An age-old question in the VPN (Virtual Private Network) industry, and among users in general, is “Does my VPN provider log?” The word “log” has many different meanings, and the main concern should be: does your VPN provider log your activity?
Of course, for a simple question like this, the answer for nearly 99.9% of paid-for VPN services can most likely be guessed, and it is a conclusive no. To log actual user traffic would completely remove the point of using a VPN service in the first place, and the chances of any user being willing to sign up for a service that records what they get up to are likely to be none.
This leads to a very important question about what we expect from our VPN providers. The majority of users will agree that privacy and a level of encryption are two of the main requirements when searching out a suitable VPN provider; the fact that it doesn’t log actual user traffic is a given.
There is a portion of users who make it a strict requirement that the service must offer “No Logs”, and with this they introduce a requirement that leaves no room for manoeuvre. What exactly should No Logs entail, though? It is a rather broad statement. Are we expecting no connection logs? No personal detail logs? No accounting logs? No tracking logs? While we strive for the most secure provider, we pressure those providers even further to offer possibly unobtainable specifications.
The saying that the customer is always right is in many cases true for business, and in a competitive industry with many hundreds of providers, they will adapt and generally bend over backwards to accommodate the requests of their (paying) customers. The customer is king, and to retain customers, what they strive for must be offered.
There are good VPN providers out there
The majority of VPN providers are honest, reputable companies and will only make statements based on what is true, such as IPVanish, who are a truly no-log VPN provider. But the persistent echo of “No Logs” that users regularly bandy around could cause some more unknown or pop-up companies to offer, on the surface, exactly what the user requires without the actual backing behind it. Paying lip service to those requirements could go far in earning the respect of customers, which becomes a dangerous cat-and-mouse game of advertising slogans.
Some of the more open and honest companies suffer because of their unwillingness to make untrue claims or use words that imply more than is possible, and I find this a rather unfair situation. I would much prefer VPN providers to be open and honest about their logging policies, which gives me the option to make up my own mind, rather than be told a provider keeps no logs whatsoever only to find out 6 months down the line that this is untrue, or that they don’t keep logs but the data centre does.
I for one am happy for providers to keep connection logs; to me this is a necessary evil to help troubleshoot issues that may arise on the service. How would customers who demand no logs expect a service to continue uninterrupted if the provider couldn’t resolve issues? The majority of VPN providers use servers provided by third parties. Those third parties will have their own requirements of what is allowable on their network. If one user was causing enough abuse, the data centre itself would take issue with the VPN provider and, unless it was resolved, would be likely to terminate the VPN provider's contract.
Without logs this is difficult to resolve, although not impossible.
So, supposing the VPN provider happily accepts this as a possible consequence of a no-log policy and moves data centre, the user who was responsible in the first instance would be able to carry on committing a range of abuses, to the detriment of the provider, on the new servers. Is it realistic to expect the provider to continually break contracts with third-party data centres in order to facilitate the abusive activities of one user or, in the case of a large provider, what could run into the thousands of abusive users if the customer base was big enough?
The focus should be more upon how long connection logs are kept for and in what secure state. Encrypting them and moving them to another undisclosed location is one possibility, and there are plenty of other ideas that could be implemented to facilitate secure storage for short periods of time. It should not be forgotten that connection time logs tied to a user account offer little identifiable information if securely stored and only accessible by your provider.
They do, however, serve a purpose in linking a user to a specific activity, but only at such a time when law enforcement or another wronged body comes forward to the VPN provider stating that at XYZ time XYZ user was committing XYZ crime. As long as the provider is prepared to converse only in situations where they are legally required to, why is there such uproar? In the majority of high-profile cases in which VPN providers have given up details, they have 1) been required by law to and 2) been required to supply information to assist in a criminal case. Are we prepared to allow all crimes to go unpunished only because a $6 VPN service was enlisted?
So the theory is that no logging is the golden elixir of VPN security, and for the average user who is not heavily into networking and the way in which data centres work, taking those two tiny words, “No Logs”, is enough… but it isn’t; it is the tin foil hat.
After discussion with a provider who shall remain nameless at my discretion, multiple possibilities were given that could allow the identity of a user to be discovered even on a service that suggests no logs.
The situation is further complicated by what a third party or law enforcement could do. If the server doesn’t have full disk encryption that requires pre-boot authentication, then they could just reboot and log in without a password (single user mode). This isn’t necessarily stopped even if the server does have full disk encryption and stores keys and information in RAM: it is possible to seize a server without powering it down, take it back to a lab and dump the RAM contents. There are endless possibilities available to law enforcement that the average user just isn’t aware of. Remember, if they want you enough, they will get you.
At what point do we consider logs, logs? Many websites use Google Analytics to better understand where their traffic, and in the case of VPN providers their customers, come from. There is nothing wrong with this in general, but if a provider claims “No Logs”, would you consider this a breach of your trust for taking their word? When are no logs really no logs?
To summarise, it is advantageous to consider providers who offer clear information on their logging policy, and if that policy is “No Logs” and is true, then fine. In general, though, consideration should be given to a range of factors when deciding which VPN provider is suitable for your needs. A huge part of that should be their logging policy, but don’t discount those who offer clear information on what they store and how long they store it, and be prepared to think constructively about providers even though they perhaps store “connection logs”.
As long as you aren’t up to anything overly criminal in nature, a good provider will always put your security first, employing best practice to secure such logs and defending your identity and privacy in matters where a court of law has not instructed them to do otherwise.
Your thoughts and input are welcome, and suggestions on how we can improve communication between us as users and providers can only benefit the VPN community. Feel free to post your thoughts in the comments section below; discussion is welcome.