Why is VPN providers like Cryptostorm or OVPN not recommended

Pretty much title. Both providers seem to be very privacy focused etc, and trusted… at least OVPN. Cryptostorm seems to have been through some controversy, with one of their “staff” members or whatever, and accusations of being a honeypot, even though i can’t seem to find any proof on that.

By whom, they don’t have any infrastructure audits audits, and ovpn has no source code for their clients.

Here is one good reason.

That blog post literally looks like marketing fluff.

That’s a good point.

Yes you’re right, but my point was mainly to point out that OVPN has been acquired by Pango, a company who owns other, not very trustworthy VPN companies and thus, it adds another reason why OVPN should not be listed.

Pango is the owner of Hotspot Shield (VPN), Identity Defense (data aggregation service/broker), VPN 360, Ultra VPN, etc.

Sounds like they buy honeypots.

I want to provide proof, to back up my claims, so here it is. Black and white.

• Owns Hotspot Shield VPN (AnchorFree) - https://www.corporationwiki.com/California/Sunnyvale/pango-inc/44270431.aspx

• He has lectured to government contractors at the Technical Training Centre, Chennai Chengalpattu (Tamil Nadu, India) - https://in.linkedin.com/in/ravichandran-g-a8a1a391

• “Hari Ravichandran … is CEO and Founder of Jump Ventures, a scalability infusion firm … and also the CEO and Founder of Aura a technology company dedicated to simplifying digital security … Hari has founded successful businesses focused on technology-enabled services and web security …” — funded by Indian and US government-owned property manufacturers. - About Hari Ravichandran - Hari Ravichandran

• “AnchorFree, the company that makes the popular Hotspot Shield virtual private network (VPN) software, on Wednesday announced that it raised $295 million in a new funding round.” — VPN Company AnchorFree Raises $295 Million - SecurityWeek

• The CSO /Co-founder Eugene Malobrodsky was engineer at SimulTrans which facilitates localization of and testing of government materials

• Partnered w/ Sujay Jaswa, (silent investments and known investments)

• Sujay is one of Silicon Valley’s leading business innovators, and oversees WndrCo’s investment and operating activities. Sujay Jaswa - WndrCo He makes Ventures and Growth investments, and creates companies through Venture Buyouts. He serves as Chairman of Aura, Twingate, and Super Unlimited, and led WndrCo’s investments in Figma, 1Password, Databricks, Pango, Pilot, Rally, Zagat / The Infatuation, etc.

• “AnchorFree was accused last year by the Center for Democracy & Technology (CDT), a nonprofit technology advocacy organization, of collecting user data through Hotspot Shield and sharing it with advertisers.”

• “Earlier this year, a researcher disclosed the details of a vulnerability that exposed the names and locations of Hotspot Shield users. The expert made his findings public after claiming that the vendor ignored his attempts to report the flaw. A patch was released a few days later.”

At the very least, this means both Hari and Sujay have partnered with venture business capitalists whom purchase businesses, and either flip them, or build them into other venture business capitals. They buy companioes and use them to either purchase other companies or sell them to make seed money for other projects, which all seem to have the WORST privacy policies, facilitating stealing and selling user data, up to and including browsing history, ad preferences, location data, names and addresses, phone numbers, usual PII. They have a LONG history of buying from weird companies that are paid for in seed funding rounds by shady companies that also have bad track records of selling user data, just like them.

It’s clear that they have incompetent partners, as well as staff, because despite being a comp sci major, Hari seems to hire ex-contractors for governments of both India and the US, who have little experience in their fields.

OVPN was sued a few years ago and proved in a Swedish court that they don’t and can’t store any logs.

But as mentioned above I find it odd that they focus heavily on transparency and then… They don’t open source their apps.

Or maybe they said they didn’t who really knows, either way an infrastructure audit also checks security related stuff, for example against infiltration and exfiltration of data from the company.

In any case, being to court and saying you can’t provide something isn’t the same thing as attestation from a third party.

Indeed, but IMO it makes the company stick out compared to the countless of other corporations that run a VPN that has neither open source nor a court order to back up their no-logging policy.

I also think there’s a bit more to it than OVPN simply claiming that’s the case:

To summarize the verdict, the Rights Alliance and their security experts have not been able prove any weaknesses in OVPN’s systems that could mean that logs are stored. OVPN therefore wins the information injunction as our statements and evidence regarding our no log VPN policy have not been disproven. The movie companies also need to pay OVPN’s legal fees which amounts to 108 000 SEK (roughly $12300 at current exchange rate).

I’d still recommend Mullvad over this.

I would add that any court case, criminal investigation documents and server seizures (see Express in Turkey in 2017) should be treated similarly to “no-logs audits” when considering it as a trust signal. It can be useful, especially it’s a recent one. However, conditions can change the next day - I’d argue it’s specifically relevant notion if the company got acquired after the fact, which is true for both Express and OVPN.