We receive data requests frequently. People want to obtain data about our users, but we don’t have any to share: We do not log any user activity or connection data, so it simply doesn’t exist. Curious about just how many requests we get?
That’s what our quarterly transparency report is for. Let’s dive in!
Legal Requests — Our Q3 Numbers
For our transparency report, we now tally DMCA complaints and police requests.
We previously also reported on malicious activity flags we received. When we started our transparency reports, malicious activity flags were just that: warnings from ISPs and businesses that IP addresses were being used for malicious purposes.
Today, that’s not the case, at least not entirely. A “malicious” activity flag is far more broadly defined. Now, an IP simply being associated with a VPN can be enough to trigger a flag, and increasing numbers of websites now block VPN traffic in an attempt to “prevent abuse”.
In short, continuing to report on malicious activity flags does not provide any meaningful additional transparency or context. So, for now, we will not be including this figure in this, or future, reports. We will continue ensuring the quality of our IPs as normal.
- Digital Millennium Copyright Act (DMCA) complaints are requests we receive when copyright holders inform us that one of our IP addresses was used to illegally distribute copyrighted materials.
- Police requests are requests we receive when law enforcement agencies inform us that one of our IP addresses was used in unlawful activity.
July | August | September | |
DMCA Complaints | 113,255 | 107,312 | 21,114 |
Police Requests | 5 | 0 | 0 |
As usual, we’re unable to comply with these requests. We abide by a strict no-logs policy, and our RAM-only servers regularly wipe data. We don’t know anything about what you do online while connected to our servers, and we are under no legal obligation to store user data. Because of this, we don’t have anything to share with the authorities.
With that said, let’s have a look at the numbers.
DMCA Complaints
July | August | September |
113,255 | 107,312 | 21,114 |
The numbers of DMCA complaints were extremely high in July and August—outdoing any other time of the year so far—while taking a sharp dip in September.
What could be behind this sharp rise? Major summer sporting events probably had something to do with it. The correlation is stark, with the DMCA numbers hitting a record low for the year once September – less exciting for global sports and a slow season for new shows – rolled around.
Police Requests
July | August | September |
5 | 0 | 0 |
We received five police requests this quarter, all in July. It was more than any other month this year. Regardless, we do not have any user data to provide to law enforcement.
Bug Bounty Program — Q3 Numbers
Through our Bug Bounty Program, we invite cybersecurity researchers to inform us of any vulnerabilities they find in our software, with the possibility of monetary rewards. This quarter, we received 224 submissions, with 151 unique issues. In total, 5 of these submissions were considered valid, with the other 145 reported issues categorized as false positives, informational, or invalid.
Q3 cybersecurity in review
Headlines reporting cyberattacks are everyday reminders of the digital threats that companies and individuals face. Here are a few that appeared in Q3.
Attackers Hijack UK Railway Station Wi-Fi
In September, a cyberattack targeted the public Wi-Fi services at 19 major railway stations across the UK, including London Euston, Manchester Piccadilly, and Birmingham New Street. Passengers attempting to connect to the Wi-Fi were confronted with Islamophobic messages, including references to terrorist attacks.
The incident prompted Network Rail to quickly disable the affected Wi-Fi services. It was discovered that the attack was likely perpetrated using an admin account from the company that manages the Wi-Fi landing pages. A suspect, an employee of the Wi-Fi provider, was arrested.
Customer Data Stolen at Boulanger and Other French Retailers
The Boulanger cyberattack in September was a significant data breach that affected several well-known French retailers, including Boulanger (specializing in electronics), Cultura (a book and media store), and Truffaut (a gardening and home store). The stolen data, which was later leaked online, contained personal information such as customer names, email addresses, and potentially payment information.
Data leak of Nokia employees’ personal information
In July 2024, Nokia was the target of a significant cyberattack that exposed sensitive information of over 7,600 employees. The breach was attributed to a threat actor named “888” who claimed responsibility on a known cybercrime forum. The compromised data included personal details such as employees’ names, job titles, email addresses, and phone numbers, all of which were leaked from a third-party service used by Nokia. The attack is believed to have been enabled by vulnerabilities in the third-party systems that Nokia used to manage employee records.
Many companies fail to take proper security measures. But when it comes to your online activity, there are proactive ways to protect your privacy and security. Take matters into your own hands. Opt for privacy-friendly services, read privacy policies, and use tools like CyberGhost VPN to encrypt your traffic, especially on public Wi-Fi.
Leave a comment