VPNs like Hotspot free won’t know who you are if you’ve downloaded from an internet café and gone to another café to set it up and use it.

As long as you’re paying in cash then how would they know? After all, if it could be traced it would be the internet café ISP and IP that would come up.

  • Would you please care to proofread your answer and edit for grammar, spelling and formatting? In its current state, it is rather painful to read, and looks like some quality ingredients kitchen disaster. Thanks! – TildalWave Jun 02 '13 at 12:35
  • Pay cash for a reloadable credit card. Set the address to a legitimate one anywhere in your country. Don't use the credit card to order goods shipped to your house. Don't give your real name. Just a thought? – Everett Sep 20 '13 at 21:09