
IPVanish “No-Logging” VPN Led Homeland Security to Comcast User - placatedmayhem
https://torrentfreak.com/ipvanish-no-logging-vpn-led-homeland-security-to-comcast-user-180505/
======
sandGorgon
CEO's statement on Reddit:
[https://www.reddit.com/r/Piracy/comments/8ogup1/ipvanish_claims_0_log_policy_busted_for_logging/e03mrw6/](https://www.reddit.com/r/Piracy/comments/8ogup1/ipvanish_claims_0_log_policy_busted_for_logging/e03mrw6/)

> _We don't typically jump into Reddit or other forums but this topic is too
> important to me. I'm the CEO of StackPath and we acquired IPVanish in
> February, 2017 (more than a year after the lawsuit from 2016). With no
> exception IPVanish does not, has not, and will not log or store logs of our
> users as a StackPath company. Most important, StackPath will defend the
> privacy of our users regardless of who demands otherwise. I can't speak to
> what happened on someone else's watch but Technology is my life and I've
> spent my career helping customers build on and use the Internet on their
> terms. StackPath takes that even further—security and privacy is our core
> mission. I also happen to be a lawyer and I will spend my last breath
> protecting individuals' rights to privacy, especially our customers._

~~~
saas_co_de
Whether a company promises not to keep logs or not they can and always will
comply with legal requests (court order, warrant, national security letter,
etc, etc) to monitor specific targets. Otherwise they will be out of business.

Bottom line: don't do illegal stuff. These services (if they are actually
telling the truth about not logging) are good for protecting your privacy as a
law abiding citizen but they don't really provide any shield for criminal
activity.

~~~
MaxBarraclough
So you're just going to ignore the fact that they explicitly promised their
users that they don't keep logs, while keeping logs?

I wonder if it qualifies as unlawful false advertising.

~~~
lotyrin
If they didn't keep logs and aren't lying, they could still be asked or
warranted to allow LEO to monitor their system live during a suspect's usage
in order to identify them.

~~~
MaxBarraclough
Indeed, they could be compelled to do that, but according to the article they
_were_ keeping logs in this case, despite explicitly advertising that they
didn't.

~~~
Proof
This is exactly the issue that should be stressed repeatedly. When a firm
advertises itself as such, that values customers' privacy, etc. etc., there
should not be any logs, especially if they make it their number one selling
point.

Regarding illegal activities, if there is a will strong enough that warrants
Powers that be to track down something, one way or another, it will happen. No
matter how much one deludes himself into a sense of security. The idiot in
the article shouldn't have been posting shit in a fucking irc channel to begin
with.

Pardon my English, am very tired and not my mother language.

------
openasocket
An important thing to note here is that they were served with a "Summons for
Records," not a warrant. With a warrant the DHS has to provide probable cause,
it has to be signed off on by a judge, and cannot be refused. A summons has
none of those things; it can absolutely be refused, at which point they would
have to get a warrant.

I'd also like to add that I don't have an ethical problem with a VPN company
that keeps logs and turns them over to law enforcement with a valid warrant.
Lying about keeping logs, though, I do find unethical, as well as not
requiring a warrant for access.

I also think that explicitly not keeping logs to protect users from law
enforcement is shady to say the least. If law enforcement has a valid warrant,
I don't have an issue with providing them with the data they need to find and
prosecute.

~~~
sandworm101
> I also think that explicitly not keeping logs to protect users from law
> enforcement is shady to say the least.

I guess that depends on which law enforcement you are talking about. An FBI
agent going after someone distributing child pornography is a rather
sympathetic police action. What about a Chinese officer going after someone
for "treason"? What about a Russian cop looking for someone who tweeted pics
taken at a protest rally? Or what about a Canadian cop asking questions about
a teenager in Sweden, someone well outside Canadian jurisdiction? Or what
about the FBI agent asking for some celeb's home address? Rather than pick
sides, the best answer is to just not collect the data in the first place.

VPN companies operate at an international level. The cops from some countries
cannot be trusted. Cops in all countries make mistakes. A few of them our
there are corrupt. And often times the person claiming to be a cop is either
well outside their authority, or just lying about being a cop. I tell my
client's to not even respond to communications from any sort of law
enforcement or intelligence agency. Pass it to your lawyers. Let them first
verify who and what authority is making the request. Do not leave such
determinations to engineers and support staff.

~~~
openasocket
I agree that it depends on who the law enforcement is. I think operating a VPN
service for Chinese citizens to evade censorship and not doing logging to
protect those users would be ethical, for example. Like I said in another
comment, you have to think about the odds of dealing with an LE request you
consider unethical, and balance the consequences of providing logs or not
providing logs. Personally, I trust the US justice system enough that I
wouldn't have a problem with complying with a valid warrant (after legal due
diligence, of course). But that's subjective and I understand others may not
feel the same way.

> VPN companies operate at an international level. The cops from some
> countries cannot be trusted. Cops in all countries make mistakes. A few of
> them out there are corrupt. And often times the person claiming to be a cop
> is either well outside their authority, or just lying about being a cop. I
> tell my clients to not even respond to communications from any sort of law
> enforcement. Pass it to your lawyers. Let them first verify who and what
> authority is making the request. Do not leave such determinations to
> engineers and support staff.

Totally agree with everything here.

~~~
manicdee
> I agree that it depends on who the law enforcement is.

All Law Enforcement is corrupt. The only unknown is the level of corruption.
As a service provider in any country, we have no idea whether we will be
dealing with a good cop or a bad cop, and the safest assumption to make is
that they are all bad cops. Don't let the good cop set a precedent for
interaction that the bad cop can abuse.

The system will work to abuse your trust. If the first warrant you get is to
help catch a pedophile who has been kidnapping children, and you agree to
provide logs for that, the Government will be upset when you don't comply with
the next warrant which is a wife beating cop trying to track down his
estranged wife who is due to appear in court tomorrow.

You have shown that you have the required data, the purpose of the warrant
doesn't have any impact on the legal requirement to comply.

------
neverminder
In the meanwhile it looks like PIA is still standing its ground (for now):
[https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

~~~
krn
ProtonVPN (operated from Switzerland) claims[1]: "Our security team has also
identified at least one VPN service which is working on behalf of a state
surveillance agency."

If I had to guess, it would be PIA: the most popular, the most accessible, and
the most affordable US-based VPN.

When a VPN is run by NSA, of course it will stand up in all courts. How would
a state surveillance agency let its tool be so publicly destroyed? And it
doesn't have to keep any logs at all. They can just be forwarded in real-time,
based on a set of filters and rules ("URLs that are requested by <IP>", "IPs
that are requesting <URL>").

[1] [https://protonvpn.com/blog/threat-model/](https://protonvpn.com/blog/threat-model/)

~~~
rasengan
[Comment retracted and removed by author's request.]

~~~
krn
I wasn't aware that ProtonVPN was not run by ProtonMail, even though I happen
to be from Vilnius, Lithuania myself and even have a close friend working at
Tesonet. If this is true, that makes me question how much anything branded
Proton* can be trusted in general.

~~~
protonmail
ProtonMail team here. The above is not correct. ProtonVPN is developed and
operated by ProtonMail. However, it exists as a separate legal entity for
security reasons. This is to avoid ProtonMail getting banned in jurisdictions
where VPNs are illegal. An example is China where ProtonVPN is banned, but
ProtonMail is permitted. Had they been the same company, both would have been
banned together. So from the legal standpoint, we put as much separation as
possible between ProtonMail and ProtonVPN.

Like ProtonMail, the ProtonVPN team is distributed, split between Geneva,
Skopje, Vilnius, and San Francisco. Tesonet (one of the biggest IT firms in
Vilnius) was previously used as outsourced HR before we incorporated our own
entity in Vilnius. We have similar arrangements for our staff in San
Francisco, Prague, and Skopje. The above poster's intentions are a bit
suspect, given that he's the co-founder of PIA...

~~~
krn
> Tesonet was previously used as outsourced HR before we incorporated our own
> entity in Vilnius

But your entity's business address in Lithuania is still Tesonet's HQ. And
Tesonet runs the entire technical infrastructure needed for a VPN service. So,
are you partners or competitors?

------
fegu
How many VPN services are run by the government three letter agencies through
decoy companies? Seems like a match made in heaven.

~~~
mirimir
There's no way to know that, either. One of the first VPN services,
Anonymizer, morphed into a CIA operation. And Tor, after all, is still heavily
funded by the US government. However, as cynical as I've become, I believe
that the US freedom vibe is more than PR.

But anyway, there's no way to know. So your best bet is nested VPN chains.
Including providers from jurisdictions where cooperation is less likely.
Insorg is Russian, for example. Also, AirVPN, IVPN and Riseup have said that
they'll shut down before they'll log.

~~~
TimTheTinker
> your best bet is nested VPN chains

It _is_ possible to set up an anonymous DigitalOcean account funded by a Visa
gift card and associated with an anonymous email provider.

Perhaps the best privacy-preserving tool would be a pool of anonymous, public
accounts to public and private VPN services, and a client app that dynamically
builds and connects via nested VPN chains.

~~~
DoctorOetker
But how do you buy the anonymous gift/prepaid whatever card?

Cash bills are marked with unique codes, and the trip from
bank->(consumer->seller)*->bank tends to be relatively short, often 1 or 2.
Systematic/sustained transfers are easily detected with graph theory &
statistics... Especially if most other actors are carrying their cell phone
with them all the time!

~~~
TimTheTinker
In this case, a little obscurity goes a long way. A $5/month droplet is more
than enough for a single household’s internet use. If you make cash purchases
with any frequency, it’s very possible to make your once-every-10-months $50
Visa gift card purchase nearly untraceable (at least by dragnet/mass methods).
Your cover is far more likely to be blown by other things, like which IP
address connects to the droplet most frequently.

~~~
DoctorOetker
Hi, I live in Europe, and am not familiar with Visa gift cards in specific.
Would you mind describing exactly how they work, what form you buy them in,
and how you use or enable them?

I.e. is the code printed at the time of buying? Or does it have a scratch-off
code and packaged in plastic wrap? Is it scanned under a device while selling?

Even if there don't seem to be any unique codes, an IR fluorescent barcode
could be used on the card, or its plastic wrap.

Even if there are no unique codes, the cards might come from a rack or pack in
sequence, and the cashier instructed to scan a new pack of cards when opening
a new pack!

~~~
TimTheTinker
It's just a prepaid credit card. Looks and behaves like any normal credit
card, except that it has no name or address associated with it (and will
validate against any).

Yes, they have unique numbers, and the time/date/location of purchase is known
for each card's number. Like I said, this is not secure enough to defend
against targeted attacks by well-resourced actors, but good enough to stay out
of the dragnet, at least for now.

~~~
Proof
Question: wouldn't it just be more feasible for American govt to request to
have all the numbers to be handed to them prior to the sale? That way they
would know, where it was bought and be able to track down by whom.

Sorry for my English. I hope my question is understandable.

~~~
TimTheTinker
They could do that, but I’ve never heard of it. And compelling companies to do
it long-term would be illegal (AFAIK, IANAL).

------
mseebach
The user sounds like he was a regular on the IRC channel. Did they perhaps add
particular logging on the IP/port combo when asked to, rather than having
always logged, and lied about it?

I mean, it's still not consistent with "no logging", but it still protects
"backwards" privacy of connections happening in the past, and crucially it's a
kind of logging that will always be technically possible to implement for a
VPN provider, and probably legally trivial for law enforcement to mandate with
a court order (or national security letter) - regardless of how strongly a
worded policy the provider has in place.

------
aphextron
I spent some time looking into building a VPN business. It's a real bottom
feeder industry. The margins are tiny and the bulk of your traffic will be
malicious. Anyone who says they don't log is simply lying to your face; the
liability is insane if they don't. I'd rather use a provider that at least is
honest about their logging policy, although even that is a terrible idea. The
only real solution is running your own Streisand node on an anonymous VPS paid
with crypto.

~~~
tlrobinson
> Anyone who says they don't log is simply lying to your face; the liability
> is insane if they don't

...

> The only real solution is running your own Streisand node on an anonymous
> VPS paid with crypto

Why would VPN providers need to log but VPS providers don't?

~~~
aphextron
>Why would VPN providers need to log but VPS providers don't?

It's a question of obfuscation. A private VPN provider is receiving explicit
logs of every single URL request you make, and has access to the actual
machine processing the request. A VPS provider cannot. With an IPSEC tunnel
terminated inside the VM, there's no way they can see your incoming traffic.
They could monitor your outgoing traffic in theory, but would have to be
specifically looking for this and targeting you.

~~~
tlrobinson
If you're the only one using a private VPN run on a VPS then they effectively
have access to the same information: your IP address and all of your traffic.

I'm just curious why VPNs would be required to log but VPS aren't if they can
be used for the same purposes. Is it just because VPNs are more likely to be
used for illegal purposes?

------
Casseres
Anyone looking for VPN suggestions, start here:

[https://www.privacytools.io/#vpn](https://www.privacytools.io/#vpn)

~~~
huhtenberg
Care to elaborate why this particular site is notable?

~~~
boomboomsubban
It's run in the open by a group on reddit, with relatively detailed
explanations on why they make their recommendations and timely changing of
recommendations. A strong place to start, though you may wish to do further
research before a large decision.

------
lolc
Beginner's mistake: Choosing a VPN-cloak based in one's own jurisdiction.

~~~
curiousgal
To be honest, the US' federal arm is far-reaching.

~~~
lagadu
Still it's a lot harder to convince a, let's say, Chinese court to order that
kind of surveillance on a local company over an allegation of a crime that
happened half a world away. Add a couple more vpn layers over multiple
international jurisdictions and it's a huge effort that can easily take years.

------
jorge-fundido
VPN companies don't care too much about customers that are concerned about
privacy - too small a percentage of their customer base. Catering to those
trying access geo-blocked content is where the money's at.

------
cascom
Seems pretty naive to risk jail time over the commercial claims of some
internet company...

I use a VPN to reduce tracking and keep my ISP in the dark - and so have
gravitated to the names in the space that seem to be more solid corporate
citizens.

F-Secure - [https://www.f-secure.com/en/web/home_global/freedome](https://www.f-secure.com/en/web/home_global/freedome)

Proton Tech - [https://protonvpn.com](https://protonvpn.com)

------
phyzome
« It’s impossible for me to speculate or comment about what may have happened
under different ownership/management. »

You keep using that word, "impossible". I do not think it means what you think
it means.

------
Grollicus
Would it be possible to sue a lying company for damages in a case like this?
Especially if (as it seems) they were not forced to give traffic data by a
warrant but instead complied on their own?

------
justadudeama
This is why I host my own OpenVPN instance on AWS EC2. If the government is
going to come after me/my IP, they are going to get it one way or another (I
know Amazon will hand over my account info if asked for it) so I might as well
cut out any security risks in between (are the servers that my VPN providers
using secure?).

