The news came as a bombshell for those who operate in the VPN (opens in new tab) industry, which in comparison to others like Web hosting, seems more like a cottage one where everybody is acquainted with everyone else.
10 days ago, Reddit user 8obhex, wrote an explosive post (opens in new tab) about a criminal complaint document (opens in new tab) (PDF) that alluded to the fact that Highwinds Network Group, now owned by StackPath (opens in new tab), and the company behind the popular IPVanish (opens in new tab) VPN, kept logs despite their no-logging policy.
What followed was a torrent of comments that abruptly ended when the 8obhex account and nine related comments were deleted. The subsequent fury caused by the disclosure forced Lance Crosby (opens in new tab), the CEO of the company, to make an official statement on Reddit.
Techradar Pro approached StackPath with nine questions, eight of which were answered by Jeremy Palmer, VP, Product and Marketing at the company.
1. Court records recently posted on Reddit (IPVanish_Summons.png) suggest that in 2016 IPVanish responded to a summons by handing over information on a user’s activities, including connection times, possibly the use of specific protocols, and disconnection times. Are those records a complete and accurate summary of what happened, or is there any further background information you can provide?
Because this happened prior to StackPath's acquisition of Highwinds Network Group, we have no additional details about this case. The former legal and executive team is long gone. It would be impossible for me to speculate about what might have happened.
2. IPVanish has claimed to have a strict “no logging” policy for many years. The court response suggests this was untrue. What information was being recorded by the service during 2016? If you’re unsure what the previous management was doing, what actions have you taken to find out?
StackPath performed due diligence and an independent audit prior to acquisition. There was no record of any logs being stored. We've done an internal audit to ensure our current policy is consistent with our practices. As our CEO Lance Crosby said - "With no exception IPVanish does not, has not, and will not log or store logs of our users as a StackPath company."
It's a completely different company, with a new executive and legal team. Security and privacy is our core mission. We've invested heavily in the new team and infrastructure to ensure our customer's privacy is always paramount.
4. The court documents suggest that in 2016 IPVanish would hand over documents almost as soon as they were requested. What is your current policy on responding to law enforcement requests, subpoenas or court orders?
Our legal team will verify the legitimacy and jurisdiction of the inquiry. Our response to those inquiries is simply that we have no information to provide, which is absolutely true.
5. If you first learned about this incident from the report on Reddit, how could you come right out and say that IPVanish doesn’t log any more? Would you not have had to do a complete review first?
6. Did your due diligence process in late 2016, early 2017 uncover the court documents from 2016? At what moment did you discover these documents from 2016?
These court documents did not come up in diligence. We first heard the details of this case when the story broke on Reddit.
7. If you found out before the Reddit report, why did you not disclose that information publicly, as the incident was in direct contradiction of IPVanish’s long standing “no logs” policy.
See answer above
8. You brushed off the report by saying it wasn’t under your watch. But since the Highwinds team came with the acquisition are there not any long-time engineers who can answer for what exactly happened?
StackPath did not acquire the entire Highwinds engineering team. The current team has no additional details about the case.
9. What is StackPath doing today to protect against the risk of server seizure and log data showing up (even unintentionally) on hard disk or system memory?
We have many layers of physical and digital security for the VPN service. All traffic data passing through our network is encrypted and unreadable by anybody, including us.