“We do NOT keep any logs that can identify or help in monitoring a user’s activity,” PureVPN boldly claims on its privacy policy page. However, that didn’t stop it from providing logs to the FBI when investigations began into some of the activities of a user of its service, Ryan Lin, in 2017. These logs helped arrest Lin, resulting in a jail sentence of 17 years.

IPVanish made a similar claim on its homepage, specifically claiming to have a “strict zero-logs policy” and claiming to preserve users’ “civil right to privacy.” When the U.S. Department of Homeland Security subpoenaed IPVanish and asked for logs on one user, however, they had enough information to provide it. IPVanish provided DHS with the username, full name, email address, IP address and the connection logs on the user in question (as evidenced by this court document). With this much information available to DHS, it didn’t take much effort to trace the user in question to his home in Muncie, Indiana, where he was arrested.

The users affected in the PureVPN and IPVanish cases are guilty of real crimes that should not be condoned in any form. However, for the average user who wants privacy — a journalist in an oppressive regime, a privacy advocate exposing deceptive government practices, or an ordinary user who simply doesn’t want his/her identity revealed — one can’t help but wonder if the same process that was used to get PureVPN and IPVanish to turn over user data can be used to get information about them.

When people turn to a VPN service, they expect full-on anonymity. Particularly when the VPN service says, “we do NOT keep any logs that can identify … a user” or “we have a strict zero-logs policy.” These days, it seems that when it comes to claims about VPN logging policy, it is mostly just marketing speak. Many VPN services actually keep logs of user activity despite making claims to the contrary — in other words, they are disguised privacy traps waiting to be triggered.

It should take more than just reading the copy of a VPN service provider to decide on which service to go with. 

Understand the jurisdiction of your VPN service provider: Five Eyes, Nine Eyes, and 14 Eyes 

As a privacy professional, you’ve probably come across the term “Five Eyes,” “Nine Eyes,” and “14 Eyes” before. Basically, these terms refer to international surveillance alliances between countries working together to collect and share data. Members of the alliance work together to intercept, collect, analyze, acquire and decrypt data. These alliances came under much public scrutiny, particularly after Edward Snowden’s revelations about the National Security Alliance.

Communications going on in countries that are part of any of these alliances — Five Eyes, Nine Eyes, and 14 Eyes — are going to be under much more scrutiny than in non-member countries. It was just recently reported that members of the Five Eyes alliance talked about the possibility of backdoor methods to bypass encryption.

Understand the data retention laws of the country your VPN service is operating in

At the end of the day, your VPN service provider is a business entity. And businesses, at least if they want to thrive, need to abide by the laws of the country they are operating in. It is very important to pay attention to the data retention laws of the country the VPN service you plan to use is operating in. Be aware of the data retention laws in the country your VPN service is located in, and make your choice accordingly.

Try to understand the true meaning of no logs

Often when most VPN service providers say that they keep “no logs,” what they really mean is that they keep no activity logs (that is logs about your browsing sessions and history). In reality, many “no-log” VPN service providers keep connection logs and timestamps. For example, the popular VPN service offered by Avast (more than 400 million users) claims to keep no logs of user activity. However, this is not true. They actually store connection logs, which show what time you connect to and disconnect from a server, for how long you are connected, and how much bandwidth you transmit. As innocuous as these kinds of logs seem to be, they can be used to determine your identity. It was these kinds of logs (not logs of browsing activity!) that PureVPN handed over to the FBI and that the FBI, in turn, used to put the pieces together to indict Ryan Lin.

When a VPN service provider claims to keep no logs, try to find out what “no logs” truly means. You’d be surprised to discover that under this type of scrutiny, very few VPN services will be able to stand.

Information and permissions required to use the VPN service

In the IPVanish example earlier referenced, the service was able to provide both the user email address, as well as the full name of the user, because the user gave it to them. With more and more VPNs making it possible to pay for their services with Bitcoin and other cryptocurrencies, there are increasingly fewer reasons to give a VPN service your full name and email address. The less information you provide, the better for your privacy.

In regards to mobile VPNs in particular, you also want to be wary about the permissions you give. When a VPN application is asking for access to your device history, access to read your phone status and identity, access to your network information, and other types of access not really necessary to deliver the service you want from them, they most likely are doing more than just protecting your privacy; they are gathering data on you. And the data they gather can be disclosed or sold.

Check for DNS and IP leaks

The reason you’re opting to use a VPN service is to anonymize yourself and protect your identity. When your DNS information is leaked, the reason for using a VPN is defeated altogether — you’re simply dashing the VPN money. And, you’d be surprised, more VPNs than people are aware of leak DNS and IP information. There are countless resources that will help you perform a DNS/IP leak test of your VPN service — be sure to perform this test before using the VPN for anything serious.

photo credit: vladdythephotogeek Investigation via photopin (license)