VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

Free VPN VPNBook Has Questionable Ownership and Business Practices — 01/07/2018


VPNBook is one of the “free” VPN services that has been around for a while. There are a number of problems with free VPN services, but the main one is profitability. If you are not paying for the service, the organization has to be paying for its servers somehow. This is usually done by injecting ads into your network traffic, selling your network traffic to third parties, or both. Both of these practices are intensely negative for anyone concerned with privacy.

VPNBook claims on their website that their revenue comes entirely from donations and ads on the website. This is where things start to look like they might not be what they seem. It is not a large logical leap to say that someone who is searching for “free VPN” in Google is probably not going to donate money to a service, so that revenue stream is likely lacking. Worse, comparing the amount of traffic the site gets against their likely server costs produces an accounting picture that just doesn’t add up.

VPNBook’s Alexa ranking places it at about the 29,000th site on the entire web in terms of traffic.

That is an enormous number of daily users and probably a decent amount of ad revenue from Google AdSense. But if we consider the amount of bandwidth it would take to run a VPN network capable of serving that many customers, the cost is 25 to 50 times the amount of ad revenue that they could possibly be bringing in.

VPNBook is operating servers in seven locations, with customer loads in the thousands of users. Their OpenVPN config files point to both a direct IP address and a domain that resolves to the same IP address, indicating that they are in fact running only fourteen individual servers to support their entire VPN network. This explains speeds that don’t even support basic low-resolution video or even audio streaming. They’ve cheaped out on the infrastructure to keep costs low.
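The inference above (a profile that names a hostname and a profile that names the IP that hostname resolves to are the same server, not two) can be checked mechanically. The following is an added example, not code from the original article or from VPNBook: it parses the `remote` directives out of a set of OpenVPN client profiles, resolves hostnames through an injected lookup function, and groups endpoints by the address they actually terminate at. The profile texts, the hostnames (`.invalid` TLD) and the resolver map are all constructed for the example; in practice you would pass a resolver backed by `socket.gethostbyname` and the provider’s real profiles.

```python
"""Count the distinct servers behind a set of OpenVPN client profiles.

Two profiles are treated as the same endpoint when their `remote` lines
resolve to the same (address, port, protocol); the number of distinct IP
addresses is then the number of actual servers the profiles can reach.
"""
import re
from collections import defaultdict

# `remote <host> [port] [proto]`; protocol may be a variant such as tcp-client.
# [ \t] rather than \s keeps the optional fields from spilling onto the next line.
REMOTE_RE = re.compile(
    r"^[ \t]*remote[ \t]+(\S+)(?:[ \t]+(\d+))?(?:[ \t]+(udp|tcp)\S*)?",
    re.IGNORECASE | re.MULTILINE,
)
PROTO_RE = re.compile(r"^[ \t]*proto[ \t]+(udp|tcp)", re.IGNORECASE | re.MULTILINE)
PORT_RE = re.compile(r"^[ \t]*port[ \t]+(\d+)", re.IGNORECASE | re.MULTILINE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample profiles (not real VPNBook files). Documentation
# addresses (RFC 5737) and the reserved .invalid TLD are used throughout.
SAMPLE_PROFILES = {
    "ca-tcp443-hostname.ovpn": "client\ndev tun\nproto tcp\nremote ca.example.invalid 443\n",
    "ca-tcp443-ip.ovpn": "client\ndev tun\nremote 203.0.113.10 443 tcp\n",
    "ca-udp25000.ovpn": "client\ndev tun\nproto udp\nremote ca.example.invalid 25000\n",
    "us-tcp443.ovpn": "client\ndev tun\nproto tcp\nremote us.example.invalid 443\n",
}

# Constructed DNS answers standing in for a live resolver.
SAMPLE_DNS = {
    "ca.example.invalid": "203.0.113.10",
    "us.example.invalid": "198.51.100.7",
}


def sample_resolver(hostname):
    """Offline stand-in for socket.gethostbyname; hypothetical data only."""
    return SAMPLE_DNS[hostname]


def parse_remotes(profile_text):
    """Return a list of (host, port, proto) from one profile.

    Falls back to the profile-wide `proto` / `port` directives, and then to
    OpenVPN's own defaults (udp, 1194), when a `remote` line omits them.
    """
    proto_match = PROTO_RE.search(profile_text)
    default_proto = proto_match.group(1).lower() if proto_match else "udp"
    port_match = PORT_RE.search(profile_text)
    default_port = int(port_match.group(1)) if port_match else 1194

    remotes = []
    for match in REMOTE_RE.finditer(profile_text):
        host, port, proto = match.group(1), match.group(2), match.group(3)
        remotes.append((
            host.lower(),
            int(port) if port else default_port,
            (proto or default_proto).lower(),
        ))
    return remotes


def count_endpoints(profiles, resolve):
    """Map each distinct (ip, port, proto) to the set of profile names using it.

    `resolve(hostname)` must return the IPv4 address string for a hostname;
    literal IPv4 addresses in `remote` lines pass through unchanged.
    """
    endpoints = defaultdict(set)
    for name, text in profiles.items():
        for host, port, proto in parse_remotes(text):
            ip = host if IPV4_RE.match(host) else resolve(host)
            endpoints[(ip, port, proto)].add(name)
    return dict(endpoints)


def distinct_servers(profiles, resolve):
    """Number of distinct IP addresses reachable across all profiles."""
    return len({ip for (ip, _port, _proto) in count_endpoints(profiles, resolve)})


if __name__ == "__main__":
    grouped = count_endpoints(SAMPLE_PROFILES, sample_resolver)
    for (ip, port, proto), names in sorted(grouped.items()):
        print(f"{ip}:{port}/{proto} <- {', '.join(sorted(names))}")
    print(f"{len(SAMPLE_PROFILES)} profiles, {len(grouped)} endpoints, "
          f"{distinct_servers(SAMPLE_PROFILES, sample_resolver)} distinct servers")
```

With the constructed data, four profiles collapse to three endpoints on two servers: the hostname profile and the literal-IP profile for the same location land on the same (address, port, protocol) tuple, which is exactly the pattern the article describes.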

But even the cost of these fourteen servers (seven PPTP and seven OpenVPN) far exceeds the Google AdSense revenue that the site would bring in. They must have other revenue streams to be operating.

Then we have the question of ownership. VPNBook claims to be located in “Zurich Switzerland.” However, they operate no servers there, the site isn’t offered in any common Swiss languages, they don’t own a .ch domain, they don’t list a company name or address, and there is no identifying information for anyone who operates the site. The company, if there even is a legal company, could be located anywhere in the world.

Before Google updated AdWords and AdSense to be more private, a review site dug up some information on the advertising account that VPNBook uses, and it was registered to a “Vannet Technology” in British Columbia.

Let’s take a look at the Vannet Technology address through Street View:

It’s a non-existent address that would lie between a Dollar Tree and a Home Hardware.

That site review was old, so perhaps their address moved? I searched for registered businesses named “Vannet Technology” in British Columbia, and got a single result:

An address in Vancouver, and only a partial name match. Let’s see if this looks like it on Street View:

I suppose you could have servers in there. Let’s take a look around back:

Nope. It looks like a basic warehouse. No servers or VPN techs here.

The entire venture is questionable. The company claims to be Swiss but has no proof, not even a company name. The only business lead is years old and leads to two dead ends in Canada. Their budget doesn’t add up, and the operators of the service are anonymous and therefore have no liability toward, and no incentive to be loyal to, their users.

HideMyAss VPN – Logging Incident – 2011


HideMyAss VPN was caught logging in 2011

In 2011 Cody Kretsinger, aka “recursion” from the hacker group Lulzsec, was arrested after HideMyAss gave up connection logs on the user. Here is what HideMyAss had on their front page in 2010, prior to them handing over user information to authorities: https://web.archive.org/web/20100709225352/http://www.hidemyass.com/

It repeatedly mentions anonymity and privacy, but has no mention of logs anywhere on the site.

Interestingly, HideMyAss continues to this day to claim that they are a private service, that they provide “anonymity” and “make you damn near untraceable,” despite hard evidence to the contrary. This quote is taken directly from the front page of the site as it read at the time this article was written:

“We’ll make you damn near untraceable so that nobody can track what you do — even your internet provider. Meaning you can browse privately. Easy.”

They even go as far as to use a character that looks like Guy Fawkes to toy with the idea that their service is private. It’s an interesting choice considering that Lulzsec was at one point working with Anonymous, whose symbol is the infamous Guy Fawkes mask. Remember remember that HideMyAss logs all throughout November.

Every piece of information retained by a VPN provider is a privacy flaw. Use a VPN provider that respects your privacy and minimizes the retention of your data. HideMyAss tried to defend its policies throughout what it called the “lulzsec fiasco” by saying that the users “should not have committed crimes.” The problem with this line of thinking is that it sweeps aside the fundamental problem with privacy services that keep logs: who gets to decide what a crime is? In this case, a person committed what a reasonable person would call a crime. However, in some Muslim nations being a homosexual is a crime.

Logging user data puts a VPN provider in a legal position where they have to decide which demands for data they will honor and which they can reject. If the government of the UK passed a law tomorrow forcing all connection logs to be handed over to authorities, a provider that logs would be compelled to give up data on all of their users’ activity. A no-log service has nothing to hand over and no obligation to any outside forces. There’s nothing to give up.

If you dig around on their site today, buried under the privacy and legal pages you’ll find their logging policy, which is unchanged from 2011. I guess it is better that they disclose it now; there was no mention of it on the 2010 page.