This article has been just updated: December 11, 2019
Virtual Private Network (VPN) services are widely used as a means of maintaining online privacy and anonymity. They accomplish this feat by masking your IP address. Your Internet traffic is routed through one of the service’s VPN servers.
Websites that you contact see the VPN server’s IP address rather than your public IP address, essentially making the connection anonymous. If the website you are accessing logs connections, they will only have evidence of the VPN server making contact, not your computer or device.
Does your VPN Keep Logs?
In order to maintain your privacy and protect your identity, the VPN service should not keep any logs of your activity. If any logs are kept, they should only be for troubleshooting purposes and should not be made available to any third-party. Authority figures or investigators should not be able to access these logs in an effort to determine the real identity of the VPN’s users.
Most VPNs advertise the fact that they do not keep any logs of you or your online activity. Sadly, many things that are advertised fall short of the hype.
Let’s take a closer look at the logging policies that might be instituted by VPNs and try to determine if they are truly protecting you to the level you expect. Failure to do so can put you at serious risk depending on the purposes for which you are using a VPN. We will look a little deeper into what exactly a VPN is logging later in the article.
First, let’s take a look at which VPNs keep logs and which do not. We are not offering an opinion on whether the logs are kept for valid reasons or if turning them over to the authorities in certain situations may be warranted in the pursuit of justice.
These are questions for a greater discussion about online privacy and its impact on society in general. We are simply pointing out VPNs that do or do not keep logs of their user’s activity.
Which VPNs Do and Do Not Keep Logs?
It can be difficult to wade through the advertising and determine if a VPN really is enforcing a no logging policy. Sometimes, the truth comes out due to legal actions that reveal the true logging policy which a VPN follows.
Instances of VPN Logging Being Exposed
There have been several cases where it has been shown that VPNs which claim to conform to a no logging policy have, in fact, kept logs and made them available to the authorities.
In response to an FBI complaint regarding cyberstalking, PureVPN was found to have logs that contributed to the arrest of a PureVPN user. This directly contradicts the company’s no logging policy.
Dutch police arrested a man in 2014 for making bomb threats to a school based in part on IP transfer logs seized from an EarthVPN server.
The UK-based VPN provided connection logs to the FBI in a case of attacks made against Sony Pictures and the PlayStation Network. The company handed over the logs to comply with a court order.
Instances Where the No Logging Policy Has Been Confirmed
Several court cases or independent audits have demonstrated that some VPN services really do not retain any logs of their customers’ activity. Here are a few examples.
The company released the results of an audit in November of 2018 that was carried out by a reputable accounting firm. It confirmed NordVPN’s policies and practices.
Based in the British Virgin Islands, the company refused demands from Turkish authorities to turn over user information. ExpressVPN claimed that they had no logs to provide. When Turkish authorities seized the company’s VPN server located in Turkey they could not obtain any logs or customer data.Perfect Privacy
One of this VPN’s servers was seized by Dutch authorities in an unsuccessful attempt to obtain customer data.
The Types of Logging a VPN Service Might Perform
There are two main types of logging that a VPN may choose to institute. In one case, the logs are fairly innocuous and do not pose a significant risk to your privacy. The other type of logging is much more dangerous to your online anonymity.
Connection logs are used by the VPN to troubleshoot technical problems and to control abuse of their network by hackers. If your VPN retains logs, they are likely to be connection logs. These logs are kept temporarily for a limited time which may span anywhere from a day to several weeks. After the retention time elapses the logs are deleted.
The type of information contained in a connection log can be:
- The IP address of your computer
- The IP address assigned to you by the VPN server
- The amount of data transferred during your connection
- A timestamp indicating the start and end of the connection
Connection logs do pose a slight risk to your privacy. It would be theoretically possible to determine your actual public IP address from the connection log, but recreating your online activities is virtually impossible. The fact that the logs are only kept for a short period of time is also a factor that limits their usefulness to investigating an individual’s online movements.
Activity logs are much more intrusive regarding your online privacy and are rarely kept by a VPN. In fact, if your VPN keeps an activity log you should stop using it immediately. By keeping an activity log it is performing the same type of monitoring that you are trying to prevent through the use of a VPN.
An activity log will generally provide the following information about your online activity:
- All of the websites that you have visited
- The names of all files that you have downloaded
- Various programs and protocols you have used while online
Obviously, this is the kind of data you do not want available if you are at all concerned with your online privacy or anonymity. Your ISP keeps an activity log on your movements and that is one of the reasons which cause many individuals to use a VPN service. Entities that create these types of logs can sell your information to advertisers or provide it to authorities which may not have legitimate reasons for accessing the details of your online life.
Territorial Jurisdiction and Logging Policy
Depending on where the VPN is headquartered and where its servers are located, there may be varying legal requirements that can force the company to hand over logs to investigators. In some locales, the government may directly engage in censorship or geo-restriction to limit access to certain websites. For this reason, it is critical to investigate the jurisdiction under which your VPN service operates.
Cooperative efforts between investigators or authorities in different countries can make it challenging to find the perfect location for the VPN you choose to employ. Countries may be members of the 5 Eyes, 9 Eyes or 14 Eyes alliances which work together to collect and share surveillance data. There are two related factors to consider regarding the jurisdiction under which the VPN operates.
Location of the VPN Provider – This is the business location of the VPN. Based on the country you live in and the uses for which you plan to use the VPN, you might be wise to choose a VPN that is not headquartered in the same nation.
Location of the VPN Servers – The location of the VPN servers may or may not be in the same country as the VPN business. Most quality VPN services will offer servers located in various countries in order to allow users to choose the one that serves their purposes the best. The location of the physical servers may be a more important factor than where the business is located.
You need to consider both the logging policy of your VPN and the jurisdiction in which it operates in order to make a reasonable determination regarding the true privacy of your online activity. NordVPN keeps no logs and operates out of Panama which has no data retention laws.
This combination of policy and jurisdiction should give you confidence that your privacy will be maintained. If your privacy is of great concern, take the time to thoroughly investigate the VPN’s logging policy so you are not unpleasantly surprised at a later date.