PureVPN, a popular virtual private network service based in Hong Kong, provided the United States Federal Bureau of Investigation with the user logs of one of its users, which helped lead to his arrest.

An FBI investigation that included data obtained from PureVPN resulted in the arrest of Ryan Lin, a 24-year-old man from New Town, Massachusetts who was accused of cyberstalking and harassing his former roommate and her friends, family members and other associates through a number of online services.

According to an FBI press release announcing the arrest, Lin is accused of hacking into the victim’s online accounts and stealing information including private photos, personally identifiable data, sensitive details about her medical, psychological and sexual history, private diary entries and other personal information. Lin also allegedly spread her photos and diary entries online.

The accused cyberstalker is accused of creating online profiles under the victim’s name and using her private photos and her personal address to solicit rape fantasies and other graphic sexual activities that resulted in men showing up at her home. With another profile with the victim’s name attached, Line allegedly claimed he was going to “shoot up” a nearby school.

He also allegedly contacted law enforcement on a number of occasions to claim there were bombs at the home of the victim’s family, a tactic often referred to as Swatting that is intended to make police dispatch their SWAT team to respond to a situation. Swatting often results in damage either to property or to people and animals in the home.

“Mr. Lin allegedly carried out a relentless cyber stalking campaign against a young woman in a chilling effort to violate her privacy and threaten those around her,” Acting United States Attorney William D. Weinreb said. “While using anonymizing services and other online tools to avoid attribution, Mr. Lin harassed the victim, her family, friends, coworkers and roommates, and then targeted local schools and institutions in her community. Mr. Lin will now face the consequences of his crimes.”

“Those who think they can use the Internet to terrorize people and hide behind the anonymity of the net and outwit law enforcement should think again,” Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division said. “The Department of Justice will be relentless in its efforts to identify, arrest, prosecute, and punish the perpetrators of these horrendous acts and seek justice on behalf of their victims.”

While there are assuredly few people disappointed to see someone accused of such heinous actions in custody, the role of PureVPN in the arrest may raise questions about how much users should trust the service to truly protect their online activity.

VPNs or virtual private networks are a privacy tool that enable a device to send and receive information across a public network as if it was connected directly to a private network. In essence, it obscures the true location of the device and makes it appear as though its activity it coming from another network.

When a person connects to a VPN, it creates an encrypted and secure connection between the user’s device and a remote server.  Any information—from web activity to user information to passwords—is sent first through that encrypted connection. By filtering information through the remote server, a VPN shields that data from anyone on the public network, including internet service providers.

PureVPN provides those remote servers for users to connect to and promises in its privacy policy that “we do not monitor user activity nor do we keep any logs. We, therefore, have no record of your activities.”

Despite this, the FBI notes in a criminal complaint filed against Lin that “records from PureVPN” were used to tie an email account from Lin to a number of other accounts he used to obscure his identity and carry out his online abuse.

The FBI also noted that PureVPN was “able to determine that their service was accessed by the same customer” from two separate IP addresses that were linked to Lin.

“We only have information on IP and Time Stamps when our customers create a private browsing session as mentioned on our website,” a spokesperson for PureVPN told International Business Times. “We do not maintain any logs of browsing history what so ever, or store any kind of user activity.”

Effectively, the VPN provider does keep logs of when a user connects to one of the company’s servers and maintains a history of the IP address that session originated from but does not store the actual activity of the user while browsing through the VPN connection.

That revelation may be enough to make privacy-minded consumers—the vast majority of whom are not using the services for such malicious acts like those Lin is accused of—to reconsider their use of PureVPN.