VPN Shame

A Compiled List of VPN Services That Have Been Caught Logging, Lying or Hacked

IPVanish Logs While Claiming They Don’t — 08/07/2018

In June 2018, a suspect was arrested on child abuse charges after IPVanish, a self-described “no-logs” VPN provider, turned over logging information to authorities on request. In the actual affidavit (pages 22-23) you can see that Highwinds Network Group, the parent company of IPVanish, was contacted with a request for data (not a warrant) regarding the suspect.

IPVanish then turned over logs that included subscriber information and was able to narrow the search to specific days and activity: destination IP of traffic and timestamps, filtered further by port and protocol at the requester’s direction.

A VPN that is not logging should not have any of this information to turn over.

Furthermore, it looks like Highwinds went above and beyond the scope of the request (which, again, was not a warrant) and provided the source IP of the VPN user.

All of this information is at odds with what IPVanish was advertising on their site on May 3rd of this year. Let’s take a look at their front page with the Wayback Machine: https://web.archive.org/web/20180503002434/https://www.ipvanish.com/

And if we look at their privacy policy page on the same date: https://web.archive.org/web/20180522041725/https://www.ipvanish.com/privacy-policy.php

“IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”

This is literally all that is mentioned about logging. Nothing about retaining IPs, timestamps, services visited, or disclosure policies. Retaining this data is significant because it creates liability: if you hold data and a nation makes a legal demand for it, you are obligated to cooperate. If you have nothing of value to give to enemies of privacy, your customer base is safer.

Their privacy policy was updated on May 30th and again restates that they do not log under any circumstances: https://www.ipvanish.com/privacy-policy.php

IPVanish and HighWinds have already shown that they cannot be trusted. They should not be trusted with anyone’s private information after this incident. There is no reasonable explanation as to why or how this could happen at a company that cares about customer privacy.

To make things even worse, IPVanish leases infrastructure to other VPN services, so this logging incident extends liability to other VPN providers who may not even know what data is being retained by HighWinds. Many other VPN providers are also owned by HighWinds’ parent company, StackPath.

The HighWinds / StackPath related VPN companies include: (Click on the company name for evidence)

Encrypt.me (formerly Cloak VPN)
VPNHub (the new PornHub VPN service)

The Hola VPN Browser Plugin Shares Your Internet Connection with Botnets —

The popular Hola VPN extension is funded by reselling the bandwidth of the people on the network, allowing malicious users to stage attacks from your home IP address.

Further, it contains (or at least contained) serious security vulnerabilities that can compromise the systems of Hola users.

Security firm Vectra writes (source TorrentFreak):

“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”

If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store which allows *any code* to be installed and run with no notification given to the user. That is frightening.

Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.[see update]

“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.

Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.”

Hola has a bad security reputation and sells your bandwidth to the highest bidder.
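The point about the Trusted Publishers store is the one a defender can actually check. The following PowerShell is an added example written for this page; it is not code from the original post, from Vectra, or from TorrentFreak. It assumes a Windows machine with PowerShell 5 or later and an elevated session (needed to read the machine-wide store); the removal command at the end uses a placeholder thumbprint.

```powershell
# Added example (not from the original post): audit the Windows Trusted Publishers
# stores. Anything listed here is allowed to run signed code without a prompt, so
# every entry should be one the administrator deliberately placed there.
# Run in an elevated PowerShell session to see the machine-wide store.

$stores = @('Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher')

$entries = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | ForEach-Object {
        [PSCustomObject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            # A certificate that issued itself is the classic shape of a private,
            # application-installed publisher cert; it deserves a closer look.
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

if (-not $entries) {
    Write-Output 'No Trusted Publisher certificates found; nothing is pre-trusted.'
} else {
    $entries | Sort-Object Store, Subject | Format-Table -AutoSize
    $suspect = $entries | Where-Object { $_.SelfSigned }
    if ($suspect) {
        Write-Warning "Self-signed publisher certificates found: $($suspect.Count). Review each one."
    }
}

# To remove an entry you have confirmed does not belong (the thumbprint below is a
# placeholder, not a real value), run in the same elevated session:
#   Remove-Item -Path "Cert:\LocalMachine\TrustedPublisher\<THUMBPRINT>" -Confirm
```

On a clean workstation both stores are usually empty or hold only certificates an administrator imported for internal software, so any unfamiliar entry, self-signed or not, is worth tracing back to the program that added it before deciding whether to remove it.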

Even worse, Hola logs pretty heavily, according to their own privacy policy:

And if you sign up with a social media account, they harvest everything that is public as well:

So to sum up Hola VPN: Botnets, Selling Your Bandwidth, Security Vulnerabilities, Data Harvesting for “Analytics.”

HideMyAss VPN – Logging Incident – 2011 —

HideMyAss VPN was caught logging in 2011

In 2011 Cody Kretsinger, aka “recursion” from the hacker group LulzSec, was arrested after HideMyAss gave up connection logs on the user. Here is what HideMyAss had on their front page in 2010, prior to handing over user information to authorities: https://web.archive.org/web/20100709225352/http://www.hidemyass.com/

It repeatedly mentions anonymity and privacy, but has no mention of logs anywhere on the site.

Interestingly, HideMyAss continues to this day to claim that they are a private service, that they provide “anonymity” and will “make you damn near untraceable,” despite hard evidence to the contrary. This quote is taken directly from the front page of the site at the time of writing:

“We’ll make you damn near untraceable so that nobody can track what you do — even your internet provider. Meaning you can browse privately. Easy.”

They even go as far as to use a character that looks like Guy Fawkes to toy with the idea that their service is private. It’s an interesting choice considering that LulzSec was at one point working with Anonymous, whose symbol is the infamous Guy Fawkes mask. Remember, remember that HideMyAss logs all throughout November.

Every piece of information retained by a VPN provider is a privacy flaw. Use a VPN provider that respects your privacy and minimizes the retention of your data. HideMyAss tried to defend its policies throughout what it called the “lulzsec fiasco” by saying that the users “should not have committed crimes.” The problem with this line of thinking is that it sweeps aside the fundamental problem with privacy services that keep logs: who gets to decide what a crime is? In this case, a person committed what a reasonable person would call a crime. However, in some Muslim nations being a homosexual is a crime.

Logging user data puts a VPN provider in a legal position where they have to decide which demands for data they will honor and which they can reject. If the government of the UK passed a law tomorrow forcing all connection logs to be handed over to authorities, a provider that logs would be compelled to give up data on all of their users’ activity. A no-log service has nothing to hand over and no obligation to any outside forces. There’s nothing to give up.

If you dig around on their site today, buried under the privacy and legal pages you’ll find their logging policy, which is unchanged from 2011. I guess it is better that they disclose it now; there was no mention of it on the 2010 page.

Purpose of this Site — 07/06/2018

This is a site for privacy activists to check on the status of their VPN services. Here I will compile information on VPNs that have been caught logging, lying to their customers, or covering up security incidents.

I will do my best to source all information correctly and back up all of the claims made on this site with hard evidence.

You should be able to easily tell which services are protecting you, and which services should never be used.

This site is neutral and managed by the author’s own personal funds. There will be no advertising nor affiliate links on this site. I may set up a donation address in the future to help fund hosting costs and to help compensate me for my time spent doing research if readers think the information is valuable.