Exposed – Many VPN Providers Log Your Data
VPN providers all claim “Anonymity & Privacy” for their services. It is fair to ask whether those claims are true, as many of their claims about privacy and anonymity are disingenuous. Technically, a VPN does not always provide pure anonymity and privacy. A provider may say “100% No Logs”, but that is more of a marketing term to attract clients.
If a provider keeps an extensive number of logs, or falls under a 5, 9 or 14 Eyes jurisdiction and therefore has to disclose transparency reports, it is better to avoid that provider.
Different VPN providers also do different types of logging. Before getting into which VPN providers are safe and which are not, let’s first cover the types of logs that VPN providers keep, as there is a handful of VPN providers that have been put to the test and had their Zero Log Policy claims verified. Until an incident occurs, such as a subpoena from the government, no one can tell whether a VPN provider is entirely safe. That doesn’t mean a VPN should not be used, and some providers are even transparent about their logging activity, but you must be aware of whether it’s a reliable product.
Generally, there are two types of VPN logs: Usage/Activity Logs, which invade privacy, and Connection Logs, which are quite harmless and are often deleted after one or two weeks.
Activity/Usage Logs – What Is It & How It Can Prove Harmful?
Activity/usage logs vary from provider to provider, but the majority of free VPNs keep them. Free VPN services need to pay for server expansion, software updates, website expenses, technical support, data centers and much more, none of which is free, so they likely sell users’ information to third-party services.
Connection Logs – Collects Information but Less Harmful
Connection logs usually record IP addresses, connection date, time, and location. However, VPN providers do not directly reveal your identity, location, or connection time and date. Some VPNs that collect connection logs despite claiming a Zero Log policy are TunnelBear, Betternet, Proton VPN, and PureVPN. The good part is that retention is temporary, typically one to two weeks, though some, like HideMyAss, keep logs for up to 6 months before deleting them. So, from a privacy perspective, it is intrusive to some extent.
Warrant Canaries – Way to Inform their Users About Secret Warrant
This is where Warrant Canaries come in. They are not related to logging any connection or activity information; they are landing pages that VPN providers advertise to maintain their privacy. A warrant canary is a statement published on a specific page confirming that the service has never received any secret warrant to date. If the page stops publishing its regular statement, the canary has been removed, which means a subpoena has been issued to that VPN provider along with a prohibition on reporting it.
The use of a “Warrant Canary” does raise some questions, though. For example, why is a “Warrant Canary” needed if a VPN provider claims to have a no-logs policy? They are also updated once a month, which makes them a bit useless. Still, readers should be aware of them, so a little insight has been given in this post.
Helps in Troubleshooting
Troubleshooting is one of the common reasons for data logging. For example, while using a VPN, you may encounter connectivity issues, WebRTC leaks, or other related issues. If there’s a log of your data, it can help in optimizing the VPN network as well as in solving these problems. Also, the majority of VPN troubleshooting or maintenance does require some connection logs.
Limited Concurrent Connections
Using VPS (Rented Servers)
Granting Requests of Government Laws or Intelligence Agencies
Moreover, government intelligence organizations such as GCHQ (Government Communications Headquarters) and the NSA (National Security Agency) have spied on UK- and USA-based tech companies as part of the PRISM surveillance program since 2010, which issues a “gag order” when demanding log files from a tech company, so that the demand is not disclosed to the target user. And if the issued “gag order” is not followed, that can even be counted as illegal.
VPN Providers & Their Logging Policies
Seychelles Headquartered – Astrill VPN
"Our system keeps track of active sessions - connection time, IP address, device type and Astrill VPN application version during the duration of your VPN session."
"Additionally to this, we keep last 20 connection records which include: connection time, connection duration, country, device type and Astrill client application version number."
As per the statements above, we can say that Astrill does collect actual logs, such as connection timestamps, devices used, the user’s country and even the IP address.
Also, the FAQ entry “Does Astrill keep any logs?” states that logging is done only for ACTIVE sessions, to monitor simultaneous connections from one subscription, and claims that the logs are removed once the session is over. So, if you’re looking for a VPN with a zero-log policy, it’s better to look at other providers.
The USA Headquartered – Anonymizer
Anonymizer is based in a country considered an “Internet Enemy” by Reporters Without Borders. It follows government laws that involve the 5/9/14 Eyes alliances. So, it’s fair to say that Anonymizer does keep users’ VPN logs, and if a subpoena with a gag order is issued to them, they won’t be able to say no and will have to provide all the details. Moreover, the terms of service page has been removed. But luckily, I was able to find the statement that was written in it:
“To the maximum extent permitted by applicable law, Anonymizer may monitor your use of the Anonymizer service, e-mail, or other electronic communications and may disclose such information in the event it has a good faith reason to believe it is necessary for purposes of ensuring your compliance with this Agreement, and protecting the rights, property, and interests of the Anonymizer Parties or any customer of a Anonymizer Party.”
To be more precise, Anonymizer VPN logs whatever it can, and if that’s not enough, its website homepage even stated,
“You’ll never have to worry about keeping track of your usage or connections”, which is quite contradictory.
Ace VPN – The USA based VPN Provider
“Personal Information is collected when you establish an account with us, place an order on the site, participate in a contest, sweepstakes or on-line survey, or when you communicate with any of our departments such as customer service, sales or technical services through the site, telephone, email or fax.”
AirVPN – Italian VPN Provider
Germany Based – Avira Phantom VPN
Malaysian Headquartered – BolehVPN
Being headquartered in Malaysia, BolehVPN is entirely safe from the 5/9/14 Eyes jurisdiction. And it even claims that “BolehVPN does not keep logs of user activity or access. We do keep logs of general traffic throughput of our servers to ascertain loading and usage of our servers but not at an individual level. However if we do notice any unusual activity on our servers (high bandwidth loading, high number of connections or cpu usage) we may turn on logs temporarily to identify abuse of our services (such as DoS or spamming through our servers).”
However, they even claim, “Turning on logs for troubleshooting is a very last resort and is necessary to ensure the integrity of our services. It has happened very rarely (only a handful of times in our 9 years of operation) and such information was not disclosed to third parties but merely used to terminate the offending user. In any case logs were usually enabled for not more than few hours and only for the particular server that was experiencing abuse.” So, we assume that the provider may become co-operative if they receive a subpoena for revealing logs of a target.
The USA Headquartered – FlyVPN
But I like their openness. If you visit their TOC page, the following lines are written:
“When you use FlyVPN, we will record the following information:
- Your local IP
- Timestamp of when you successfully accessed VPN
- The VPN IP that is assigned to you
- The port number that is assigned to you
- Timestamp of when you disconnected from VPN”
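Why these five fields matter, as an added example (not FlyVPN's code and not from the original article): with session records in this shape, one sighting of a VPN IP and port at a known time resolves to the subscriber's real IP until the records are purged. The record layout, function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    local_ip: str                      # "Your local IP" (the subscriber's real address)
    connected: datetime                # timestamp of successful VPN access
    vpn_ip: str                        # VPN IP assigned to the user
    port: int                          # port number assigned to the user
    disconnected: Optional[datetime]   # None while the session is still open


def ts(text: str) -> datetime:
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed records; every address is from an RFC 5737 documentation range.
SESSIONS = [
    Session("198.51.100.7", ts("2024-03-01T09:00:00"), "203.0.113.10", 40001,
            ts("2024-03-01T10:30:00")),
    Session("198.51.100.23", ts("2024-03-01T09:15:00"), "203.0.113.10", 40002,
            ts("2024-03-01T09:45:00")),
    # Port 40001 is handed to a different subscriber after the first one leaves.
    Session("198.51.100.99", ts("2024-03-01T10:45:00"), "203.0.113.10", 40001, None),
]

FOREVER = datetime.max.replace(tzinfo=timezone.utc)


def attribute(sessions: List[Session], vpn_ip: str, seen_at: datetime,
              port: Optional[int] = None) -> List[str]:
    """Real IPs of every session that held vpn_ip (and port, if known) at seen_at."""
    hits = set()
    for s in sessions:
        if s.vpn_ip != vpn_ip or (port is not None and s.port != port):
            continue
        if s.connected <= seen_at <= (s.disconnected or FOREVER):
            hits.add(s.local_ip)
    return sorted(hits)


def purge(sessions: List[Session], now: datetime, retention: timedelta) -> List[Session]:
    """Keep open sessions and closed ones that ended within the retention window."""
    return [s for s in sessions
            if s.disconnected is None or now - s.disconnected <= retention]
```

Without the port, a shared exit IP yields several candidate subscribers; with it, the match is unique, and only the retention window bounds how long that remains possible.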
Cyprus Based – Faceless.me
By looking at these types of contradictory statements, we think it’s better to avoid such VPN providers and instead go for others.
Canada Based VPN Provider – Flow VPN
Canada being part of the Five Eyes Alliance makes FlowVPN a bit questionable. Furthermore, the statement made by Flow VPN makes it even more doubtful.
For instance, the provider’s TOC page says “Upon installation of the client application all users are allocated an Account Name against which we reserve the rights to log subscription information (including transaction references), connecting IP address, authentication requests, session data (allocated IP, connection date, time, duration, etc).” It has a hidden message in it, through which users can be fooled.
Further, it even goes on to state, “To comply with the requirements of our bandwidth providers we reserve the right to log activity across our network and use automated systems to monitor network activity for abuse (such as use of BitTorrent and similar peer-to-peer file sharing).”
Likewise, if you are looking for safe torrenting or log-free VPN connections, you’ll have to look somewhere else.
France Headquartered – Freedom-IP
Also, their logging policy (about which they are quite frank) gives the alarming information that users can be traced back, though it doesn’t record the content of communications. For example, their privacy page states:
“Data kept by VPN Session:
- IP Address of connection
- Start time of session
- End time of session
- Data received of session
- Data sent of session”
The UK Based – HideMyAss
Like many VPN providers, HideMyAss also claims the same thing, “We do not collect or store your IP address, your DNS requests, your application or online services use, or the websites you visit.”
However, in the past HideMyAss was involved in an FBI case in which it handed over details such as bandwidth data, real IP address, VPN address and timestamps to the intelligence agency to track down a LulzSec hacker. The same information was also posted on their website’s blog, though it has since been deleted. Also, we’ve found through internet archives that, despite their no-log policy claims, they do maintain logs and user privacy is not 100%; otherwise it wouldn’t have been possible for them to provide any information.
Moldova Based – HideIP VPN
“HideIPVPN keeps a no-logs policy. It means that activity while using VPN is not being stored nor shared in any form. Only data stored is client’s full name and billing activity. We do not store IP addresses, browsing history, traffic destination or DNS queries. HideIPVPN cannot be obligated to provide data that do not exist due to our log policy.”
“HideIPVPN may disclose information, including but not limited to, information concerning a client, in order to comply with a court order, subpoena, summons, discovery request, warrant, statute, regulation, or governmental request. HideIPVPN assumes no obligation to inform the client that client information has been provided and in some cases may be prohibited by law from giving such notice. Finally, HideIPVPN may disclose client information where necessary to protect HideIPVPN and others from harm or where such disclosure is necessary to the proper operation of the system.”
Cyprus Based IPredator
Since IPredator is headquartered in Cyprus, it’s safe to say that retention laws are not mandatory for it, and its belief in users’ right to privacy has even helped it gain a bit of fame in the market. However, according to its “Legal” page, it does collect users’ data at a certain level. For instance, it claims, “We minimize the use of logs within our systems and only grant access to them to a selected number of staff for debugging when service quality is an issue.” Here, the collected information includes users’ name, email address, payment data and telephone number.
Likewise, they share the legal Canary statement, which says that the data can be collected and can be given to a law-abiding agency if it’s demanded, without informing the targeted user.
Hong Kong Based IronSocket
Also, when you go further down the page, you will find that their claim contradicts itself, as they do collect session information though only for 72 hours, which includes:
- Date and Time of the connection and disconnection.
- Real IP Address and the assigned VPN Server of the user.
- Bandwidth consumption per session in a numerical representation.
The USA Based proXPN
Our system only monitors a connection if a user is having connection issues so that we can improve our services to you.”
Sweden Based PrivateVPN
ProtonVPN From Switzerland
And here our curiosity turns out to be justified. Currently, ProtonVPN is fighting accusations of being related to “Tesonet”, a data mining company that has even signed their Google Play Store Android application.
Moreover, it’s even been claimed that ProtonVPN does maintain connection timestamps, which can be linked with real IP addresses or accounts of the users.
The USA Headquartered StrongVPN
“StrongVPN does not collect or log any traffic of its Services, making us a zero-logging VPN.”
McAfee Safe Connect
“We automatically collect information about your interactions with the Services as well as devices on which the Services are installed. In some cases, we automatically collect information about other devices connected to the same network as the device on which the Services are installed.”
And also, they will share information. For example, if McAfee receives any subpoena,
“To legal, governmental, or judicial authorities as instructed or required by those authorities and applicable laws, or in relation to a legal activity, such as in response to a subpoena or investigation of suspected illicit or illegal activities, or where we believe in good faith that users may be engaged in illicit or illegal activities, or where we are bound by contract or law to enable a customer or business partner to comply with applicable laws;”.
“Log data may include the following information- browser type, web pages you visit, time spent on those pages, access times and dates.
Personal information is information that may be of a private or sensitive nature, and which identifies or may identify you. The Personal Information we may collect and retain includes your IP address, your name and email address, screen name, payment and billing information or other information we may ask from time to time as will be required for the on-boarding process and services provisioning.”
Further, it even states, “We will retain your personal information for as long as necessary to provide the Service, and as necessary to comply with our legal obligations, resolve disputes, and enforce our policies. Under applicable regulations, we will keep records containing client personal data, account opening documents, communications and anything else as required by applicable laws and regulations.”
“We log information about your use of our website, including your browser type and language, access times, pages viewed, your IP address and the website you visited before navigating to our website.
a) If we respond to subpoenas, court orders or legal process, or if we need to establish or exercise our legal rights or defend against legal claims.
b) If we believe it is necessary to share information in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or as otherwise required by law.
We may share your data with our services providers who process your personal information to provide services to us or on our behalf “
No doubt, they are doing a great job with their anti-virus software, but when it comes to VPN service, it is not something that can be considered. Despite giving good customer support and other essential features like no IP or DNS leaks, they miss one of the crucial elements of a VPN: they log users’ information.
Their policy states right off the bat that AVG Secure VPN does collect users’ data, which is kept stored for one month. The information collected is your connection timestamps, your original IP address subnet, the IP address of the VPN server you connected to, and the amount of data transmitted. Moreover, they have also claimed:
“In the event we are served with valid subpoenas, warrants, or other legal documents (for example, documents concerning the sale of all or part of our business or a merger), or where applicable law compels us to comply, or when we are required to defend the rights or property of the Avast Group, including the security of our products and services, and the personal safety, property, or other rights of our customers and employees — we may share your personal data as collected above.”
“We keep a log at a personal identifiable level which is automatically purged at a 24-hour interval with no backups. The purpose of this log is to prevent abuse patterns from malicious usage of the service.”
“We are transferring your personal data, when necessary to be able to deliver the ordered service to you. These are typically Hosting Providers. In that case, your IP-address will be transferred to one or more hosting providers handling the communication required to deliver the service.
We transfer personal data to data processors that are solely processing personal data on our behalf and are not allowed to use this data for their own purposes. We have entered into agreements with all data processors regarding a written data processing agreement and ensured that they are subject to confidentiality.”
Seed 4 Me
“we are often asked: “Do you keep logs?” and the answer is “Yes, we do”. The same as the rest VPN providers in the world!
If anybody says VPN company does not keep ANY logs, they lie.
information is kept only for 7 days and then removed.”
Hotspot Shield of Switzerland
However, the recent study by CSIRO tells a different story. According to it, Hotspot Shield has used tracking code that gathers users’ information and sells it to third-party advertisers. Also, a complaint has been filed against Hotspot Shield by a non-profit digital rights advocacy group, the Centre for Democracy and Technology (CDT), regarding this activity of spying on their users and collecting their data.
Canadian VPN Provider – Betternet
Based in Canada, Betternet already comes under the Five Eyes Alliance, making them questionable. Further, they also provide a “FREE VPN,” which raises the question of whether they might be logging users’ data. Also, they store information like your actual IP address and browsing activity. Their FAQs claim, “Betternet does not collect, log, store, share any data log belonging to users.” But they have also been found collecting users’ browser logs.
Also, we are judging based upon the Free VPN service provided by them, which is mostly run on an ad-revenue model and even sold to third parties.
Finally, we would say that all VPN providers differ from each other, and the same goes for data retention laws. Different countries have different laws to follow, even if they come under 5/9/14 Eyes jurisdiction.