IPVanish is a well-regarded US-based VPN company that has always claimed to have a strict no logs policy. It seems this was a lie.
It should be noted that the logs relate to an incident that occurred in June 2016, and IPVanish has since been acquired by a company that insists no logs are kept on its watch. It is nevertheless a very murky story…
The no logs claim
Using the Internet Archive Wayback Machine, we can clearly see that both before and after the incident, IPVanish claimed to keep no logs at all:
“IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”
This is what the IPVanish homepage looked like in June 2016 when the incident occurred.
The incident
On 4 May 2016 a US Department of Homeland Security investigator was chatting undercover to a suspect who posted some links to child pornography. The special agent traced the IP address used by the suspect back to Highwinds Network Group, a CDN company which started out in the Usenet industry and which owned IPVanish at the time.
Upon receiving a non-legally binding summons, Highwinds confirmed that the IP address belonged to it, but said that it was unable to assist with the investigation because:
“To protect customer data, we do not log any usage information. Therefore, we do not have any information regarding the referenced IP.”
So far so good. Which makes the next part of the court affidavit used for the subsequent trial particularly bizarre!
“Highwinds Network Group suggested the HSI submit second summons requesting subscriber information more detailed in nature.”
Homeland Security Investigations (HSI) duly did this and was rewarded with a set of detailed connection logs that clearly identified the suspect.
It's evident that IPVanish were keeping logs although they claimed to have a “zero logs” policy. The situation is worsened by the fact that it seems Highwinds freely cooperated with HSI in handing them over.
A matter of trust
Mr. Gevirtz is a truly despicable human being and we are glad that he was caught. Many people, however, use VPNs to provide privacy for entirely legitimate reasons, and these people need to be able to trust the privacy claims made by their VPN provider. The most important of these claims is keeping no logs.
IPVanish is now owned by a different company
The entire issue is complicated by the fact that Highwinds (and therefore IPVanish) was acquired by StackPath in February 2017. Responding to a Reddit discussion on the issue, StackPath CEO Lance Crosby posted the following:
“IPVanish has always marketed itself as a ‘no logging’ VPN. At the time of the acquisition 2/6/17, the StackPath team and a third party performed due diligence on the platform. No logs existed, no logging systems existed and no previous/current/future intent to save logs existed. The same is true today. We can only surmise, this was a one time directed order from authorities. We cannot find any history of logging at any level.”
This statement was backed up by Jeremy Palmer, IPVanish’s Vice President of Product & Marketing:
“IPVanish does not, has not, and will not log or store logs of our users as a StackPath company. I can’t speak to what happened on someone else’s watch, and that management team is long gone. But know this – in addition to not logging, StackPath will defend the privacy of our users, regardless of who demands otherwise.”
The problem is that, although now owned by a different company, we know that many of the senior IPVanish staff have been with the company for years. Indeed, Jeremy Palmer recently told us himself that he has been with the company since around 2015, and Chief VPN Architect Josh Tway has been with the company since its inception.
The United States of surveillance
Back in 2013, NSA whistleblower Edward Snowden exposed the staggering scope and ambition of the United States’ mass surveillance program. It truly is a case of “collect it all,” and despite much digital ink being spilled on the issue, nothing in real terms has changed since.
America has no mandatory data retention laws, but in a world where even small US privacy tech companies have been strong-armed into handing over their customers’ encryption keys, it has always seemed inconceivable to us that high-profile VPN companies can possibly have evaded becoming compromised by the US government.
As a matter of pure speculation, something of this kind may well have happened with IPVanish. But then, US-based Private Internet Access (PIA) is one of the very few VPN companies anywhere to have proved its no-logs claims in front of a court of law – not just once, but twice!
So can I trust IPVanish now?
Who knows? IPVanish isn't the first VPN provider to find itself in this situation. PureVPN and HMA have both been found to have aided investigations by handing over logs. Until there is some way to independently audit providers’ no logs claims, the only way to know for sure if a VPN service is honest about its logging policy is when it proves those claims in court.
Even then, conspiracy theorists could easily concoct paranoia-filled scenarios that cast doubt on even this level of proof. After all, despite the court cases proving its claims, the fact that PIA is based in the US still concerns us…
What is certain is that a VPN will protect your privacy much more than your ISP will. In the case of IPVanish, the fact that it is now run by a different company which disowns the actions of its past management does give it something of a get-out clause.
But on the other hand, many senior staff members were also senior staff members when the incident happened. And also America.