IPVanish is a highly respected US-based company that has always declared to have a strict no logs policy. It appears to be a lie.
Keep in mind that the logs go back to an incident that took place in June 2016, and IPVanish was then acquired by a company that maintains that no records are stored.
The Zero Logs Claim
Looking at the Internet Archive Wayback Machine, it can be clearly seen that both before and after the incident, IPVanish asserted that no logs were kept at all: “IPVanish does not collect or log any traffic or use of its Virtual Private Network service.”
On 4 May 2016, a US Department of Homeland Security investigator was talking undercover to a suspect who posted some links to child pornography. The special agent traced the IP address which linked the suspect back to Highwinds Network Group, a CDN company which launched in the Usenet industry and which owned IPVanish at the time.
Upon getting a non-lawfully binding summons, Highwinds confirmed that the IP address was theirs, but said that it would not be able to help with the investigation because:
“To protect customer data, we do not log any usage information. Therefore, we do not have any information regarding the referenced IP.”
This lacks consistency with the upcoming part of the court affidavit used for the subsequent trial.
“Highwinds Network Group suggested the HSI submit second summons requesting subscriber information more detailed in nature.”
Homeland Security Investigations (HSI) complied and was rewarded with a set of detailed connection logs that evidently identified the suspect.
It’s proof that IPVanish were indeed keeping logs contrary to “zero logs” policy claim. It gets murkier as Highwands seemed to have freely cooperated with HSI in handing them over.
Mr. Gevirtz is a genuinely despicable human being and its good news he was caught. But users want VPNs to provide privacy for legal reasons and expect them to uphold the privacy claims they make. The most important being no logs.
A Different Company Owns IPVanish Now
The whole issue is made more difficult by the fact that StackPath acquired Highwinds (and therefore IPVanish) in February 2017. Replying back to a Reddit discussion on the matter, Stackpath CEO, Lance Crosby, made the following post: “IPVanish has always marketed itself as a “no logging” VPN. At the time of the acquisition 2/6/17, the StackPath team and a third party performed due diligence on the platform. No logs existed, no logging systems existed and no previous/current/ future intent to save logs existed. The same is true today. We can only surmise, this was a one time directed order from authorities. We cannot find any history of logging at any level.”
IPVanish’s Vice President of Product & Marketing, Jeremy Palmer agreed with the statement.
The problem lies in the fact that even though a different company now owns it, many of the senior IPVanish staff have been with the company for years.
The United States of Surveillance
Back in 2013, NSA whistleblower Edward Snowden revealed the mind-boggling scope and ambition of United States’ mass surveillance program. It represents a case of “collect it all,” and even though much digital ink has been spilled on the issue, no real progress has come of it.
America has no mandatory data retention laws, but it looks like US government flexing its muscles always gets what it wants.
This was what might have happened with IPVanish.
Is IPVanish Trustable?
Maybe PureVPN and Hide My Ass have similarly been nabbed lying about the logs they keep. Until a method to independently audit providers’ no logs claims is set up, the only way to know for sure if a VPN service is trustworthy about its logging policy is when it proves those claims in court.
But what you can about is that a VPN will protect your privacy much more than your ISP will. In IPVanish’s case, the fact that a different company runs it now provides something of a get-out clause to the actions of its past management.
But, then again, many senior staff members were also senior staff members when it took place. And anyway it’s America.