When it comes to VPN logs, there’s a lot of confusion.
Countless VPN services are making the “no logs” claim for marketing purposes, but in reality, they are keeping some form of logs. In this guide we’ll cover the different types of VPN logs, the reasons for keeping logs, and what you can do to further protect your online privacy.
But first, why should you care about VPN logs? While there are some people who use a VPN for streaming only, most people care about their online privacy. Examining a VPN service’s logging policies will help to determine how well the VPN does in the privacy category.
Furthermore, if your VPN is logging data, then this data could also be lost, hacked, leaked online, or even end up for sale on some Dark Web forum. So the savvy VPN user will carefully consider a VPN’s logging policies before signing up. So let’s take a closer look….
Types of VPN logs
There are three different types of VPN logs (also discussed in our main VPN guide).
Usage (browsing) logs – These logs basically include online activity: browsing history, connection times, IP addresses, metadata, etc. From a privacy standpoint, you should avoid any VPN that collects usage data. Most of the VPN services that are collecting usage logs are free VPN apps, which are basically spyware. The data they collect is then sold to third parties, thereby monitoring the “free VPN” service.
While basic connection logs are not necessarily a problem, there are some VPNs that keep connection logs, while falsely claiming to be a “no logs” service. Examples of this are Betternet, PureVPN, Windscribe, and TunnelBear.
No logs – No logs simply means the VPN service is not keeping any logs. Having a truly no logs policy can be difficult to implement while at the same time enforcing restrictions, such as device connections or bandwidth. This is especially the case when VPNs need to enforce restrictions such as bandwidth or the number of devices being used per subscription.
We have also learned that VPNs may require logging with some VPN protocols, such as the WireGuard VPN protocol. However, as we noted in the NordVPN vs Surfshark comparison, both of these VPNs use a Double NAT system with WireGuard, thus allowing them to not keep any logs or connection data.
Reasons for logging
There are many reasons for maintaining some form of logs – and they are not necessarily bad.
1. Limiting the number of devices
One of the biggest reasons for maintaining logs is to limit the number of devices used with a subscription. Nearly every VPN imposes limits (3, 5, 6…) on the number of simultaneous connections that can be used with a subscription. Enforcing connection and device limitations may require some form of logging (at least when the user is connected to the service).
Exactly how the VPN service is enforcing connection restrictions while still being “no logs” is a question that only your VPN service can answer.
Another example is Perfect Privacy, which has a truly zero logs policy and allows users an unlimited number of device connections. According to Perfect Privacy, no logs = no restrictions (a high standard).
2. Limiting bandwidth
Bandwidth restrictions also require logging. To limit the amount of bandwidth used with a given account, logging is obviously necessary. Therefore if any VPN has bandwidth limits and also claims to be a “no logs” VPN, this should raise some questions. Three examples of this are Trust.Zone, TunnelBear, and Windscribe, which all offer “free trials” that are limited to a certain amount of bandwidth.
3. Logging with rental servers (VPS)
Many VPNs utilize virtual rental servers (virtual private servers). A VPS is much cheaper than a dedicated (bare metal) server, but this creates some problems from a privacy standpoint.
The problem is that rental servers will often maintain logs of server activity. Furthermore, local authorities can possibly force a server host to log data. In this case, the “no logs” policies of a foreign VPN company means absolutely nothing – local authorities would go directly to the datacenter to get whatever they need.
One example of this was a man in the Netherlands who was arrested despite using a “no logs” VPN provider. The police simply went to the server host (i.e. the landlord) and got all the data they needed to find and arrest the man (who was accused of making bomb threats).
4. National spying agencies force companies to log
Spying agencies, such as the NSA and GCHQ, have been known to force companies to log and/or hand over private customer information. Big tech companies in the US have been facilitating NSA spying since at least 2010 – see the PRISM Program. The Investigatory Powers bill in the UK mandates all data be logged and maintained for 12 months. Targeting a particular company or server network is especially easy.
Even worse, logging requests may be accompanied with a “gag order” – making it illegal for the company to disclose what they’re being forced to do. We noted this exact case, for example, in our IPVanish review.
5. Troubleshooting problems and optimizing VPN performance
Logging connection data is often justified by VPN providers for fixing problems with their service and optimizing their network. While running a fast, secure, and reliable VPN service does not necessarily require logging, most VPNs will at least maintain some minimal connection logs to keep everything working well.
Contradictory claims and false promises
Here’s an example from PureVPN:
While connection logs are not necessarily bad, making false or contradictory statements only adds to the confusion when selecting a VPN.
VPN logs = grey area
The reality is that it’s nearly impossible to ever verify if these “no logs” claims are true.
Further adding to this confusion is that some VPNs have convoluted definitions of what “no logs” actually means. And of course, there’s no standard that can be used and no widely-accepted definition.
Foreign jurisdiction – Making matters even worse, many VPNs operate in overseas jurisdictions and can never be held liable for dishonesty and false advertising. If a VPN service in Hong Kong lies to customers in the United States, there’s not much that can be done.
Foreign (overseas) businesses will never be held liable for violating false advertising laws and deceiving customers. There are simply beyond the law. While this is often good for privacy, it is also a drawback for accountability.
This is why trust is so important.
If you find a VPN that makes contradictory or misleading statements about their policies, it raises questions about their honesty and trustworthiness.
When “no logs” claims are verified
On a positive note, there have also been few examples where legal cases have verified the validity of a VPN provider’s “no logs” claims. Let’s take a look at a few of those examples:
ExpressVPN server seized in Turkey
The most recent of example of a VPN provider’s “no logs” claims getting backed up by real-world events is with ExpressVPN. Last year they had one of their servers seized in Turkey, where police were attempting to obtain customer data for an investigation. However, due to ExpressVPN’s no logs policies, authorities were not able to get any information from the server, simply because no data was available.
ExpressVPN issued a statement on their website, here is a brief excerpt:
As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.
This case confirmed ExpressVPN’s logging policies and overall commitment to securing customer data.
Perfect Privacy server seized in Holland
Another example of this is with Perfect Privacy having their servers in Rotterdam seized. As with ExpressVPN, no customer data was affected due to a strict no logs policy. This is explained further on their website here.
In addition to a completely no logs, zero-knowledge policy, Perfect Privacy also operates all of their servers in RAM disk mode. This ensures that nothing is stored on the actual server, and if power is ever cut, there will be no data available (further explained in the Perfect Privacy review).
VPN logs audits
In some cases, VPNs have undergone third-party audits that have verified no logs. For example, we have the case of NordVPN and VyprVPN, which have both been audited and verified to be no logs.
See our no logs VPN guide for more information about VPNs that have been proven to be “no logs” with real-world test cases.
In another case, Private Internet Access was called into court regarding an FBI investigation. In court they publicly stated that they do not have any logs or customer data to provide to authorities. While this does not really verify anything, it does add further validity to their “no logs” claims.
And lastly, there have also been a few cases where law enforcement agencies have shown “no logs” claims to be false. One infamous case was with PureVPN logging customer data and handing this over to authorities, despite claiming to have a “zero logs policy” on their homepage. See the article VPNs are Lying About Logs for more info on this topic.
Conclusion on VPN logs
In terms of the big picture, other important considerations are jurisdiction and test results.
These factors are all taken into consideration with the rankings on the best VPN service report.