IPVanish, a VPN provider that for years claimed a strict no-logging policy, led Homeland Security to a suspect using a Comcast IP address, court papers filed in 2016 reveal. StackPath, the new operator of IPVanish, informs TorrentFreak that they won't speak on behalf of the former team who have long since left the company. Assurances of security have been promised for the future, however.

On May 4, 2016, Scott Sikes, a Special Agent with the Department of Homeland Security, was engaged in a child abuse investigation.

Acting undercover, Sikes was monitoring a channel on Internet Relay Chat (IRC) when a suspect posted a link. When Sikes opened it he discovered an image of child pornography.

Sikes struck up a one-on-one chat session with the suspect who subsequently posted three more links, each containing the same kind of material. It was later discovered that the suspect had posted 17 other links leading to similar abuse imagery.

Having captured the suspect’s IP address (209.197.26.72), Sikes traced it back to Highwinds Network Group, a cloud storage, CDN, and colocation company that is perhaps best known among file-sharers for its massive Usenet-related business.

Homeland Security followed up by issuing a Summons for Records on Highwinds, demanding that it hand over the details of the user behind that IP address at the times the IRC user posted the links.

Although not directly mentioned by name in court documents, at the time Highwinds owned the VPN provider IPVanish, a company that has repeatedly claimed to carry zero logs relating to its customers’ activities. It appears that the suspect tracked by Homeland Security was an IPVanish customer but any hope he would remain anonymous was soon dismissed.

On May 26, Highwinds responded to the summons, confirming that the IP address belonged to its VPN service. Initially, the company told HSI that to protect customer data, “we do not log any usage information. Therefore, we do not have any information regarding the referenced IP.”

However, after Sikes contacted Highwinds again, the company suggested that HSI submit a second summons requesting more detailed subscriber information.

On June 9, 2016, HSI served a second summons on Highwinds, requesting “any data associated with IRC traffic using IP 209.197.27.72, port 6667.” On June 21, Highwinds came up with the goods.

In a response to HSI, Highwinds provided information which allowed HSI to identify the suspect connecting to the VPN server, connecting to the IRC server, and then disconnecting from the VPN server. Highwinds also handed over the suspect’s name (Vincent Gevirtz), his email address, plus details of his VPN subscription.

Also made available to HSI was Gevirtz’s real IP address (Comcast 50.178.206.161) “as well as dates and times [he] connected to, and disconnected from, the IRC network,” times which coincided with the activity being investigated by HSI.

HSI then issued a summons on Comcast, requesting customer information on the IP address in question. Comcast responded three days later with a slightly different name – Julian Gevirtz – plus an address in Indiana. Vincent Gevirtz was subsequently found at that address with his parents and later admitted to the conduct carried out in the IRC channel. He further admitted to having shared images of abuse online for at least seven years.

While there will be few people disappointed that Gevirtz was tracked down by HSI, there was considerable uproar yesterday when the court documents were posted to the /r/piracy discussion page on Reddit.

IPVanish has always been extremely vocal about its no-logging policies but the court documents in the Gevirtz case appear to show that the company logged extensively, apparently down to what services were accessed and when.

So, with this apparent contradiction in hand, TF contacted StackPath, the company that bought Highwinds and therefore IPVanish back in 2017. How can its “zero logs” policy exist alongside the handing over of so much information?

“We are glad you asked. That lawsuit was from 2016 – long before StackPath acquired IPVanish in 2017,” said Jeremy Palmer, Vice President, Product & Marketing.

“IPVanish does not, has not, and will not log or store logs of our users as a StackPath company. I can’t speak to what happened on someone else’s watch, and that management team is long gone. But know this – in addition to not logging, StackPath will defend the privacy of our users, regardless of who demands otherwise.”

It’s pretty clear from this statement that StackPath doesn’t want to get into what went before and at least to a degree, that’s understandable. That being said, these things must have some kind of paper trail – logs if you like – that document what went on and who was responsible. So we asked again, this time tacking on some more questions to try and nail things down.

We began by asking about the general logging policies of IPVanish before StackPath took over. Clearly, if the old policy was to log (as the court papers suggest), at some point StackPath must’ve seen those policies and realized they were incompatible with their new approach to privacy. If that was the case, what were the old policies and when were they revised to StackPath standards?

“I can’t speak on behalf of the former executive or legal team (involved in this issue) as they are no longer part of Highwinds Network Group, and haven’t been since the acquisition,” Palmer reiterated.

“It’s impossible for me to speculate or comment about what may have happened under different ownership/management. We don’t keep VPN logs [now]. We value our customer’s privacy above everything else.”

The problem here is that at least as far as the IPVanish privacy statements go, the old policies are exactly the same as the new ones – no logs. Clearly, something has to give. At this point, Palmer provided us with a statement from StackPath CEO Lance Crosby.

Crosby is an industry heavyweight, there is little doubt about that. Founder, CEO and Chairman of Softlayer until its sale to IBM in 2013, Crosby was also former COO of ThePlanet. He doesn’t offer any clear proof but says that the HSI case could’ve been a one-off.

“At the time of the acquisition 2/6/17, the StackPath team and a third party performed due diligence on the platform. No logs existed, no logging systems existed and no previous/current/future intent to save logs existed,” Crosby says.

“The same is true today. We can only surmise, this was a one time directed order from authorities. We cannot find any history of logging at any level. Your privacy is paramount and we will fight any persons or government agencies seeking to infringe upon such.

“I can’t speak to what happened on someone else’s watch but Technology is my life and I’ve spent my career helping customers build on and use the Internet on their terms. StackPath takes that even further — security and privacy is our core mission. I also happen to be a lawyer and I will spend my last breath protecting individuals’ rights to privacy, especially our customers,” he concludes.

While having Crosby’s word on a no-logging future carries weight, we are sadly no closer to finding out what happened back in 2016. There is no mention in the court documents of the one-time logging scenario outlined above although that is certainly possible. The big question of whether it could happen again is up for debate.

Moving forward, IPVanish says it is committed to its ‘no-logging’ policy and says that the difference today is a “completely different management team” and a CEO who is “a strong privacy advocate” who “built StackPath on this foundation.”

IPVanish is the latest high-profile VPN to have provided information to the authorities after earlier claiming security for their users. Back in 2011, HideMyAss handed over information that would help to jail LulzSec hacker Cody Kretsinger. Last year it was revealed that PureVPN helped the FBI catch a cyberstalker.