VPN Logs. Should you be concerned?

I’ve been meaning to write this up since March when I talked about a VPN Leak situation. Are you aware that some VPN providers maintain logs about your usage of their service? Some VPN logs are more detailed than others. In some cases the VPN providers state on their website that they don’t keep logs and yet they still do. This could potentially go against the requirements of the GDPR, as they must state clearly what personal data they process on you. So saying they don’t and then actually doing it is a breach of the law.

We don’t do VPN logs … often

BolehVPN clearly states on their main site that they have a No logs policy. There for all the world to see in green and white:

And yet, if you mosey on over to their privacy policy, that changes things:

This might seem a reasonable process to allow. After all, nobody likes people who are abusing a service. However, they are saying they turn on VPN logs to capture enough information to be able to identify a user and find out what they are up to that is causing the alleged abuse. Now bear with me on this one. It’s not as far-fetched as you might think.

  • What if the “abusive user” was actually law enforcement in a totalitarian regime?
  • What if they had compromised BolehVPN’s servers and were trying to locate “rebel activists” within their borders?
  • What if they start overloading the servers, prompting BolehVPN to initiate logging to identify the offenders?
  • If the “rebel activists” were connected at that time, then law enforcement should be able to gain access to those logs and be able to identify them.

I’ll now toss in the GDPR aspect here. That privacy policy doesn’t specify what personal data is being logged, which would actually be a requirement for any EU resident using the BolehVPN service. So they would be in breach of the regulation here.

Careful wording

Some providers use very carefully chosen language. For example, Astrill VPN says clearly on their main website page “No Logs kept” and then in their privacy policy they indicate that they have logging in place, but only while the connection is active. So the logs are not kept, but they still exist for the duration of the connection.

At least Astrill specify what data they have in the “temporary” log.

Excessive VPN Logs

Other providers are quite open about the information they log on you, but in some cases the amount of information they log is actually quite concerning. HideMyAss VPN keeps a record of the following for at least 30 days (though it could be longer):

For a company that sells a product that supposedly improves your online privacy, that is quite a lot of information about you that they are holding onto. The other concern here is that HideMyAss is a UK-based company. The United Kingdom has in recent years passed what is known as the Snoopers’ Charter. This gave government ministers powers to access people’s personal data without there being a suspicion of law breaking. Also, the UK is a member of the Five Eyes countries. These countries regularly ask for and are provided with intelligence about individuals, ostensibly for national security purposes.

With the amount of data logged by HideMyAss and easy access to it by the powers that be, you won’t be browsing the internet as privately as you may think. They have, in the past, handed over information to the US FBI about a hacker.

I’ve broken no laws. Why should I be concerned?

You may have broken no laws now. But what if the government introduced a law that you didn’t like and you could bypass this law by use of a VPN? You might value the fact that a good private VPN doesn’t give law enforcement enough data to convict you.

While this might be an unlikely scenario (though with the way things are going in the US right now, who knows), it probably isn’t something that should directly concern you. Flip this around though. There are countless people (e.g. journalists, human rights advocates), living in countries that are effectively police states, who are trying to get the truth out about what is happening in those countries and they absolutely need every bit of anonymity that they can get.

VPNs are absolutely essential to these types of people, but also for people who value their online privacy and security. I typically will never connect to a public Wi-Fi internet connection (e.g. in a coffee shop) as I simply do not trust how they have been set up. I also cannot be certain that the access point to which I would connect is actually the one being provided, as an evildoer can have their laptop “impersonate” (spoof) the coffee shop’s Wi-Fi and then record all of the data that is sent and received from my laptop.

Instead, I will typically use the hot-spot facility on my phone to connect to the internet. However, if my signal is terrible and I really need to get on the internet, I will connect to the Wi-Fi, but then immediately establish a VPN connection, thus encrypting my connection and making all of the data meaningless to any bad guy intercepting my traffic.

The bottom line here is, if you value privacy, then get yourself a VPN that does not log any data about you or your activity on their service. You’ll have to read the privacy policies closely though to ensure that this is the case and that VPN logs are not recorded.

Let’s be careful out there.