Written May 24, 2016
Note: This was originally posted on reddit, but is now being posted on my site.
Early on, my VPN Comparison project had evoked reactions of admiration from some, and anywhere between annoyance and vitriol from others. The latter usually took the form of companies on the list who didn’t like that I made evident certain policies or who noticed that they don’t compare favorably. For the last couple of months, every now and again, I’ll get messaged by some throwaway account with vague threats or angry rambling trying to discredit me. This has made me extra cautious as I check messages – anyone could be sending anything and (as you are probably already aware) people are often not who they claim to be online.
So, onto the story:
Last week, I received some reddit mail from an individual claiming to be from a certain VPN company. The individual then proceeded to offer me a bribe – a lifetime subscription to their service (which they told me was up for negotiation), in exchange for my cooperation in recommending their service and bringing them up casually in conversation.
The original reddit mail:
Dear That One Privacy Guy
My name is [redacted] and I am the PR Manager Digital and Partnerships at Ivacy VPN. I really appreciate your hard work that goes into making a comparison sheet of VPNs. I really admire it and at times have taken references comparing VPNs.
Right now, I have something great to offer you. As a PR Manager of Ivacy, I can offer you a lifetime account of Ivacy VPN, but, I would really appreciate if in return you can create a post or mention us on your forums or threads that you create.
See, people look up to you as an authority- as an influencer, and if you mention us in any relevant discussion, that’ll be a very beneficial thing.
So, I will really appreciate your positive response in this regard, or any terms that you want to put forward. We are open for negotiations.
My first reaction was “check the account” which confirmed the throwaway with this as its first post. Given the attention the project had recently gotten on several big tech blogs and other places, I almost dismissed it as just some troll. But then I stopped to think about it. Half of the reason I started my project was because of affiliate corruption, and sadly, it wouldn’t be beyond the realm of possibility for this to be legitimate. I owed it to the community to investigate further.
I replied to “[redacted]” that we should take the conversation to email, which I created a throwaway email account for. “[redacted]” sent me an email shortly after confirming that he indeed wanted to discuss further his proposed arrangement.
Dear, That One Privacy Guy,
So, I have emailed you on reddit regarding the deal. What would you like to know more. I would really appreciate your feedback.
As I’d hoped, he took the bait and I got what I wanted for confirmation – the email headers. They revealed that the email had indeed come from someone at @ivacy.com, but not from “[redacted]”. The email address came from one “[redacted]” instead.
The relevant bit from all the way at the bottom:
Received: by [redacted] (Authenticated sender: [redacted]@ivacy.com, from: [redacted]@ivacy.com)
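The header check described above, as an added example (not code from the original post): it walks a message's Received headers, pulls out the "Authenticated sender" annotation in the format quoted above, and compares it with the displayed From address. The sample message, its hosts and addresses, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: hosts and addresses are placeholders,
# not values from the post.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTPS id abc123;
\tTue, 17 May 2016 10:02:11 +0000
Received: by smtp.example.net (Authenticated sender: bob@vendor.example,
\tfrom: bob@vendor.example) id 4F2A1; Tue, 17 May 2016 10:02:09 +0000
From: "Alice PR" <alice.pr@freemail.example>
To: throwaway@example.org
Subject: Re: the deal

What would you like to know?
"""

# Matches the annotation some submission servers add for logged-in senders.
AUTH_RE = re.compile(r"Authenticated sender:\s*([^\s,;()]+)", re.I)

def authenticated_senders(msg):
    """Return authenticated-sender addresses, earliest hop first."""
    found = []
    # Each relay prepends its Received header, so the last one in the
    # message is the hop closest to the sender ("all the way at the bottom").
    for hop in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(hop.split())  # undo header line folding
        found += [m.lower() for m in AUTH_RE.findall(unfolded)]
    return found

def check_sender(raw):
    """Compare the displayed From address with the authenticated sender."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    auth = authenticated_senders(msg)
    origin = auth[0] if auth else None
    return {
        "claimed_from": claimed,
        "authenticated": origin,
        "authenticated_domain": origin.rsplit("@", 1)[-1] if origin else None,
        "mismatch": origin is not None and origin != claimed,
    }

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

A Received line written by a relay you do not control can be forged by the sender, so treat the result as a lead to corroborate, not as proof on its own.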
So, I started googling and looking for connections between [redacted] and Ivacy – and I found exactly what I was looking for.
Post after post by [redacted] with more of the same astroturfing spam I had seen on reddit earlier. This also included a link tying this individual directly to the company.
I just want to leave you with some thoughts about privacy. We live in a society where privacy is undervalued and under assault daily. Some people eventually notice this and discover that they do value their own. They set out on a pilgrimage of sorts to educate themselves and learn about tools to help them protect it (as I did when I started my project). Because we depend on each other for direction and others to write software and run services to help keep us secure – TRUST AND TRANSPARENCY – are paramount.
However, transparency comes before trust. Encourage transparency in the tools and companies we rely on.
Our privacy is hard enough to protect without these kinds of deceptive practices making us second guess our options.