paint-brush
What VPN services aren’t telling you about data loggingby@osama-tahir
4,151 reads
4,151 reads

What VPN services aren’t telling you about data logging

by Osama TahirJune 14th, 2019
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Many VPN providers falsely advertise that they avoid any form of data logging. The term “zero logging” is often misleading. VPN providers take advantage of the fact that broad phrases like “data logging’ can mean more than one thing. There are dozens of different types of logs on user details that a service provider can maintain. As x0rz, a security researcher with a keen eye for privacy and cybersecurity issues prevailing on the web, summed up the problem in these words.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - What VPN services aren’t telling you about data logging
Osama Tahir HackerNoon profile picture

Can you think of any popular VPN service out there that doesn’t have a big “NO LOGGING” tag attached right on front of it?

Off the top of my head, I honestly can’t think of any such VPNs. While it is true that some providers actually follow a strict no-logging rule, this isn’t always the case and many providers falsely advertise that they avoid any form of data logging.

This begs the question: can one ever be sure if all the claims of a VPN provider are actually real? This is not an easy question to answer.

I’m probably embarking on a dead alleyway to attempt an answer to this question, but reviewing dozens of VPN services over the years has made me privy to some manipulative tactics that providers routinely employ to their advantage.

I believe the time has come to address this peculiar elephant strolling in the hallways of the VPN industry.

The Truth (or rather half-truth) about VPN logging

It isn’t unheard of in marketing to use ambiguous messages to influence consumer behavior and boost sales. The VPN industry is no stranger to these tactics. This is most evident in the language that VPN providers use to describe their stance on logging, which are in most cases only half-truths.

Since one of the main reasons VPNs have a demand is their supposed ability to provide online privacy to users, phrases such as “zero logs service” are prominently written on a VPN’s main landing pages.

What most users don’t realize is that these phrases aren’t exactly accurate. In fact, VPN providers take advantage of the fact that broad phrases like “data logging” can mean more than one thing, depending on the context.

You see, every time you are connected to the Internet, VPN service providers can see a bunch of information pertaining to you. This may or may not include your IP address, DNS, bandwidth usage, connection timestamps, and even the websites you are visiting. In short, there are dozens of different types of logs on user details that a service provider can maintain

If you want a quick look about the types of logs different providers keep, you can check out VPN comparison table for details.

In a fair world, the term “zero logging” would logically mean that the provider doesn’t keep ANY type of logs whatsoever, no matter if it contains information about what device a user is accessing, their web activities, the IP addresses, their names, addresses, date of birth, marital status, religion, grandpa’s favorite cigar, the name of your cat’s firstborn etc.

I name thee: Rollin’ furball

But the front page taglines on official websites of VPN services often ignores these nuances and the blanket statements relating to their logging policies are seldom accurate representations of their actual policies.

In fact, the more detailed statements about a VPN provider’s privacy policy often contradict the “no logging” claim so carelessly made in the VPN’s promotional pages and ads.

I reached x0rz, a security researcher with a keen eye for privacy and cybersecurity issues prevailing on the web, for a comment and he brilliantly summed up the problem in these words:

“The “zero logs” term is often misleading. The VPN server will most likely keep some kind of logs (if you take a default OpenVPN server, you’ll get logs of connections/disconnections), either for technical (you need to know who is connecting to what in order to prevent abuse) or lawful reasons (may be mandatory in some countries). What they probably mean is “traffic logs” but even that term is vague and doesn’t mean anything if they don’t provide technical tools to enable privacy (for example the “blind operator mode” with kernel module to prevent abuse from malicious sysadmins). I’d like to see more transparency among VPN providers. It’s a matter of trust.”

To be fair, you can’t fault VPN services for keeping some types of logs. It is impossible to run a software service, manage it properly, and resolve customer queries without any data logging. As x0rz accurately points out, it is technically impossible to refrain from the practice of logging altogether.

The problem, however, arises when VPN companies don’t really bother to explain what it really means to be a “no logs” service and do, in fact, take advantage of user’s ignorance to pretend to be something they are not.

Let me now demonstrate how statements made by VPN companies about logging can be misleading.

Speedify — contradictory statements about logging?

Speedify is a US-based VPN service that markets itself as an online privacy solution, among other things.

The provider clearly mentions on its homepage that it “… does not log IP addresses, websites, or data that you send or receive…”

You only need to head over to the privacy policy page to immediately witness a contradiction in the statement and learn, much to your dismay, that the provider actually does keep IP address logs:

On the same page, the provider has a highlighted statement that reads:

Okay, now things are getting a little clearer. It turns out that Speedify indeed does not keep a track of your web activities or the IP addresses of the websites that you visit. The front page claim that “Speedify does not log IP addresses” is actually meant for website IP addresses, not user/device/client-side IP addresses, which is actually stored by the provider as the red highlighter underlined above shows.

And since logging of your IP address easily puts your privacy at risk, Speedify is not truly a “zero logs” provider.

This is what I meant by half-truths and vague statements that VPN companies spin, and which end up misleading customers.

It is entirely possible that the provider wasn’t intending to be conniving and the ambiguity is simply a result of laziness. But either way, they do deserve blame for a lack of professionalism.

Le VPN — no logs kept… or do they?

Le VPN is another VPN service that is guilty of a similar misdirection. The provider doesn’t shy away from giving “no logs” as one of its salient features:

But if you dig deeper and open the privacy policy page, you will learn that Le VPN keeps timestamps and IP address logs when you connect and disconnect to their VPN servers:

So much for the “no logs kept” claim.

Again, it bears mention that the provider gives plausible reasons for why they need to keep these logs (administrative purposes), but surely these guys could simply have written “no traffic logs” instead of the sweeping, categorical term “no logs” in the list of features mentioned in the homepage (screenshotted above the last above).

How VPN logging policies should actually be

As I have mentioned before, if you’re looking for a VPN service that keeps no logs whatsoever, then I’m afraid you’re not going to find one. But what we can and should strive to find is a service that at least doesn’t store any personally identifiable information of the user.

As such, it would make sense to narrow down what we exactly mean by the term “zero logs” and the definition that I propose is this:

“A zero logs service is one that keeps NO personally identifiable information of their users”.

Going by this definition, the situation with the VPN industry isn’t entirely gloomy. There are some VPN providers that are staying true to their word about keeping the privacy of their users safe.

The first important thing that inspires trust in a VPN’s logging policy is obviously how consistent the statements of the providers are. That is to say, if the “no logs” promotional tag is actually corroborated by the privacy policy statements as far as personally identifiable information is concerned.

If the VPN provider doesn’t intentionally use ambiguous language in promotional pages and the privacy statements are consistent with a clear disclosure of what types of data are being logged, then I would consider the VPN company worthy of trust.

The best example of such a VPN service is ExpressVPN. If this provider makes guarantees of keeping no logs, its privacy policy also supports this claim:

In fact, the company was the beneficiary of a blessing in disguise when its servers were seized by Turkish agencies investigating the assassination of Russian Ambassador Andery Karlov. The agency had intelligence that the suspect used ExpressVPN to delete incriminating evidence about the assassination.

The investigators found no actionable information on ExpressVPN’s servers, which proves that the provider indeed doesn’t keep logs of user activity or other information that could be used to expose their identity.

Although it is extremely unfortunate if the service was actually used to sabotage an investigation, it is at the same time a testament that ExpressVPN’s is committed to the protection of user privacy by an abstention from keeping potentially exposing logs on users.

Another great example of transparency and honest marketing is a small VPN provider that has only just finding its feet in the VPN industry: Anon.AF.

The provider has “zero traffic logs” as one of its stated cores values:

Notice the use of the term “traffic” here. The truth is, Anon.AF keeps IP addresses and timestamps because it is a France-based service and is bound by french laws to do so.

But the point is, the provider doesn’t keep traffic logs and it never promises anything more than that.

This in itself is extremely reassuring and shows that the provider actually respects users. In fact, they get down to the specifics to further clarify what they actually do log and what they don’t:

It is refreshing to see a provider for a change that doesn’t spin a web around vague promotional language and keeps it simple by deliberately avoiding confusingly elaborate terms of uses.

I hope more VPN providers take a cue from Anon.AF and strive to attain the same level of honest transparency that these guys have admirably demonstrated.

Final Thoughts

The revolution of digital technology has had many important consequences on modern life. While there is no argument that could possibly discredit the benefits the world is enjoying because of technology, its impact on our privacy is probably one of the less desirable by-products that we are compelled to deal with.

VPN services are fighting a hard battle to wrest some control on privacy from the clutches of the government agencies and corporations, and give it back to the users.

But it is only with a sincere commitment to the serving of user needs and the adoption of a policy of transparent honesty that we can ever hope for this battle to be won by those on the side of the masses and not the ruling few.

<a href="https://medium.com/media/3c851dac986ab6dbb2d1aaa91205a8eb/href">https://medium.com/media/3c851dac986ab6dbb2d1aaa91205a8eb/href</a>