It’s no secret that technology products oversell their features so that they can impress consumers. But what about technology products that ‘undersell’ their features? VPN services are notorious for this, as many claim that they don’t keep logs, or have a ‘Zero Log Policy’.
But this couldn’t be further from the truth.
‘No logs’ and ‘zero logs’ are the most variable terms in cyber security, as their meaning depends entirely on each company’s definition of logs.
So here’s a quick breakdown of how logging actually works.
The Types of Logs
True Zero Logs
As the name suggests, a service that employs a true zero logging policy is as secure as you can get. The service genuinely won’t collect any of your data while you use the software, so you really are an anonymous user. This type of logging policy is by far the most effective, as it is impossible for any of your data to ever be sold to advertisers or used against you in the case of a criminal investigation. A VPN famous for upholding this policy in court is Private Internet Access, as the firm has repeatedly denied the FBI access to user logs because it truly doesn’t keep any.
Session Logs
Session logs are what most VPNs refer to when they say they have a ‘no logging policy’. A session log is a relatively basic log which keeps track of metadata about your use of the VPN. The metadata typically collected includes usage time, bandwidth used and which VPN server was used.
Though these logs do in fact contain some basic data, they are for the most part quite harmless. However, users that want absolutely no data collected are better off looking for a true zero logging service.
Activity Logs
Activity logs are a scary thing, as they can record a large amount of data about what you do on the web while using a VPN. Activity logs can capture what you have searched for, the websites you have visited, the files you have accessed or downloaded and even the items you have purchased. These logs are very frightening, as the data can be sold by VPN firms to third-party advertisers or used against individuals in the case of a criminal investigation.
IP Address Logs
IP address logs are a slightly less scary prospect than activity logs, but still a feature which should set some alarms off. IP address logs collect your physical location via your internet IP address and often the time at which you logged in to the VPN. Thus, the service has a history of your IP address and login time, which could potentially be enough information to identify you in a number of investigative situations.
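An added example, not part of the original article, showing why a retained IP address and login time can be enough to single out a subscriber: it matches one observed connection against the retained records. The record layout, account names and log entries are constructed for illustration, and the addresses come from documentation ranges.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class SessionRecord(NamedTuple):
    account: str      # hypothetical subscriber id
    source_ip: str    # IP address log: where the user connected from
    server: str       # session log: which VPN server was used
    login: datetime   # IP address log: login time
    minutes: int      # session log: usage time

# Constructed sample of what a provider might retain.
RETAINED = [
    SessionRecord("acct-1001", "198.51.100.23", "nl-03", datetime(2024, 5, 1, 20, 0), 90),
    SessionRecord("acct-1002", "203.0.113.77", "nl-03", datetime(2024, 5, 1, 21, 15), 30),
    SessionRecord("acct-1003", "192.0.2.14", "se-01", datetime(2024, 5, 1, 20, 30), 120),
]

def sessions_matching(records, server, seen_at):
    """Return retained sessions that were active on `server` at `seen_at`."""
    hits = []
    for r in records:
        end = r.login + timedelta(minutes=r.minutes)
        if r.server == server and r.login <= seen_at <= end:
            hits.append(r)
    return hits

def exposure(records, server, seen_at):
    """Summarise how far the retained data narrows down one observed connection."""
    hits = sessions_matching(records, server, seen_at)
    if not hits:
        return "no retained record matches"
    if len(hits) == 1:
        return f"unique match: {hits[0].account} from {hits[0].source_ip}"
    return f"{len(hits)} overlapping sessions: not unique"

if __name__ == "__main__":
    print(exposure(RETAINED, "nl-03", datetime(2024, 5, 1, 20, 45)))
    print(exposure(RETAINED, "nl-03", datetime(2024, 5, 1, 21, 20)))
    # A true zero-logs provider has nothing to match against.
    print(exposure([], "nl-03", datetime(2024, 5, 1, 20, 45)))
```

With only one session active on a server at the observed time, the login time and IP address point to a single account; the empty list is the true zero logs case.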
Data Agreements and Policies That Affect Logging
Services don’t usually keep logs unless they are forced to by a government entity which has policies focused on monitoring citizens. The most notable of the government agreements are the Five, Nine and Fourteen Eyes which monitor the activities of citizens residing in these countries. If the country’s data agencies don’t have the legal jurisdiction to spy on their own people, they will simply request one of the other governments to do so for them. Below is a breakdown of the agreements and countries which are part of the massive data sharing/spying agreements.
Five Eyes Agreement
The most notable of the government agreements to monitor individuals is the Five Eyes Agreement, which is an agreement between the US, UK, Australia, New Zealand and Canada to share data about the citizens of each country. The policy arose in 1946 between the US and UK after the Second World War as a means to monitor the activity of the Soviet Union and its allies. The agreement aimed to intercept signals from Soviet militaries but over the years developed the capability to spy on telephones, computers and fax machines for domestic citizens. With such a wide network of information, it didn’t take long for Canada, Australia and New Zealand to also join the agreement.
Today, that system of information tracking is run by software known as ECHELON, which allows governments to spy on both commercial and private operations and collect mass amounts of data on individuals. This information can then be shared between any of the member countries and used to track suspicious individuals. Most of today’s data stems from phone calls, web activity, faxes and any other type of digital communication device. Thus, individuals residing in the five member countries are subject to a mass amount of data interception if found to be suspicious. For this very reason, the governments of each country have the power to demand user activity info from VPN services.
Nine Eyes Agreement
It didn’t take long for other countries to jump on board with the Five Eyes data sharing agreement, as it became a very useful tool for the original member countries in many regards. Thus, four more nations joined the agreement, adding the Netherlands, France, Norway and Denmark. Even though the new members are in fact part of the agreement, some, such as the Netherlands, have their own data protection laws. Some of the Netherlands’ data protection policies strictly protect personal privacy, limiting what information can be kept by VPNs.
Fourteen Eyes Agreement
Due to the efficiency of the Five and Nine Eyes agreements, the arrangement expanded again to another five countries, adding Spain, Germany, Belgium, Italy and Sweden. These countries also became subject to data sharing, which allowed the group of countries to effectively spy on the individuals of other countries. Thus, the Fourteen Eyes agreement formed the ultimate system of spying, which now dramatically affects the validity of VPNs based in those countries.
Recent Cases with Logging
While so many companies claim to have a no logging policy, few genuinely mean that they don’t collect any logs. Such is the case with PureVPN, a Hong Kong-based VPN which recently surrendered the data of a specific user to the FBI.
PureVPN was asked to aid the FBI in a stalking case where a PureVPN customer had apparently used the service to commit cybercrimes and harassment. Upon request, PureVPN provided login times and locations to the FBI, indicating where the suspect had logged in to the service from and at what time. The session logs ultimately aided the FBI in its prosecution of the suspect, but placed PureVPN in the spotlight, as the service claimed that it did not keep any logs.
Though the PureVPN case is the most notable, it is certainly not the only instance where a VPN has surrendered user data to authorities. This case, as well as many others, proves just how variable ‘no logging’ policies can really be.
Ways to Protect Yourself
Read the Fine Print
Although many firms may claim that they don’t keep any logs, their fine print often says otherwise. Thoroughly read through the fine print of every service to ensure that none of your information is being captured for research purposes.
Avoid the Fourteen Eyes Countries
As a whole, the VPNs which come from the Fourteen Eyes member countries are typically less private due to strict data retention policies. However, some VPNs in these countries do in fact disregard the mandatory rules and refuse to keep any logs of users as they claim the human right to privately access information is superior to policies. Furthermore, some of the countries do have strict privacy protection laws for citizens, making it questionable as to whether a VPN must log user data or not.
Use a VPN with Tor
Using a VPN with Tor (the onion router) can provide an extreme level of privacy if done correctly, making it nearly impossible for your data to be tracked in even the strictest of countries. However, if your VPN is not used with Tor properly, then your web activity can be traced through the exit nodes of Tor, making you even less safe than before.
At the end of the day, the level of privacy that you desire should help determine what type of VPN service is right for you. Do your research prior to subscribing to a VPN and ensure that whatever you sign yourself up for is exactly what you are looking for.