Exclusive Interview With HideMyAss COO Danvers Baillieu: On Logging, Privacy & Security

HideMyAss is one of the biggest VPN providers on the market with a wide reaching network of servers globally. Like most VPN companies, it has a strong stance on privacy so we spoke with the company’s COO Danvers Baillieu to find out more about HideMyAss’ logging policies, protecting its servers and how it reacts to requests from authorities.

What is HideMyAss’ logging policy and what kind of user data do you log?
It’s all really set out clearly in our logging policy on our website so I would prefer to direct you to that; it’s got it all set out in decent detail but we make it very clear that we do log the IP of the VPN server that our users connect to and we keep that data for up to three months. We use that to prevent abuse of our service.

How long have you had this policy in place and when was it last altered?
We’ve cut down the length of time we’ve kept our data logs. I believe we were keeping them for more like six months and we looked at the sort of complaints we get and the time it takes for them to reach us. We found that two to three months struck a better balance between the requirement to prevent abuse and most of our users who don’t abuse our service to have logs kept for a shorter length of time. Indeed, our general approach to privacy, which is if you don’t hold data on people, you can’t lose it or expose it. We did revise that, I’m thinking, over a year ago. I can’t remember the precise date. We’ve always had a policy of keeping logs.

Have you ever received any DMCA requests or other court orders and what is your policy for reacting to these orders?
With DMCA requests, we pass on the content of a DMCA request to a user and we tell them that we’ve received the request. They generally contain some technical data around the connection that was made, they normally contain the title of the piece of content that was being shared; that kind of thing.

We collect those reports and we send them to the user who is identified from our logs and we ask them respectfully to stop file sharing this particular content on the basis that we’ve received a complaint about it but we do point out that the report may be inaccurate. We’re not accusing them but simply we’re passing it on and we also point out that we haven’t passed over any of the user details to the company making the DMCA complaint.

And I can say confidently that we’ve never had a DMCA complaint go further than that. We obviously respond to the DMCA companies and say look, we have notified our user.

What happens if a user refuses your requests and continues with their activity?
If the user was to repeatedly refuse and wanted to use our service in that way, we’d have to suspend them.

What are your general thoughts on VPN providers using warrant canaries?
I think it’s an interesting topic. It’s unclear to me what the parameters of these warrant canaries are, whether they’re being used by some of our competitors. For example, are they saying their warrant canary will be triggered if they become subject to say some kind of PRISM scheme where they’re having to give over all their data indiscriminately or are they saying they will activate the warrant canary if they get one DMCA or one court order requiring them to hand over some user information.

A lot of the ones operating warrant canaries claim not to do any logging. I think most of the companies that claim not to do logging are in fact lying because they must have some way of preventing abuse on their service and many say that they’ll take action against users for abuse but they find it convenient to say that they’re not logging. We’re one of the few that are completely transparent about our logging policy.

First of all, I’m unclear what the parameters are around the use of the warrant canary and secondly if for example you’re using a warrant canary to alert people that you’re suddenly embroiled a scheme like the PRISM scheme, which by the way we wouldn’t be because we’re not based in the US. Let’s say that was the case and you’re ordered by a court not to disclose your involvement in this, I don’t see how some nod or a wink by the use of a warrant canary gets you off the hook.

Either you’ve alerted users or you haven’t alerted users. I guess their argument would be that, like I don’t understand what it’s supposed to signify and I’m a qualified lawyer working in the VPN sect so how on earth is anyone else supposed to really understand what it is? I’m not sure.

You’re based in the UK. How does this affect the way HideMyAss operates?
I think the UK is a good place to operate a privacy-focused business. We have strong data protection laws in Europe and we have a very clear respect for the rule of law in the UK. The courts have got a good track record in protecting civil rights and human rights including privacy in general in the UK. I think we operate in a fairly benign legal environment for our business and clearly, when we are ordered to disclose data by a competent UK court then we would have to do so.

I would rather be in that situation than a country that has a less developed legal system whereby data or information can be seized without going through the proper judicial processes.

I think some VPN providers make great play of being located in these slightly shady jurisdictions. Whilst they may not have laws requiring people to make disclosure that’s probably because the authorities don’t really respect the liberties of people, not make disclosure. Or hand over information when they come knocking, they just expect it to be handed over.

hma homepage

What can you tell us about who has access to your servers around the globe?
Do we have physical access? No, most of them are in data centers. It’s incredibly difficult to get access to data centers for very good reasons. If one of our technicians wanted to go down there it would be a huge procedure in proving their identity and authority and so on. These are very secure locations on the whole.

If your question is, are we worried about the data center getting access to our data, I can categorically say that we’re not. Because of the way that we configure our servers means if one of our servers were compromised physically then there wouldn’t be any user data available on those servers. They would come up empty and they would still have to come to us through the correct legal channels.

You have a very large VPN server network as it stands. Will you be expanding again soon?
We should have servers all over the globe by the end of this year. I’d expect you to expect us to have servers in every single country as a recognized geo if you know what I mean. There are different definitions of country on the Internet compared to the United Nations. But we’re looking to have full coverage to give our customers the maximum choice of service.

Read our full list of VPN providers.