In June 2018, a suspect was arrested on child abuse charges after IPVanish, a “no-logs” VPN provider, turned over key logging information to authorities on request. In the actual affidavit (pages 22-23) you can see that Highwinds Network Group, the parent company of IPVanish, was contacted with a request for data (not a warrant) regarding the suspect.

IPVanish then turned over logs that included subscriber information, and was able to narrow the search to specific days and activity (destination IP of traffic and timestamps), as well as narrow data requests by port and protocol.

A VPN that is not logging should not have any of this information to turn over.

Furthermore, it looks like Highwinds went above and beyond the scope of the request (which again, was not a warrant) and provided the source IP of the VPN user.

All of this information is at odds with what IPVanish was advertising on their site on May 3rd of this year. Let’s take a look at their front page with the Wayback Machine: https://web.archive.org/web/20180503002434/https://www.ipvanish.com/

And if we look at their privacy policy page on the same date: https://web.archive.org/web/20180522041725/https://www.ipvanish.com/privacy-policy.php

“IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”

This is literally all that is mentioned about logging. Nothing about retaining IPs, timestamps, services visited, or disclosure policies. Retaining this data is significant because it creates liability. If you have data to turn over to a nation with a legal demand, you are obligated to cooperate. If you have nothing of value to give to enemies of privacy, then your customer base is safer.

Their privacy policy was updated on May 30th, which again restates that they do not log under any circumstances. https://www.ipvanish.com/privacy-policy.php

IPVanish and Highwinds have already shown that they cannot be trusted. They should not be trusted with anyone’s private information after this incident. There is no reasonable explanation as to why or how this could happen at a company that cares about customer privacy.

To make things even worse, IPVanish leases infrastructure to other VPN services, so this logging incident extends liability to other VPN providers who may not even know what data is being retained by Highwinds. Many other VPN providers are also owned by Highwinds’ parent company, StackPath.

The Highwinds / StackPath related VPN companies include:

IPVanish
Overplay.net
Unblock.US
Encrypt.me (formerly Cloak VPN)
VPNHub (the new PornHub VPN service)
StrongVPN