Logging by VPNs
First published: April 2019. Latest revision: December 2019.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine the important issue of logging (collecting and saving) of user activity by VPN services.
Relative to VPN services, “logging” refers to the retention of information concerning the connection of the user to the VPN service. Generally, the information being logged consists of “metadata” as opposed to “content.”
The distinction between “metadata” and “content” is important. “Content” refers to the information that you (as an Internet user) are purposefully sending and receiving during your Internet session. Thus “content” includes the text and graphics of the web page you are viewing, the user name and password you send to a website, the files that you upload and download, the message text of your email, etc. “Content” is usually not logged by a VPN service, unless the VPN is utterly disreputable.
“Metadata” is data about “content” or about your connection, but not the content itself. Thus, metadata of internet activity that a VPN might collect and log includes:
- Time and duration of your web connections (i.e. timestamps)
- Devices used for your web connections
- Your local IP address
- Your location and geographical data
- The IP addresses of the destinations that you access during your Internet session
- The volume of your uploads and downloads
A fairly comprehensive tutorial about VPN logging that you should read is available at https://www.bestvpn.com/vpn-comparison/best-no-logs-vpns/. I would recommend that you skip the top 30%-40% of this web page and start reading at the sub-heading “What are VPN logs?” (Note: since bestvpn.com is a VPN review site that relies on commissions from VPN affiliate programs for income, you should not blindly trust their reviews and recommendations of VPNs or their “Best VPN” lists.)
Logging expectations vs. logging practices
Most all users of VPNs have expectations of privacy and security when they use the VPN to access the internet. However, many VPNs do not follow a “strict no-logging policy.”
The article “Guide to Choosing the Best VPN (for you)” on a well-respected independant VPN advice website states:
When you connect to a VPN service, you are essentially just adding one more stop along your route to the open internet. The VPN is a “man in the middle” who you are trusting with the traffic and connection data that is being generated in the background as you use the internet. Some VPN companies choose to log this data. There are many reasons for doing so, some more legitimate than others. Some services record this to protect themselves legally in the case they are approached by authorities. Some companies keep minimal connection logs to aid them in maintaining servers. Some will even sell your data to third parties as part of their business model.
If your concern is privacy, you most likely do not want your browsing habits and connection data being recorded. Choose a service that specifically states that they do not keep logs, AND which types they do not keep. Make sure they do not keep ANY kind of activity or connection log.
Many services claim to not keep logs, but are vague, and upon closer inspection actually do keep certain types, so be wary of such promises until you’ve confirmed it for yourself in their respective terms and privacy policies.
(paragraph breaks and bold emphasis added by me)
It is imperative that you realize that a VPN that logs the data or metadata of your internet session is invading and compromising your privacy.
The CDT VPN Questionnaire Project with respect to logging
Let’s return to the “Signals of Trustworthy VPNs” questionnaire for VPNs that was designed by the Center for Democracy & Technology (CDT) in conjunction with several VPN services. (The first section of the CDT questionnaire was discussed in my previous message.)
The second section of the “Signals of Trustworthy VPNs” questionnaire is “Data ‘Logging’ Practices.” The first two (of the three) questions that VPNs are encouraged to answer in that section are:
Question 4: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated?
Question 5: Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
This is the same information that the “Guide to Choosing the Best VPN (for you)” article (linked above) recommends you seek out from a VPN.
If one has prior experience in evaluating the trustworthiness of VPNs, it should come as no surprise that the stated logging practices of different VPNs can be difficult to ascertain, confusing, or only partially disclosed, if not outrightly misleading. CDT states that “VPNs often trip over themselves to make broad “no logging” claims that have turned out to be inaccurate time and time again.”
Examples of logging practices
My research into the logging practices of VPNs reveals evidence of trustworthy practices by some VPNs but also utterly deceitful policies and actions by a few other VPN services.
Some VPNs have been caught “red-handed” relative to contradictions of their own logging policy. Here are a couple of examples:
- PureVPN (see https://betanews.com/2017/10/09/purevpn-logs-fbi/)
- HideMyAss! VPN (see https://invisibler.com/lulzsec-and-hidemyass/)
On the other hand, some VPNs have experienced “real-world” testing of their no-logs policy and have had that policy verified. E.g.:
- Private Internet Access (see https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)
Researching logging policies of VPNs
Situations similar to the above examples have been only rarely reported, so we must gather information about the logging policies of VPNs by other means. One could laboriously find the pertinent policy statements and terms of service “agreements” that are posted on VPN websites for each and every VPN service under consideration. However, the results of this sort of investigation is already available on some websites.
Thus, there are some lists about VPN logging policies that have been compiled by VPN review sites. Although (as I have noted in my other articles) these review sites may well be presenting biased information that favors the VPN companies with which they are affiliated, a compiled list of the logging policies of VPNs sourced from VPN review sites may nevertheless serve as a starting point in a search for trustworthy VPNs relative to logging.
“VPN Logging Policies” on the comparetech.com website includes information for 127 VPNs. Of the 127 VPNs, 96 VPNs are listed as not logging the user’s IP address and 62 VPNs as not logging information about a user’s connection to the VPN server.
The “VPN Providers That Keep Certain Logs” list on the bestvpnrating.com website provides logging information on 165 VPNs, 111 of which were reported as not logging user’s connection and/or usage information.
These two lists seem to be reporting results that are not consistent. The former list implies that about ½ of VPNs perform no logging whereas the latter list implies that about ⅔ of VPNs perform no logging. Perhaps these two lists are using different definitions for the logging parameters that are under scrutiny.
There are a couple of other lists that present the self-proclaimed logging policies of some VPNs:
The published results of CDT’s “Signals of Trustworthy VPNs” questionnaire tell us what the six VPNs that have thus far responded to the questionnaire state about their logging policies. (If only there were more VPNs that have participated…)
The torrentfreak.com website has been publishing a similar questionnaire for a few years now. The 2019 version with results is here: https://torrentfreak.com/which-vpn-services-keep-you-anonymous-in-2019/
The torrentfreak.com list serves as a relatively comprehensive source of the responses of almost 50 VPN providers to questions “about their respective logging policies as well as other security and privacy aspects.” Thus this list may help alleviate the necessity of visiting several VPN service websites to scour their pages for information about their logging policies.
(Once again, however, beware of possible bias and heed the note at the end of that web page, which states: “several of the providers listed in this article are TorrentFreak sponsors. We reserve the first three spots for our sponsors, as a courtesy. A few of the links to VPN providers contain affiliate links which help us pay the bills…”)
A VPN info site that I consider to be completely unbiased is thatoneprivacysite.net. That site’s massive (nearly overwhelming) “Detailed VPN Comparison Chart” lists extensive information for 185 VPN services. Of the 185 VPNs, 32 are shown as having “generally good” logging policies.
Creating a list of non-logging VPNs
Despite having some concerns about the accuracy of the first two logging policy lists that were presented above, I thought it would be useful to see which VPNs that are shown to have acceptable logging policies on both of those two lists also receive a “Green Flag” (equivalent to a “generally good” grade) for logging policies and practice on the unbiased “Detailed VPN Comparison Chart” at thatoneprivacysite.net.
The resulting list that I compiled thus may be considered to comprise the “top-notch” VPNs relative to logging policies since they have been found to have acceptable logging policies by all three of the sources. Presented in alphabetical order, the 15 VPNs are:
- Private Internet Access
The advantage of this combined listing is that there is a “triple endorsement” of the logging policies of the VPNs. Thus, each list is serving as a check against the others. (Please note that, although these VPNs seem to excel relative to their logging policies, some of the VPNs on the above list are problematic relative to other parameters.)
These 15 VPNs that seem to have strict no-logging’ policies list are definitely of interest to me, as one of my criteria in choosing a VPN for my own use is a “no logs” policy.
Relative to logging policy, it is important that this sort of list should only be considered to be a starting point for VPNs that seem to be worthy of further investigation. One must then peruse the websites of VPNs to scrutinize their logging policies and TOS (Terms of Service) web pages.
As we’ve seen before, there are no easy answers in choosing a VPN service that is trustworthy and suits your needs. As with other characteristics of a VPN, if a VPN’s logging policies and practices are important to you, it is imperative that you carefully examine all available information about that characteristic.
So, find or compile a list (or choose the list in this article) and use it as a starting point to do some “digging” into the nitty-gritty specifics of the logging policies of various VPN services. Due diligence in performing this task should reap significant rewards (and prevent the headaches that would be a consequence of an uninformed choice of a VPN service resulting from a lack of investigation).
We’ll examine the location and jurisdiction of VPNs, i.e. where is their basis of operations and under what laws and regulations they operate, and we’ll consider the importance of this in the next article of this VPN series, titled “5, 9 and 14 Eyes - Do the ‘Eyes’ Have it or Not?”