GDPR: An investigation into how VPN companies deal with requests


GDPR became the bane of everyone’s email inbox as we were all inundated by companies aiming to comply with new European Union regulations, in the process flooding our email accounts with requests to keep pumping their mailings out.

However, in this flurry of email spam, one massively overlooked industry affected by GDPR is the VPN industry.

GDPR strengthens consumer privacy laws and puts the power of European Union citizens’ data firmly back in their hands. No longer can companies (including VPN providers) store personal information that isn’t essential for their service. If they do, they need to let us know.

In relation to VPN providers in particular, it should, in theory, allow EU citizens to find out what data is being stored and, most importantly, whether what are commonly known as “logs” are being stored.

But how are they performing?

I wanted to know how VPN providers were responding in this area, something which could land them in huge legal trouble in future. So I set about finding out.

Background information on the experiment

I started off by consulting a Senior Lecturer at a top UK university with relevant experience in information technology, intellectual property and media law to get to grips with the basics of GDPR requirements.

It was quickly apparent that GDPR would essentially change the position of VPN service providers and open them up to future legal challenges.

Rewinding a little, you may be aware of recent high-profile cases including the likes of EarthVPN, PureVPN, IPVanish and others who have publicly made claims to retain “no logs” of customers’ connection data, but the opposite has been discovered.

Under GDPR any user now has the ability to request ALL personal data held on them which should, in theory, include any connection data, even if the provider claims they retain none of it.

Now the likelihood of a provider handing over connection logs when they claim they don’t is minimal.

The upshot is if at a later date it was discovered that they did indeed collect and retain such connection data but hadn’t provided it to you when requested they would fall foul of GDPR.

In fact, even without you requesting such information, if they stored it but you didn’t consent, they could also be failing GDPR.

Potentially this means VPN services can be fined up to 4% of their annual turnover regardless of where they operate from in the world.

It’s of massive importance as we move forward to open and honest logging practices.

The providers I put to the GDPR test

I set about contacting 10 of the top names in the VPN industry requesting all details held on myself using GDPR as the reason.

As a reviewer of VPN services I am signed up to many but aside from review periods rarely use most of them so the data retained may be slightly less than what you as a regular user may expect.

The providers tested in no particular order included:

I contacted all providers on 15th June 2018.

Companies and organisations have ‘One Month’ to respond to all requests, known as Subject Access Requests (SAR) and unless they are complex in nature this timescale should be adhered to.

What I discovered for each provider

ExpressVPN

ExpressVPN was one of the first to respond, within a few hours of my request. Initially they reiterated their privacy policy and furnished me with their page advising as such. Not quite what I was expecting from a GDPR request. [15/06]

After a further email explaining the nature of my request they finally responded.

What data they claimed to hold:

ExpressVPN responded the same day and confirmed they only store the details that a user can see in their account panel and supplied a link.

They reiterated that they do not store connection logs, IP addresses, timestamps or such.

VyprVPN

VyprVPN responded equally fast, within hours of my request, asking for verification of my account for security purposes.

After following up with confirmation of my identity they informed me that it had been escalated and I would hear back from them in due course. [15/06]

What data they claimed to hold:

VyprVPN responded on 11th July with an attached file containing all the data held on me.

The file contained my name and address details, my email address and the type of payment used.

It also contained connection data including the IP address of the VPN server I used, the time I connected and disconnected, my home IP address and the amount of data I transferred both in and out.

The earliest connection data was from 13th June and three records of this nature were found. I do not however regularly use the VyprVPN service.


CyberGhost VPN

CyberGhost VPN was also one of the first to respond. Their system seemed well geared for GDPR as they supplied a dedicated form to complete in relation to GDPR requests. [15/06]

Due to some personal delay, my GDPR request form was submitted on 27th and confirmed by CyberGhost VPN on July 3rd. They confirmed that the 30 day period would begin from 27th June and they would aim to respond with my requested details before that point. [03/07]

What data they claimed to hold:

CyberGhost VPN responded on 25th July 2018.

The information supplied contained my username, the date the account was created, the key used to activate the account, the types of devices active on the account and my country code.

I was informed that via ZenDesk my username and email address were also collected.

The rest of the email reiterated their stance of not logging user details or connection logs.

NordVPN

NordVPN responded the day after my request. They were keen to point out that their privacy policy was in line with the GDPR. [15/06]

What data they claimed to hold:

In the same email they responded with the data they held on me. This was simply my email address.

As I hold a test account for review purposes there were unlikely to be any address details stored if they do indeed retain such information.

Proxy.sh

Proxy.sh responded the day after my request stating they do not retain or log any details because their services are run from RAM. [16/06]

I questioned this response and asked for all and any details stored on myself. I was again informed that there are absolutely no logs kept at all. I had to restate the requirements of GDPR and my request.

What data they claimed to hold:

I was finally supplied with my name, email address, address and phone number.

I was told they also held support tickets but if I wanted information on these I would be required to pay a ‘fee’.

I was further told if I wanted to verify such I could enforce the request through courts. As Proxy.sh is registered in the Seychelles that would be an expense too much for many.

HideMyAss

HideMyAss responded 3 days after my request. They provided a dedicated GDPR link where I could receive basic account information stored. [18/06]

To receive information on connection data they informed me I would need to provide photographic documentation. Upon consulting our expert, he agreed this was an acceptable method of process and indeed one which actually protects your privacy.

I questioned the process as I was unwilling to send photographic documentation via email due to its insecure nature. After much back and forth via email I was finally given an address in Serbia where I could send physical confirmation of my identity.

I questioned the use of a non-European Union address for identification purposes for an EU regulation. I was then finally given a London, UK address. [21/06]

At this stage I opted not to continue the process with HideMyAss and as such am unable to confirm what information was stored on myself.

While I can understand their requirement to be careful with users’ privacy it seems a better process of supplying identification documents needs to be introduced. As it stands it is only possible via insecure email or a lengthy physical postal process.

What data they claimed to hold:

Unknown

StrongVPN

StrongVPN responded 3 days after my request with a generic response asking me to confirm I made the request. [18/06]

What data they claimed to hold:

After my confirmation, StrongVPN responded on 18th July with an email containing a zip file. The zip file was password protected and the password was my account name.

The ZIP file contained many files inside.

The information supplied was lengthy and varied, although most related to my account, such as payment type, subscription length and cost of the account. It wasn’t what I would consider personally identifiable information, in as far as if this information was read by anyone else they wouldn’t understand personal details about myself.

However, it’s commendable that this information was included.

One file contained my name, email address and IP Address. I assume this was for my active account. I could not ascertain if this was my current IP Address replaced on each connection or if it was the IP address of my initial account activation.

It also contained every email they had sent to me in the past 14 months.


IPVanish

IPVanish responded 3 days after my initial request. It was a generic reply asking me to confirm I made the initial request. [18/06]

What data they claimed to hold:

I confirmed this and IPVanish responded on 18th July with a zip file containing both details on my account and on any support tickets I had opened. The file was password protected. I was informed the password was the account name.

The ticket data file contained details on my original ticket opened for the GDPR request. This was the content of my ticket, the date it was opened and my email address.

The second file contained my name, email address, account username, account status, the subscription type I have, the date due for renewal, the payment method used and the date I confirmed my email address when I originally signed up for their service.

PrivateInternetAccess

PrivateInternetAccess took 4 days to respond to my initial request. I received a generic response providing details on their logging policy, reiterating their commitment to privacy. This was a generic response not dealing with my initial request. [19/06]

I replied to the email informing them of the requirements of GDPR and my request. I received a swift response stating that the only details they hold were what they had earlier provided me. [19/06]

I responded a second time restating the importance of my request. I received a further reply from another member of support staff reiterating the original two responses without any understanding of my initial request.

Without response on my part, the original emails were followed up 1 hour and 30 minutes after the last received email apologising for the confusion and supplying the details of the information held on my account. This was handled by the ‘Senior Vice President of Customer Experience’.

What data they claimed to hold:

PrivateInternetAccess disclosed I had held 3 accounts ranging from 2015 until the present day. It included the random account username, the account “pin”, the account start and expiry date and the number of days remaining on the account.

All accounts showed that they were paid for by gift card. All three accounts were test review accounts but there were no further personal details about myself or my usage included.

VPN.ac

VPN.ac responded to my initial enquiry on 8th June.

What data they claimed to hold:

They supplied details of my name, phone number, email address, sign up date, how long I had been a client, the date and time I had last logged in and my IP address.

It also contained my VPN account username and any timestamps for the past 24 hours in line with their logging policy. As I had not used the service in the past 24 hours there were no such details.

Conclusion: How are VPN providers performing with GDPR

I conducted the experiment not long after GDPR came into force. However, as the Senior Lecturer I consulted before I conducted the experiment stated, companies have had more than 2 years prior to it coming into force to prepare.

The results show a mixed bag of outcomes. Some VPN providers appear well prepared for GDPR, others give the impression they’re still really unsure about what it entails and its requirements. Others felt like it was a huge inconvenience.

As an overall view, it appears VPN companies could do much better to streamline the process. I’m confident that as they receive more requests and users understand the powers that GDPR offers, the process will improve.

Most importantly GDPR should be an opportunity for companies to be held to account should they fail to satisfy the requirements. It will be interesting to see which VPN provider next falls foul of claims of “no logging” and how the law can be used to punish them for such blatant lies.

While GDPR is accepted as good in theory, it may not live up to expectations in practice. There are also multiple possibilities that GDPR may conflict with individual countries’ own data retention requirements and the future surrounding such issues is yet to be discovered.

Why not put your VPN provider to the test? Simply drop them an email requesting all details held on yourself specifying GDPR. Let me know in the comments section what you find.

Illustrations © Tatyana Merkusheva & Daranee Promprasit | Dreamstime.com

Author: Christopher Seward

After 25 years of using the internet, Christopher launched one of the very first VPN comparison websites in 2013. An expert in the field, his reviews, testing and knowledge have helped thousands of users get the correct VPN for their needs.
