Here’s what I gather from the released documents:
The FBI started with the suspect and worked backwards. This isn’t a situation of PureVPN giving up customer IP addresses
No VPN provider is going to go to jail over the illicit use of its services by its users. It’s quite possible that prior to the FBI knocking on their door, they didn’t keep logs. I’d imagine the following scenario:
This is exactly why people should use Tor before connecting to a VPN and not the other way around. Tor hides you before you connect to an entity that can be coerced to hand over identifying information to law enforcement. But, hey, I could be completely wrong.
This is a little tangential but I have to ask…
What do you gain by going home → Tor → VPN → internet instead of going home → Tor → internet? In the latter you have one place (home) which all your connections pass through where a wiretapper could correlate them and glean information about what you are doing from the timing information about how many packets you send when. In the former, you have two (home, VPN). This seems like a net-loss of privacy?
home → Tor → VPN → internet
home → Tor → internet
There’s only two reasons I’d use a VPN for while behind Tor: to gain UDP support, which Tor lacks; or to ensure that my traffic appears to originate from a certain geographic area.
The VPN (before TOR) can hide TOR traffic.
If I remember correctly, in one case of a false bomb threat a suspect was pinned because they were the only ones on the whole school using TOR. That is, the metadata of using TOR can turn you into a suspect, as it’s not a popular service and TOR usage is scarce.
I’m curious about the other way around. How can you connect to a VPN after connecting to TOR? Routing all your traffic throuth TOR using a SOCKS proxy?
So if I’m not mistaken, a full setup (with drawbacks of course) could be:
home -> vpn (hides tor usage) -> tor -> vpn (allows UDP and hides exit node IP)
Some sites don’t allow traffic from Tor exit nodes - routing through the VPN works around that. It also avoids the constant Cloudflare CAPTCHAs. And as @lattera said, UDP support. Some Freenet users use an anonymous VPN, via tor, to hide their IP and Freenet is UDP only.
A VPN with more foresight could instead use a warrant canary to let its users know whether the FBI may be keeping logs.
We looked in to this for our privacy focused VPN service for the higher education and research sector in the Netherlands. Unfortunately, the legal status of warrant canaries is unclear at best. When a intelligence agency (most have quite far-reaching powers) with jurisdiction and a legal ground compells you to cooperate, not updating the canary probably is a violation of the subpoena and/or gag order because there is no real legal difference between saying “We got a gag order!” and not saying something because you had a gag order.
Of course you can calculate the risk and potential consequences when deciding whether a warrant canary would be a good idea or not. Maybe the use of a warrant canary is worth much more to you/your organization than the potential risks of not complying with gag orders.