VPN services have become an important tool to counter the growing threat of Internet surveillance. Encrypting one’s traffic through a VPN connection helps to keep online communications private, but is your VPN truly anonymous? We take a look at the logging policies of dozens of top VPN providers.
Millions of Internet users around the world use a VPN to protect their privacy online.
Unfortunately, however, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.
This is the main reason why we have launched a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects. This year’s questions are as follows:
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user/users of your service? If so, what information do you hold and for how long?
2. What is the registered name of the company and under what jurisdiction(s) does it operate?
3. Do you use any external visitor tracking, email providers or support tools that hold information about your users/visitors?
4. In the event you receive a takedown notice (DMCA or other), how are these handled?
5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?
6. Is BitTorrent and other file-sharing traffic allowed (and treated equally to other traffic) on all servers? If not, why?
7. Which payment systems do you use and how are these linked to individual user accounts?
8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
9. How do you currently handle IPv6 connections and potential IPv6 leaks? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops?
10. Do you offer a custom VPN application to your users? If so, for which platforms?
11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party? Do you use your own DNS servers?
12. What countries are your servers located in?
Below is the list of responses from the VPN services in their own words. Providers who didn’t answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.
1. We do not store any logs relating to traffic, session, DNS or metadata. There are no logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.
2. Private Internet Access is operated by London Trust Media, Inc., with branches in the US and Iceland, which are a few of the countries that still respect privacy and do not have a mandatory data retention policy. Additionally, since we operate from the countries with the strongest of consumer protection laws, our beloved customers are able to purchase with confidence.
3. All of our VPN systems and tools are proprietary and maintained in house. We utilize some third-party tools in order to provide a better customer experience. By Q3 2017, all of these third party tools will be transitioned to in-house solutions.
4. We do not monitor our users, and we keep no logs, period. That said, we have an active, proprietary system in place to help mitigate abuse.
5. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” While we have not received valid court orders, we periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. This is all driven based upon our commitment to privacy. All this being said, we do not log and do not have any data on our customers other than their signup e-mail and account username.
6. BitTorrent and file-sharing traffic are allowed and treated equally to all other traffic (although it’s routed through a second VPN in some cases). We do not censor our traffic, period.
7. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, CashU, and any major store-bought gift card and OKPay. Payment data is not linked nor linkable to user activity.
8. Currently, the most secure and practical encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256.
9. Yes, our users gain a plethora of additional protections, including but not limited to:
(a) Kill Switch: Ensures that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could lead to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
(e) MACE™: Protects users from malware, trackers, and ads.
10. We have custom applications to which our users have left amazing reviews. PIA has clients for the following platforms: Windows, Mac OS X, Linux, Android, iOS and a Chrome Extension (Coming soon). Additionally, users of other operating systems can connect with other protocols including OpenVPN, SOCKS5 (unencrypted), and IPSec, among others.
11. We utilize our own bare metal servers in third-party datacenters that are operated by trusted friends and, now, business partners whom we have met and on which we have completed serious due diligence. Our servers are located in facilities including 100TB, Choopa, Leaseweb, among others.
We also operate our own DNS servers on our high throughput network. These servers are private and do not log.
12. As of the beginning of 2017, we operate 3283 servers across 37 locations in 25 countries. For more information on what countries are available, please visit our network information page.
1. As stated in our terms of service, we do not monitor, record or store any VPN user logs. We do not store connection time stamps, used bandwidth, traffic logs, or IP addresses.
2. The registered company name is Tefincom co S.A., and it operates under the jurisdiction of Panama.
3. We use Google Analytics and third-party ticket/live chat tools (Zendesk/Zopim). Google Analytics is used to improve our website and provide our users with the most relevant information. The ticket/live chat tool is used to provide the best support in the industry (available 24/7), but not tracking our users by any means.
4. We operate under Panama’s jurisdiction, where DMCA and similar orders have no legal bearing. Therefore, they do not apply to us.
5. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our zero-log policy means that we don’t have any information about our users’ online activity. So far, we haven’t had any such cases.
6. Yes, we allow P2P traffic. We have optimized a number of our servers specifically for file-sharing; ensuring other servers, which are meant for streaming and other purposes, have uninterrupted speeds. In any case, we do not engage in bandwidth throttling for P2P users.
7. Our customers can pay via credit card, PayPal and Bitcoin. We do store the standard billing information for refund purposes, but it can not be related to any Internet activity of a particular customer. Bitcoin is the most anonymous option, as we do not link the payment details with the user identity or other personal information.
8. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie-Hellman keys. IKEv2 protocol is used by default in our OS X and iOS apps, and it can be manually set up on Windows and Android OS. We are also exploring possibilities to develop IKEv2 based apps for Android and Windows. At the moment, Windows and Android apps are using AES-256-CBC encryption with 2048-bit key.
9. Yes, we do provide both an automatic app-level kill switch and a feature for DNS leak protection. Our OS X, Windows, iOS and Android apps have IPv6 leak protection implemented. NordVPN service will not leak IPv6 address.
10. We have custom VPN applications for Windows, MacOS, Android, and iOS. All NordVPN apps are very easy to install and use, even with no previous experience with VPN services.
11. We use a hybrid model, whereby we control some of our servers but also partner with premium data centers with strong security practices. Furthermore, due to our special server configuration, no one can retain or collect any data. All servers have been set up with a zero logs policy. We do have specific requirements for network providers to ensure highest service quality for our customers. We do have our own DNS servers, and all DNS requests go through those.
12. At the moment, we have 741 servers in 58 countries. You can find the full list here.
1. ExpressVPN is an anonymous, offshore, zero-log VPN service provider. We are in the business of keeping our customers private and secure.
We do not possess information that would enable us to identify a user by an IP and timestamp produced as part of an investigation. ExpressVPN IPs are shared among customers, and we don’t have the ability to match a customer to an IP address. We designed our network to maximize privacy protection for our customers.
2. Express VPN International Ltd. is a BVI (British Virgin Islands) company. The BVI is a small, independent nation in the Caribbean renowned as an offshore jurisdiction with strict privacy regulations and no data retention laws.
3. We use 3rd party website analytics tools such as Google Analytics. We use Zendesk for support tickets and Snapengage for live chat. We believe that these are secure platforms.
Information about how you use the VPN itself (such as browsing history, traffic data or DNS queries) is never revealed to 3rd parties and is never logged or stored by ExpressVPN.
4. As we are a network service provider rather than a content host, there is nothing to take down. We also do not attempt to identify an ExpressVPN user in this case, report the user, or otherwise restrict service. Our customers should rest assured that their anonymity is protected.
5. VPN companies receive subpoenas and other legal requests as a matter of regular occurrence. This is one of the most significant advantages of our BVI jurisdiction. A court order would need to take place in the BVI for it to be legally valid. If we receive a request from another jurisdiction, we let them know that we don’t maintain logs that would enable us to match an IP address to an ExpressVPN user.
6. ExpressVPN allows all traffic including BitTorrent from all VPN servers and does not impose restrictions based on the type of traffic our users send.
7. ExpressVPN accepts all major credit cards including VISA, MasterCard and American Express. We also accept PayPal and a large number of local payment options. For users who want maximum privacy and don’t want to send us personally identifying payment information, we recommend bitcoin. In fact, we’ve written a complete guide to protecting your financial privacy with bitcoin.
8. In most cases we recommend (and default to) OpenVPN UDP. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers.
9. Yes, we call this leak protection feature “Network Lock”, and it is turned on by default. Network Lock prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your Internet connection drops or in various additional scenarios where other VPNs might leak.
10. ExpressVPN has award-winning apps for Windows, Mac, iOS, Android, Linux, and routers. Our apps are designed to make it easy for users to choose a VPN location and get connected. They also offer much better security and privacy protection than manually configuring a VPN. With the ExpressVPN App for Routers, we make it easy to protect every device in your home using a VPN that is always connected.
11. Our VPN servers are hosted by trusted data centers with strong security practices. The data center employees do not have server credentials, and the server disks are fully encrypted to mitigate any risks from physical seizure. We run our own zero-knowledge DNS on every server (no 3rd party DNS).
12. ExpressVPN has thousands of high speed servers in 145 locations across 94 countries. See the full list here.
1. No logs or time stamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a shared IP configuration across all servers. Because there are no logs kept and multiple users sharing a single IP address, it is not possible to match any user with an IP and time stamp.
2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.
3. We use anonymized Google Analytics data to optimize our website and Sendgrid for transactional email. TorGuard’s 24/7 live chat services are provided through Livechatinc’s platform. Customer support desk requests are maintained by TorGuard’s own private ticketing system.
4. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log and no time stamp policy and shared IP network – we are unable to forward any requests to a single user.
5. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our network and shared IP configuration and the fact that we do not hold any identifying logs or time stamps to pinpoint any specific user. We have never been able to identify any active user from an IP and time stamp.
6. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block or limit any types of traffic across our network.
7. We currently offer over 200 different payment options. This includes all forms of credit card, PayPal, Bitcoin, altcoins (e.g. Ether, litecoin + more), Alipay, UnionPay, CashU, 100+ Gift Card brands, and many other local payment options. No user can be linked back to a billing account because we maintain zero logs across our network.
8. For best security, we advise clients to use OpenVPN and select the cipher option AES-256-CBC, with 4096-bit RSA and SHA512 HMAC. We use TLS 1.2 on all servers with perfect forward secrecy enabled. For faster speeds and “obfuscated” Stealth VPN access, we suggest using OpenConnect SSL VPN with cipher option AES-256-GCM. TorGuard offers a wide range of VPN protocols, including OpenVPN, L2TP, IPsec, SSTP, OpenConnect/AnyConnect (SSL VPN), and IKEv2 – we still offer PPTP for those of you who need it, but we don’t recommend it.
9. TorGuard’s VPN software provides strict security features by automatically disabling IPv6 and blocking any potential DNS or WebRTC leaks. We offer a full connection kill switch that safeguards your VPN traffic against accidental disconnects and can hard kill your interfaces if needed, and an application kill switch that can terminate specific apps if the VPN connection is interrupted for additional safety. All recommended security features are enabled the moment you install TorGuard to ensure by default you have max security while tunneling through our network.
10. TorGuard’s popular VPN client is available for all versions of Windows, Mac OSX, Linux, Android, and iOS. We also offer easy DDWRT and Tomato setup tools for VPN routers, and a Firefox/Chrome SSL proxy app. To stay up to date with current security threats, our VPN software is actively developed and constantly evolving.
11. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by TorGuard staff. Because there are no logs kept on any TorGuard VPN and Proxy servers, there is no risk of data theft should a machine become seized.
TorGuard VPN apps default to using internal secure no-log DNS servers that run on each VPN endpoint. We suggest this configuration for highest levels of privacy; however, clients can customize their DNS settings and choose from zero log TorGuard public DNS, Google DNS, Level3, or a customized DNS entry of their choosing.
12. TorGuard currently maintains thousands of servers in over 53 countries around the world, and we continue to expand the network every month. All customers get full access to our network.
1. Anonymizer does not log ANY traffic that traverses our system, ever. We do not maintain any logs that would allow you to match an IP-address and time stamp to a user of our service.
2. Our company is registered as Anonymizer Inc. Anonymizer Inc. operates under U.S. jurisdiction where there are no data retention laws.
3. Anonymizer uses a ticketing system for support but does not request user verification unless it is needed specifically in support of a ticket. Anonymizer uses a bulk email service for email marketing but does not store any details on the individual email address that would connect them to being an existing customer.
Anonymizer uses Google Analytics and Google AdWords to support general marketing to new customers. Both of these tools do not store identifiable information on any unique customer or any way to identify a specific individual as a user of our service. We also actively ensure no link is created from the data in either system to any specific customer following a trial or purchase of our product.
4. Since Anonymizer does not log any traffic that comes over our system, we have nothing to provide in response to DMCA requests. None of our users have ever been issued a DMCA takedown notice or the European equivalent. We’ve been around for over two decades – making us one of the oldest services out there – and we’ve never turned over information of that kind.
5. Anonymizer Inc. is required by law to respond to all valid court orders and subpoenas. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated with service use. If a user paid by credit card we can only confirm that they purchased access to our service.
There is, and would be, no way to connect a specific user to specific traffic ever. There have been instances where we did receive valid court orders and followed the procedures above. In our 20 years of service, we have never identified details about a customer’s traffic or activities.
6. All traffic is allowed on all of our servers, so long as it complies with our EULA and Terms of Service.
7. Anonymizer Inc. uses a payment processor for our credit card payments. There is a record of the payment for the service and the billing information associated with the credit card confirming the service has been paid for. We also offer a cash payment option. Cash payment options do not store any details.
8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP/IPSEC.
9. Anonymizer’s client software does not support IPv6 connections. All customers are asked to disable IPv6 connections for the application to function. Our client software does have the option to enable a kill switch that prevents any web traffic from exiting your machine without going through the VPN.
10. We offer a custom VPN application for MacOS and Windows. Our default application log only logs fatal errors that occur within the application which prevents the application from running.
11. We own ALL of our hardware and have full physical control of our servers. No third party has access to our environment. We operate our own DNS servers.
12. We have servers in the United States and Netherlands.