A student in Holland was arrested in June last year (2013) after issuing a bomb threat to his university. Although the act was in itself reprehensible, and the young man deserves everything he gets (for the record he claims that he is innocent and someone else used his VPN account), the key issue as far as we are concerned is that he was using EarthVPN when he made the threat, a service which promises not to keep any logs of users’ online activities.
The story is not new, but online interest in it has grown recently, with many observers accusing EarthVPN of being another Hide My Ass (referencing the notorious 2011 case where HMA cooperated with the UK and US authorities to help catch a LulzSec hacker who used its service to hide his identity). As many irate commentators have pointed out, a VPN that does not protect its users’ privacy is no VPN at all.
The situation here, however, seems to be rather different. An EarthVPN spokesperson issued the following explanation:
‘Let me clarify some false accusations. We do not keep logs, nor do we provide them to 3rd parties, as there are no logs to provide.
As this issue seems to be related within the Netherlands, what we can disclose is that one of our servers in the Netherlands has been seized recently with a court order. There are no logs kept on the servers, so it is technically impossible to match a user to his activities.
What we can only suspect is that the datacenter has IP transfer logs, as we also had DDoS protection.
After this circumstance happened we have cancelled our contract with the datacenter.’
While there is no way of confirming these facts, they do sound very plausible. This does, however, bring up the very serious issue of how trustworthy local datacenters are, and how they can be prevented from handing over their logs when presented with a court order (subpoena etc.), whatever the VPN provider says.
While this can be partially addressed with explicit contractual agreements between the datacenter and VPN provider, a much more robust and fundamental solution is to use shared IP addresses, so that it is all but impossible to determine which of the dozens or hundreds of users using that IP is responsible for any particular online action or behavior. Had EarthVPN been using shared IPs, the datacenter would have had no meaningful information to hand over to the police, so EarthVPN must have been using dynamic or (unlikely but possible) static IPs.
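To make the shared-IP argument concrete, here is an added example (not from EarthVPN or the original article) that builds the log a datacenter might hold under dynamic and under shared exit-IP assignment, then asks which clients it ties to one exit IP at one moment. The log format, the session data, the addresses (documentation ranges) and the function names are all constructed assumptions.

```python
from collections import namedtuple

# Constructed sample data: VPN sessions (client address, connect/disconnect time in seconds).
Session = namedtuple("Session", "client_ip start end")
# Assumed datacenter log row: client address, exit IP its traffic left from, time window.
Flow = namedtuple("Flow", "client_ip exit_ip start end")

SESSIONS = [
    Session("198.51.100.10", 0, 600),
    Session("198.51.100.11", 100, 900),
    Session("198.51.100.12", 200, 500),
    Session("198.51.100.13", 650, 1200),
]
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]  # documentation-range exit IPs


def allocate(sessions, pool, shared):
    """Build the log the datacenter would hold under shared or dynamic exit-IP assignment."""
    flows, in_use = [], []  # in_use holds (release_time, exit_ip) for dynamic leases
    for s in sorted(sessions, key=lambda s: s.start):
        if shared:
            exit_ip = pool[0]  # every user is NATed behind the same address
        else:
            in_use = [(end, ip) for end, ip in in_use if end >= s.start]
            busy = {ip for _, ip in in_use}
            exit_ip = next((ip for ip in pool if ip not in busy), None)
            if exit_ip is None:
                raise RuntimeError("exit IP pool exhausted")
            in_use.append((s.end, exit_ip))
        flows.append(Flow(s.client_ip, exit_ip, s.start, s.end))
    return flows


def anonymity_set(flows, exit_ip, event_time):
    """Clients the log ties to exit_ip at event_time; size 1 means a unique attribution."""
    return {f.client_ip for f in flows
            if f.exit_ip == exit_ip and f.start <= event_time <= f.end}


if __name__ == "__main__":
    dynamic = allocate(SESSIONS, POOL, shared=False)
    shared = allocate(SESSIONS, POOL, shared=True)
    # An action observed from an exit IP at t=300 seconds.
    print("dynamic:", anonymity_set(dynamic, "203.0.113.3", 300))
    print("shared: ", anonymity_set(shared, "203.0.113.1", 300))
```

With dynamic assignment the timestamp resolves the exit IP to a single client even after the address is reused; with a shared address the set contains every client connected at that moment, so its protective value scales with the number of concurrent users.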
In our view there is no excuse for a VPN provider not to use shared IPs, and EarthVPN’s failure to do so (assuming its version of events is reliable) is unforgivable. It is also not the first time that EarthVPN has been embroiled in controversy over its technical (in)competence, as the spat over its possible exposure of both its public and private keys in its OpenVPN .crt file demonstrates (links for this can be found at the end of our EarthVPN review).