We have noticed a disturbing trend in the VPN industry. More and more VPN providers are promising an “anonymous” or “no logging” VPN service while providing minimal, or zero, transparency about how they actually handle your data. These so called “anonymous” VPN providers fall into two categories:
We aren’t the only ones who question the “anonymous” or “no logging” VPN providers:
[i]f someone tells you ‘you will be completely anonymous, [because] you’ll have VPN running all the time’, that’s a lie.SpiderOak, VPN, privacy and anonymity
…you have absolutely no way to know for sure how safe a “No logs” claim really is. Trusting your life to a no logs VPN service it is like gambling with your life in the Russian rouletteWipe Your Data, “No logs” EarthVPN user arrested after police finds logs
[a]nyone who runs a large enough IT infrastructure knows that running that infrastructure with ZERO logs is impossible.
The “anonymous” or “no logging” VPN Providers have diverted privacy-conscious VPN users to focus on the false promise of anonymity instead of focusing on what really matters when choosing a VPN provider: transparency, trust, ease of use, performance and reliability. We hope dispelling some of these common myths will lead to a more transparent and frank discussion about privacy in the VPN industry and on the Internet in general.
- Myth #1: I can be anonymous on the Internet
- Myth #2: Anonymity and privacy are the same
- Myth #3: When my VPN provider advertises an “anonymous” service, that means they don’t log any identifying information about me
- Myth #5: Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous
- Myth #6: Even if my VPN provider doesn’t own and operate the network I can still be anonymous
- Myth #7: Any VPN logging is bad
- Myth #8: Privacy companies don’t collect or sell my data
- Myth #9: All VPN software is the same
- Myth #10: Tor is a better alternative than a VPN
I can be anonymous on the Internet
Anonymity is defined as not being named or identified. You are not anonymous when you are online, even when using privacy tools like Tor, Bitcoin or a VPN. Every service has at least one piece of information that can be used to distinguish different users, whether it’s a set of IP addresses (VPN and Tor) or a wallet (Bitcoin). This information alone may not reveal any private details about the user, but it can be associated with other similar information to eventually identify an individual.
A VPN doesn’t make you anonymous either, but does greatly increase your privacy and security online. A VPN is similar to the curtains for the windows of your house. The curtains provide privacy for activities happening inside your house – even though your house address is public.
Privacy is a more realistic goal, not anonymity. Privacy is inherently personal and has different definitions for different people, but privacy generally means the ability to exclude information about yourself. Privacy can also mean the right to express yourself:
[p]rivacy is your right and ability to be yourself and express yourself without the fear that someone is looking over your shoulder and that you might be punished for being yourself, whatever that may be.
Anonymity and privacy are the same
Services that claim to make you anonymous attempt to eliminate any identifying data (which is not a realistic goal, as discussed in Myth #1). However, services designed to protect privacy instead allow users to control access to their personal data, but do not eliminate all identifying data.
Internet users can use private web browsers, proxies, Tor, encrypted messaging clients, VPNs and other great tools to increase their privacy online. These privacy tools help defend against mass surveillance by governments or by private corporations “deputized” to collect information at the direction of the government (in the United States companies such as AT&T, Verizon, Time Warner, Comcast). But none of these tools, alone or in any combination, make you anonymous. Online privacy through secure communications is a realistic goal, but anonymity is a false promise.
Edward Snowden recently encouraged Internet users to focus on increasing privacy to defeat “mass surveillance:”
…basic steps will encrypt your hardware and … your network communications [making] you…far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you, if the NSA is after you, they are still going to get you. (emphasis added) But mass surveillance that is untargeted and collect-it-all approach you will be much safer.
As one of Golden Frog’s founders posted to the Usenet, “You are not anonymous on the Net. You can run, but you can’t hide.”
When my VPN provider advertises an “anonymous” service, that means they don’t log any identifying information about me
A VPN Provider in the UK that advertised an “anonymous service” on its website was outed for turning over customer information about a LulzSec Hacker to the authorities. As you will read below, limited VPN logging is not necessarily bad, as it helps the VPN provider troubleshoot customer issues, prevent abuse of its IP space and network and offer different VPN plans (such as multi-device or GB limited plans). But advertising one service and delivering another service is wrong.
Website: “surf anonymously”
Website: “PureVPN anonymous VPN service;” “makes you anonymous;” “anonymous web surfing”
“Furthermore, in the course of using PureVPN services, you or someone else on your behalf may give out information about yourself or give access to your system. This information may include, but not limited to:
- Names and IP addresses
- Operating systems
- Operational logs”
Website: “surf anonymously;” “browse anonymously”
“When choosing an access point please note that only this server will process your IP address and request for the webpage you would like to access (the “Targeted Website”).”
“…on the server you selected, your site request and your IP address are received via an encrypted connection.”
Website: “surf anonymously;” “top notch security and anonymity”
When a VPN provider simply says they perform “no logging” it does not guarantee online anonymity or privacy. Any systems or network engineer will confirm that some minimal logging is required to properly maintain and optimize systems or the network. In fact, any provider claiming “no logging” should cause you to immediately question what is happening with your private data. If a VPN provider kept absolutely no logs, they wouldn’t be able to:
- Offer plans with limits on GB usage or per user basis
- Limit VPN connections to 1, 3 or 5 on a per user basis
- Troubleshoot your connection or offer support for server-side problems
- Handle your DNS requests when using the VPN service. They might rely on a 3rd Party DNS provider that logs DNS requests
- Prevent abuse, such as spammers, port scanners and DDOS to protect their VPN service and their users
Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous
Anyone that runs server infrastructure knows running infrastructure with ZERO logs is extremely difficult, if not impossible. Now imagine how hard it would be to eliminate logging if you DIDN’T run your own infrastructure and instead rented your VPN servers and network from 3rd parties! Aside from Golden Frog, virtually all VPN providers in the world do not run their own infrastructure. Instead, VPN providers “rent” their servers and network from a “landlord,” such as a hosting company or data center. When the VPN provider “rents” instead of “owns,” how can it guarantee that its “landlord” will respect the privacy of its VPN users?
Just last year, a Dutch customer of a “no log” VPN Provider was tracked down by authorities by using VPN connection logs after using the “no log” VPN service to make a bomb threat. The VPN provider’s data center provider (“landlord”) apparently seized the VPN server at the direction of the authorities. The data center provider was also keeping network transfer logs of the VPN provider. The VPN Provider says they cancelled the contract with the data center but strangely didn’t address the other 100+ locations where they presumably rent VPN servers. Did they cancel contracts with those data centers too? Predictably, this same VPN Provider still prominently advertises an “anonymous VPN service” and claims it keeps “absolutely no logs.”
In the forum of a different VPN Provider, a discussion thread conveniently disappeared when a user questioned whether users can trust data centers to not log.
In 2016, another VPN provider, Perfect Privacy, had two of its servers seized by police in the Netherlands. In this instance the authorities went straight to the hosting provider to obtain the hardware, bypassing the VPN provider completely. This again illustrates the danger of using third parties. If a provider uses third-party hosting and isn’t even contacted when the servers are seized, how can they possibly ensure your data and information are kept safe?
Some questions to ask about VPN Providers who “rent” servers include:
- How can the “Server Renters/Cloud” protect their users from their hosting companies taking snapshots of their machines for backup purposes, DDOS purposes, or at the direction of law enforcement?
- How can “server renters” prevent a live migration of the hosted VPN server in which an entire image is taken of the computer, including operating system memory and hard drive, especially when live migrations can be invisible to the VPN Provider?
- What happens to the data when the hosted machine is no longer used by the VPN provider?
- If you don’t own the server, how can you be sure your landlord doesn’t have a key or backdoor into the hosted server?
Even if my VPN provider doesn’t own and operate the network I can still be anonymous
Most VPN providers (except Golden Frog of course!) don’t run their own network and instead let hosting providers run the network for them. “Running your own network” means you own and operate the router and switches. If your VPN provider does not run its own network, you are susceptible to their hosting company listening for traffic on both inbound and outbound connections. Listening to Internet traffic allows for a tremendous amount of correlation and identification of user activity.
For example, if you listen to two people talk in a restaurant you can learn enough from the conversation to identify who is talking – even if you don’t know their identity when you start listening. If a VPN provider does not run its own routers, then it can’t control who is listening to its users. Even worse, a “no-logging” VPN provider recently admitted that it used a “packet sniffing” software to monitor traffic to prevent abuse.
Any VPN logging is bad
By logging a minimal amount of data, VPN providers can vastly improve your experience when using a VPN. VPN providers should only retain the minimum amount of data to operate their business and delete that data as soon as they don’t need it.
Edward Snowden recently said at SXSW 2014:
“One of the things I would say to a large company is not that you can’t collect any data [but] that you should only collect the data and hold it for as long as necessary for the operation of the business.”
Minimal logging provides VPN users the following benefits:
- Improved speed and performance by allowing VPN providers to optimize network connections
- Improved reliability by allowing VPN providers to identify and fix low level service issues to prevent outages
- Troubleshooting of specific customer issues, including speed, connection and application issues
- Different levels of accounts to meet customer needs, such as connection limited accounts and byte limited accounts
- Protection against abuse from spammers, port scanners, DDOS, etc, so VPN providers can terminate customers who are abusing other Internet users
- Termination of malicious users so VPNs remain a respected Internet tool for preserving users’ right to privacy, and so VPN users are not blocked from websites and services
MYTH #8 NEW
Privacy companies don’t collect or sell my data
We have noticed a disturbing trend of “so-called” privacy companies offering free services so they can snoop on users. Just because a company offers a privacy product or service does not mean they will keep your data private. This is especially true for companies that offer free services to users. When you use a privacy tool you are often are required to give access to more information than the tool can protect, so you need to trust the company. Marketing companies have rushed into the privacy space and are abusing that trust. Here are some examples:
Onavo (by Facebook)
Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? Because the VPN functionality gives the app visibility into the network connection for the entire phone. Consequently, information such as URLs and app usage is exposed, and Facebook can examine user activity for their own purposes. The price of free is just too high.
Hola is yet another offender masquerading as a privacy company. Hola offers “secure browsing” to its users, but was recently revealed to be selling the bandwidth of its free users without their knowledge, effectively turning them into a botnet.
VPN Defender (by App Annie)
App Annie is a mobile analytics firm that collects and sells app usage data to companies, such as venture capitalists, for competitive research. App Annie bought VPN Defenderlast year presumably, just like Facebook, so they could collect more app usage data. In the analytics industry, this practice is called “selling the insides.”
Web Proxy Services
Most proxies don’t encrypt your Internet connection, and to operate they have visibility to each and every URL you visit. A recent blog post that analyzed the security of free proxy services determined that only 21% of the over 400 services examined weren’t “shady,” and over 25% of proxies modified the web code to inject ads. Many companies who offer services to help you be “anonymous” online actually collect a great deal of personal and identifying information on their users – information which they could sell.
MYTH #9 NEW
All VPN software is the same
As a recent study pointed out, some VPN products can suffer from IPv6 leakage and DNS vulnerabilities, causing many users to think twice about relying on a VPN to protect them online. However, not all VPNs are created equal. When it comes to the IPv6 leak, only VPNs that run through IPv6 are in danger, and those that use 3rd-party clients (which Golden Frog does not do) are most at risk. As for the DNS vulnerabilities, most VPN providers don’t offer their own DNS servers like Golden Frog does. When DNS requests are sent over 3rd-party networks to 3rd-party DNS servers, users are more vulnerable to monitoring, logging or manipulation.
MYTH #10 NEW
Tor is a better alternative than a VPN
Tor is frequently cited as an alternative to using a VPN. However, as several publications have correctly pointed out, Tor doesn’t make you anonymous. Even Tor admits that it can’t solve all anonymity problemsand cautions users to proceed accordingly. Tor is difficult for the average Internet user to setup, and users often complain that Tor is slow. One publication even said “If you still trust Tor to keep you safe, you’re out of your damn mind.”
Tor has even accused the FBI of paying Carnegie Melon $1 Million to use their “Tor-breaking research” to reveal the identity of some of the service’s users.