CyberGhost VPN’s Quarterly Transparency Report — July, August, and September 2023

The better part of 2023 is over, which means it’s time for another edition of our quarterly Transparency Reports. Below we’ll present our data for July, August, and September 2023.

This time around, we noticed a considerable spike in requests, particularly in August. We hypothesize that this happens because of increased cybercriminal activity around that time as many companies reported cyberattacks and data breaches. 

Read on further a deep dive into our Q3 numbers and the steps we take to better our Ghosties’ digital privacy.

Legal Requests — Q3 Edition

This quarter, we received a total of 376,349 requests. This marks a 68% increase compared to our Q2 Transparency Report, when we totaled 223,104 requests. We noticed a similar increase the previous year in Q3 2022, when we received 173,044 requests and noted a 16% increase quarter-over-quarter.

As usual, we’ll break down that number into three categories, which are:

• • • • • Digital Millennium Copyright Act (DMCA) complaints  
        • Malicious activity flags
        • Police requests

A monthly breakdown of all requests looks something like this.

	July	August	September
DMCA Complaints	38,533	61,337	46,021
Malicious Activity Flags	77,797	106,109	46,552
Police Requests	0	0	0

This edition, we see that about a third of the requests we received are DMCA complaints, and malicious activity flags make up the majority.

The requests we receive ask us to disclose some form of personally identifiable information. Normally this pertains to IP addresses, browsing history, or connection timestamps. We don’t have any data to share.

CyberGhost VPN was built with Privacy by Design principles in mind. This means that we designed our service to operate without storing user data. We abide by a strict No Logs policy

DMCA Complaints

DMCA stands for Digital Millennium Copyright Act, which is a copyright law that protects intellectual property. We normally receive DMCA complaints from various copyright holders, including entertainment companies and independent artists. Through these, relevant parties signal that one of IP addresses has been used to distribute copyrighted material.

July	August	September
38,533	61,337	46,021

This time around, DMCA complaints make up 38.8% of all the requests we received. The number has gone up compared to Q2, when we counted 112,321 DMCA complaints.

We can also notice a sharp increase in DMCA complaints in August.

This doesn’t come as a surprise considering highly anticipated releases like Disney’s Star Wars: Ahsoka or Netflix’s One Piece were released in August. A lot of streaming platforms also added classics like Paddington or Spider-Man 2 to their catalogs. It’s likely most of the older titles are geo-restricted to certain markets, which caused people to rely on lesser reputable sites to catch up on the latest releases. This in turn, leads copyright holders to protect their titles and file DMCA complaints.

That said, it’s likely that people are turning to other means of viewing new titles and old-time favorites alike. It’s no secret that streaming platforms are becoming increasingly unpopular. Every major broadcaster is establishing its own paid streaming service, popular services like Hulu are increasing their subscription prices, and services like Disney+ are following in Netflix’s shoes to crack down on password-sharing.

This could be why we’re continuing to see this relatively high number of DMCA complaints in September when compared to Q2. However, with services like Google and Amazon Freevee continuing to launch free online streaming services, we might see these numbers go down in the future.

Malicious Activity Flags

We normally receive malicious activity flags from various registered entities. They signal that one of our IP addresses was used in a cyberattack. This could be anything from botnet attacks to DDoS attacks to automated spam.  

July	August	September
77,797	106,109	46,552

We received quite a lot of malicious activity flags this quarter, with the percentage sitting at 61.2%. The number more than doubled from the previous quarter’s 110,783. 

August leads by a margin yet again. In the cybersecurity world, it marked a very lucrative month for cybercriminals. Among prominent victims hit by cyber attacks in August 2023, we can recount:

• • • • • BPER Banca, Intesa Sanpaolo, FinecoBank , Popolare di Sondrio, and Monte dei Paschi di Siena (All Italian banks)
        • US hospital network, Prospect Medical Holdings
        • The UK Electoral Commission
        • The Police Service of Northern Ireland
        • Canadian dental benefits administrator, Alberta Dental Service Corporation
        • US meal delivery service, PurFoods
        • US retailer, Hot Topic
        • Instant messaging service, Discord
        • Language learning app, Duolingo

Our infrastructure team has been working to mitigate abuse on our network. The sudden decrease in September seems to indicate that the team’s efforts are successful. 

Police Requests

Since the beginning of 2023, we consistently received no police requests, a feat previously unseen for 10 years. This quarter is no different.

Normally, we would receive police requests from various law enforcement agencies and police departments around the world. This happens when a criminal investigation leads to one of our IP addresses. 

We received a request for user data like IP address or browsing history that would help identify a perpetrator. However, since we don’t store any user data, we’re not able to comply. We abide by a strong No Logs policy.

July	August	September
0	0	0

The numbers were fairly consistent so far, but only time will tell what the future holds.

Busy Does It

These past three months, we’ve been at it, working hard behind the scenes to improve our apps and our service. We aim to make CyberGhost VPN an all-encompassing cybersecurity tool to add to your arsenal of defenses against digital threats.That’s why we’re taking steps to ensure we tend to our Ghosties’ needs.

Our Bug Bounty Program Is Going Strong

Our Bug Bounty Program is a great way for us to connect with cybersecurity researchers from all over the world to ensure our service is in top-notch shape. We received 88 submissions this quarter, and 60 of these issues were unique. In total, 13 of these unique submissions were valid. The other 47 reported issues were either false positives, informational, or invalid.

We’re Taking Steps to Improve App Performance

Our software engineers are constantly looking for ways to enhance your experience with CyberGhost VPN, and these past three months they have been busy optimizing our apps’ performance. That’s why we released a few fixes for different platforms, like Windows, iOS, or Android.

In the upcoming months, we plan to add more functional enhancements to our apps, so stay tuned for updates!

We’re at the Front of Cybersecurity News 

Our Director of Product Marketing, Mihai Rida, weighed in on the dangers of public Wi-Fi networks for BFM, a French publication. We’re happy for every opportunity we get to inform various audiences of looming digital threats and offer online safety tips.

That’s why we’re excited when publications report on the research we do to determine how aware people are of cybersecurity matters. This time Fox 19 picked up on our survey on people’s knowledge about revenge porn. We noted that fewer than 30% of our respondents knew what to do if they became victims of this crime. We also discussed deep fakes, and the effects they have on victims. The publication mirrored our advocacy for more education and awareness around the rise in revenge porn and legislation around the issue. 

We’re In for the Long Haul

It seems 2023 was the year of problematic laws making headlines. That’s why we’re vigilant and monitoring how these bills affect online freedom and data protection. This quarter, things haven’t been looking good.

UK Spy Agencies Push for Less Data Regulation

UK spy agencies GCHQ, MI6, and MI5 began lobbying to remove laws that aim to limit the use of personally identifiable information. Originally, the laws were meant to minimize the amount of personally identifiable information that can be used to train AI. 

That said, UK spy agencies are increasingly relying on AI-based systems to analyze and sort through the personal data they intercept. Privacy activists are worried about loosening AI regulations, given how rapidly the technology around it is evolving. 

The UK Government Still Wants to Scan Encrypted Messages

Despite backlash from tech companies like Signal, Apple, or WhatsApp, the UK government still plans to proceed with the Online Safety Bill. It’s a bill that would see tech companies let governmental agencies have the power to scan encrypted messages for images of child abuse. 

The bill has been amended to now require a written report before a “skilled person” can proceed to scan a device. However, this change doesn’t do much to safeguard users’ privacy on messaging apps. Government minister Lord Parkinson has acknowledged these concerns and is adamant adequate protections were put in place to secure user data.

We’re Seeing the Effects of Canada’s Acts

In our previous edition, we expressed concern over C-11, and how the act might inadvertently restrict access to different forms of entertainment. While the act still causes a lot of confusion even now, act C-18, also known as the Online News Act, has already left its mark in the digital world.

In response to the new legislation, Google and Meta announced they would block news in the country. The Canadian federal government quickly retaliated by saying it will pull out all its advertising from the two platforms. This amounts to $10 million CAD in revenue which is around $7.3 million USD and would constitute a substantial loss for any business. 

It’s still not clear how these measures will impact the average Canadian’s internet experience, but they’ve already added extra steps for people to find the information they want.

Adding these to the rise of AI and how it enables cyber attacks at a much larger scale, we can notice that legal protections might not be in place for a while now. It seems it’s still up to individuals and consumers to secure their digital footprint within their own means. 

We’ll continue to monitor for any changes in the digital landscape, and how newer legislation impacts online security and privacy. We’ll make notes of any worrying trends we encounter during our quarterly editions.

In case you missed them, you can read our quarterly editions, right here, on the Privacy Hub:

• • • • • Transparency Report Q1
        • Transparency Report Q2

Alternatively, you can check out our yearly edition on our website. Until next time, stay safe and secure!