To their slight credit, the law states they cannot store the information and it cannot be used for any other purpose. But I don't think there are any penalties for that.

But I know how off the shelf server software works. For reliability and performance, there are layers upon layers of logging, buffering and caching at every single off-the-shelf solution they use to implement the final software product.

All of those can be used to recover the info, by whatever gets access to the system. Be that an employee who wants to sell the data, a virus, a lawyer with a subpeona, a CIA agent, a federal agent with no heed to state law, or the company who "accidentally" sells the data with other data.

There is a reason that there are multiple "no log" VPNs that have been search warranted and the only one who has managed to have them come out empty handed is Mullvad. It is difficult to do.

To their slight credit, the law states they cannot store the information and it cannot be used for any other purpose. But I don't think there are any penalties for that.

But I know how off the shelf server software works. For reliability and performance, there are layers upon layers of logging, buffering and caching at every single off-the-shelf solution they use to implement the final software product.

All of those can be used to recover the info, by whatever gets access to the system. Be that an employee who wants to sell the data, a lawyer with a subpeona, a CIA agent, a federal agent with no heed to state law, or the company who "accidentally" sells the data with other data.

There is a reason that there are multiple "no log" VPNs that have been search warranted and the only one who has managed to have them come out empty handed is Mullvad. It is difficult to do.