Logging by VPNs

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine the important issue of logging (collecting and saving) of user activity by VPN services.

Definitions

Relative to VPN services, “logging” refers to the retention of information concerning the connection of the user to the VPN service. Generally, the information being logged consists of “metadata” as opposed to “content.”

The distinction between “metadata” and “content” is important. “Content” refers to the information that you (as an Internet user) are purposefully sending and receiving during your Internet session. Thus, “content” includes the text and graphics of the web page you are viewing, the username and password you send to a website, the files that you upload and download, the message text of your email, etc. “Content” is usually not logged by a VPN service, unless the VPN is utterly disreputable.

“Metadata” is data about “content” or about your connection, but not the content itself. Thus, metadata of internet activity that a VPN might collect and log includes:

• Time and duration of your web connections (i.e. timestamps)
• Devices used for your web connections
• Your local IP address
• Your location and geographical data
• The IP addresses of the destinations that you access during your Internet session
• The volume of your uploads and downloads

A fairly comprehensive tutorial about VPN logging that you should read is available at https://proprivacy.com/vpn/comparison/best-no-logs-vpns#what-are-vpn-logs. I strongly recommend that you skip the top 40%-50% of this web page that purports to list the “best no-logs VPNs” and instead start reading at the sub-heading “What are VPN logs?” (Note: since proprivacy.com is a VPN review site that relies on commissions from VPN affiliate programs for income, do not blindly trust their reviews and recommendations of VPNs or their “Best VPN” lists.)

Logging expectations vs. logging practices

Most users of VPNs have expectations of privacy and security when they use the VPN to access the internet. However, many VPNs do not follow a “strict no-logging policy.”

The article “Guide to Choosing the Best VPN (for you)” that appeared on a well-respected independent VPN advice website states:

When you connect to a VPN service, you are essentially just adding one more stop along your route to the open internet. The VPN is a “man in the middle” who you are trusting with the traffic and connection data that is being generated in the background as you use the internet.

Some VPN companies choose to log this data. There are many reasons for doing so, some more legitimate than others. Some services record this to protect themselves legally in the case they are approached by authorities. Some companies keep minimal connection logs to aid them in maintaining servers. Some will even sell your data to third parties as part of their business model.

If your concern is privacy, you most likely do not want your browsing habits and connection data being recorded. Choose a service that specifically states that they do not keep logs, AND which types they do not keep. Make sure they do not keep ANY kind of activity or connection log.

Many services claim to not keep logs, but are vague, and upon closer inspection actually do keep certain types, so be wary of such promises until you’ve confirmed it for yourself in their respective terms and privacy policies.

(from Choosing a VPN) (archived)
(paragraph breaks added by me)

It is imperative that you realize that a VPN that logs the data or metadata of your internet session is invading and compromising your privacy.

The CDT VPN Questionnaire Project with respect to logging

Let’s return to the “Signals of Trustworthy VPNs” questionnaire for VPNs that was designed by the Center for Democracy & Technology (CDT) in conjunction with several VPN services. (The first section of the CDT questionnaire was discussed in my previous article.)

The second section of the “Signals of Trustworthy VPNs” questionnaire is “Data ‘Logging’ Practices.” The first two (of the three) questions that VPNs are encouraged to answer in that section are:

Question 4: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated?

Question 5: Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?

This is the same information that the “Guide to Choosing the Best VPN (for you)” article (linked above) recommends you seek out from a VPN.

If one has prior experience in evaluating the trustworthiness of VPNs, it should come as no surprise that the stated logging practices of different VPNs can be difficult to ascertain, confusing, or only partially disclosed, if not outrightly misleading. CDT has stated that “VPNs often trip over themselves to make broad “no logging” claims that have turned out to be inaccurate time and time again.”

CDT continued, “A responsible VPN is very up front about what it means by logging and what data it retains over time, even if it is aggregated or anonymous. This should be at the top of any privacy policy or terms of service. It should be separately disclosed and easily discoverable via the VPN’s website or app.”

Examples of logging practices

My research into the logging practices of VPNs reveals evidence of trustworthy practices by some VPNs but also utterly deceitful policies and actions by a few other VPN services.

Some VPNs have been caught “red-handed” relative to contradictions of their own logging policy. Here are a couple of examples:

• PureVPN (see https://betanews.com/2017/10/09/purevpn-logs-fbi/)
• HideMyAss! VPN (see What Everyone Ought to Know About HideMyAss) (archived)

On the other hand, some VPNs have experienced “real-world” testing of their no-logs policy and have had that policy verified. E.g.:

• Private Internet Access (see https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)

Researching logging policies of VPNs

Situations similar to the above examples have been only rarely reported, so we must gather information about the logging policies of VPNs by other means. One could laboriously find the pertinent policy statements and terms of service “agreements” that are posted on VPN websites for each and every VPN service under consideration. However, the results of this sort of investigation is already available on some websites.

Thus, there are some lists about VPN logging policies that have been compiled by VPN review sites. Although (as I have noted in my other articles) these review sites may well be presenting biased information that favors the VPN companies with which they are affiliated, a compiled list of the logging policies of VPNs sourced from VPN review sites may nevertheless serve as a starting point in a search for trustworthy VPNs relative to logging.

“Does your VPN Keep Logs?” on the comparetech.com website includes information for over 100 VPNs. When I perused that list in April of 2021, of these 100+ VPNs, 58 were listed as logging neither information about a user’s connection to the VPN server nor info about the user’s the user’s traffic (activity) on the Internet.

The “VPN Providers That Keep Certain Logs” list that was previously available on the bestvpnrating.com website provided logging information on 165 VPNs, 111 of which were reported as not logging user’s connection and/or usage information.

These two lists seem to be reporting results that are not completely consistent. The former list implies that about ½ of VPNs perform no connection and traffic logging whereas the latter list implies that about ⅔ of VPNs perform no such logging. Perhaps these two lists are using different definitions for the logging parameters that are under scrutiny.

There are a couple of other lists that present the self-proclaimed logging policies of some VPNs:

The published results of CDT’s “Signals of Trustworthy VPNs” questionnaire tell us what the six VPNs that have thus far responded to the questionnaire state about their logging policies. (If only there were more VPNs that have participated…)

The torrentfreak.com website has been publishing a similar questionnaire for a few years now. The 2022 version with results is here: https://torrentfreak.com/best-vpn-anonymous-no-logging/

The torrentfreak.com list serves as a relatively comprehensive source of the responses of 26 VPN providers to questions “about their respective logging policies as well as other security and privacy aspects.” Thus, this list may help alleviate the necessity of visiting several VPN service websites to scour their pages for information about their logging policies.

(Once again, however, beware of possible bias and heed the note at the end of that TorrentFreak web page about VPN providers listed in the article that are TorrentFreak sponsors. “We reserve the first three spots for them as a courtesy. This article also includes a few affiliate links which help us pay the bills…”)

A comprehensive VPN info source that I consider to be completely unbiased is from the former website of “That One Privacy Guy.” His “Simple VPN Comparison Chart” summarizes the logging practices of about 185 VPN services. Of the 185 VPNs, only 32 were judged to have “generally good” overall logging policies.

Creating a list of non-logging VPNs

Despite having some concerns about the accuracy of the first two logging policy lists that were presented above, I thought it would be useful to see which VPNs that are shown to have acceptable logging policies on both of those two lists also receive a “Green Flag” (equivalent to a “generally good” grade) for logging policies and practice on the unbiased “Simple VPN Comparison Chart” by “That One Privacy Guy.”

The resulting list that I compiled thus may be considered to comprise the “top-notch” VPNs relative to logging policies since they are considered to have acceptable logging policies by all three of the sources. Presented in alphabetical order, the 17 VPNs are:

• AzireVPN
• BlackVPN
• BolehVPN
• CactusVPN
• CyberGhost
• Doublehop
• FrootVPN
• IVPN
• Mullvad
• NordVPN
• OVPN.com
• Private Internet Access
• ProXPN
• PureVPN
• SlickVPN
• VPNSecure
• VPNTunnel

The advantage of this combined listing is that there is a “triple endorsement” of the logging policies of the VPNs. Each list is serving as a check against the others. (Please note that, although these VPNs seem to excel relative to their logging policies, some VPNs on the above list are problematic relative to other parameters.)

These 17 VPNs that seem to have “strict no-logging” policies are definitely of interest to me, as one of my criteria in choosing a VPN for my own use is a “no logs” policy.

Relative to logging policy, it is important to note that this sort of list should only be considered to be a starting point for VPNs that seem to be worthy of further investigation. One must then peruse the websites of VPNs to scrutinize their logging policies and TOS (Terms of Service) web pages.

Summary

As we’ve seen before, there are no easy answers in choosing a VPN service that is trustworthy and suits your needs. As with other characteristics of a VPN, if a VPN’s logging policies and practices are important to you, it is imperative that you carefully examine all available information about that characteristic.

So, find or compile a list (or choose the list in this article) and use it as a starting point to do some “digging” into the nitty-gritty specifics of the logging policies of various VPN services. Due diligence in performing this task should reap significant rewards (and prevent the headaches that would be a consequence of an uninformed choice of a VPN service resulting from a lack of investigation).

We’ll examine the location and jurisdiction of VPNs, i.e. where is their base of operations and under what laws and regulations they operate, and we’ll consider the importance of this in the next article of this VPN series, titled “5, 9 and 14 Eyes - Do the ‘Eyes’ Have it or Not?”