VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

NameCheap VPN is Wrapped Up in IPVanish Logging Scandal — 17/12/2018

NameCheap, the domain name registrar, has recently started a VPN service. It is a full-fledged effort to enter the space, with strange unicorns and all.

It has the usual marketing claims of being private, fast and secure, but one thing caught my attention immediately. They have a large network of “40 locations and 1000+ servers.” Rolling out that kind of infrastructure takes a while. Not only do you have to design and implement your VPN services, but you have to work with and vet 40 different datacenters. Unless of course you don’t do any of that and just resell someone else’s VPN service…

Now, before we go deeper, I like NameCheap as a brand. They do a lot of admirable privacy activism work, including working with the EFF, fighting for Net Neutrality, fighting to keep domain registrations private, etc.

NameCheap has partnered with IPVanish, who develops their apps and provides the network. They share the same servers and use the exact same technology. This means that if a person gets a NameCheap VPN subscription, they are really getting IPVanish, and that’s a problem. IPVanish was caught logging its users’ information after claiming to be a no-log service. After a violation of trust this large, no company should be working with them, especially if they take privacy and security seriously.

Because we are all about proof, let’s do some digging:

A Reddit user noticed some curious similarities between the IPVanish and NameCheap VPN websites, showing that they both refer back to the same parent website.

This lengthens the list of IPVanish-connected brands to VPNHub (PornHub VPN), Overplay.net, Unblock.us, Encrypt.me, and StrongVPN.

You should not, ever, trust brands that have outed (and lied to) their users before.

Private Internet Access Receives Subpoena for Logs – Has None 2018 — 03/12/2018

In 2017, an investigation in San Jose related to a series of hacks and defacing of webpages led investigators at the FBI to subpoena Private Internet Access for subscriber information.

Private Internet Access had no information to turn over, and John Arsenault, Private Internet Access’ legal counsel, testified in court regarding the practices of PIA and other privacy VPN services.

From the story here:

https://paloaltoonline.com/news/2018/06/02/alleged-hacker-claimed-he-was-paid-to-attack-news-site

Authorities were led to the suspect because he conducted some of his illegal activity through his father’s home and at a nearby business, which gave investigators those IP addresses to follow up on.

Once again, Private Internet Access proves that they do not log and as a result cannot respond to requests for information from governments or law enforcement. If you are serious about your privacy, get a reputable VPN that doesn’t log or sell your information.

Private Internet Access Receives Subpoena for Logs – Has None (2016) — 07/09/2018

In 2016, an investigation in Florida related to a stalking suspect and a number of false bomb threats was being conducted, and part of the investigation led to an IP address for a Private Internet Access VPN server. The FBI then presented Private Internet Access with a subpoena, and Private Internet Access had no logs to provide. They could only tell the FBI that the servers in the IP address range they were interested in were located on the east coast of the US. They had no other information due to their no-logs policy. Torrentfreak writes:

It is important to note that the FBI was able to build a significant case against the suspect using other police work. They knew that the suspect had motive, and banking information led them to store surveillance tapes and other evidence that led to the person being brought to justice.

This is one of the core arguments of privacy advocates: that “going dark” is a fallacy and police are more equipped than ever to catch criminals. Dragnet surveillance is not a necessary piece of the puzzle, and privacy tools and services that push back against mass surveillance help us to cling to what little privacy remains in the information age.

UnblockUS VPN and SmartDNS Service is Connected to IPVanish Logging Scandal — 21/08/2018

When looking at the IPVanish scandal and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the line of company acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath.

If we take a look at the SmartDNS instructions for Unblock.us, they give us two IP addresses for their DNS servers. If we look up those IP addresses, the servers belong to HighWinds:

And DNS2 also belongs to HighWinds:

If we can’t trust IPVanish with our data, we can’t trust any of these companies that are sharing the same infrastructure.

Overplay.net is Connected to the IPVanish and Highwinds VPN Logging Scandal — 20/08/2018

When looking at the IPVanish scandal and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the line of company acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath.

So where does OverPlay come into this equation? Overplay’s VPN and SmartDNS services are using StackPath’s infrastructure.

Here are Overplay’s instructions for setting up SmartDNS:

The two DNS servers are directly linked to HighWinds (StackPath), the owners of IPVanish.

The secondary DNS server is linked to BandCon, which is also IPVanish/HighWinds/StackPath infrastructure. If IPVanish can’t be trusted, neither can any other company that is using the same infrastructure.

StrongVPN is Wrapped Up in the IPVanish Logging Scandal — 07/08/2018

When looking at the IPVanish logging situation and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the line of company acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath. When we see any of these names pop up, we know that the VPN service is using StackPath/HighWinds infrastructure and can be wittingly or unwittingly logging all of their users.

When looking at IPs and Domains that are owned by StrongVPN, the name ReliableHosting comes up everywhere. Their customer support even comes from a @reliablehosting.com domain.

Here’s an example:

If we look up IP ranges that are assigned to StrongVPN, a lot of them are directly using StackPath infrastructure:

Exhibit A:

Exhibit B:

Exhibit C:

We can also see that StackPath is one of their primary peers for network connectivity here:

One might think that this link between StrongVPN and StackPath isn’t very strong. But a simple Google search gives you a number of employees that work for StackPath and ReliableHosting, or StackPath and StrongVPN.

Either StrongVPN is owned by StackPath outright, or the companies are so close that they share a significant number of employees. StrongVPN, like IPVanish, claims that they do not log any user information.

After it has been proven that IPVanish logs, we should not trust any StackPath company, any company that shares employees with StackPath, nor any company that is using StackPath infrastructure as it can be knowingly or unknowingly logging their users and violating their privacy.
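
The lookup-and-match step used in these posts (look up who holds an IP range, then check for the BandCon, HighWinds and StackPath names) can be scripted when vetting a provider. This is an added example, not part of the original posts: it parses WHOIS text and reports which of those names appear in ownership fields only. The WHOIS records, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Names the article treats as one corporate family.
RELATED_ORGS = ("bandcon", "highwinds", "stackpath")
# WHOIS fields that name the holder of an address range (ARIN and RIPE styles).
OWNER_FIELDS = {"orgname", "netname", "org-name", "descr", "custname"}

def parse_whois(text):
    """Return a list of (field, value) pairs, skipping comment lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if sep:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def related_owners(whois_text):
    """Names from RELATED_ORGS that appear in an ownership field."""
    found = set()
    for field, value in parse_whois(whois_text):
        if field not in OWNER_FIELDS:
            continue  # free-text comments and contacts are not ownership
        # Drop case, spaces and punctuation so "Stack Path, LLC" still matches.
        squashed = re.sub(r"[^a-z0-9]", "", value.lower())
        found.update(name for name in RELATED_ORGS if name in squashed)
    return sorted(found)

def audit(lookups):
    """Map each looked-up IP to the related owner names in its WHOIS text."""
    return {ip: related_owners(text) for ip, text in lookups.items()}

# Constructed WHOIS responses for documentation-range addresses (not real records).
SAMPLE = {
    "192.0.2.10": "NetRange: 192.0.2.0 - 192.0.2.255\n"
                  "NetName: HIGHWINDS-EXAMPLE\n"
                  "OrgName: Highwinds Network Group, Inc.\n",
    "198.51.100.20": "# constructed record\nNetName: EXAMPLE-NET2\n"
                     "OrgName: Stack Path, LLC\n",
    "203.0.113.30": "NetName: EXAMPLE-NET3\nOrgName: Example Hosting LLC\n"
                    "Comment: unrelated to StackPath; contact noc@example.net\n",
}

if __name__ == "__main__":
    for ip, names in audit(SAMPLE).items():
        print(ip, "->", ", ".join(names) or "no related owner")
```
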

ExpressVPN Had Their Servers Seized – They Contained No Logs

ExpressVPN had one of their servers seized in Turkey by the authorities who were investigating an assassination of an official in Ankara.

According to the Turkish authorities, some information about a police officer (their Gmail and Facebook) was deleted remotely by someone using the ExpressVPN service. The server that they had seized contained no logs and did not help with the investigation.

This is one of the rare cases where we get to see if a VPN is telling the truth when they assert that they do not keep any logs.

While it is unfortunate when a VPN acts as a roadblock to a genuine investigation, we also have to consider the enormous benefit that the public has by not allowing unfettered access to all of our internet traffic.

The threat of parties using our information for reasons outside of our own interests is far greater than the downside of authorities needing to conduct investigations with more traditional police-work. It is absolutely crucial that no-log services like these remain vigilant about protecting our privacy.

In a statement, ExpressVPN commented:

“While it’s unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install “backdoors” or attempts by governments to otherwise undermine such technologies.”