Do you believe what your VPN says about its logging policies?
Be careful.
A recent court case in Massachusetts has once again proven that some VPNs with “zero log” policies are indeed keeping logs and handing this information over to authorities.
In this guide we’ll examine the recent case and other examples to illustrate what’s going on and how you can protect yourself.
Here’s what you need to know.
Law enforcement vs “no logs”
PureVPN was recently caught red-handed.
The Department of Justice just published a complaint involving a cyberstalking case. The case involved a US resident who was allegedly stalking and harassing people while using PureVPN.
The relevant section of the complaint appears at the bottom of page 22:
While it is difficult to determine exactly what details these “records” (logs) contained, it is clear that enough information was provided for law enforcement officials arrest the PureVPN user on cyberstalking charges.
The FBI complaint above clearly appears to contradict the PureVPN privacy policy – notably this section here:
But this isn’t the first time law enforcement agencies have rained on the “no logs” VPN party.
According to a post on WipeYourData, a user of the “absolutely no logs” EarthVPN service was arrested with the help of “connection logs” obtained by police. While the post is short on details, it states Dutch police used these “connection logs” to arrest the EarthVPN user for allegedly making bomb threats.
When the story broke, EarthVPN allegedly blamed the datacenter where the server was located, but commenters suggested that the VPN may have handed over information to police. (There’s no way to know for sure and the original report is short on details.)
And finally, there’s also the case with HideMyAss.
According to Invisibler, HideMyAss, the UK-based VPN service, appears to have cooperated with US authorities in handing over logs in a hacking case. This lead to the arrest of a hacker in what is known as the “LulzSec fiasco”.
There are likely more examples that we will never know about where VPNs have handed over customer data (logs) to authorities.
Contradictory “no logs” claims
Further adding to the confusion is that there is no standard definition of “logs” or “no logs” used across the VPN industry. As you will see below, many VPNs come up with their own convoluted definitions.
Here are two examples where the marketing claims seem to contradict the privacy policies.
Example 1: Betternet
Betternet privacy policy:
Betternet may collect the connection times to our Service and the total amount of data transferred per day… Betternet uses third-parties (the “Third Party”) for advertisement. Third Party may use technologies to access some data including but not limited to cookies to estimate the effectiveness of their advertisements.
Example 2: PureVPN
Now returning again to the PureVPN privacy policy, notice the first and second-to-last sentences:
Apparently keeping “connection and bandwidth” is part of PureVPN’s “zero log policy”.
It seems many people will just look for the “no logs” claims on the homepage and never read the fine print in the privacy policy.
These contradictory claims are fairly common with VPNs.
Red flags with VPN logs
How do you know if you can trust what your VPN says about logs?
There is no concrete answer here, but you can watch out for these red flags:
- Contradictory statements – Compare the marketing statements to the privacy policy. If they contradict each other, you may have a problem.
- Restrictions + “no logs” – If a VPN is enforcing restrictions, this often requires some form of logging. While connection restrictions can perhaps be implemented in real time, bandwidth restrictions require logging.
- Jurisdiction – VPNs in certain jurisdictions, such as the US and UK, may be compelled to hand over information to government authorities. VPNs in the US, for example, can be forced to monitor/log their users by government authorities while being prohibited from disclosure (gag orders).
VPN logs are generally a grey area.
Reading the fine print will help you sort through the noise.
How to protect yourself
Here are five ways to protect yourself from a VPN service or server that may be compromised:
- Verified “no logs” claims – There have been two examples where “no logs” claims have prevailed over law enforcement. Private Internet Access had their “no logs” claims tested and verified in US court last year. In another example, Perfect Privacy had two of their servers seized in Rotterdam (also reported by TorrentFreak). According to Perfect Privacy, customer data remained safe due to the server configuration and their strict “no logs” policies.
- Multi-hop VPN – One way to protect yourself if a VPN server is compromised is through a multi-hop VPN configuration. A multi-hop configuration will help to mask incoming and/or outgoing traffic. Both ZorroVPN and Perfect Privacy offer self-configurable multi-hop VPN chains with up to four servers. VPN.ac offers 18 different double-hop configurations.
- VPN + Tor – If done correctly, using a VPN in combination with the Tor network can further protect users (but performance will drop significantly).
- Multiple VPN services – Using more than one VPN service at the same time will also provide more anonymity. A simple way to implement this setup would be to use one VPN on a router, and then connect to that network through another VPN on your computer/device. Implementing this technique with virtual machines is another option. (The main drawback will again be performance.)
- Privacy-friendly jurisdiction – Choosing a VPN that is outside the 5/9/14 Eyes surveillance countries may offer further protection. Nonetheless, this is no silver bullet. As we saw with PureVPN, being operated in Hong Kong does not mean they won’t cooperate with US authorities.
VPN logs are not necessarily a bad thing. It all depends on your threat model and how much privacy and online anonymity you seek to achieve.
Many VPN providers keep some logs and clearly explain this on their website. Two examples of logging transparency are VyprVPN and ExpressVPN (ExpressVPN recently revised its website to further clarify their policies). But there are other VPN services that keep or “retain” data, while falsely claiming to be “no logs” on their homepage (red flag).
The key is to understand what’s going on with these policies, look for honest and transparent providers, and take extra precautions if you want to achieve higher levels of online anonymity.
Hello everybody,
PureVPN did not log anything!!!!!!
The Data they used is the Registration Email Address from PureVPN and claimed information from this Email Address from the Email Provider. Then they got the real Identity of the Suspect. Now further more it is just for normal to collect evidences of IP usage and in the USA government can listen on ISP’s Endpoints and they catched the VPN IP from PureVPN used on several Accounts of the Suspect and he was 100% Identified by that process.
It’s just Analysing Metadata so everybody think twice doing bad things on the internet harms your own security!
Stop doing stupid things like stalking other people, don’t you have anything better todo? Make up your life and do better things makes the world much better and harms not the privacy nor questions privacy if less people doing bad things, the government have no reason to pursue anyone on the internet. Don’t harm other people in interNot or in your life it doesn’t worth it!
And even if you use an Email Address on registration a VPN Provider even then you make a mistake one time and you are busted! Thats not so easy because FBI and CIA is always watching!
As Sven already pointed out, the behaviour of many VPN providers to boldly claim “no logs” in absolute terms only to weaken and deluten them afterwards in the fine print is obvious.
However – and that is at least a “missing link” for me – all this “hide & seek” with the terms and wiggling around only makes sense as long as all those companies have an underlying interest to keep logs after all. But what is it? Like some rare cases show, apparently no one has gone to jail yet by not having been able to hand over such data.
From a (maybe naive) perspective all I see is a tiny amount of advantage when looking at things like quota enforcement, limiting the amount of users who may share an account and a bit of debugging help at the cost of huge disadvantages such as risking to lose customers, being blackmailed by authorities to hand over information, etc.
If I had a VPN service running and legally wouldn’t be forced to log anything, why should I even care for that in the first place? So maybe someone can enlight me what I am missing here.
I use PureVPN all over the world and have never had a problem connecting. Don’t know why you have an issue?
Hi Pete, I suspect that when I ran all of the testing for the review that the servers I was trying to connect to were overloaded. As explained in the PureVPN review, I was unable to connect to many servers in my region (Europe).
PIA lies about no logging. They do it by using word games. According to two now ex-PIA employees (https://airvpn.org/topic/23959-private-internet-access-caught-lying-about-their-no-logging-statements/):
“According to an ex-PIA employee, PIA does log PIA user account activity on the VPN: The information logged is written to a collective record that is a private business record for system monitoring. This record, due to the manner in which this information is collected, is considered (part of) a “proprietary method” and thus is ‘legally’ not disclosable in response to subpoenas or advertising or response to questions about logging. This allows them to ‘legally’ say they do not log when in reality they do in this “proprietary method” record. The information recorded in this “proprietary method” record is user activity on the VPN such as the ISP IP address the user connected to the PIA gateway server with, where the users goes on the internet, times and dates of the user activity, and how many devices the user has connected. This is tagged with the user PIA provided user account name used to log into the VPN system, this is the reason PIA will not allow this user account name to be changed once assigned.
According to an ex-PIA employee: First, the PIA VPN only encrypts between your device (PC, phone, etc…) and the ‘public IP assigning” regional gateway you are connected to. Second, the data leaves the regional gateway onto the internet un-encrypted. Third, and people do not realize this, before you hit the actual PIA “public IP” (the VPN IP the internet sees) regional gateway your traffic passes through a ‘gateway server’ that is in the same IP range as the TAP adapter (e.g. 10.x.x.x) and that begins the tracking of the PIA assigned user account ID and VPN activity of that PIA assigned user account. At this point your traffic is in the PIA network and is no longer encrypted. The user traffic is then passed onto the internet via the regional gateway unencrypted by the PIA encryption. Between that TAP IP range ‘gateway’ server entry to the PIA VPN system and, before leaving, the regional gateway server out on to the internet your traffic is not encrypted any longer and is the point where PIA logs VPN user activity in their “proprietary method” record. Now you know how PIA is able to do it, and how they log VPN users activity on the VPN and match it up specifically to a specific user and log it by using their “proprietary method” record. PIA claims that no log is written to the gateway server by writing such to dev-null which essentially writes it to nowhere as though it never existed, but this only involves that at the gateway server and the “proprietary method” record is written elsewhere and maintained for a period of time thus PIA can say that no log is written at the gateway server. (note: this is a simplistic explanation provided by an ex-PIA employee, its actually more complicated than that presented here but the end effect is the same and that end effect is PIA user activity on the PIA VPN is logged by PIA.)”
PIA is a U.S. based company. Under U.S. law (and other countries as well) a company is not obligated to reveal “proprietary methods” in response to questions, advertising, or in response to subponea (for user information or activity, in this case on a VPN). So by playing word games and calling it “a private business record for system monitoring” which is part of their “proprietary method” PIA can “legally” say they have no logs or they do not log when in reality they do log in their “proprietary method private business record for system monitoring” instead of calling it “logging”.
Hi Jack, interesting points. Although I can’t verify the validity of these claims with respect to PIA, you are correct in suggesting that VPNs are playing “word games” when it comes to logs. As I said in this article, there is no definition of “logs” or “no logs” – so anything goes.
Even “trusted” VPNs that are put up on a pedestal by the tech industry are playing “word games” when it comes to logs. This is also the case with ProtonVPN for example, where they advertise “no logs” but then disclose data that is “retained indefinitely” in their privacy policy. The VPN plays dumb if you call them out on it, but they know that most people will look for the “no logs” phrase on the homepage and not dig any deeper.
Your “proprietary methods” comments are also interesting. If the “secret sauce” is protected under law and still involves some sort of convoluted logging practices, we will probably never know. This is a grey area indeed. Thanks for your input.
Unless you are ONLY using public wifi on a computer you NEVER use for personal logins, you CAN be tracked if THEY really want to get you.
Which VPN would you recommend for streaming from geo-restricted websites?
Hi Stefan, most VPNs should be able to access geo-restricted sites without any problem. My top two recommendations at this time are Perfect Privacy or VPN.ac.
However, if you are referring to streaming websites/services, such as Netflix or BBC iPlayer, I would instead recommend ExpressVPN. Their service continues to work with all major streaming sites. Another alternative is VPNArea, although the performance is not quite as good as with ExpressVPN.
Okay here. With the case with the FBI, finding a connection between your ISP and PureVPN network proves absolutely nothing. The idiot was accessing his gmail and other accounts which are linked to him previously. It’s like saying, “It’s not me” when it IS you! The FBI didn’t find out who he was through the VPN, the FBI knew who he was and then tracked his internet usage. PureVPN didn’t reveal anything, except connections were made. Effectively, the FBI reverse traced him through his accounts. Gmail account was accessed from this IP address… query them on info, they say this IP was connected for this long from this ISP. Query the ISP… and so on.
PureVPN doesn’t log activity, just connections, maybe bandwidth. But this is effectively anonymous information.
VPNs do not log your activity, whereas your ISP may be (required). Also, it is a fact that a VPN service will cooperate fully with the law. What does that mean? Each VPN service varies. They provide what they know (a connection was made, maybe the bandwidth), and it is extremely limited.
I think the article here is trying to be objective, but the subjective narrative can be seen.
I can say that while PureVPN’s customer service isn’t the best, it’s pretty good at the basic stuff. The one thing they seem unwilling to help with is DD-WRT and OpenVPN w/IPTables to create a bypass for certain streaming devices. Also, their instructions on setting up DD-WRT via OpenVPN shell is… troublesome.
I have 4 lifetime VPN subscriptions, some of which are shared among other people. PureVPN, once you’re set, is quite useful. VPNs are more about encrypting your traffic, not invisibility. Let’s not be naive in thinking that a VPN is going to make you entirely invisible, anonymous and non-detectable. It adds a layer of security and anonymity to an extent, but there’s always a way (rarely forward, sometimes reverse).
The US criminal complaint proves that PureVPN records connection logs, while it claims the opposite. Period.
Hi Dan, I have to disagree with many statements in this comment. Connection logs are not “anonymous information”. They can be used to match up your activities, which is exactly what happened in this case.
You also state that a “VPN service will cooperate fully with the law” – but that is not entirely true. A VPN service must cooperate with the laws under which they operate (jurisdiction). For example, a Romanian VPN service does not have to “cooperate” with an American DMCA complaint – different countries, different laws. Jurisdiction is key here – it may be good to avoid Five Eyes and 14 Eyes.
Now, when I tested PureVPN for the review I found leaks with every single server I could connect to. There were many servers I couldn’t even connect with. Also, you may be interested in the VPN scams article, given that you have purchased four different lifetime subscriptions.
Could you make a review on Windscribe vpn
Hi Peter, it’s on the to-do list 🙂
The police use it because there is also a connection log. The connectivity log is one such vulnerability. You can take away your personal information by using it. This is why you should use secure vpn that does not store all logs in places that are located in a safe country except for 14 eyes and their cooperating countries and foreign countries.
vpn.ac is also not secure. Records and deletes ip addresses and timestamps daily, and also stores bandwidth separately. It is too dangerous. It becomes a big clue.
Even if are a criminal, you should never give away your personal information. Even if it is dangerous, you must keep it secure unconditionally. purevpn has completely lost its vpn position due to its own safety. Now people will hate and hate it and not use it.
Hi Jack, any VPN that is enforcing limitations (connections or bandwidth) is probably keeping some form of logs. That’s just the reality of the situation. But you claiming that VPN.ac is “not secure” because they are honest about their logging policies (logs are deleted every day) is ridiculous. They are a very secure VPN service, with highly advanced encryption, created by an internet security company (NetSec). They keep minimal connection logs to further secure their network, and are very honest about these policies.
My recommendation if you want a truly “no logs” VPN is to use a service that promises “no logs” and does not have any restrictions whatsoever (Perfect Privacy). Or, just use two VPNs together to keep things more anonymous.
Could you do a Tor vs Epic privacy browser?
Hi Adam, I’d opt for the Tor browser (in combination with a VPN and the Tor network disabled). I’ve read that Epic browser leaks (here and here).
Tor vs epic? really? Tor is incredibly slow. Epic is a no name browser. Seriously just stick to chrome, firefox, even safari (get a mac or use linux) and add on the proper extensions (ghostly, adblocker, etc.) and get a good vpn. You will be more covered than 95%+ of people.
Indeed, the Tor network is quite slow. But you can use the Tor browser without the Tor network. The Tor browser is just a hardened version of Firefox that protects you against tracking, browser fingerprinting, and spoofs your device as Windows 7. And you don’t need any add-ons or modifications (other than disabling the Tor network) – see here.
SVEN, I got nordvpn 3 weeks ago. it does slown down internet. perfectprivacy is too expensive. i wish there was a good/safe/cheap 2-3 years membership vpn like nordvpn, but faster. i saw Privateinternetaccess 2 years for $60. i havent tried tor. i might get money back from nord an try PIA. I Wont touch expressvpn/perfectprivacy cause cost 2 much. u said that vpn.ac logs, but admits it. i know u reviewed nord as great, but u never recommend it. i like nords safety and over 3000 servers. i’ve been reading alot in the past month. i want a safe, out of 14 eyes, fast cheap no logs vpn with thousands of servers. should i try PIA? WHAT ELSE U RECOMMEND OR AND WAYS 2 MAKE NORD vpn ASTER. I KNOW THAT FREE VPNS ARE A MESS, LOL. probably 4get free vpns. i’m excited, but kinda frustrated looking around. in 2015 i was hacked for $180 ransom. i remained IT work. calm for about 30 minutes while the guy yelled asking what was i doing. i 1st restarted comp. he still was controlling my mouse. i then did SYSTEM RESTORE to a day before restore point. it worked.
Hi Bill – regarding NordVPN, you could try different servers and different VPN protocols perhaps. Private Internet Access (PIA) is supposed to have pretty decent performance, but the obvious drawback is that they’re located in the United States. ExpressVPN is less than Perfect Privacy, they have thousands of servers, and they’re located in a good privacy jurisdiction. While it is a bit expensive, they do offer a coupon for three months free (you’ll see it applied at checkout) and a 30 day refund window.
” Epic is a no name browser. ”
Something being known or popular doesn’t make it good. In fact, mostly the opposite. The more popular and well known product is, the more opportunities its creator(s) have to trick their users/customers. And more often than not, they can’t resist to do so.
This is one of the reasons why Chrome which was once marketed as lightweight fast browser, is now horrifically slow at loading times, spends minutes at black (or white) loading screen, consistently lags and freezes, eats tons of ram, to the point that it is impossible to use it on low-end PCs. I won’t even speak about the amount of tracking (integration into Google’s “ecosystem”) it does, and how little you may do to configure privacy settings.
In general, I noted, that the more obscure the thing is, the more chances are there that it is actually good. Because people in general don’t need something to have a functionality, they need it to be fast, easy and just work. And to cater to their needs (and getting profit of their needs), the creators of popular products tend to strip their products out of their (useful) functions, and add garbage instead. Ironically, Chrome went from easy, light and fast to complicated, heavy and slow. While it integrated some of the functions which arguably may be useful to people (their own Google Translate, PDF Viewer, Flash, MP3, AAC and MP4 support), it made the browser heavier. Not to mention that there is still plenty of functionality, which is not available to Chrome without usage of extensions, so I don’t see why aforementioned functions couldn’t be limited to optional extensions or/and plugins as well.
Firefox itself shares urls (web addresses) with Google in order for the later to inspect them for fishing and malware. There is also a whole list of functions, which in one way or another violates your privacy. Refer to “Hardening of firefox” threads. Their stance on privacy is laughable, as even browsers, based on Chromium, such as Brave, actually block ads, tracking and third party cookies by default. While Firefox does not block any of them, unless you use an incognito mode. And it does not block ads at all still.
Tor is not slow. In fact Tor is way faster than Firefox for several reasons.
a. Tor is a hardened Firefox. So unnecessary functions (obviously not all of them, which is yet another problem) are disabled, which makes Tor faster.
b. Tor features No Script extension by default, which disables majority of ads, animated content and other garbage which eats bandwidth and slows down experience in the internet.
Why then in your or other people’s experience Tor is slow? Because Tor by default uses onion routing. It transfers your data through several relays (basically other people’s computers), so the speed of browsing in Tor depends on their connection speed. If they have a slow internet, or in fact only one of them has a slow internet, then you experience slow connection as well. If all of them, on the other hand, have fast connection, then (considering that your connection is not faster or slower than their one) you will not see any difference, or in fact notice connection being faster due to unnecessary functions being disabled and scripts being blocked. You may browse in Tor without using onion routing. It is also better for fingerprinting than using Firefox or (god forbid) Chrome with bunch of extensions. Fingerprinting is basically a method of identifying you through the information browser reveals through javascript, flash and other ways. It does not matter if you use proxy or VPN, as this information comes from your browser. It includes information about operating system, browser, extensions, fonts, plugins, time zone, language, information about hardware. Majority of Tor users do not use any of extensions, other than the built-in ones. So simply by using Tor normally, you are not identifiable from any other Tor user (besides not using onion routing, obviously). While, on the other hand only minority of Chrome and Firefox (more of the latter though) users install extensions, let alone privacy-related ones. If you do not care about fingerprinting issue, then you are way better with using countless of Firefox and Chromium (important, not Chrome) open-source derivatives. As it is highly unlikely that they are doing shady things in the background like Chrome or other closed-source browsers by big corporation do. (Be aware, though, that Chromium, the open source browser, which Chrome is based on, does connect to Google. There is even a special version of Chromium, which is deprived of those functions). And several of them (including Brave) have additions which reduce the need for extensions in the first place.