When it comes to VPN logs, there’s a lot of confusion.
Countless VPN services are making the “no logs” claim for marketing purposes, but in reality, they are keeping some form of logs.
In this guide we’ll cover the different types of VPN logs, the reasons for keeping logs, and what you can do to further protect your online privacy.
Types of VPN logs
There are three different types of VPN logs (also discussed in the What is a VPN guide).
Usage (browsing) logs – These logs basically include online activity: browsing history, connection times, IP addresses, metadata, etc. From a privacy standpoint, you should avoid any VPN that collects usage data. Most of the VPN services that collect usage logs are free VPN apps, which are basically spyware. The data they collect is then sold to third parties, thereby monetizing the “free VPN” service.
Connection logs – Connection logs typically include dates, times, connection data, and sometimes IP addresses. Typically this data is used for optimizing the VPN network and potentially dealing with user problems or terms of use issues (torrenting, illegal activities, etc.).
While basic connection logs are not necessarily a problem, there is an increasing number of VPNs that keep connection logs, while falsely claiming to be a “no logs” service. Examples of this are Betternet, PureVPN, Windscribe, and TunnelBear.
No logs – No logs simply means the VPN service is not keeping any logs whatsoever. A truly no logs policy can be difficult to implement while at the same time enforcing restrictions, such as bandwidth or the number of devices being used per subscription.
Reasons for logging
There are many reasons for maintaining some form of logs – and they are not necessarily bad.
1. Limiting the number of devices
One of the biggest reasons for maintaining logs is to limit the number of devices used with a subscription. Nearly every VPN imposes limits (3, 5, 6…) on the number of simultaneous connections that can be used with a subscription. Enforcing connection and device limitations may require some form of logging (at least when the user is connected to the service).
Exactly how the VPN service is enforcing connection restrictions while still being “no logs” is a question that only your VPN service can answer.
Another example is Perfect Privacy, which has a truly zero logs policy and allows users an unlimited number of device connections. According to Perfect Privacy, no logs = no restrictions (a high standard).
2. Limiting bandwidth
Bandwidth restrictions also require logging. To limit the amount of bandwidth used with a given account, logging is obviously necessary. Therefore if any VPN has bandwidth limits and also claims to be a “no logs” VPN, this should raise some questions. Three examples of this are Trust.Zone, TunnelBear, and Windscribe, which all offer “free trials” that are limited to a certain amount of bandwidth.
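To make concrete what "some form of logging" has to mean for device and bandwidth limits, here is an added Python model (not code from any VPN provider; the `Account` and `Limiter` names, the account name and the limits are hypothetical). It enforces both limits while retaining only an active-session count and a running byte total per account: the source IP is seen at connect time but never stored, and no timestamps are kept.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    device_limit: int
    quota_bytes: int        # bandwidth allowance for the billing period
    used_bytes: int = 0     # the only value that must outlive a session
    active: set = field(default_factory=set)  # session ids, held in memory only


class Limiter:
    def __init__(self):
        self.accounts = {}  # account name -> Account

    def connect(self, name, session_id, source_ip):
        """Admit or refuse a session. source_ip is visible here but never stored."""
        acct = self.accounts[name]
        if len(acct.active) >= acct.device_limit:
            return "refused: device limit"
        if acct.used_bytes >= acct.quota_bytes:
            return "refused: quota exhausted"
        acct.active.add(session_id)
        return "ok"

    def disconnect(self, name, session_id, bytes_in, bytes_out):
        """Fold the session's byte counts into the total, then forget the session."""
        acct = self.accounts[name]
        acct.active.discard(session_id)
        acct.used_bytes += bytes_in + bytes_out

    def retained(self, name):
        """Everything a copy of this state would reveal about one account."""
        acct = self.accounts[name]
        return {"active_sessions": len(acct.active), "used_bytes": acct.used_bytes}


def demo():
    """Constructed run: the account, limits and documentation-range IPs are made up."""
    lim = Limiter()
    lim.accounts["alice"] = Account(device_limit=2, quota_bytes=1000)
    ips = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]
    results = [lim.connect("alice", f"s{i}", ip) for i, ip in enumerate(ips, 1)]
    lim.disconnect("alice", "s1", 400, 300)
    lim.disconnect("alice", "s2", 200, 150)
    results.append(lim.connect("alice", "s4", ips[0]))  # quota is now spent
    return results, lim.retained("alice")
```

The per-account byte total is still a record tied to an account, so a service that enforces a quota this way is keeping minimal accounting data rather than nothing at all.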
3. Logging with rental servers (VPS)
Many VPNs utilize virtual rental servers (virtual private servers). A VPS is much cheaper than a dedicated (bare metal) server, but this creates some problems from a privacy standpoint.
The problem is that rental servers will often maintain logs of server activity. Furthermore, local authorities can possibly force a server host to log data. In this case, the “no logs” policies of a foreign VPN company mean absolutely nothing – local authorities would go directly to the datacenter to get whatever they need.
One example of this was a man in the Netherlands who was arrested despite using a “no logs” VPN provider. The police simply went to the server host (i.e. the landlord) and got all the data they needed to find and arrest the man (who was accused of making bomb threats).
4. National spying agencies force companies to log
Spying agencies, such as the NSA and GCHQ, have been known to force companies to log and/or hand over private customer information. Big tech companies in the US have been facilitating NSA spying since at least 2010 – see the PRISM Program. The Investigatory Powers bill in the UK mandates all data be logged and maintained for 12 months. Targeting a particular company or server network is especially easy.
Even worse, logging requests may be accompanied by a “gag order” – making it illegal for the company to disclose what they’re being forced to do.
5. Troubleshooting problems and optimizing VPN performance
Logging connection data is often justified by VPN providers for fixing problems with their service and optimizing their network. While running a fast, secure, and reliable VPN service does not necessarily require logging, most VPNs will at least maintain some minimal connection logs to keep everything working well.
Contradictory claims and false promises
The biggest problem right now is that more and more VPNs are using the “no logs” phrase as a marketing slogan, when it is in fact not true at all. Typically they’ll make a “no logs” claim boldly on their homepage, and then carefully disclose all the data they “keep” when you read the privacy policy and terms.
Here’s an example from PureVPN:
While connection logs are not necessarily bad, making false or contradictory statements only adds to the confusion when selecting a VPN.
VPN logs = grey area
The reality is that it’s nearly impossible to ever verify if these “no logs” claims are true.
Further adding to this confusion is that some VPNs have convoluted definitions of what “no logs” actually means. And of course, there’s no standard that can be used and no widely-accepted definition.
Foreign jurisdiction – Making matters even worse, many VPNs operate in overseas jurisdictions and can never be held liable for dishonesty and false advertising. If a VPN service in Hong Kong lies to customers in the United States, there’s not much that can be done.
Foreign (overseas) businesses will never be held liable for violating false advertising laws and deceiving customers. They are simply beyond the law. While this is often good for privacy, it is also a drawback for accountability.
This is why trust is so important.
If you find a VPN that makes contradictory or misleading statements about their policies, it raises questions about their honesty and trustworthiness.
When “no logs” claims are verified
On a positive note, there have also been a few examples where legal cases have verified the validity of a VPN provider’s “no logs” claims. Let’s take a look at a few of those examples:
ExpressVPN server seized in Turkey
The most recent example of a VPN provider’s “no logs” claims getting backed up by real-world events is with ExpressVPN. Last year they had one of their servers seized in Turkey, where police were attempting to obtain customer data for an investigation. However, due to ExpressVPN’s no logs policies, authorities were not able to get any information from the server, simply because no data was available.
ExpressVPN issued a statement on their website, here is a brief excerpt:
As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.
This case confirmed ExpressVPN’s logging policies and overall commitment to securing customer data.
Perfect Privacy server seized in Holland
Another example is Perfect Privacy, which had their servers in Rotterdam seized. As with ExpressVPN, no customer data was affected due to a strict no logs policy. This is explained further on their website.
In addition to a completely no logs, zero-knowledge policy, Perfect Privacy also operates all of their servers in RAM disk mode. This ensures that nothing is stored on the actual server, and if power is ever cut, there will be no data available (further explained in the Perfect Privacy review).
Other cases
In another case, Private Internet Access was called into court regarding an FBI investigation. In court they publicly stated that they do not have any logs or customer data to provide to authorities. While this does not really verify anything, it does add further validity to their “no logs” claims.
And lastly, there have also been a few cases where law enforcement agencies have shown “no logs” claims to be false. One infamous case was with PureVPN logging customer data and handing this over to authorities, despite claiming to have a “zero logs policy” on their homepage. See the article VPNs are Lying About Logs for more info on this topic.
Update: See the new no logs VPN guide for more information about VPNs that have been proven to be “no logs” with real-world test cases.
Conclusion on VPN logs
With VPN logs, the main thing to look for is honesty and transparency. If you see that the “no logs” claims on the homepage do not align with the VPN’s privacy policy, then that indeed is a problem.
In terms of the big picture, other important considerations are jurisdiction and test results.
These factors are all taken into consideration with the rankings on the best VPN service report.
I have used Hola VPN. How long will they keep my activity log? Please answer.
I am not sure of the safest VPN service but I’ve heard of NordVPN, IPVanish and CyberGhost.
Please help me by answering which is the safest and how to authenticate their claims.
Hi, I have reviews of each of those providers (see the VPN reviews page), as well as the best VPN report.
Does NordVPN keep logs of any type? I’m on their 7 day trial so need to know before purchasing. Any recommendations for a good VPN provider with “no logs”?
Thanks
When you are actively connected to NordVPN servers, the central authentication server enforces a connection limit by storing how many active connections are in use under your account, just for authentication purposes. Authentication is no longer in use (deleted) as soon as you disconnect.
Law enforcement agencies will insist that VPN Service Providers always deny having logs, and put them under pressure to turn over ‘no logs’. It is a matter of trust; in the internet and the business world with VPN services no one can be trusted. The only trust is what is encrypted by my tools on my system before it leaves my network. VPNs are a business model where money is collected from users and from the sales of the data profiles. They all do it. The only safe way to stay anonymous in the internet is to encrypt the internet from point of departure to point of reception by open-source gpg or similar open and non commercial cryptographic tools.
Bandwidth logs don’t have to log anything else. The standard OpenVPN client allows you to get the number of in/out bytes on disconnect. This can be logged without any IPs, just to an account (common name of the certificate). This isn’t “no log”, but this is “no log of IPs or anything identifying”.
You call Perfect Privacy a no log VPN, however they do connection logs.
False. Take a look at their website and particularly the “Why VPN” section. They do not log customer data and have repeatedly claimed they will cease to exist before that ever happens.
Perfect Privacy has a solid track record when it comes to customer privacy. They had two servers seized last year in Rotterdam. But between no logs, running dedicated premium servers, and using their servers in RAM disk mode, no customer data was affected. No logs and no restrictions on bandwidth or connections. That’s the best logging policy you’ll find anywhere.