Yesterday John looked at what a zero logging policy is when it comes to commercial VPN providers. Today let's look at which VPNs claim not to keep logs and therefore, in theory, are unable to track you online.
VPNs with no logs are a common sight these days. Commercial providers understand customer desire for privacy and it has become a big selling point in the VPN industry.
Some countries have a data retention law requiring ISPs to keep log data on customers for 1-3 years. VPNs aren't classified as ISPs and are usually not subject to data retention laws for logging.
However, depending on the country and datacentre in which the VPN server(s) are hosted, the datacentre themselves or transit providers may keep logs. If the VPN is correctly configured this shouldn't reveal your activities, because your inbound traffic is mixed with other customers and outbound traffic is on randomised shared IPs.
Debunking "no log" myths
Some commentors claim that no-log VPNs are not possible to operate. Here's a quick run down of the common myths;
- Without logs a VPN company couldn't limit device connections
Not strictly true. Of course some kind of data storage is necessary to limit the number of connected devices (for example, some VPNs allow 5 simultaneous connections) but this can be done without impacting user privacy at all. This kind of data is ephemeral and not a threat to user privacy. A simple hook on VPN connect/disconnect can increment/decrement a counter on the user account record.
- A VPN can't protect against DDoS and port scans without logging
A port scan or DDoS attack against a VPN provider will be hitting completely different services to that of a legitimate, authenticated VPN user. Even if such activities are logged on the network infrastructure they shouldn't capture legitimate VPN user data in any way, and log files would be huge, requiring regular cleaning out.
- VPNs can't offer support to customers without logs
Customers who aren't able to connect to their VPN should receive a specific error message and error code describing the problem and possible solutions. Logging is not a requirement for supporting and troubleshooting user connection issues.
- DNS doesn't work without logs
Yes, yes it does.
VPNs with no logs
So who can you trust? Every month we compile a list of anonymous VPNs which have a no logging policy. We also compare other important privacy features like private DNS servers, DNS leak protection and Internet kill switch functionality in the VPN client software. OpenVPN users will need to add some custom scripts for the last two to work. Look at the list to see which VPNs will protect your anonymity online.
Some commentors have noted that in the past some commercial VPNs have lied about their logging policy. While we can't be 100% certain each provider is telling the truth, we do thoroughly check the wording and fine-print of their service agreements. If you are concerned that a VPN might still log your activity check to see how long they have been in operation. A long-standing commercial VPN service will have received hundreds or thousands of DMCA and Intellectual Property legal letters demanding customer information - if they kept logs it would have been discovered by now.
What's not covered?
Even if a commercial VPN says they don't keep logs, there are other ways your online activity could be monitored. Of course check for DNS leaks and other types of information leak when you use the VPN. Don't just rely on the web proxy portion of a VPN service either, go the whole distance and encrypt all your Internet traffic.
There have been cases where VPN providers were caught tracking users in different ways. In 2013 Proxy.sh announced that they were using network sniffing tools to monitor activities of an alleged hacker, and hoovering up logs on all user activity on a specific US-based server for 7 days.