This is a transcript of an oral interview I did with the guys at IPVanish. I have edited it for readability, but have aimed to maintain the conversational tone of our chat.
Hi guys, thank you for agreeing to chat with me. Can you please introduce yourselves and explain what you do at IPVanish?
Jeremy: Sure, I’m Jeremy Palmer, Vice President of Product and Marketing. I joined the company almost three years ago. I started out in the Marketing department helping IPVanish grow our affiliate channel. More recently, in the last few months, I have moved into a product focused role, too, helping shape the product direction of IPVanish.
Josh: I’m Josh Tway, Chief VPN Architect. I’ve been with the company for almost eight years now. I’ve worn many hats over the years, and have been transitioning more into product iteration role for IPVanish. I should add that I developed the first couple of versions of both our Mac and iOS apps for IPVanish.
Can you tell me a little about IPVanish as a company – how, when and why it was formed?
Jeremy: The origins of IPVanish really go back to 2001-2002. It started with a company called Highwinds Network Group, which started out in the Usenet industry. It owned many of the large brands in the Usenet category, including Usenet Server and News Hosting and others.
In 2008 Highwinds Network Group leveraged their infrastructure they were using for Usenet to launch a Content Delivery Network (CDN). Back in 2012, we decided to leverage our network infrastructure (again) to launch a world-class VPN service.
That’s when Josh and some other people from our engineering team got together and formed the first product concept for IPVanish. So it goes back to 2012. Josh - maybe you can take over and talk about the early days of IPVanish and where we are today?
Josh: We launched with a Windows app initially, and then not long after I was asked to develop the Mac app.
Initially, we only supported L2TP, PPTP, and limited OpenVPN. It’s fun to see much we have grown. Fast forward a couple of years and the work we can do with different OSs has really grown, and the countries we support has grown, and what we offer has grown.
It’s been amazing to see and has been a long ride. The focus of security in the industry has grown, as has the need to ensure our customers are safe. We now support IKEv2, OpenVPN, OpenVPN Scramble. We still support PPTP for legacy customers
Jeremy: One thing I will say about PPTP is that we do technically support it for customers who prefer it (for certain use-cases). But we certainly don’t advertise it, and we don't recommend it to any of our customers. We obviously try to get them on a more secure and up-to-date protocol.
Josh: Yes, it’s only there because some customers still want to use it. But it has been interesting changing to a larger customer base.
Jeremy: I think we are up to a 1000+ servers now in 60+ countries, and I’m not even sure about the total number of locations as that changes from week to week! So yeah, we have experienced massive growth over the last few years and it’s been a fun ride!
What do you think IPVanish offers that sets it apart from other VPN services?
Jeremy: I think the number one differentiator between us and the other networks out there is that we own and operate 90% of our network. We have our own points of presence (POPs) where we control the rack and stack (the complete configuration). This allows us to optimize speeds, optimize privacy and security.
I know you guys (ProPrivacy.com) have recently launched a new speed test which consistently rates us in the top three, and often the top one on various tests. So I think that speed, privacy, and the security of operating our own network is what really sets us apart.
There is a technical reason I say we own our 90% of our network instead of 100%, and that is so we can offer particular locations to our customer base. For example, it wouldn’t be very prudent of us to open a data center or POP in Albania.
But there are other providers where we can lease hardware from for our infrastructure. That would be where the other 10% of our network traffic is, and where it is controlled.
Josh: We definitely prefer doing our own network, our own data centers, and our own servers wherever humanly possible. But as Jeremy said, it is not always technically possible to be in a place. But customers demand it, so we provide what they need.
I’m not the only one who has been with IPVanish since very early on. There is a tight-knit group of us that is really dedicated on what we do and what we provide. I think that’s what sets us apart is we actually really care about what we do.
So just to clarify: when you say you own your own network, do you mean that you own your own VPN servers?
Jeremy: Yes, and we have a large backbone that we leverage too – the actual fiber network.
I wasn’t fully aware of that. I know VyprVPN has something similar.
Josh: Having a history with Highwinds Network Group comes in handy. We spent years growing our fiber network and we like to use that when we can! It’s something that sets us apart, because a lot of our competitors use virtual servers or lease physical servers, and many of them do not have an internet backbone to call their own.
That is impressive! You mentioned IKEv2 that you are deploying. Could you tell me a little more about it?
Josh: That was a fun one when it was announced at WWDC 2014. Apple was going to support native VPN connections in iOS. I happened to be there, and so learned early on what was happening. So myself and one of our internet directors, sys-engineer Zeph Gillen spent a couple of months that summer really battling down and figuring out the inner workings of IKEv2.
As far as I am concerned, IKEv2 is not a mature technology in the same that OpenVPN is. It has not been tested against the NSA in the same way. What are your thoughts this?
Josh: It is a growing technology, and there are a lot of RFCs and community-wide peer-reviews for the underlying protocol. Apple itself is putting it forward as number one for encapsulating the entire TCP layer – just to bust firewalls when UDP is blocked sort of thing.
OpenVPN is based on however people want to do it, whereas IKEv2 is a well-defined protocol that has a standards backed back-end. That’s really great because anyone can implement software to do the protocol itself.
So while it is growing in adoption, people are still figuring out how to configure it. I think software like strongSwan is having to learn that maybe they didn’t have some things right at scale. But it’s definitely a mature protocol – the protocol itself is rock-solid.
Jeremy: I think in our testing we found it to be more performant than OpenVPN.
Josh: Yeah, it blows OpenVPN out of the water in most cases. And there are things you can do with it (I don’t want to say too much as I don’t want to give all our secrets to competitors!) that can really increase the efficiency. Some things are obvious, such as instructions to improve encryption, but there are other things we are looking to do to really speed it up.
The underlying basis of IKEv2 is IPsec, which has been used as a standard for a very long time. Internet Key Exchange 2 (IKEv2) still on top on the IPSec stack.
Yes, I understand that it is popular with VPNs at the moment thanks to increased performance benefits, but was wondering more how it compares with OpenVPN on the security front?
Josh: For security, IKEv2 is definitely my protocol of choice, and I trust it more than I trust a lot of things protocol-wise. Definitely more than PPTP! Definitely more than L2TP. And I’ll go as far as saying that on most systems if I had a choice between OpenVPN and IKEv2, I would go with IKEv2 every day.
Jeremy: OpenVPN can be helpful is in circumstances where IKEv2 is blocked - OpenVPN going over standard SSL ports (TCP port 443) can get you around that. That is why we offer both protocols on every client.
But we do, of course, tend to go with the one which is more performant. A lot of our customers really want the VPN to act like a regular internet connection – they don’t want to be slowed down at all. We have found that IKEv2 gets them closer to that than OpenVPN.
I think that is fair enough. Thanks for the insight! So what do you think is the most important thing that VPN users really need to understand?
Josh: When you are not on a VPN all your traffic is going in the clear. A lot of people say, “But I am using HTTPS, so it doesn’t really matter.” But that is not the case.
Malicious DNS providers can mean that you are using a different website from the one you are supposed to, and some very skillful man-in-the-middle attacks can cost you. The clearest one, though, is that your ISP is still logging every single lookup you do for every hosting. When you use a VPN this is not happening – you are much more guaranteed privacy over using your ISP.
And when you are using a hotspot, anybody can snoop on that traffic. So you need to protect yourself, and you can be doing HTTPS wrong all day. Not every website does HTTPS, and many do not do it as well as you might think. A VPN helps protect your internet transfer.
So do you think there are pitfalls that VPN users need to be aware of?
Jeremy: A VPN is definitely part of your privacy and security stack, but it’s not complete. It is important to use things like an ad-blocker and to understand what a VPN can and cannot do for you in terms of maintaining your privacy.
A VPN is a critical piece of that, and in some cases the most important piece, but it is not complete. I think people really need to understand that 100% anonymity is not possible, but you can get pretty close if you use the right tools that are configured in the correct way.
Unfortunately, I think people sometimes feel invincible, and they need to understand that you are as strong as your weakest link. This could be a backdoor in your software or some other weakness that you haven’t thought about in terms of your privacy hygiene.
I think it is important to educate yourself in privacy matters, and to understand the role of a VPN so that you can your can do your best to remain private and secure online.
Josh: A good example of that pitfall came up during an internal conversation yesterday. Other VPN providers out there will not jive very well with having other VPNs on your system. At the end of the day, a VPN encrypts your traffic – it cannot protect you against another program vying for attention that is sending your DNS requests to somewhere else.
Jeremy: And if you are logged into Facebook while on a VPN it’s pretty clear who you are! It will also follow you around. So I think best practice is in terms of using Incognito windows and ad-blockers. In combination with a VPN, this will get you 95% of the way there.
Oh, and beware the GPS chip on your mobile device. If you say “yes, I’ll allow access to my location,” then a VPN is not going to protect you.
I think that partly answers my next question, but I’ll ask it anyway: I always think of a VPN as being a vital tool in my online privacy and security toolbox. What other tools would you recommend VPN users have in theirs?
Josh: Password managers for one. As I say, you are only as secure as your weakest link, and people use very insecure passwords and the same passwords over and over again. This is very bad if multiple sites have your passwords and one of them is breached.
So password managers are important, as we need to use more secure passwords and not the same ones. Also using modern ad-blockers, and just being observant. Keep an eye out for anything that looks fishy.
Jeremy: I have been using the Brave browser and Firefox Focus (see 5 Most Secure Browsers) quite a bit for my personal browsing. And I recommend using Incognito mode in any browser.
I prefer Firefox in incognito mode for everyday use, but have been experimenting with Brave Browser, which prevents tracking by default. I think having a good browser and good settings on your browser goes a long way.
For email I use ProtonMail for what I consider my private emails. We have our own corporate email too, of course, but I think for end-to-end encrypted email ProtonMail is pretty good.
And Signal, of course, which I know you have written extensively about on your website.
Josh: Yes, I think Signal is fantastic personally. Also beware of search engines. Google gives great results, but you are going to get tracked. So maybe use DuckDuckGo instead.
Cool. So… IPVanish is a US-based service. We know that the NSA and its ilk are on a mission to spy on everything and everyone, regardless of whether they are US citizens or not. What do you think the implications of this are for a VPN service such as yours?
Jeremy: I think the most important thing to understand is that the NSA works in collaboration with countries all over the world. So its reach goes much beyond the borders of the USA. You need to be aware that your software and hardware – the core architecture of your box – could be comprised or breached at any time.
This doesn’t just go for the NSA – there are also hackers who might be able to access that data. So we have designed our architecture in such a way that if a box were to be comprised, there are no records or anything else that can compromise our users’ privacy kept on it.
I think with the NSA there is more transparency about what is going on with the US government than could be going on in other countries. Just because the NSA has been in the news doesn’t mean that every other country doesn’t have a government organization doing something very similar.
And they may have less due process and steps they need to go through to gather information. The NSA thing is perhaps more bad marketing for the US, although it has been overreaching and not very respectful of privacy.
But at the same time, it is driving people to our product. This is a good thing because it shows that people really do care about their privacy and are going to extra lengths to protect it.
Josh: We try stay ahead of the game. Part of the job is thinking about how we can deal with any threat moving forwards.
Jeremy: As soon as bits and bytes start to travel over borders, the NSA uses whoever methods and means they have to try to infiltrate it. So I think being outside the US gives a false sense of security. If you are in Ireland you may think that Ireland protects privacy and so you can do things without getting tracked…. I think that is naive.
Josh: That was the whole point of PRISM, where we had actual prisms splitting the traffic on fiber optic cables at AT&T here in New York. They were just cleaning it all up. Some people would say that “I don’t use AT&T, so no problem,” or ”I am overseas, so no problem,” but the truth is your data went through that switch and was being duplicated. So they have false sense of security.
At the end of the day we protect users as best we can, but nothing is perfect. A VPN helps, but be careful and protect yourselves.
In the United States the FCC has killed off net neutrality and allowed ISPs sell their customers’ data to advertising partners. My guess is that ISPs will take a very slowly-slowly approach to taking advantage of these changes in order to avoid public outrage. When they do, though, VPNs will become an almost essential tool for preserving privacy and preventing traffic discrimination.
Do you think America will see a boom in VPN use? And if so, how do you think ISPs will react?
Jeremy: Everyone in our company cares about internet freedom. We tried to lobby, we tried to be activists and work with our local and national communities, to stop this stuff from ever happening. All this stuff has helped our business, but it is wasn’t what we were looking for.
We would rather have an industry and business where people don’t need us for getting around ISP blocks or prevent ISPs from spying on them. But unfortunately, that is the way it is. And it has driven people to our business in record numbers over the last 18 months. We have seen a sharp increase in customers because of ISP spying and the net neutrality issue.
Do you think there might be a backlash against VPNs by ISPs because of this? Now that there are no net neutrality laws, for example, ISPs could just block or throttle all VPN traffic.
Jeremy: You bring up an interesting point. I find that some public WiFi networks use something like OpenDNS, which blocks IPVanish and a bunch of other VPNs. So it’s not inconceivable that if ISPs think they are losing a share of traffic to VPNs, that they could theoretically block access to us.
We have been coming up with plans to circumvent that scenario to an extent. But it is a cold reality that ISPs are the first POP (point of presence) to the internet, and if they were to throttle us that would be detrimental to our business.
We are certainly working on ways to ensure our services are available to those who need them.
Josh: There are ways to try to ensure that our connections are even better, to allow the millions of our users to continue using our service even if ISPs started to throttle us.
Jeremy: To be really honest, though, I think this is an apocalyptic kind of idea. I don’t think it’s a likely scenario. There would be multiple lawsuits and a lot of due process before something like this could actually start affecting our ability to do business.
While I think there is a remote chance something like that could happen, I don’t think it is a primary concern for the business right now.
Josh: I think the more likely immediate concern is ISPs selling customers’ data, and a VPN will protect against that.
Jeremy: There has also been some strong pushback from both sides of Congress to try to overturn the recent repeal of net neutrality protections.
Josh: We are just a single vote away from doing that.
Jeremy: We are talking about months or even years before some of these things start to take place, so I am optimistic long-term. I think at the end of the day it will be less of a concern.
Josh: Some States have taken a stance against it, trying to re-enforce net neutrality by saying to ISPs that if they want government State contracts, ISPs must not throttle users and stuff like that. California and New York for example.
What are your views on the global state of online privacy? Is it all doom and gloom, or do you see some positive trends?
Jeremy: I’m starting to see some positive trends in Europe. I don’t necessarily think GDPR is a good thing, but I think what it represents is a recognition by both people and government that an internet user’s privacy is important, and we need measures to protect it.
They may be going about in the wrong way, but I think just the recognition that things have gone too far with Facebook and Google, and that information remains online forever, is important.
I think it is generally a good thing that they are taking steps to improve users’ privacy, even if some of those good intentions are not very well focused. So I’m optimistic long term, especially in some Western regions.
There is much more to be worried about when it comes to repressive regimes, such as many of those in the Middle East, or China. I think improvement there is going to be a slow process that may take decades (rather than years) to really unwind itself.
But I do feel long-term steps will be taken, mainly by citizens, to protect users’ privacy.
Josh: I think just the growth of the VPN industry as a whole really does shows that people are not oblivious. If you start to take away their freedoms or start spying on them, they say “I don’t like that,” and “I don’t want to be blocked.” People like their internet freedom.
I think people are more aware about what is going on, and that exposure to some of the pitfalls can lead to things being better in the long run. That makes me very optimistic.
What are your key focuses as a business and where do you see IPVanish in the next 3-years?
Jeremy: Making privacy a complete picture, and VPN being one of those tools, is where we could start this next conversation. There are many things you can do through the browser, such as ad-blocking, browser behavior and browser configuration, that can help make users more private and secure.
What IPVanish is trying to do, strategically, is to become more of a full-circle privacy company. We are looking at solutions and technologies that will protect users from every potential attack vector. A VPN is one of the more obvious (and) critical aspects, but there are other ways peoples’ privacy can be exposed.
To that end, the product we are working to develop this year and over the next two years will hopefully provide more 360 degree protection.
Josh: We are also investigating how to provide the best encryption for our customers while also offering the best speeds possible. It’s not just the user’s device, it’s also the processing at the server end. We are always looking for avenues to improve this situation with different encryption protocols and generally improving the stack of what we do.
Jeremy: The end goal is for the VPN to operate in the background so you don’t even know it’s there – your computer is just as fast, but you have the added benefits of privacy and security. That’s what we are moving towards every day.
Josh: Some users enjoy tuning this and that setting, but a lot of users just want to improve their privacy and security. They don’t know much about how a VPN works, and don’t care. They just want it work! So we are trying to lower user interaction to improve that.
If each of you were granted one wish, what would it be and why?
Josh: Off the top of my head, I would like more ability to absorb knowledge and have more hours in the day to do so. The reason for this is hope – knowledge is good and makes everything better for everybody.
Jeremy: I would like my kids to grow up in a world that is better than the world I grew up in. I know that is very general, but I do have three kids and it can be a very scary world out there.
Thank you for taking the time to talk with me. I thought that was a great interview! Is there anything else you like to add?
Jeremy: I just want to say that we appreciate the opportunity to talk to you. We are big fans of ProPrivacy.com. It was one of the first sites we stumbled upon when we first entered this industry, and you guys have been big champions of privacy and security.
I think you guys have taken great care (especially recently) to eliminate some biases that have been finding their way onto other web sites. For example, your new sped tests show how they work and show the results in an unbiased way.
I think that has been a really positive thing for the industry, and hope that other websites move in the same direction.
Josh: I have been liking the latest privacy and internet freedom news on there, which it have gone to myself over the last few month. It does seem to provide a more unbiased and objective viewpoint.
Thank you, those are very kind words! And thank you again for the interview.