HideMyAss VPN was caught logging in 2011

In 2011, Cody Kretsinger, aka “recursion”, of the hacker group LulzSec, was arrested after HideMyAss gave up connection logs on the user. Here is what HideMyAss had on their front page in 2010, prior to them handing over user information to authorities: https://web.archive.org/web/20100709225352/http://www.hidemyass.com/

It repeatedly mentions anonymity and privacy, but has no mention of logs anywhere on the site.

Interestingly, HideMyAss continues to this day to claim that they are a private service, that they provide “anonymity” and “make you damn near untraceable”, despite hard evidence to the contrary. This quote is taken directly from the front page of the site as it appeared at the time of writing:

“We’ll make you damn near untraceable so that nobody can track what you do — even your internet provider. Meaning you can browse privately. Easy.”

They even go as far as to use a character that looks like Guy Fawkes to toy with the idea that their service is private. It’s an interesting choice considering that LulzSec was at one point working with Anonymous, whose symbol is the infamous Guy Fawkes mask. Remember, remember that HideMyAss logs all throughout November.

Every piece of information retained by a VPN provider is a privacy flaw. Use a VPN provider that respects your privacy and minimizes the retention of your data. HideMyAss tried to defend its policies throughout what it called the “lulzsec fiasco”, by saying that the users “should not have committed crimes.” The problem with this line of thinking is that it sweeps aside the fundamental problem with privacy services that keep logs. Who gets to decide what a crime is? In this case, a person committed what a reasonable person would call a crime. However, in some Muslim nations being a homosexual is a crime.

Logging user data puts a VPN provider in a legal position where they have to decide which demands for data they will honor and which they can reject. If the government of the UK passed a law tomorrow forcing all connection logs to be handed over to authorities, a provider that logs would be compelled to give up data on all of their users’ activity. A no-log service has nothing to hand over and no obligation to any outside forces. There’s nothing to give up.

If you dig around on their site today, buried under privacy and legal pages, you’ll find their logging policy, which is unchanged from 2011. I guess it is better that they disclose it now. There was no mention of it on the 2010 page.