Privacy by policy vs. privacy by design: At SpiderOak we always preach privacy by design, we don’t *choose* to not see your data, we just *can’t*.
Sadly, a lot of online services cannot take on that philosophy, simply because of how the internet works right now. This is the case of VPN. VPNs are a great service, but depending on what you want or need, they might have some drawbacks, as we commented on our VPN, privacy and anonymity post.
If after understanding the contents of that post, you still want to use VPN, you will want to use one that is run by someone or some company that is trustworthy, because they will *choose* to protect your privacy. We believe IVPN is a really good example of how this kind of services should be run, so without further ado, we continue this post with a few words from Nick from IVPN. – Tomas
This article was written by IVPN’s Nick Pearson. IVPN is a privacy-orientated VPN platform, an Electronic Frontier Foundation member, dedicated to protecting online privacy.
For many years commercial Virtual Private Network companies have promised customers freedom from online surveillance and data retention practices. But with the government seemingly waging war on online privacy, is it really possible for a VPN company to protect its users – and how do you know which VPNs actually take online privacy seriously?
How secure is a VPN?
Firstly, any individual who has a critical need to avoid surveillance, such as political dissidents or anyone whose life may be at risk, should not rely on a single privacy tool to protect them – whether it’s a VPN, a free tool like The Onion Router, or I2P. In such scenarios, advanced set-ups, involving compartmentalization and isolation via a combination of virtual machines, VPNs and Tor, would be required (you can check out IVPN’s guide to advanced privacy solutions here). It’s also worth noting that even highly sophisticated set-ups probably won’t protect you from targeted surveillance by global-scale intelligence agencies, which can marshal a level of resources and expertise far beyond any individual or company.
However, generally speaking, most potential VPN customers simply want to avoid data retention at the ISP level and circumvent internet censorship. In this case a VPN service would be sufficient. But only if the company running the VPN actually takes privacy seriously in the first place.
For instance, most VPN companies shield users from data retention by allowing them to circumvent their ISPs ability to log their IP address and connections to other websites. By using a VPN your ISP can only see that your connected to the VPN’s servers and not the website that you’re browsing. But for this system to work, the user has to trust the VPN company not to log IP addresses and connections itself.
The sad fact is many VPN companies – and indeed some of the most popular VPNs on the market – do in fact log and store customers’ data. Some VPNs will even retain this data longer than many ISPs. Perhaps even worse is that some VPNs are not upfront about their data retention practices and do not state in their privacy policies exactly what data they store and for how long (some VPNs don’t even have privacy policies).
A VPN company should wipe its data logs regularly, ideally within hours of them being created, so that any requests for the data cannot be met. However, even if a VPN doesn’t store data, users’ privacy can still be compromised. Any company could be subpeoned by local authorities and forced into recording data on particular user. There are precedents for this, such as the Lulzsec fiasco, which saw a US-based VPN forced into logging data by the FBI. It’s therefore good to know what jurisdiction your VPN operates within, so you can get an idea of how local authorities behave toward them. This is a grey area, as there are no countries (that we’re aware of) that will protect a VPN’s right to not log data. All you can do is try to avoid those countries whose authorities have a track record in zealous online surveillance.
What questions do you need to ask?
So if you’re thinking of signing-up to a VPN service what questions should you ask in order to determine whether or not they take privacy seriously. Here’s a few suggestions.
How long do they retain logs? The vast majority of VPNs will log data for network troubleshooting purposes. However, there’s no reason to store data longer than a few days, unless the company is eager to comply with requests from authorities or from other third parties such as copyright holders. Ideally, a VPN should be wiping logs within hours. If the VPN doesn’t say how long it retains data then ask them directly. A good place to start is this list of VPNs that don’t log data.
What country is the VPN registered in? Knowing what country the VPN is registered in will let you research the country’s laws pertaining to online privacy. As mentioned above, there are no countries that offer complete sanctuary for VPNs who don’t want to log data, but some are better than others.
What other personal data will the company retain? It’s important to know whether a VPN can link your account to a real identity. Does the VPN require an address, or credit card information? Can you use a more anonymous form of payment such as Bitcoin?
What will the VPN do if laws change? With governments around the world cracking down on online freedoms, it’s quite possible that VPNs could come under scrutiny. It’s therefore important that a VPN company notify its customers of any change in local laws, which may affect its ability to protect user privacy.