VPN services have gained momentum over the past couple of years. Be it the epidemic or the rising demand for a more private and secure browsing experience, VPNs have come a long way. They have grown into a staple product with a potential customer behind every screen. With such a large untapped market to explore, commercial VPNs didn’t disappoint. In a bid to attract more customers, they explored innovative methods and technology to gain traction. From long server lists (in the thousands) to advanced features (kill switch, split tunneling), VPN providers outdid themselves at every step. One such marketing gem is the No-Log VPN, where a VPN claims to do zero logging. Today we will explore what No-Log VPNs are. We will also take a closer look at what logs a VPN keeps, the so-called No-Log policies, and the process known as VPN logging.
Every time you connect to a VPN, the connection is recorded. Simply put, a VPN tends to record the incoming and outgoing connections to a VPN server. That may not sound so bad, as providers claim they only keep a bare minimum of your data: user IDs, the IP address of the server, and the timestamps denoting the connection uptime. However, is that true? The driving point behind a VPN is that it keeps the user anonymous from their ISP. A user won’t be happy to learn that they have just replaced one data-tracking entity with another. That’s where no-log policies come into play. According to providers, a No-Log policy assures users that the VPN itself isn’t keeping any tabs on their online activities. Hence the term – No-Log VPNs. However, to understand logging policies, we have to take a look at the VPN logging process.
VPN Logging: What is it?
Before we delve further into the topic of no-log VPNs, let’s try to understand what VPN logging is. With “no-log policy” becoming more of a marketing gimmick, it is understandable to assume that all VPNs keep some logs. Generally, data logging means gathering data over a period of time. When done by a VPN, this process is known as VPN logging. But why so much scrutiny over a VPN logging your data? Because when a VPN logs your data, it defeats the whole purpose of getting a VPN in the first place. VPNs are popular because they promise privacy on the internet. If your provider is keeping logs, it isn’t secure, because it can be forced to give up your data.
Another reason people go for VPNs is that they want to hide data from their ISP. They trust VPN providers and hand their data over to the VPN instead of the ISP. But it can be a case of going from the lion’s mouth to a wolf’s den. There is no guarantee that your data won’t end up on the market, selling at a premium, especially when a VPN can log what you do on the internet: from your IP address, browsing history, and device information to the size of your data packets.
With a VPN, you are essentially transferring your trust from an ISP to the provider. As such, the particular VPN’s logging practices need to be under scrutiny.
Types of Logs
There are two types of VPN logs:
1. Connection Logs (metadata)
Connection logs are the most common type of log file that VPNs tend to keep. They contain technical information about your VPN connection. Under normal circumstances, they don’t retain your private information. Also referred to as metadata or diagnostic logs, they consist of connection metadata about VPN sessions rather than the actual content. Data can be collected at the server level, which benefits both the provider and the user. It can also be collected at the individual level. However, if collected individually, these logs can be linked to Personally Identifiable Information (PII), which poses a risk.
The types of data a connection log retains are:
- Bandwidth usage
- Dates and times of connection
- Originating IP address (personal level)
- VPN server IP address
- Protocol used
- How frequently a particular server is used
2. Usage Logs (activity logs)
The more invasive kind of log is one where a VPN keeps records of your online activity. Usage logs defeat the entire purpose of a VPN. Most “no-log VPNs” actually keep your activity log one way or another. We can further classify these logs as follows:
IP address logs
VPNs aren’t 100% safe, especially when a VPN logs your real IP, for whatever reason. You may trust your VPN, but your IP address is undoubtedly PII and thus can easily be used to identify you.
Traffic logs
Traffic logs, as the name suggests, are a record of your entire online activity. By using a VPN, you may escape the prying of your ISP, but are you sure your provider won’t come back to bite you?
Particular data retained under the usage log can be:
- IP address
- Your upload/download history
- Social media
- Search history
- App usage
- Psychological profiling based on browsing history
- Browsing history
- DNS requests
- URLs visited
- Usage metadata
Reasons for VPN Logging
You may be wondering: if logging is such a bad practice, why do VPNs still do it? Logs are indeed fatal for the VPN business. However, that’s only from the perspective of a user. They aren’t entirely bad for a VPN provider, because without logging, VPN providers won’t know who is using their services, nor will they be able to provide services that match the subscription agreement. All in all, logging aids the provider in developing and enhancing its services further.
However, there are also VPN providers that keep logs for undisclosed reasons. For example, free VPNs have to turn a profit somewhere, and that’s where log files come into play. Several reasons to log VPN use are as follows:
- Limiting Bandwidth — Most free or freemium VPNs adopt a policy of keeping tabs on your data traffic within a certain period. They do so because without logging your data, they can’t enforce bandwidth caps on you.
- Limiting the number of connected devices — Some VPNs may offer an unlimited number of connections per subscription. But most providers have a cap. To ensure that an account doesn’t exceed the allowed number of connected devices, they require logs.
- Due to VPS — Many VPNs, instead of a dedicated server, opt for virtual servers or VPS to curb costs. Therefore, the provider itself may not require logs of your activity, but a VPS provider certainly does.
- Due to certain legal obligations — Many VPNs are located in countries with strict data retention laws. As such, they have to maintain a certain amount of logs, no matter what they claim.
- To mine & sell your data to advertisers — Free VPNs must recoup the cost of providing service, and they do so by deploying ads. That fact itself isn’t an issue. It only becomes one when providers take things a step further and attempt to sell your data to said advertisers. Such companies, to maintain a steady profit, choose to retain logs and sell them.
- To optimize performance — As we have learned above, certain logs are beneficial to the service itself. From optimizing the existing VPN to enhancing the service, VPNs retain a limited amount of data.
Ideal VPN Logging – No logging
This brings us to the question: what kind of logs are ideal for a healthy VPN? While we acknowledge that there isn’t a correct answer to this question, we would still say that no logs is the right kind of logging for a VPN.
A No-log policy guarantees the user’s trust in a provider. It also ensures that the VPN is fundamentally more secure as far as privacy is concerned.
No-Log VPNs
No-log VPNs are those VPNs that strictly abide by the mantra of running a log-free VPN service. These VPNs not only claim to be log-free but also provide proof of that fact. A no-log VPN is a virtual network that doesn’t collect (log) any user data. Why are no-log VPNs the forerunners in the VPN race? Users need a VPN because they want better security and privacy. For a tool that encrypts user data and claims to aid users in their privacy, it becomes paramount to stick to the same principles.
A No-log VPN garners the most trust amongst its peers. However, with the growing number of commercial VPNs, this has become more or less a marketing strategy to attract potential customers. Today 90 out of 100 VPNs that claim to be no-log are in fact keeping some logs one way or another.
In this article, we will understand the need behind no-log VPNs and the benefits associated with them. Then, we’ll examine a few genuine VPNs that adhere to the policy of keeping no logs.
Why do we need No-Log VPNs?
The driving factor behind a No-log VPN boils down to legalities. To be more specific, it comes down to the country where the VPN provider is registered and the laws governing it. A government can force a VPN to hand over data if the law allows it to do so. Thus, a VPN that doesn’t store logs technically has nothing to hand over. For other VPNs, what matters most is the jurisdiction in which they operate.
Jurisdiction matters for a VPN because of:
- Five/Fourteen Eyes Countries — This is a loose alliance of 5 to 14 countries that share intelligence data. Brought to light by Snowden, these countries are even suspected of online surveillance. Therefore, many worry that a VPN located in a member country can be forced to hand over its data.
- Data retention laws — Laws vary from place to place. The questions to ask a VPN provider are whether the law requires ISPs to retain consumer data, and whether such laws apply to the provider too. If yes, then the VPN has to log your data to function.
Five Eyes/Fourteen Eyes
As mentioned above, the five eyes, or FVEY for short, is an intelligence alliance of five countries, namely:
- USA
- UK
- Canada (lenient on data retention)
- Australia
- New Zealand
The alliance’s official purpose is to enhance national security by adopting a free intelligence-sharing model that includes pooling resources to process more intel. However, as pointed out by Snowden, this arrangement can easily circumvent restrictions regarding online surveillance.
A big part of this intelligence alliance depends on monitoring and decrypting web traffic. On top of that, many countries that are members of this alliance advocate for an encryption backdoor. This is a worrisome thought for privacy activists.
Since its inception, this alliance has grown, with countries like Denmark, France, the Netherlands, Norway, Belgium, Germany, Italy, Spain, and Sweden joining the fray. It currently stands at fourteen strong.
Benefits of No-Log VPNs
A No-log VPN is crucial for those who want a robust privacy tool. Certain benefits associated with No-Log VPNs are:
- Keeps you anonymous — A VPN keeps you anonymous on the web. Not totally, but it helps to an extent. Especially with a No-log VPN, you don’t have to worry about governments, or anyone else for that matter, gaining access to your private data.
- Robust security — Since a No-log VPN ensures that it doesn’t retain anything, it makes for a complete security experience.
- Peace of mind — The most crucial aspect of a No-log VPN is that it provides a certain level of tranquility. With a no-log policy in use, a user doesn’t have to worry about any data leaks.
Verified No-Log VPNs
There have been instances like independent audits or real legal matters concerning data that helped us verify VPNs that hold to the essence of no logging. Although they did keep a limited amount of logs, it was made clear in their respective policies. Not only did they pass third-party assessments, but when pressed by authorities, they did not have any logs to hand over.
- ExpressVPN: Anonymous Connection Logs
- NordVPN: Strict No-log policy
- PIA: No-log VPN
Acceptable Logs
No-logs is a figurative term. A totally log-less VPN cannot even operate. For any service to function, it needs a certain amount of information. Thus even the best providers on the market retain some amount of data. What matters is that the retained data can’t identify the user in any way whatsoever. As such, certain justifiable logs that a VPN provider can retain are as follows:
- Aggregated Bandwidth Usage (server level)
- Aggregated Connection Logs (server level)
- VPN Server Location
- Server Load Data
- A subnet of Originating IP address (can only be used to identify your ISP)
Unacceptable Logs
A VPN is a privacy tool first and foremost. If a provider, for any reason, resorts to logging and retaining information that can be private, it needs to be avoided at all costs. Such unacceptable logs are:
- Browsing activity (PII)
- Originating IP Address (PII)
- Assigned VPN Server IP Address (individual level)
- Individual Timestamps
- Individual Bandwidth Usage
- DNS Queries
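The split between the acceptable and unacceptable lists above can be enforced in code before anything is written to disk. The following Python sketch is an added example, not code from any VPN provider: it collapses per-session records into server-level aggregates and keeps only a coarse subnet of the originating IP. The record field names, the sample sessions, and the /16 and /32 prefix lengths are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed per-session records; field names are assumptions for this example.
SESSIONS = [
    {"user_id": "u1001", "src_ip": "203.0.113.57", "server": "nl-ams-01",
     "start": "2024-05-01T10:02:11Z", "bytes": 1_200_000, "dns": ["example.org"]},
    {"user_id": "u1002", "src_ip": "203.0.113.200", "server": "nl-ams-01",
     "start": "2024-05-01T10:07:45Z", "bytes": 800_000, "dns": ["example.net"]},
    {"user_id": "u1003", "src_ip": "198.51.100.23", "server": "de-fra-02",
     "start": "2024-05-01T11:30:02Z", "bytes": 500_000, "dns": ["example.com"]},
    {"user_id": "u1004", "src_ip": "2001:db8:1234::1", "server": "de-fra-02",
     "start": "2024-05-01T11:41:19Z", "bytes": 250_000, "dns": ["example.org"]},
]

# Per-user fields from the "Unacceptable Logs" list; they must never be stored.
FORBIDDEN = {"user_id", "src_ip", "start", "dns"}


def isp_subnet(ip, v4_prefix=16, v6_prefix=32):
    """Truncate an originating IP to a coarse subnet (prefix lengths are assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def aggregate(sessions):
    """Collapse sessions into server-level totals with no per-user fields."""
    rows = defaultdict(lambda: {"connections": 0, "bytes": 0, "subnets": Counter()})
    for s in sessions:
        row = rows[s["server"]]
        row["connections"] += 1
        row["bytes"] += s["bytes"]
        row["subnets"][isp_subnet(s["src_ip"])] += 1
    return {srv: {**r, "subnets": dict(r["subnets"])} for srv, r in rows.items()}


def leaks(record):
    """Return the forbidden per-user fields present in a record about to be stored."""
    return sorted(FORBIDDEN & record.keys())


if __name__ == "__main__":
    for server, row in aggregate(SESSIONS).items():
        assert leaks(row) == []  # audit gate before anything is written to disk
        print(server, row)
```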
Problems with No-Log VPNs
VPNs are a commercial product. As such, they also need marketing. Sadly, no-log policies have become a cornerstone of such marketing strategies. Some VPNs mislead users with vague, false, or deliberately confusing logging policies. If you use a VPN without knowing what its logging policy entails, you may put yourself at unnecessary risk.
The common problems with no-log VPNs are as follows:
- False advertising — A VPN can claim one thing but do the opposite.
- Deliberate ambiguity — Some VPNs do not clarify their terms and conditions or policies.
- Lack of detail — Even when they provide some information regarding policies, there is a certain lack of clarity on the topic.
- Jurisdiction — A VPN out of the reach of the law can be both a good and a bad thing.