By far, the most common way you'll see VPNs described is "no logs" or "zero logs." It sounds appealing on a marketing page, but how can the average user be sure that their provider truly keeps no logs? Security experts will claim that's what independent audits are for, and for the most part, that's true. However, that doesn't solve the issue of needing to trust the claims of yet another third party.
We're practically stuck in a loop of "who watches the watchmen?" (or "who audits the auditors?" in this case). While they're a decent way to gauge the quality of a VPN provider, audits are most often performed on a replica of the VPN's infrastructure. Sure, that builds trust in the provider, as they don't willingly provide an outside party with access to user data. In the end, though, an audit still tells us a "biased, limited, and perishable story," as F5 director Raymond Pompon puts it.
At the end of the day, even the best zero logs VPNs need some way to keep their service up and running. And yes, that will involve some form of logging, no matter how minimal. For example, VPNs with a device limit need to track how many devices are linked to your account. Others may track data usage to impose data caps or OS and app versions to provide crucial security updates.
So what can you do to determine how private a VPN actually is? Read on to find out.
While you should definitely read the VPN terms of service before signing up with any provider, that's not always enough. For instance, some VPN providers may flat out lie about their no logs claims.
Such was the case when 7 Hong Kong-based VPNs leaked 1.2 TB of data online. Over 20 million users had their names, emails, passwords, addresses, IPs, browsing history, and other sensitive details exposed online. All 7 providers claimed they don't log user data. Oops.
It's important to note that these were all free VPNs, which you should avoid if you care about privacy at all. Free providers need to take care of operational costs somehow, which usually involves selling user data to advertising networks.
What are some better ways to determine whether a VPN is lying about its no-logs policy? Three methods are reliable to some extent.
1. Court-proven VPN No Logs Policies
We've previously covered several cases where no-logs VPNs shared data with governments - PureVPN, IPVanish, and EarthVPN specifically. In those cases, they shared data needed to catch a child predator, a stalker, and a culprit making bomb threats. While all of them definitely deserved to get caught, that isn't the issue here. Instead, it's the fact that said VPN providers lied about their no-logging policy.
On the other side of the barricade lie providers such as Private Internet Access (PIA), who have had their data logging tested in court more than once. Suffice it to say, PIA couldn't provide any user information to the authorities for a simple reason: they don't store it in the first place.
2. Transparency Reports
While they also deal with the authorities on a regular basis, CyberGhost VPN takes a slightly different approach. They provide quarterly transparency reports showcasing DMCA complaints, malicious activity flags, as well as police requests for user data. As expected, CyberGhost VPN can't provide any such details as they do not retain any user logs.
What little information they do gather (such as hardware details) is transformed into an MD5 hash that cannot be traced back to their users.
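To make the hashing step concrete, here is an added example (not CyberGhost's code, and not describing their actual implementation) that pseudonymizes a constructed device description with MD5, as the article describes, and shows the two properties a provider relies on: the same device always yields the same pseudonym, so a device limit can still be enforced, while the pseudonym itself doesn't reveal the details it was computed from. The example goes a step beyond the text by placing a keyed HMAC-SHA256 pseudonym beside the unkeyed MD5 one, because an unkeyed hash of a short, guessable input can be confirmed by anyone who recomputes the same hash over a guess, whereas a keyed pseudonym cannot be checked without the provider's secret key. The device strings and the key are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample "hardware details" of the kind the article says a
# provider hashes. The values are made up for this example.
DEVICE_A = "Linux x86_64|vendor:ExampleCorp|model:Laptop-Pro"
DEVICE_B = "Android 13|vendor:ExampleCorp|model:Phone-S"

# Constructed provider-side secret for the keyed variant (assumed design,
# not the provider's). A real deployment would keep this in a secrets store.
PROVIDER_KEY = b"example-provider-secret-key-32-bytes!!"


def md5_pseudonym(hardware_details: str) -> str:
    """Unkeyed MD5 of the device description, as the article describes."""
    return hashlib.md5(hardware_details.encode("utf-8")).hexdigest()


def keyed_pseudonym(hardware_details: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym under a secret key held only by the provider."""
    return hmac.new(key, hardware_details.encode("utf-8"), hashlib.sha256).hexdigest()


def count_distinct_devices(pseudonyms) -> int:
    """What a device-limit check needs: how many distinct devices are linked.
    Works on pseudonyms alone; the raw details are never required."""
    return len(set(pseudonyms))


def guess_confirms_pseudonym(pseudonym: str, candidate: str) -> bool:
    """True if a party holding only the MD5 pseudonym (and no secret) can
    confirm that `candidate` is the input behind it. Because the function is
    public, equality of hashes is all it takes."""
    return hmac.compare_digest(md5_pseudonym(candidate), pseudonym)


def guess_confirms_keyed_pseudonym(pseudonym: str, candidate: str, key: bytes) -> bool:
    """The same check for the keyed pseudonym. Without the real key the
    recomputed value never matches, so a hash on its own confirms nothing."""
    return hmac.compare_digest(keyed_pseudonym(candidate, key), pseudonym)


def demo() -> dict:
    """Run both schemes over the constructed devices and return the results."""
    md5_ids = [md5_pseudonym(DEVICE_A), md5_pseudonym(DEVICE_A), md5_pseudonym(DEVICE_B)]
    keyed_ids = [keyed_pseudonym(d, PROVIDER_KEY) for d in (DEVICE_A, DEVICE_A, DEVICE_B)]
    wrong_key = b"not-the-provider-key"
    return {
        "md5_devices": count_distinct_devices(md5_ids),        # 2 distinct devices
        "keyed_devices": count_distinct_devices(keyed_ids),    # still 2
        "md5_guess_confirmed": guess_confirms_pseudonym(md5_ids[0], DEVICE_A),          # True
        "keyed_guess_with_wrong_key": guess_confirms_keyed_pseudonym(keyed_ids[0], DEVICE_A, wrong_key),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for evaluating a provider's claim: a pseudonym that is only a bare hash of guessable details is as private as those details are unguessable, so the useful question to ask is whether the hashing is keyed (or otherwise salted with a secret the provider controls), not merely which hash function is used.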
PIA is another example of a provider with (semi-annual) transparency reports (Q1 2022 found here). Meanwhile, IVPN updates its transparency report page annually. As you can see, they have never provided any user information, even when the data requests were valid. So far, so good.
3. Government Seizures
On the extreme end of the spectrum are cases where governments tried to obtain user data by confiscating the VPN provider's servers. In 2017, Turkish authorities seized ExpressVPN servers as part of investigations into Russian ambassador Andrey Karlov's assassination. Naturally, the police could not find anything useful, as the provider does not keep connection or activity logs that could be tied to users.
Furthermore, ExpressVPN introduced its TrustedServer technology in 2019, eliminating the use of hard drives on its network. Most top-notch VPNs now run RAM-based servers that wipe all data on reset, vastly improving security against government seizures, rogue employees, and other threats to user privacy.
Instead of Trusting VPN No Logs Claims, Do This
Aside from the cases illustrated above, the best way to judge whether a VPN is worth it is to look at the company's history and background. Here are some questions that can help you in your search:
- Is the company headquartered in a country with strict data retention laws (such as the UK and Australia)?
- Do they engage in misleading advertising?
- Has the provider been involved in any privacy scandals?
- Has an independent security company audited them?
- Is the provider transparent about their company ownership? Who are the people leading the company?
- Who are the investors backing the VPN, if any?
Bonus points for VPNs that maintain their own server network rather than renting space in third-party data centers. It's optional but definitely welcome, as that minimizes the chances of incidents like the 2018 NordVPN data center hack. Thankfully, NordVPN has since shifted to a fully RAM-based server infrastructure and has gotten back on track to being one of the top VPNs in the industry.
Finally, we need to come to terms with the fact that a VPN does not guarantee 100% anonymity on the internet. No single piece of software can, although you can get pretty close if you combine VPNs, Tor, and virtual machines. Even then, that anonymity is limited to your browsing activity, as any network-facing app traffic (like torrents or instant messaging) isn't covered by Tor.