Fake Subpoenas to test the validity of a VPN's (or any company that claims no logs) no log policy?

Discussion of OpSec, Threat Models, Protection, Assessment & Countermeasures.

While the focus of this community's OpSec discussions may center around DarkNet (DN) activity, all members of this sub are encouraged to think about, discuss, and share ideas relating to OpSec.

I am very curious as to why this is not being done. I have a suspicion that the only checks some companies do to ensure the subpoena is coming from a real law enforcement officer would be that the email comes from a government domain that matches that of LE and the subpoena looks close enough to a real subpoena. You can find many subpoena templates on the internet.

This could help weed out bad VPNs that don't stay true to their policy.

I often have bad theories, so please tell me why this would not work

Hehehe. Most of the plebs here don't even know what EDRs are, so I doubt they'll try to do it to vpn companies.

I tried it on mullvad, and they said they didn't store data.

It would be interesting to pressure the server providers or data centers. I've tried it and they refereed it to the VPN provider and there I was told "no logs" too.

It's possible that they just figured out you were not actually law enforcement.

So I wouldn't use this method as a way to ensure that your VPN provider doesn't keep logs.

But if any VPN does fail this test, then that's a VPN you shouldn't go anywhere near lol

Not saying that others have not done it. But over the years I've been served. Once from the feds chasing one of my clients, they used PDF email and phone calls. Another time it was when working for a company and all their locations were served, each one by an agent in person, accompanied by a search warrant (we should have told them to fuck off because they were only "administrative subpoenas"). Any VPN company worth more that $12.43 would simply give this fake subpoena to their attorney who will then immediately know it is fake and he would report it to the feds; who would have a good laugh at you listing contact information for a response so they use it in the new case they will be filing. The subpoena would have to be issued by a court clerk, requested by an attorney. It would be a "subpoena duces tecum" meaning it would ask for materials or documents which are relevant to a legal proceeding.

The VPN company would know it was fake but might reply just because they know full well you are just fishing so they throw you a company-line worm to chew on.

But you have to remember companies like to cut costs on essential things so that they can make maximum profit. After receiving a few subpoenas, they might think they are in a position to identify real from fake subpoenas without the aid of an attorney anymore.

Also the only way that I imagine an attorney could identify a fake subpoena would be by using their legal contacts or legal access. There might be some governmental website out there, only accessible to lawyers and with the correct subpoena identifier they can search up that particular subpoena to check it's valid.

I'd think that at minimum they would simply call the clerk of the court who issued the subpoena.

Me personally my opsec (and others opsec should be too) has got too the point that even if the vpn company I use was to keep logs they would only get a 50 mile radius of my location

No.... not if they send a subpoena to your internet provider.

Replying to /u/SexyPenguin (dreads reply Captcha is blank) No they wouldn't get my info, because I don't use my own Internet service provider

You can still solve the captcha if it's blank.

If you're using someone else's wifi connection, they still get the general location within, what? half a block?

Again your assuming im using my neighbors wifi connection or a building nearby. Its more complicated than that, would want to discuss it for opsec reasons.

You're either using wifi or ethernet.

You don't have a mile long cable, so you're using wifi.

Wifi can only go so far.

LOL, not even with cialis.

/d/OpSec

Comments (13)