IPVanish was busted earlier this week for providing logs and customer information to the United States Department of Homeland Security even though they advertised a “zero-log” VPN service. IPVanish’s response seems to largely blame IPVanish’s prior management for logging and they continue to claim that they run a “zero-log” VPN Service.
Our research indicates that StackPath now owns or provides wholesale VPN service to several other brands: they acquired Highwinds (Owners of IPVanish at the time) seven months after the incident leading to disclosure of an IPVanish customer’s data. Our research further indicates that StackPath now owns or provides wholesale VPN service to several other VPN brands:
- StackPath acquired Encrypt.me (formerly Cloak) back in 2016.
- StackPath CEO Lance Crosby also publicly acknowledged on Reddit that StackPath owns IPVanish. Based on similarities in VPN network IP addresses and common web code between their websites and IPVanish, it appears StackPath may also own VPN providers StrongVPN and Overplay.
- Based on VPN server IP addresses and striking similarities to the StrongVPN application, StackPath appears to provide wholesale VPN service to the recently launched VPNHub.
- Highwinds is a known entity to us as a competitor to our sister company Giganews in the Usenet market so we know they operate (or formerly operated) Newshosting, Easynews and Usenetserver. All of those Usenet brands also bundle VPN services with their Usenet accounts. We didn’t take the time to check IP addresses, but does StackPath provide VPN service to those customers, too?
StackPath’s stealth consolidation of several VPN providers raises many questions about their commitment to transparency and to the stated logging policies of the VPN brands they now service and control. To his credit, StackPath CEO Lance Crosby directly addressed the IPVanish logging issue on Reddit, but he didn’t talk about StachPath’s other involvement in VPN services and any potential privacy implications for those customers. It raised the following questions for me:
- All of the StackPath VPN providers listed above (except Encrypt.me) advertise a “zero-log” VPN service, so should users be concerned about their privacy with these providers, too?
- Why does it take an event like this for IPVanish to acknowledge who they are?
- Do the acquiring owners of VPN providers care about user privacy or do they reserve the bulk of their efforts for the bottom line?
Big companies acquiring VPN brands is another big trend we are seeing in the VPN space. From StachPath to Facebook to AVG, companies whose core business is not user privacy buy VPN brands and raise questions about how they will protect their users’ private data. These rolled-up VPN brands do not acknowledge their true owners, because doing so could presumably damage their credibility. The VPN community should demand more transparency from StackPath, because VPN users ought to know who really controls their privacy.
Thanks Golden Frog staff — Yogi, Jordan, Kayleigh, Justin and Derek — for the great memes. Enjoy!