X

Why you should be skeptical about a VPN's no-logs claims

For VPNs, being a no-logs provider is easier said than done.

hodge-headshot-2022
hodge-headshot-2022
Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Rae Hodge
8 min read
VPN for online security and privacy
James Martin/CNET

Never mind its speed, customer service, or price -- the single most persuasive claim any virtual private network  provider can make to appeal to potential customers is that it keeps no logs of your web activity while you use its service. Every leading service in our directory of recommended VPN services and in the wider market globally claims to be a "no-logs" provider. 

The problem with that no-logs claim, though, is that you can't prove a negative. Verifying that a VPN isn't logging user activity is impossible from the outside. That's why some VPNs hire external auditors -- or even journalists --  to check inside their networks and see if they can find anything amiss. It's a nice idea, but even once you're rummaging through internal servers, not stumbling across a trove of logs doesn't mean they aren't there. 

That's the core problem with even the best VPN -- despite all the audits and transparency gestures many companies undergo, it's still a user-trust business. No matter how much we trust any particular VPN to help mask our internet browsing, it's virtually impossible to verify whether a VPN truly keeps no logs. And we engage in that service knowing that all of our data is essentially funneled to a single company, with servers whose activity no expert can verify.

The reality is that all VPN providers have to keep certain logs of your activity in one way or another to make sure the service is maintained, and to continue operating at maximum speed. If you're using the VPN just for watching out-of-area sports or streaming services, you may not be worried about a record of your VPN traffic. But for political dissidents, lawyers, journalists and leakers, distinguishing between the two types of user logs kept by VPN companies when deciding which you should invest in is key to personal safety. 

Read more: Best VPN services of 2020

Connection logs 

The first kind of logs VPN providers may keep are sometimes called connection logs. In the best-case scenario, these are limited and seemingly anonymized logs that help the VPN provider monitor the workload of each server so that they can manage traffic, prevent abuse of the service and keep its network running. Any VPN service that limits the number of simultaneous connections per user (which is nearly all those we've reviewed, except for Surfshark) has to keep some of these kinds of logs in order to enforce the customer limit. 

Connection logs could include things like: 

  • The time you connected to the VPN and how long you were connected for
  • The IP address you originally connected from
  • Which server within the VPN you're connecting to
  • Any diagnostic data you agree to send to the VPN following a crash

Because data retention laws vary by country, a VPN provider may be required to keep some kind of connection logs for a specific period of time in order to make them available to law enforcement officials if subpoenaed.  

Make no mistake, some of these types of logs can readily identify your home as a source of internet traffic, thereby compromising your privacy . Because of this, some companies such as ExpressVPN, vow to never keep connection logs. 

It's worth looking at the types of connection logs your VPN claims to maintain, and for how long they're maintained. If your VPN keeps IP address connection logs, for instance, then it's best to look elsewhere for a provider. 

Usage logs

The more concerning kind of VPN user logs are commonly called usage logs. These are the ones that a VPN company means when it calls itself a "no-logs provider." Usage logs, sometimes called traffic logs, are literally records created which describe your IP address and track its activity across the websites you visit. If a VPN service is caught keeping these kinds of logs, it's a PR disaster at the very least, and possibly an existential challenge. 

Some of the things that can be discovered about you via your usage logs could include:

  • A list of all the websites that you've visited 
  • The content of any messages you've sent or received if not encrypted
  • A list of which apps and services are on your device (if the VPN funnels web traffic for all the connected apps on your device)
  • Your physical location, if your IP address is being logged

Suffice it to say, that's the sort of information being logged by ISPs and advertisers that drives many users to subscribe to a VPN in the first place. So finding out that your VPN is logging the same info on you is just substituting one bad actor for another. 

Read moreRed flags to watch out for when choosing a VPN

7 free 'no-log' Hong Kong VPNs that were keeping logs

That's exactly what happened earlier this month, when Hong Kong-based VPN provider UFO VPN was found by Comparitech to be keeping detailed information on its users. A database of usage logs -- including account credentials and potentially user-identifying information -- was exposed. To make matters worse, six more VPNs -- all of which were apparently sharing a common "white label" infrastructure with UFO -- were also reportedly logging data, according to The Register

While all of the offenders billed themselves as no-log VPNs, they were also free VPNs -- another reason why you should always avoid using free VPNs

top5-vpn1
Watch this: Top 5 Reasons to Use a VPN

The law enforcement test

One of the clearest ways a VPN provider can prove it keeps no usage logs is to have its servers seized by authorities. That's exactly what happened to ExpressVPN in 2017, when an investigation into the 2016 assassination of Russia's ambassador to Turkey, Andrei Korlov, led Turkish authorities to seize one of ExpressVPN's servers looking for logs of conversation allegedly related to the crime. Authorities came up empty-handed, which bolstered ExpressVPN's no-logs reputation

The same trial by fire happened to IPVanish and PureVPN in 2016 and 2017, respectively -- but with decidedly different results.  In the case of IPVanish, federal law enforcement came knocking with a warrant (or, more precisely, a Department of Homeland Security records summons), and the VPN's "zero-logs" policy was put to the test. IPVanish provided authorities information that led to the identification and arrest of a child predator. A similar incident the following year revealed PureVPN had cooperated with the FBI to track a stalker using its service. In other words: Both "no log" VPNs appeared to be providing logs to authorities. 

Read moreHow to identify a good VPN: 3 features to look out for

No such thing as online anonymity

To be clear here, my beef isn't with a VPN company helping cops catch a child abuser or stalker via usage logs, assuming the requisite warrants or subpoenas are proffered. It's with a VPN company lying to its customers about its underlying policies. VPNs are international operations. The lie that helps law enforcement in the US catch abusers is the same lie that helps law enforcement in China arrest a person for using a VPN at all. 

If you take away just one thing from this article, let it be this: Total anonymity on the internet does not exist. Do not allow any company to fool you into believing that you are operating completely anonymously on the internet. In most cases, the skillful choice and operation of a VPN is the best way to improve your privacy odds and can make you much harder to catch, but no VPN (or any software) can truly make you disappear.

You may also consider using private browsing tool Tor instead of a VPN, but be warned: Tor is browser-based and therefore does not by default encrypt all of the internet connections your computer is making at any given moment. So any internet-connected background programs or apps -- whether seemingly secure messaging apps, torrenting apps, or even unseen micro-apps that help a larger piece of software function -- which are operating outside of the Tor browser could be leaving a trail of your private data. Using Tor with a VPN simultaneously can also ultimately undermine both types of privacy if you haven't properly configured the two to work together. 

Also be wary of home-based proxy servers as a cure-all if you are in a country with anti-VPN and anti-encryption policies; without proper obfuscation technology, your traffic will look like two kids inside a trench coat trying to sneak into an R-rated movie. 

Tips for choosing a safer VPN 

If you're using VPNs because the stakes of your searches are life and death, then not only do you want to scrupulously check your VPN's privacy policy to see if it openly admits to any of these logs, but you want to be sure you select a VPN proven to never keep logs (in other words, one that survived a server seizure unscathed or has an impressively thorough audit record). Even then, the risk you take still includes a potentially unknown company ownership structure. 

To improve your privacy odds, look for a VPN headquartered outside of the reach of a country with data retention laws and international intelligence sharing agreements, which supports Perfect Forward Secrecy and obfuscation, touts a RAM-only server network, and avoids or limits the use of virtual servers. Virtual servers can be necessary in some cases, such as ExpressVPN's current use of them in Turkey, but they're generally thought less secure than "bare-metal" physical servers. 

The shadiness of VPN supply chains is well documented. So you may also improve your privacy odds by selecting a VPN which owns 100% of its fleet of servers (a rare claim, and rarer still to prove), and by connecting only to those servers maintained outside the countries whose surveillance you're trying to avoid. Most VPNs lease server space from third-party contractors across the world out of financial necessity, but each of those server warehouses present a potential privacy vulnerability. 

At any point, a spot of outdated server management software (which varies from contractor to contractor) in the far reaches of a country could lead to potential identity exposure. We saw this when NordVPN saw a single server contractor compromise in October 2019, leading to its recent RAM-only conversion. A less charitable interpretation of that risk is warranted here: Anyone with administrative access to those servers, under the right kind of persuasion, could potentially activate some form of monitoring. 

In the best case, that monitoring would only reveal traffic which retains a base level of HTTPS encryption, and wouldn't reveal the server you came from or the server you're heading to. In the worst case, your traffic is naked and your use of a VPN can get you in more trouble than the search you tried to hide with a VPN. 

For more on VPNs, check out all the VPN terms you need to know, and why you should never trust a free VPN.

windows-10-virus
Watch this: Best antivirus apps for Windows 10