IPVanish no user logs claim in doubt after Homeland Security child porn case

IPVanish, one of the world’s most popular and trusted VPN providers is coming under scrutiny after it was reported that it may have breached its strict no user logs policy. But details remain sketchy and their new owners have denied involvement.

IPVanish is one of many providers that makes a big deal out of the fact that they keep absolutely no logs about their customers use of their service. But court papers which were filed in 2016 seem to suggest otherwise.

The case which challenges IPVanish’s claims

The case in question is a child abuse inquiry being run by the Department of Homeland Security in the USA. Special Agent Scott Sikes was monitoring an Internet Relay Chat (IRC) channel when a suspect posted a link to a child porn image.

The agent engaged with the suspect who subsequently sent more links. He then captured the suspects IP Address which he traced to Highwinds Network Group, a cloud storage, CDN, and colocation company. Homeland Security issued Highwinds with a summons for records of the user behind that IP Address.

At the time, Highwinds was also the owner of IPVanish and it quickly became apparent that the suspect was an IPVanish user.

Initially, Highwinds reacted as would be expected. They informed Homeland Security that they don’t log user activity so had no information. Under normal circumstances, that should have been the end of the matter.

Did IPVanish help Homeland Security nab one of their customers?

But the Agent contacted Highwinds again regarding the matter and that is when their response becomes worrying.

According to Agent Sikes, Highwinds suggested that Homeland Security should submit another summons requesting more specific and detailed subscriber information. They did just that and on June 9th 2016, Highwinds was issued with a summons for “any data associated with IRC traffic using IP 209.197.27.72, port 6667.”

On 21st June, they handed Homeland Security the information they were looking for. This included the user’s name, email address, VPN subscription details, his real IP address, and the times that he connected and disconnected from that server.

After Comcast also handed over information related to the original IP Address, Vincent Gevirtz was arrested and subsequently admitted to sharing child porn online.

While there will be little sympathy for Gevirtz, the question of how and why IPVanish was able to hand this type of information to Homeland Security, and indeed advised them on how to obtain it, when they claim to retain no user logs is more concerning.

Does IPVanish have a no user logs policy or not?

On the face of it, it seems like a contradiction. If IPVanish does have a no user logs policy, it should have this type of user information available to hand over to Homeland Security. If it does record this type of information, then it cannot claim to keep no user logs.

Unfortunately, trying to get to the bottom of what happened is complicated because, in 2017, Highwinds was bought out by a company called StackPath, which now owns IPVanish. And their line of defence seems to be ‘nothing to do with us’.

When approached for comment on the case by the TorrentFreak website, Jeremy Palmer, the Vice President, Product & Marketing at StackPath said, “I can’t speak to what happened on someone else’s watch, and that management team is long gone.”

He went on to state that the former management team of Highwinds had now all left the company and he reasserted that IPVanish keeps absolutely no user logs and claimed that StackPath were committed to defending IPVanish user’s privacy at all costs.

While it is understandable that StackPath doesn’t want to be damaged by the decisions of the previous management team, this is a far from satisfactory response for most IPVanish users. So, TorrentFreak pushed again and this time was given a statement from StackPath CEO Lance Crosby.

In it, he said that when StackPath acquired Highwinds they performed due diligence on IPVanish and found no user logs and no logging system, or any suggestion of an intent to keep user logs.

Was this case a ‘one-off’?

He then suggested that the Gevirtz case could have been a ‘one-time directed order from authorities’. In other words, he thinks the previous management team, perhaps on learning about the nature of the offences, went out of their way to get Homeland Security the information they needed.

This is, of course, possible and would be understandable, but it could also prove a hugely damaging decision for IPVanish in the long run. It is also a very convenient answer for StackPath, who are keen to preserve IPVanish’s reputation as a secure and private VPN provider.

And it also begs the question that, if no user logs are kept, how was the former management team able to get details of when one customer was using a specific server?

We are still no closer to finding out categorically what happened in this case yet. And unless StackPath, or the previous Highwinds management team, provides more details, we may never know for sure.

But there is now a big question mark over IPVanish’s ability to keep user data safe. And in the long term, that is likely to be quite damaging for what is one of the most popular VPN providers around.

Comments