The co-founder of torrent website The Pirate Bay has torn into virtual private network (VPN) service Hide My Ass! for handing over logs on an alleged LulzSec hacker to the FBI.
Hide My Ass! kept logs on all customers, including the alleged hacker, and had handed those over to British law enforcement following requests from the FBI which was tracking LulzSec.
Cody Kretsinger, 23, the alleged member of the LulzSec group, was charged with conspiracy and unauthorised impairment of a protected computer.
He is accused of participating in a week-long SQL injection attack, ending in early June, against the Sony Pictures site. The compromise resulted in the theft of data belonging to roughly one million users, some of which was publicly posted.
Hide My Ass! surrendering of logs drew criticism from Privacy International and threats from the loose-knit Anonymous collective, which had affiliations with LulzSec.
The service defended its acquiescence to the requests. In a statement it said users were “naive” to think online criminals would be protected from law enforcement under its service.
"Our VPN service and VPN services in general are not designed to be used to commit illegal activity," Hide My Ass! said.
"It is very naive to think that by paying a subscription fee to a VPN service, you are free to break the law."
Peter Sunde, co-founder of BitTorrent website The Pirate Bay and paid VPN service iPREDator, said Hide My Ass! was wrong to keep logs and hand it over to police.
The Pirate Bay launched iPREDator in 2009 in response to new Swedish laws that gave copyright enforcement organisations more power to demand access to the personal details of alleged file downloaders.
“Having semi-privacy is just plain stupid, and not being upfront about what happens with your data is just plain wrong,” Sunde said.
“We've built our own reputation by really standing up for what we believe in and we fight for the same things still.
"It's obviously all about trust though, and I hope that people will stop trusting Hide My Ass! and other shady outfits.”
Sunde said iPREDator did not store logs and asked users to provide minimal personal details when signing up for the service.
The service was operated in Sweden and governed by local laws (pdf) that iPREDator said required authorities to prove a case could achieve at least a two year jail sentence before user IP addresses could be obtained.