If I were the NSA I'd force/put some piece of network hardware that mirrored all VPN traffic exiting PIA's endpoints. I would assume that the US, UK and DE endpoints might be monitored without PIA's knowledge (unless they own the data centre and/or upstream provider?).

Then it is fairly simple to start pattern matching the unencrypted traffic exiting your endpoints by matching HTTP headers for each client. Then all they would need is for a VPN user to access a website that leaks the user's identity and you can back-match their previous traffic.

For example, you search for information on "how to make a bomb" via the VPN. Your browser sends the HTTP headers Accept-Language set to ar-YE,en-US,fr-FR,de-DE;q=0.5 and a user agent of Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:21.0.0) Gecko/20121011 Firefox/21.0.0. Those HTTP headers aren't unique, but they vastly narrow the search scope.

Now as that user you visit your Facebook page, and those same matching HTTP headers are passed. Boom, you've just leaked your true identity.
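The correlation step the comment describes, written out as an added example (this is not the commenter's code). It builds a passive fingerprint from the User-Agent and Accept-Language headers of each request seen leaving the exit node, learns which fingerprints were later seen alongside a request that reveals an identity, and back-matches earlier anonymous requests to that identity. The tab-separated log lines are constructed sample data, and the final "identity" column assumes the analyst has already pulled the identity out of the revealing request (a profile URL, a cookie, and so on); that extraction is not shown. The example also handles the caveat the comment raises, that these headers are not unique: when more than one identity shares a fingerprint, the request is left unattributed rather than guessed.

```python
"""Added example: back-matching anonymous VPN-exit traffic by HTTP header fingerprint.

Not code from the original comment. All log data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Request:
    ts: int                  # seconds since epoch (constructed)
    host: str
    path: str
    user_agent: str
    accept_language: str
    identity: Optional[str]  # identity the page itself leaked, if any (assumed pre-extracted)


# Constructed sample log: ts \t host \t path \t User-Agent \t Accept-Language \t identity-or-dash
FIREFOX = "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:21.0.0) Gecko/20121011 Firefox/21.0.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/30.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    f"1000\twww.google.com\t/search?q=how+to+make+a+bomb\t{FIREFOX}\tar-YE,en-US,fr-FR,de-DE;q=0.5\t-",
    f"1030\twww.wikipedia.org\t/wiki/Explosive\t{FIREFOX}\tar-YE,en-US,fr-FR,de-DE;q=0.5\t-",
    f"1045\tnews.ycombinator.com\t/\t{CHROME}\ten-GB,en;q=0.8\t-",
    f"1100\twww.facebook.com\t/profile.php\t{FIREFOX}\tar-YE,en-US,fr-FR,de-DE;q=0.5\tuser_a",
    f"1200\twww.facebook.com\t/profile.php\t{CHROME}\ten-GB,en;q=0.8\tuser_b",
    f"1300\twww.facebook.com\t/profile.php\t{CHROME}\ten-GB,en;q=0.8\tuser_c",
])


def fingerprint(req: Request) -> str:
    """Passive fingerprint from headers a browser sends on every request.
    Not unique on its own, but it shrinks the candidate set considerably."""
    return f"{req.user_agent}|{req.accept_language}"


def parse_log(text: str) -> List[Request]:
    """Parse the constructed tab-separated log into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path, ua, lang, ident = line.split("\t")
        reqs.append(Request(int(ts), host, path, ua, lang, None if ident == "-" else ident))
    return reqs


def identities_by_fingerprint(reqs: List[Request]) -> Dict[str, Set[str]]:
    """Map each fingerprint to every identity that was leaked while using it."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for r in reqs:
        if r.identity is not None:
            table[fingerprint(r)].add(r.identity)
    return table


def attribute(reqs: List[Request]) -> Dict[Request, Optional[str]]:
    """Back-match anonymous requests to an identity via shared fingerprint.

    Returns the single matching identity, or None when the fingerprint was
    never seen with an identity or was seen with several (ambiguous)."""
    table = identities_by_fingerprint(reqs)
    result: Dict[Request, Optional[str]] = {}
    for r in reqs:
        if r.identity is None:
            candidates = table.get(fingerprint(r), set())
            result[r] = next(iter(candidates)) if len(candidates) == 1 else None
    return result


if __name__ == "__main__":
    requests = parse_log(SAMPLE_LOG)
    for req, who in attribute(requests).items():
        label = who if who else "unattributed (0 or >1 candidates)"
        print(f"{req.ts} {req.host}{req.path} -> {label}")
```

Run stand-alone it attributes the two Firefox requests (the bomb search and the Wikipedia visit) to user_a, because only one identity was ever leaked with that fingerprint, while the Chrome visit stays unattributed because user_b and user_c share the same fingerprint. Real traffic would add more signals (client IP at the exit, timing, TLS ClientHello, cookies) to break such ties.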