PornHub’s new business venture, VPNHub, is caught up in the IPVanish logging scandal, and the parent company helps build the very censorship systems that VPNHub is trying to sell you a way around!
When looking at the IPVanish situation and working out which companies are caught up in this anti-privacy scandal, we need to look at specific company names: IPVanish, its parent company StackPath, and the line of acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired a company with hosting and routing resources called BandCon. Recently, all of these companies were acquired by StackPath.
So we have BandCon = IPVanish = HighWinds = StackPath.
VPNHub launched their new service a couple of months ago, and there’s a shiny looking app that seems simple to use and looks very flashy.
The only problem is that when you take a look under the hood, the app is connected to companies that log, and worse, the parent company has serious ethical conflicts of interest.
The process of verifying the connection to IPVanish is simple. You sign on to the service, select a location, and then Google “my ip” to see the exit IP address of the VPN server you were assigned.
You can then look up this IP to see whose network it belongs to with a simple Google search:
They are using Bandcon/HighWinds/StackPath servers.
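The ownership check described above can be scripted so it is repeatable across every server location a provider offers. The following is an added example, not code from the original post or from any of the companies it names: it looks the exit address up in RDAP (the structured successor to WHOIS served by the regional registries) and reads out the registered network block and the organisation holding it. The `rdap.org` redirector URL is assumed to be reachable, and the `SAMPLE_RECORD` (`EXAMPLE-HOSTING-NET`, `Example Hosting LLC`, the 203.0.113.0/24 documentation range) is constructed so the parsing logic runs offline.

```python
"""Added example: identify which network operator owns a VPN exit address.

Not code from the original post or from any provider it names. It queries
RDAP, the structured WHOIS successor served by the regional registries, via
the public rdap.org redirector (assumed reachable), and pulls out the fields
that say whose network the exit IP sits in. The parser is exercised on a
constructed record so the logic can be checked without network access.
"""
import ipaddress
import json
import sys
import urllib.request

RDAP_REDIRECTOR = "https://rdap.org/ip/"  # assumption: public redirector to the right RIR


def parse_rdap(record):
    """Extract handle, network name, address range and organisation names from an RDAP IP record."""
    orgs = []
    for entity in record.get("entities", []):
        roles = tuple(entity.get("roles", []))
        # vcardArray is jCard: ["vcard", [[property, params, type, value], ...]]
        vcard = entity.get("vcardArray", ["vcard", []])[1]
        full_name = next((prop[3] for prop in vcard if prop and prop[0] == "fn"), None)
        if full_name:
            orgs.append((full_name, roles))
    return {
        "handle": record.get("handle"),
        "name": record.get("name"),
        "start": record.get("startAddress"),
        "end": record.get("endAddress"),
        "orgs": orgs,
    }


def registrant(record):
    """Name of the entity holding the 'registrant' role, or None if there is none."""
    for name, roles in parse_rdap(record)["orgs"]:
        if "registrant" in roles:
            return name
    return None


def in_range(ip, record):
    """True if ip falls inside the block the RDAP record describes (same IP version assumed)."""
    addr = ipaddress.ip_address(ip)
    start = ipaddress.ip_address(record["startAddress"])
    end = ipaddress.ip_address(record["endAddress"])
    return start <= addr <= end


def lookup(ip):
    """Live RDAP query for a public address; returns the parsed summary."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        raise ValueError(f"{ip} is not a public address, so it cannot be a VPN exit")
    with urllib.request.urlopen(RDAP_REDIRECTOR + str(addr), timeout=10) as resp:
        return parse_rdap(json.load(resp))


# Constructed sample shaped like a registry RDAP response; every name here is invented.
SAMPLE_RECORD = {
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-HOSTING-NET",
    "entities": [
        {
            "handle": "EXHOST",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Hosting LLC"],
            ]],
        },
        {
            "handle": "ABUSE-EX",
            "roles": ["abuse"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Abuse Desk"],
            ]],
        },
    ],
}

if __name__ == "__main__":
    # With an argument, query RDAP for that exit IP; without one, show the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    summary = lookup(target) if target else parse_rdap(SAMPLE_RECORD)
    print(f"{summary['name']} ({summary['handle']}): {summary['start']} - {summary['end']}")
    for name, roles in summary["orgs"]:
        print(f"  {name}: {', '.join(roles)}")
```

Run it as `python3 exit_owner.py <exit-ip>` after connecting to each location; the registrant name is the answer to “whose network is this”, and the address range tells you how many other exits share the same block. RDAP records from different registries vary in which roles they populate, so treat a missing registrant as “look at the other entities”, not as proof of anything.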
The primary marketing for the VPNHub service is the connection to the PornHub brand. The VPN is advertised as a way to circumvent blocks on porn or other content. That sounds like a match made in heaven until you realize that the parent company of PornHub (MindGeek) actually designed the porn censorship system that is in place. The company is selling both the lock and the key, and profiting from both, all the while potentially logging and collecting data while you’re on their VPN service through HighWinds/StackPath.
“We do not track user activities outside of our Applications, nor do we track the browsing activities of users who are logged into our VPN service.
Appatomic does not collect or log any traffic or use of its Applications or Services.”
This claim is interesting, considering they are using a company’s servers that are specifically known to log user data, with court cases documenting this activity directly.
If IPVanish can’t be trusted, neither can any other company that is using the same infrastructure. Aiding censorship efforts for profit while selling the method to circumvent them, also for profit, is against everything privacy activism stands for.
In June 2018, a suspect was arrested on child abuse charges after IPVanish, a “no-logs” VPN provider, turned over logging information to authorities on request. In the actual affidavit (pages 22-23) you can see that HighWinds Network Group, the parent company of IPVanish, was contacted with a request for data (not a warrant) for information regarding the suspect.
IPVanish then turned over logs that included subscriber information, and was able to narrow the search to specific days and activity: destination IP of traffic and timestamps, narrowed further by port and protocol.
A VPN that is not logging should not have any of this information to turn over.
Furthermore, it looks like HighWinds went above and beyond the scope of the request (which, again, was not a warrant) and provided the source IP of the VPN user.
“IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”
This is literally all that is mentioned about logging. Nothing about retaining IPs, timestamps, services visited, or disclosure policies. Retaining this data is significant because it creates liability. If you have data to turn over to a nation with a legal demand, you are obligated to cooperate. If you have nothing of value to give to enemies of privacy, then your customer base is safer.
IPVanish and HighWinds have already shown that they cannot be trusted. They should not be trusted with anyone’s private information after this incident. There is no reasonable explanation as to why or how this could happen at a company that cares about customer privacy.
To make things even worse, IPVanish leases infrastructure to other VPN services, so this logging incident extends liability to other VPN providers who may not even know what data is being retained by HighWinds, and many other VPN providers are owned by HighWinds’ parent company, StackPath.
The HighWinds / StackPath related VPN companies include:
Encrypt.me (formerly Cloak VPN)
VPNHub (the new PornHub VPN service)
“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”
If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store which allows *any code* to be installed and run with no notification given to the user. That is frightening.
Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.[see update]
“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.
Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.”
Hola has a bad security reputation and sells your bandwidth to the highest bidder.
And if you sign up with a social media account, they harvest everything that is public as well:
So to sum up Hola VPN: Botnets, Selling Your Bandwidth, Security Vulnerabilities, Data Harvesting for “Analytics.”
When subpoenaed by the FBI, PureVPN had log-on/log-off times, bandwidth used, and the source IP of the user at minimum.
“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,”
You should not trust a VPN service that logs. You definitely should not trust a VPN service that logs and lies about it to their customers.
But after this huge breach of trust with the community, can we trust any claims about what they are logging now?
Hotspot Shield is a popular free VPN service for bypassing region locks and firewalls around the world.
The very first paragraph on the front page of the site touts privacy and security as the main uses of their product:
“Hotspot Shield VPN acts like an underground tunnel that connects you to your favorite websites. When you connect to a VPN, it turns a public network into a private network using military-grade encryption so hackers, identity thieves, advertisers, governments, ISPs, and others can’t monitor what you’re doing on the internet.”
The site repeatedly claims that they allow you to surf “securely and anonymously” around the web.
Here they specifically name protecting you from surveillance and ad networks as one of the primary purposes of the software:
They even go as far as to claim that privacy is a fundamental human right, and that they are defending you:
They also repeatedly throw around the word “anonymously” and focus on how “they don’t log your IP address.” From the marketing on the front page of their site, you would think that installing Hotspot Shield would protect you from ad networks and surveillance, and that they don’t log your information. Let’s take a look at their data collection policies and see how these claims hold up under some scrutiny.
It is important to understand the entirety of what is being said here. They are extremely careful to repeatedly tell you that they do not store your IP address, nor do they link your device information to you. But the devil is in the details, as it seems that they do collect your IMEI and your “network information.” To an ad network, your IMEI is better than an IP address. It is a unique serial number that is burned into every phone, and it uniquely identifies you no matter what network you are on or where you travel. Your IP address changes frequently; your IMEI never changes. They also don’t define what “network information” they collect, given that they claim not to collect IP addresses. Let’s dig further.
Furthermore, the “city level” location is an information sharing issue, because in order to produce it they have to take your IP address and hand it to one of the third-party services that control IP geolocation data. This means that your IP address is being shared with outside parties to make this technically possible.
So they share your information with third-party online advertisers, which they explicitly said they do not do earlier. The “city-level location” also reappears (which requires them to share your IP with a third party), and they also say that they can and will sell all of their information to anyone who wishes to acquire their business. They continue to affirm that they have very little personal information to collect on each person, and they go to great lengths to convince you that they are not sharing significant amounts of information about you, despite the fact that they have expensive infrastructure to pay for and the service is free.
Hotspot Shield is not providing a free service out of the kindness of their hearts. It needs to make money without charging you. They are paying their bills and turning a profit by selling your information.
So let’s take a look at what the Hotspot Shield app actually does while you’re using it.
Furthermore, the information that they share with outside parties is not encrypted and can be intercepted by any listening party. So much for “privacy and anonymity.”
The closing paragraph of the CDT’s complaint to the FTC sums up the situation beautifully: