VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

NameCheap VPN is Wrapped Up in IPVanish Logging Scandal — 17/12/2018

NameCheap, the domain name registrar, has recently started a VPN service. It is a full-fledged effort to enter the space, with strange unicorns and all.

It has the usual marketing claims of being private, fast and secure, but one thing caught my attention immediately. They have a large network of “40 locations and 1000+ servers.” Rolling out that kind of infrastructure takes a while. Not only do you have to design and implement your VPN services, but you have to work with and vet 40 different datacenters. Unless of course you don’t do any of that and just resell someone else’s VPN service…

Now, before we go deeper, I like NameCheap as a brand. They do a lot of privacy activism work that is admirable including working with the EFF, fighting for Net Neutrality, fighting to keep domain registrations private, etc.

NameCheap has partnered with IPVanish, who develops their apps and provides the network. They share the same servers and use the exact same technology. This means that if a person gets a NameCheap VPN subscription, they are really getting IPVanish and that’s a problem. IPVanish was caught logging their information after claiming that it was a no log service. After a violation of trust this large, no company should be working with them, especially if they take privacy and security seriously.

Because we are all about proof, let’s do some digging:

A Reddit user noticed some curious similarities between the IPVanish and NameCheap VPN website, showing that they both refer back to the same parent website.

This lengthens the list of IPVanish connected brands to VPNHub (PornHub VPN), Overplay.net, Unblock.us, Encrypt.me, and StrongVPN.

You should not, ever, trust brands that have outed (and lied to) their users before.

StrongVPN is Wrapped Up in the IPVanish Logging Scandal — 07/08/2018

When looking at the IPVanish logging situation and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the line of company acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath. When any of these names pops up, we know that the VPN service is using StackPath/HighWinds infrastructure and could be, wittingly or unwittingly, logging all of its users.

When looking at IPs and domains that are owned by StrongVPN, the name ReliableHosting comes up everywhere. Even their customer support emails come from a @reliablehosting.com domain.

Here’s an example:

If we look up IP ranges that are assigned to StrongVPN, a lot of them are directly using StackPath infrastructure:

Exhibit A:

Exhibit B:

Exhibit C:

We can also see that StackPath is one of their primary peers for network connectivity here:

One might think that this link between StrongVPN and StackPath isn’t very strong. But a simple Google search turns up a number of employees who work for StackPath and ReliableHosting, or for StackPath and StrongVPN.

Either StrongVPN is owned by StackPath outright, or the companies are so close that they share a significant number of employees. StrongVPN, like IPVanish, claims that they do not log any user information.

Now that it has been proven that IPVanish logs, we should not trust any StackPath company, any company that shares employees with StackPath, nor any company that is using StackPath infrastructure, as it could be knowingly or unknowingly logging its users and violating their privacy.

ExpressVPN Had Their Servers Seized – They Contained No Logs

ExpressVPN had one of their servers seized in Turkey by authorities who were investigating the assassination of an official in Ankara.

According to the Turkish authorities, some information about a police officer (their Gmail and Facebook) was deleted remotely by someone using the ExpressVPN service. The server that they had seized contained no logs and did not help with the investigation.

This is one of the rare cases where we get to see if a VPN is telling the truth when they assert that they do not keep any logs.

While it is unfortunate when a VPN acts as a roadblock to a genuine investigation, we also have to consider the enormous benefit that the public has by not allowing unfettered access to all of our internet traffic.

The threat of parties using our information for reasons outside of our own interests is far greater than the downside of authorities needing to conduct investigations with more traditional police-work. It is absolutely crucial that no-log services like these remain vigilant about protecting our privacy.

In a statement, ExpressVPN commented:

“While it’s unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install “backdoors” or attempts by governments to otherwise undermine such technologies.”

VPNHub is Tangled in the IPVanish and HighWinds Logging Scandal — 09/07/2018

PornHub’s new business venture, VPNHub, is caught up in the IPVanish logging scandal, and its parent company helps build the very censorship systems that VPNHub is trying to sell you a way around!

When looking at the IPVanish situation and working out which companies are caught up in this anti-privacy scandal, we need to look for specific company names: IPVanish, its parent company StackPath, and the line of company acquisitions that led to StackPath. IPVanish was owned by a parent company, HighWinds, which also acquired BandCon, a company with hosting and routing resources. Recently, all of these companies were acquired by StackPath.

So we have BandCon = IPVanish = HighWinds = StackPath.

VPNHub launched their new service a couple of months ago, and there’s a shiny looking app that seems simple to use and looks very flashy.

The only problem is that when you take a look under the hood, the app is connected to companies that log, and even further, the company has serious ethical conflicts of interest.

The process of verifying the connection to IPVanish is simple. You sign on to the service, select a location, and then Google “my ip” to see the exit IP address that the VPN server is using.

You can then look up this IP to see whose network it belongs to with a simple Google search:

They are using Bandcon/HighWinds/StackPath servers.
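Here is the same ownership check scripted, as an added example that is not part of the original post: it pulls the registration names out of an RDAP record for an exit IP and flags any that match the IPVanish/HighWinds/StackPath-related names discussed above. The fetch_rdap helper assumes the public rdap.org redirector and needs network access; the parsing and matching run offline on the constructed sample records.

```python
"""Flag a VPN exit IP whose RDAP registration names an IPVanish-related company."""
import json
from urllib.request import urlopen

# Infrastructure names the page ties to the IPVanish/HighWinds/StackPath group.
WATCHLIST = ("bandcon", "highwinds", "stackpath", "ipvanish", "reliablehosting")


def extract_rdap_names(rdap):
    """Collect the network name/handle plus the 'fn' (full name) and handle of
    every linked entity (registrant, abuse contact, ...), recursively."""
    names = [str(rdap[k]) for k in ("name", "handle") if rdap.get(k)]
    for ent in rdap.get("entities", []):
        if ent.get("handle"):
            names.append(str(ent["handle"]))
        vcard = ent.get("vcardArray") or []
        for prop in (vcard[1] if len(vcard) > 1 else []):
            if prop and prop[0] == "fn":
                names.append(str(prop[3]))
        names.extend(extract_rdap_names({"entities": ent.get("entities", [])}))
    return names


def watchlist_hits(rdap, watchlist=WATCHLIST):
    """Return the sorted watchlist terms found in any registration name
    (case-insensitive, spaces ignored so 'Reliable Hosting' still matches)."""
    blob = " ".join(extract_rdap_names(rdap)).lower().replace(" ", "")
    return sorted(w for w in watchlist if w in blob)


def fetch_rdap(ip):
    """Look up an IP via the public rdap.org redirector (network access required;
    assumed here, not part of the original post)."""
    with urlopen(f"https://rdap.org/ip/{ip}", timeout=10) as resp:
        return json.load(resp)


# Constructed RDAP-shaped records (not real registrations) for an offline run.
SAMPLE_HIT = {
    "handle": "NET-EXAMPLE-VPN-EXIT", "name": "EXAMPLE-VPN-EXIT-NET",
    "entities": [{"handle": "EXAMPLE-ORG", "roles": ["registrant"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Highwinds Network Group"]]]}],
}
SAMPLE_CLEAN = {
    "handle": "NET-EXAMPLE-OTHER", "name": "EXAMPLE-OTHER-NET",
    "entities": [{"handle": "EXAMPLE-ORG-2", "roles": ["registrant"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Hosting Co"]]]}],
}

if __name__ == "__main__":
    for label, rec in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN)):
        print(label, watchlist_hits(rec) or "no watchlist match")
```

To check a live exit address, replace the samples with `watchlist_hits(fetch_rdap("<exit ip>"))`; a match only tells you who the range is registered to, so confirm with the peering and employee evidence the posts above rely on.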

Ethical concerns:

The primary marketing for the VPNHub service is the connection to the PornHub brand. The VPN is advertised as a way to circumvent blocks on porn or other content. That sounds like a match made in heaven until you realize that the parent company of PornHub (MindGeek) actually designed the porn censorship system that is in place. The company is selling both the lock and the key, and profiting from both, all the while potentially logging and collecting data while you’re on their VPN service through HighWinds/StackPath.

According to the VPNHub privacy policy at the time of this writing:

“We do not track user activities outside of our Applications, nor do we track the browsing activities of users who are logged into our VPN service.

Appatomic does not collect or log any traffic or use of its Applications or Services.”

This claim is interesting, considering they are using the servers of a company that is specifically known to log user data, with court documents showing this activity directly.

If IPVanish can’t be trusted, neither can any other company that is using the same infrastructure. Aiding censorship efforts for profit while selling the means to circumvent them for profit is against everything privacy activism stands for.

IPVanish Logs While Claiming They Don’t — 08/07/2018

In June 2018, a suspect was arrested on child abuse charges after IPVanish, a “no-logs” VPN provider, turned over logging information to authorities on request. In the actual affidavit (pages 22-23) you can see that Highwinds Network Group, the parent company of IPVanish, was contacted with a request for data (not a warrant) regarding the suspect.

IPVanish then turned over logs that included subscriber information, and was able to narrow the search to specific days and activity: destination IPs of traffic and timestamps, and it could further narrow the data by port and protocol.

A VPN that is not logging should not have any of this information to turn over.

Furthermore, it looks like Highwinds went above and beyond the scope of the request (which, again, was not a warrant) and provided the source IP of the VPN user.

All of this information is at odds with what IPVanish was advertising on their site on May 3rd of this year. Let’s take a look at their front page with the Wayback Machine: https://web.archive.org/web/20180503002434/https://www.ipvanish.com/

And if we look at their privacy policy page on the same date: https://web.archive.org/web/20180522041725/https://www.ipvanish.com/privacy-policy.php

“IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”

This is literally all that is mentioned about logging. Nothing about retaining IPs, timestamps, services visited, or disclosure policies. Retaining this data is significant because it creates liability. If you have data to turn over to a nation with a legal demand, you are obligated to cooperate. If you have nothing of value to give to enemies of privacy, then your customer base is safer.

Their privacy policy was updated on May 30th, which again restates that they do not log under any circumstances. https://www.ipvanish.com/privacy-policy.php

IPVanish and HighWinds have already shown that they cannot be trusted. They should not be trusted with anyone’s private information after this incident. There is no reasonable explanation as to why or how this could happen at a company that cares about customer privacy.

To make things even worse, IPVanish leases infrastructure to other VPN services, so this logging incident extends liability to other VPN providers who may not even know what data is being retained by HighWinds, and many other VPN providers are owned by HighWinds’ parent company, StackPath.

The HighWinds / StackPath related VPN companies include:

Encrypt.me (formerly Cloak VPN)
VPNHub (the new PornHub VPN service)

The Hola VPN Browser Plugin Shares Your Internet Connection with Botnets — 01/07/2018

The popular Hola VPN extension is funded by reselling the bandwidth of the people on the network, allowing malicious users to stage attacks from your home IP address.

Further, it contains (or contained) serious security vulnerabilities that can compromise the systems of Hola users.

Security firm Vectra writes (source TorrentFreak):

“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”

If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store which allows *any code* to be installed and run with no notification given to the user. That is frightening.

Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.[see update]

“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.

Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.”

Hola has a bad security reputation and sells your bandwidth to the highest bidder.

Even worse, Hola logs heavily, according to their own privacy policy:

And if you sign up with a social media account, they harvest everything that is public as well:

So to sum up Hola VPN: Botnets, Selling Your Bandwidth, Security Vulnerabilities, Data Harvesting for “Analytics.”

PureVPN – Logging Incident – October 2017

PureVPN was caught logging user data in October 2017

In October 2017, Ryan Lin was arrested on charges of cyberstalking his former roommate. Lin had been using PureVPN, a “no-log” VPN service that had apparently turned over logs to authorities.

If we take a look at PureVPN’s privacy policy page from May 2016 (unfortunately it looks like they had a 301 redirect on the site during 2017, which breaks the Wayback Machine), we can see that they boldly claim to be a no-log service and claim “Even we can’t see what you do online.”

This is in direct conflict with the information from the case of Ryan Lin. The privacy policy from 2016 states that PureVPN doesn’t retain any logs and goes to great lengths to talk about how laws in Hong Kong do not require them to retain any data.

When subpoenaed by the FBI, PureVPN had, at a minimum, log-on/log-off times, bandwidth used, and the source IP of the user.

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,”

You should not trust a VPN service that logs. You definitely should not trust a VPN service that logs and lies about it to their customers.

The current version of the PureVPN Privacy Policy does disclose that they log connection information and bandwidth used, but they claim it is only limited to the name of the internet provider, which “location” (but not specific server) you used, and the day but not the time of day.

But after this huge breach of trust with the community, can we trust any claims about what they are logging now?