VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

VPNHub is Tangled in the IPVanish and HighWinds Logging Scandal — 09/07/2018

PornHub’s new business venture, VPNHub, is caught up in the IPVanish logging scandal, and its parent company helps build the very censorship systems that VPNHub is trying to sell you a way around!

When looking at the IPVanish situation and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the chain of acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath.

VPNHub launched their new service a couple of months ago, and there’s a shiny looking app that seems simple to use and looks very flashy.

The only problem is that when you take a look under the hood, the app is connected to companies that log, and even further, the company has serious ethical conflicts of interest.

The process of verifying the connection to IPVanish is simple. Sign on to the service, select a location, and then Google “my ip” to see the exit IP address of the VPN server.

You can then look up this IP to see whose network it belongs to with a simple Google search:

They are using Bandcon/HighWinds/StackPath servers.

Ethical concerns:

The primary marketing for the VPNHub service is the connection to the PornHub brand. The VPN is advertised as a way to circumvent blocks on porn or other content. That sounds like a match made in heaven until you realize that the parent company of PornHub (MindGeek) actually designed the porn censorship system that is in place. The company is selling both the lock and the key, and profiting from both, all the while potentially logging and collecting data while you’re on their VPN service through HighWinds/StackPath.

According to the VPNHub privacy policy at the time of this writing:

“We do not track user activities outside of our Applications, nor do we track the browsing activities of users who are logged into our VPN service.

Appatomic does not collect or log any traffic or use of its Applications or Services.”

This claim is interesting, considering they are using servers belonging to a company that is specifically known to log user data, as court cases have shown directly.

If IPVanish can’t be trusted, neither can any other company that is using the same infrastructure. Aiding censorship efforts for profit, while selling the method to circumvent them for profit, is against everything privacy activism stands for.

PureVPN – Logging Incident – October 2017 — 01/07/2018

PureVPN was caught logging user data in October 2017

In October 2017 Ryan Lin was arrested on charges of cyberstalking his former roommate. Ryan had been using PureVPN, a “no-log” VPN service that had apparently turned over logs to authorities.

If we take a look at PureVPN’s privacy policy page from May 2016 (unfortunately it looks like they had a 301 redirect on the site during 2017, which breaks the Wayback Machine), we can see that they boldly claim to be a no-log service and claim “Even we can’t see what you do online.”

This is in direct conflict with the information from the case of Ryan Lin. The privacy policy from 2016 states that PureVPN doesn’t retain any logs and goes to great lengths to talk about how laws in Hong Kong do not require them to retain any data.

When subpoenaed by the FBI, PureVPN had, at a minimum, log-on/log-off times, bandwidth used, and the source IP address of the user.

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,”

You should not trust a VPN service that logs. You definitely should not trust a VPN service that logs and lies about it to their customers.

The current version of the PureVPN Privacy Policy does disclose that they log connection information and bandwidth used, but they claim it is only limited to the name of the internet provider, which “location” (but not specific server) you used, and the day but not the time of day.

But after this huge breach of trust with the community, can we trust any claims about what they are logging now?

Free VPN Hotspot Shield Logs User Data to Sell

Hotspot Shield is a popular free VPN service for bypassing region locks and firewalls around the world.

The very first paragraph on the front page of the site touts privacy and security as the main uses of their product:

“Hotspot Shield VPN acts like an underground tunnel that connects you to your favorite websites. When you connect to a VPN, it turns a public network into a private network using military-grade encryption so hackers, identity thieves, advertisers, governments, ISPs, and others can’t monitor what you’re doing on the internet.”

The site repeatedly claims that they allow you to surf “securely and anonymously” around the web.

Pay special attention to these words!

Here they specifically name protecting you from surveillance and ad networks as one of the primary purposes of the software:

They even go as far as to claim that privacy is a fundamental human right, and that they are defending you:

They also repeatedly throw around the word “anonymously” and focus on how “they don’t log your IP address.” From the marketing on the front page of their site, you would think that installing Hotspot Shield would protect you from ad networks and surveillance, and that they don’t log your information. Let’s take a look at their data collection policies and see how these claims hold up under some scrutiny.

From the AnchorFree (Hotspot Shield’s parent company) privacy policy page:

It is important to understand the entirety of what is being said here. They are extremely careful to repeatedly tell you that they do not store your IP address, nor do they link your device information to you. But the devil is in the details, as it seems that they do collect your IMEI and your “network information.” To an ad network, your IMEI is better than an IP address. It is a unique serial number that is burned into every phone, and it uniquely identifies you no matter what network you are on or where you travel. Your IP address changes frequently; your IMEI never changes. They also don’t define what “network information” they collect, given that they say they do not collect IP addresses. Let’s dig further.

The ad-supported version of Hotspot Shield (the one that everyone uses) shares your “city level” location. Furthermore, the app allows the injection of complex JavaScript-driven ads. This means that tracking cookies and independent data collection are not only possible but probable. And because they inject ads everywhere you go, this is happening continuously as you browse the web on Hotspot Shield.

Furthermore, the “city level” location is an information sharing issue, because in order to do this they have to pull an IP address and give it to one of the third-party services that control IP location information. This means that your IP address is being shared to outside parties to make this technically possible.

So they share your information with third-party online advertisers, which they explicitly said earlier that they do not do. The “city-level location” also reappears (which requires them to share your IP with a third party), and they also say that they can and will sell all of their information to anyone who wishes to acquire their business. They continue to affirm that they have very little personal information to collect on each person, and they go to great lengths to convince you that they are not sharing significant amounts of information about you, despite the fact that they have expensive infrastructure to pay for and the service is free.

Hotspot Shield is not providing a free service out of the kindness of their hearts. It needs to make money while not charging you. They are paying their bills and turning a profit by selling your information.

So let’s take a look at what the Hotspot Shield app actually does while you’re using it.

Here is research conducted by the Center for Democracy and Technology, where experts reverse-engineered components of the app and found that it injects cookies and iframes (JavaScript), runs supercookies (cookies that follow you from site to site), and shares information with 5 third-party ad networks. The app also redirects users who visit certain shopping websites through its own custom servers, which steer users toward buying particular products or replace the website’s ads with its own.

Furthermore, the information that they share with outside parties is not encrypted and can be intercepted by any listening party. So much for “privacy and anonymity.”
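One way to check for this kind of ad injection yourself is to fetch the same page once directly and once through the VPN client, then diff the script and iframe sources. This is an added example, not the CDT’s tooling or anything from Hotspot Shield; the two HTML documents and the `ads.injector.test` host are constructed samples.

```python
"""Spot resources a VPN client injected into a page by diffing the <script>/<iframe>
sources of a direct fetch against a fetch made through the VPN. Anything only in the
VPN copy and pointing off the page's own origin is a candidate injection; an http://
source is also sent in the clear, the unencrypted sharing the CDT complaint describes."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe> that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def embedded_sources(html):
    parser = _SrcCollector()
    parser.feed(html)
    return parser.sources


def injected_resources(baseline_html, vpn_html, page_host):
    """Return resources present only in the VPN copy, flagged third-party and/or plaintext."""
    baseline = set(embedded_sources(baseline_html))
    findings = []
    for tag, src in embedded_sources(vpn_html):
        if (tag, src) in baseline:
            continue  # same resource appears without the VPN, so it was not injected
        url = urlparse(src)
        host = url.hostname or page_host  # a relative URL stays on the page's own origin
        findings.append({"tag": tag, "src": src, "host": host,
                         "third_party": host != page_host,
                         "plaintext": url.scheme == "http"})
    return findings


# Constructed samples: the direct fetch, and the same page as seen through the VPN.
BASELINE_HTML = ('<html><head><script src="/static/app.js"></script></head>'
                 '<body><p>Article body</p></body></html>')
VPN_HTML = ('<html><head><script src="/static/app.js"></script>'
            '<script src="http://ads.injector.test/track.js"></script></head>'
            '<body><p>Article body</p>'
            '<iframe src="http://ads.injector.test/frame?ref=news.example.test"></iframe>'
            '</body></html>')

if __name__ == "__main__":
    for finding in injected_resources(BASELINE_HTML, VPN_HTML, "news.example.test"):
        print(finding)
```

Run the same comparison over several sites; an injector that rewrites every page will show the same off-origin host in every diff.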

The closing paragraph of the CDT’s complaint to the FTC sums up the situation beautifully:

Free VPN VPNBook Has Questionable Ownership and Business Practices

VPNBook is one of the “free” VPN services that has been around for a while. There’s a number of problems with free VPN services, but the main one is profitability. If you are not paying for the service, the organization has to be paying for their servers somehow. This is usually done by injecting ads into your network traffic, selling your network traffic to third parties, or both. Both of these practices are intensely negative for anyone concerned with privacy.

VPNBook claims on their website that their revenue comes entirely from donations and ads on the website. This is where things start to look like they might not be what they seem. It is not a large logical leap to say that someone who is searching Google for “free VPN” is probably not going to donate money to a service, so that revenue stream is likely lacking; and correlating the amount of traffic the site gets against their likely server costs starts to show an accounting picture that just doesn’t add up.

VPNBook’s Alexa ranking places it at roughly the 29000th most-visited site on the entire web.

That is an enormous number of daily users and probably a decent amount of ad revenue from Google Adsense. But, if we consider the amount of bandwidth it would take to run a VPN network capable of serving that many customers, it is 25x-50x the amount of ad revenue that they could possibly be bringing in.

VPNBook is operating servers in seven locations, with customer loads in the thousands of users. Their OpenVPN config files point to both a direct IP address and a domain that resolves to the same IP address, indicating that they are in fact running fourteen individual servers to support their entire VPN network. This explains the speeds, which don’t even support basic low-resolution video or even audio streaming. They’ve cheaped out on the infrastructure to keep costs low.

But even the cost of these fourteen servers (seven PPTP and seven OpenVPN) far exceeds the Google AdSense revenue that the site would bring in. They must have other revenue streams to be operating.
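The server count above comes from reading the `remote` lines in the OpenVPN configs and collapsing a hostname and a bare IP that resolve to the same address into one machine. The following added example automates that count; it is not VPNBook’s material, and the config files, hostnames and documentation-range IPs in it are constructed, with a dictionary standing in for DNS so it runs offline.

```python
"""Count the real servers behind a set of OpenVPN client configs. Every
`remote <host> [port] [proto]` line is an endpoint, but a hostname and a bare IP
that resolve to the same address are one machine, so endpoints are keyed by
resolved IP rather than by the remote string."""
import ipaddress
import re

# Constructed sample configs (documentation-range IPs, .test hostnames).
CONFIGS = {
    "us1-tcp80.ovpn": "client\nproto tcp\nremote us1.vpn.example.test 80\nremote 198.51.100.10 80\n",
    "us1-udp53.ovpn": "client\nproto udp\nremote us1.vpn.example.test 53\n",
    "eu1-tcp443.ovpn": "client\nproto tcp\nremote 203.0.113.7 443\nremote eu1.vpn.example.test 443\n",
}
# Constructed stand-in for DNS so the example runs offline; use socket.gethostbyname in practice.
RESOLVER = {"us1.vpn.example.test": "198.51.100.10", "eu1.vpn.example.test": "203.0.113.7"}

_PROTO = re.compile(r"^[ \t]*proto[ \t]+(\S+)", re.M)
_REMOTE = re.compile(r"^[ \t]*remote[ \t]+(\S+)(?:[ \t]+(\d+))?(?:[ \t]+(\S+))?", re.M)


def resolve(host, resolver=RESOLVER):
    """Literal IPs pass through unchanged; names are looked up in the resolver."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolver[host]  # KeyError for an unknown name is deliberate


def parse_remotes(text, default_proto="udp"):
    """Return (host, port, proto) per remote line, applying OpenVPN's defaults (1194, udp)."""
    match = _PROTO.search(text)
    proto = match.group(1) if match else default_proto
    return [(host, int(port or 1194), line_proto or proto)
            for host, port, line_proto in _REMOTE.findall(text)]


def naive_endpoint_count(configs):
    """What the files appear to advertise: one server per remote line."""
    return sum(len(parse_remotes(text)) for text in configs.values())


def distinct_servers(configs, resolver=RESOLVER):
    """Map resolved IP -> set of (port, proto) it serves; len() is the real machine count."""
    servers = {}
    for text in configs.values():
        for host, port, proto in parse_remotes(text):
            servers.setdefault(resolve(host, resolver), set()).add((port, proto))
    return servers


if __name__ == "__main__":
    print("remote lines:", naive_endpoint_count(CONFIGS), "distinct servers:", len(distinct_servers(CONFIGS)))
```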

Then we have the question of ownership. VPNBook claims to be located in “Zurich Switzerland.” However, they operate no servers there, the site isn’t offered in any common Swiss languages, they don’t own a .ch domain, they don’t list a company name or address, and there is no identifying information for anyone who operates the site. The company, if there even is a legal company, could be located anywhere in the world.

Before Google updated AdWords and AdSense to be more private, a review site dug up some information on the advertising account that VPNBook uses, and it was registered to a “Vannet Technology” in British Columbia.

Let’s take a look at the Vannet Technology address through streetview:

It’s a non-existent address that would lie between a Dollar Tree and a Home Hardware.

That site review was old, so perhaps their address moved? I searched for registered businesses named “Vannet Technology” in British Columbia, and got a single result:

An address in Vancouver, and it’s only a partial name match. Let’s see if this looks like it on StreetView:

I suppose you could have servers in there. Let’s take a look around back:

Nope. It looks like a basic warehouse. No servers or VPN techs here.

The entire venture is questionable. The company claims to be Swiss but has no proof, not even a company name. The only business lead is years old and leads to two dead ends in Canada. Their budget doesn’t add up, and the operators of the service are anonymous and therefore have zero liability toward, and zero incentive for loyalty toward, their users.

Purpose of this Site — 07/06/2018

This is a site for privacy activists to check on the status of their VPN services. Here I will compile information on VPNs that have been caught logging, lying to their customers, or covering up security incidents.

I will do my best to source all information correctly and back up all of the claims made on this site with hard evidence.

You should be able to easily tell which services are protecting you, and which services should never be used.

This site is neutral and managed by the author’s own personal funds. There will be no advertising nor affiliate links on this site. I may set up a donation address in the future to help fund hosting costs and to help compensate me for my time spent doing research if readers think the information is valuable.