RestorePrivacy

Resources to stay safe and secure online

VPN Logs: Everything You Need to Know

By Sven Taylor 2 Comments
VPN logs

When it comes to VPN logs, there’s a lot of confusion.

Countless VPN services are making the “no logs” claim for marketing purposes, but in reality, they are keeping some form of logs. In this guide we’ll cover the different types of VPN logs, the reasons for keeping logs, and what you can do to further protect your online privacy.

But first, why should you care about VPN logs? While there are some people who use a VPN for streaming only, most people care about their online privacy. Examining a VPN service’s logging policies will help to determine how well the VPN does in the privacy category.

Furthermore, if your VPN is logging data, then this data could also be lost, hacked, leaked online, or even end up for sale on some Dark Web forum. So the savvy VPN user will carefully consider a VPN’s logging policies before signing up. So let’s take a closer look….

Types of VPN logs

There are three different types of VPN logs (also discussed in our main VPN guide).

Usage (browsing) logs – These logs basically include online activity: browsing history, connection times, IP addresses, metadata, etc. From a privacy standpoint, you should avoid any VPN that collects usage data. Most of the VPN services that are collecting usage logs are free VPN apps, which are basically spyware. The data they collect is then sold to third parties, thereby monitoring the “free VPN” service.

Connection logs – Connection logs typically include dates, times, connection data, and sometimes IP addresses. Typically this data is used for optimizing the VPN network and potentially dealing with user problems or terms of use issues, such as using a VPN for torrenting, illegal activities, etc.

While basic connection logs are not necessarily a problem, there are some VPNs that keep connection logs, while falsely claiming to be a “no logs” service. Examples of this are BetternetPureVPN, Windscribe, and TunnelBear.

No logs – No logs simply means the VPN service is not keeping any logs. Having a truly no logs policy can be difficult to implement while at the same time enforcing restrictions, such as device connections or bandwidth. This is especially the case when VPNs need to enforce restrictions such as bandwidth or the number of devices being used per subscription.

We have also learned that VPNs may require logging with some VPN protocols, such as the WireGuard VPN protocol. However, as we noted in the NordVPN vs Surfshark comparison, both of these VPNs use a Double NAT system with WireGuard, thus allowing them to not keep any logs or connection data.

Reasons for logging

There are many reasons for maintaining some form of logs – and they are not necessarily bad.

1. Limiting the number of devices

One of the biggest reasons for maintaining logs is to limit the number of devices used with a subscription. Nearly every VPN imposes limits (3, 5, 6…) on the number of simultaneous connections that can be used with a subscription. Enforcing connection and device limitations may require some form of logging (at least when the user is connected to the service).

Exactly how the VPN service is enforcing connection restrictions while still being “no logs” is a question that only your VPN service can answer.

Another example is Perfect Privacy, which has a truly zero logs policy and allows users an unlimited number of device connections. According to Perfect Privacy, no logs = no restrictions (a high standard).

2. Limiting bandwidth

Bandwidth restrictions also require logging. To limit the amount of bandwidth used with a given account, logging is obviously necessary. Therefore if any VPN has bandwidth limits and also claims to be a “no logs” VPN, this should raise some questions. Three examples of this are Trust.Zone, TunnelBear, and Windscribe, which all offer “free trials” that are limited to a certain amount of bandwidth.

3. Logging with rental servers (VPS)

Many VPNs utilize virtual rental servers (virtual private servers). A VPS is much cheaper than a dedicated (bare metal) server, but this creates some problems from a privacy standpoint.

The problem is that rental servers will often maintain logs of server activity. Furthermore, local authorities can possibly force a server host to log data. In this case, the “no logs” policies of a foreign VPN company means absolutely nothing – local authorities would go directly to the datacenter to get whatever they need.

One example of this was a man in the Netherlands who was arrested despite using a “no logs” VPN provider. The police simply went to the server host (i.e. the landlord) and got all the data they needed to find and arrest the man (who was accused of making bomb threats).

4. National spying agencies force companies to log

Spying agencies, such as the NSA and GCHQ, have been known to force companies to log and/or hand over private customer information. Big tech companies in the US have been facilitating NSA spying since at least 2010 – see the PRISM Program. The Investigatory Powers bill in the UK mandates all data be logged and maintained for 12 months. Targeting a particular company or server network is especially easy.

Even worse, logging requests may be accompanied with a “gag order” – making it illegal for the company to disclose what they’re being forced to do. We noted this exact case, for example, in our IPVanish review.

5. Troubleshooting problems and optimizing VPN performance

Logging connection data is often justified by VPN providers for fixing problems with their service and optimizing their network. While running a fast, secure, and reliable VPN service does not necessarily require logging, most VPNs will at least maintain some minimal connection logs to keep everything working well.

Contradictory claims and false promises

The biggest problem right now is that more and more VPNs are using the “no logs” phrase as a marketing slogan, when it is in fact not true at all. Typically they’ll make a “no logs” claim boldly on their homepage, and then carefully disclose all the data they “keep” when you read the privacy policy and terms.

Here’s an example of a logging policy we discussed previously in our PureVPN review:

VPN logs not true

While connection logs are not necessarily bad, making false or contradictory statements only adds to the confusion when selecting a VPN.

VPN logs are a grey area

The reality is that it’s nearly impossible to ever verify if these “no logs” claims are true.

Further adding to this confusion is that some VPNs have convoluted definitions of what “no logs” actually means. And of course, there’s no standard that can be used and no widely-accepted definition.

Foreign jurisdiction – Making matters even worse, many VPNs operate in overseas jurisdictions and can never be held liable for dishonesty and false advertising. If a VPN service in Hong Kong lies to customers in the United States, there’s not much that can be done.

Foreign (overseas) businesses will never be held liable for violating false advertising laws and deceiving customers. There are simply beyond the law. While this is often good for privacy, it is also a drawback for accountability.

This is why trust is so important.

If you find a VPN that makes contradictory or misleading statements about their policies, it raises questions about their honesty and trustworthiness.

When “no logs” claims are verified

On a positive note, there have also been few examples where legal cases have verified the validity of a VPN provider’s “no logs” claims. Let’s take a look at a few of those examples:

ExpressVPN server seized in Turkey

The most recent of example of a VPN provider’s “no logs” claims getting backed up by real-world events is with ExpressVPN. Last year they had one of their servers seized in Turkey, where police were attempting to obtain customer data for an investigation. However, due to ExpressVPN’s no logs policies, authorities were not able to get any information from the server, simply because no data was available.

ExpressVPN issued a statement on their website, here is a brief excerpt:

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.

This case confirmed ExpressVPN’s logging policies and overall commitment to securing customer data.

Perfect Privacy server seized in Holland

Another example of this is with Perfect Privacy having their servers in Rotterdam seized. As with ExpressVPN, no customer data was affected due to a strict no logs policy. This is explained further on their website here.

In addition to a completely no logs, zero-knowledge policy, Perfect Privacy also operates all of their servers in RAM disk mode. This ensures that nothing is stored on the actual server, and if power is ever cut, there will be no data available (further explained in the Perfect Privacy review).

VPN logs audits

In some cases, VPNs have undergone third-party audits that have verified no logs. For example, we have the case of NordVPN and VyprVPN, which have both been audited and verified to be no logs.

See our no logs VPN guide for more information about VPNs that have been proven to be “no logs” with real-world test cases.

Other cases

In another case, Private Internet Access was called into court regarding an FBI investigation. In court they publicly stated that they do not have any logs or customer data to provide to authorities. While this does not really verify anything, it does add further validity to their “no logs” claims.

And lastly, there have also been a few cases where law enforcement agencies have shown “no logs” claims to be false. One infamous case was with PureVPN logging customer data and handing this over to authorities, despite claiming to have a “zero logs policy” on their homepage. See the article VPNs are Lying About Logs for more info on this topic.

Conclusion on VPN logs

With VPN logs, the main thing to look for is honesty and transparency. If you see that the “no logs” claims on the homepage do not align with the VPN’s privacy policy, then that indeed is a problem.

In terms of the big picture, other important considerations are jurisdiction and test results.

These factors are all taken into consideration with the rankings on the best VPN service report.

About Sven Taylor

Sven Taylor is the founder of RestorePrivacy. With a passion for digital privacy and online freedom, he created this website to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics. His focus is on privacy research, writing guides, testing privacy tools, and website admin.

Reader Interactions

Comments

  1. Adward

    I have used hola vpn. How long they will keep my activity log?Please answer.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *