When you use a virtual private network (VPN), you expect it to provide you with a decent level of privacy. After all, its entire job is to feed your data through an encrypted tunnel where prying eyes can't take a peek. But what happens when the VPN provider keeps logs? Is your privacy still intact, or are you just trading internet service provider (ISP) and government supervision for VPN surveillance?
What Are VPN Logs?
Like most internet-based services, VPNs can store data on their users for a variety of reasons. These records are known as "logs", and they fall into two categories.
1. Usage Logs
Regardless of your threat model, usage logs are problematic and intrusive. This is because they contain sensitive and personally identifiable information about you and your online habits, including:
- What you upload or download.
- Your real IP address (when you connect to the provider’s servers or website).
- Your browsing history.
- What web applications you use.
- Other metadata.
Using a VPN that keeps usage logs defeats the purpose of using one at all, because you're simply allowing your VPN provider to spy on you instead. And if logging usage data doesn’t bother you, consider that the provider might be forced to hand over its data to the authorities anyway, its servers might get hacked, or a disgruntled employee could go rogue and leak usage logs on the deep web.
All of this could simply be avoided if you choose a VPN that keeps no logs in the first place, as it would have no data to hand over or leak.
2. Connection Logs
Unlike usage logs, connection logs just focus on technical data about the VPN connection. They contain information like:
- How much data you use.
- How long you use a server.
- When you connect to/disconnect from a server.
- The VPN server’s IP address.
Connection logs are used to troubleshoot and optimize VPN services, with many providers recording them despite claiming to have a zero logs policy. This makes it difficult to know whether "no logs" truly means no information is being stored, meaning it's always best to go for a service that has proven its zero logs policy in court, such as Private Internet Access (PIA).
Even Connection Logs Can Harm User Privacy
While they seem harmless, even connection logs can often be risky, particularly when a VPN provider stores user IP addresses with them. Your IP address reveals a lot of information about you, such as:
- What country, region, and city you are from.
- Who your ISP is.
- What your ZIP code is.
That’s prime real estate for advertisers, who can use that data to spam you with creepy personalized ads. And that can happen if the VPN provider shares user IP addresses with third parties.
There are even more dangers if the provider suffers a leak or someone breaches their servers, as your IP address can end up in the wrong hands. Should this happen, hackers could use your IP address to break into your computer remotely, put it up for sale on the deep web, or use it to find your ISP and target them with phishing attacks.
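A provider or auditor can check for this mechanically. The sketch below is an added example, not code from this article or from any VPN provider: it scans connection-log records for stored addresses other than the VPN server's own and shows a minimized record with those fields dropped. The JSON record layout, field names and addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample connection-log records (documentation address ranges only).
SAMPLE_LOG = """\
{"server_ip": "198.51.100.7", "connected_at": "2024-05-01T10:00:00Z", "disconnected_at": "2024-05-01T11:30:00Z", "bytes": 52428800}
{"server_ip": "198.51.100.7", "connected_at": "2024-05-01T12:00:00Z", "disconnected_at": "2024-05-01T12:05:00Z", "bytes": 1048576, "client_ip": "203.0.113.45"}
{"server_ip": "198.51.100.9", "connected_at": "2024-05-02T08:00:00Z", "disconnected_at": "2024-05-02T08:10:00Z", "bytes": 2048, "note": "peer 2001:db8::1234 timed out"}
"""

# Assumption: the operator knows the addresses of its own VPN servers.
SERVER_IPS = {"198.51.100.7", "198.51.100.9"}


def addresses_in(value):
    """Return every IPv4/IPv6 address found in a string value."""
    found = []
    for token in str(value).replace(",", " ").split():
        try:
            found.append(str(ipaddress.ip_address(token.strip("()[];"))))
        except ValueError:
            continue  # timestamps, words and counters are not addresses
    return found


def audit(log_text, server_ips=SERVER_IPS):
    """List (line number, field, address) for each non-server address stored."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        record = json.loads(line)
        for field, value in record.items():
            if not isinstance(value, str):
                continue
            findings.extend((line_no, field, a) for a in addresses_in(value) if a not in server_ips)
    return findings


def minimize(record, server_ips=SERVER_IPS):
    """Return the record without any field that carries a non-server address."""
    return {k: v for k, v in record.items()
            if not (isinstance(v, str) and set(addresses_in(v)) - set(server_ips))}


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("line %d: field %r stores address %s" % finding)
```

Note that the third record leaks an address through a free-text field, which a check on field names alone would miss.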
Why store logs at all?
VPN services usually keep logs because they need to comply with data retention laws, make sure users stick to the number of simultaneous devices they’re allowed to use, or enforce bandwidth caps.
Sometimes, though, the reasons are shadier – such as selling user data to advertisers. And other times, VPN providers don’t have control over it because the data center keeps logs without telling them.
The Best Solution for Real Privacy – No Logs
A zero log policy is the only way to make sure a VPN protects your privacy. That way, even if the authorities try to seize their servers or hackers breach them, there won’t be any user data to abuse.
Zero logging is only possible if the provider goes to great lengths to make that happen, like closely working with skilled lawyers to make sure laws can’t force them to keep logs, and only using reliable data centers that don’t keep logs behind their backs.
PIA is a good example of such a service. Their Privacy Policy and multiple appearances in court documents make it clear they don’t log any VPN traffic.
Do VPNs in 5/9/14 Eyes Countries Automatically Keep Logs?
This is a common misconception. We’ve seen a lot of people saying that you shouldn’t trust a no-log VPN if their HQ is in a 5/9/14 Eyes country. If you’re not sure what countries are part of that alliance, here’s the list:
- Australia
- Belgium
- Canada
- Denmark
- France
- Germany
- Italy
- New Zealand
- Norway
- Spain
- Sweden
- The Netherlands
- The UK
- The US
Many people seem to think if a VPN has their HQ in those countries, the law will force them to keep logs. They probably believe that because the 5/9/14 Eyes Alliance is all about member countries sharing intelligence with each other and spying on each other’s citizens. While this is concerning behavior, there are absolutely no specific laws in any of those countries that force VPN providers to keep logs. It’s really up to the provider to decide if they want to store logs or not.
Take PIA again, for example. Their HQ is in Denver, Colorado, in the US. Since it’s a 5/9/14 Eyes country and because the US doesn’t have the best track record with privacy, you might expect them to keep some sort of logs. But that’s not the case at all. And it’s not just an empty claim. PIA actually has court documents that prove they don’t store any logs.
And if that wasn’t enough, PIA has done other things to increase user trust in their service:
- They started open-sourcing their software.
- They stopped providing servers in Brazil to avoid being forced to store logs.
- PIA shut down its Russian servers and its South Korean servers because the authorities wanted to force them to log traffic.
If you’d like to read more about PIA, and see how else they can protect your privacy, check out our in-depth review.
Should VPNs Use Warrant Canaries?
A warrant canary is a legal statement from a VPN provider that informs users whether the provider received any subpoenas, gag orders, or warrants from government agencies that ask them to share user data. Normally, a warrant canary just looks like a simple web page on the VPN provider’s website that receives regular updates. If the updates stop, it is a warning to users that the company has likely been served.
Warrant canaries have good intentions. However, they’re not extremely useful. If a VPN provider just doesn’t keep any logs, it doesn’t need one. In fact, a warrant canary feels like it’s there to distract users from the fact that there is a logging policy.
PIA has a good article on this topic explaining why warrant canaries are not the way to go.
Final Thoughts
VPN logs and privacy just don’t go hand in hand, even if we’re only talking about connection logs. It’s much easier to trust a VPN that doesn’t keep logs of any kind and also has evidence to back up their claims.
How do you feel about this topic, though? Do you think there’s any good reason for VPNs to keep usage or connection logs? Tell us in the comments.