When it comes to Virtual Private Networks (VPNs), no-logging policies are at the centre of privacy concerned customers attention. With the rise of social networks, Google and Facebook dominance, and Cambridge Analytica scandal, — netizen have become aware that their online data can be and is misused.
These reasons (along with the emergence of geographical restrictions) resulted in a monumental rise of a niche cybersecurity software, — VPN. However, many developers wanted to jump the train, and a lot of services were launched. Sadly, not all of them as concerned about your privacy as they state to be.
No-logs policies are directly related to privacy protection, and I have extensively written about the importance of VPNs jurisdiction, and audit practices that help identify a high-quality privacy protection product. This time I will overview no-logging practices from the Terms of Service or TOS perspective.
Why Terms of Service matters?
Internet technologies have developed so rapidly that it’s still hard to comprehend their influence over our lives. The services that we use, “agree” buttons that we click, — all establish a long-term relationship between your online activities and interested party. Sadly, research reveals that only 26% of users read privacy policies and average reading time of TOS is 51 second.
When it comes to VPNs skipping privacy policies and Terms of Service can be risky. One way or another, you accept to trust your VPN service provider, and sending all your online data through their servers is “an intimate” relationship. This is a cybersecurity software, and so it should be taken with utmost importance.
Another thing is exceptionally excessive marketing in the VPN competition. You’ll see catchwords like “no-logs” and “privacy” flashing in most ads and web pages. On the other hand, as per few examples I outlined in my mentioned articles, not all providers are willing to keep this promise. Reading carefully through privacy policies and TOS can give you a hint of what to expect from your VPN provider, so let’s dive into that.
Services picked for the analysis
First of all, I have not read through all the TOS and PP of all VPN providers but picked a few illustrative examples. The content may vary per case, although it’s my firm belief that most of the time it wouldn’t bear significant difference.
I picked ExpressVPN and NordVPN as good examples, mainly because they are market leaders and have proved their no-logs policies. I carefully read through Kaspersky (based in Russia) Secure Connection terms and found a link to Anchorfree (based in the United States), which also provides VPN services. As you will notice in the following paragraph, the difference is significant and important.
What to look for in the Terms of Service and Privacy Policies
TOS and PP must comply with marketing content because if there are any violations from the provider’s side, these documents can prove the legitimacy of their actions or otherwise. Regarding no-logs, there must be a clear statement of what kind of information is gathered, for what purposes, is it personally identifiable, is it shared with third parties, and for how long the data is kept.
Both in ExpressVPN and NordVPN TOS and PP, we can see clear statements regarding the gathering of data. For example, ExpressVPN states:
We ensure that we never log browsing history, traffic destination, data content, IP addresses, or DNS queries. Therefore:
We do not know which user ever accessed a particular website or service.We do not know which user was connected to the VPN at a specific time or which VPN server IP addresses they used.We do not know the set of original IP addresses of a user’s computer.
NordVPN in their PP states:
We do not store connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other data. From the moment a NordVPN.com user turns on the NordVPN.com software, their Internet data becomes encrypted. Any online traffic coming from user’s device is no longer visible to ISP, third-party snoopers or cyber criminals. Further, NordVPN have a strict no logs policy when it comes to seeing user activity online: NordVPN is based in Panama, which does not require data storage.
In both cases, these statements have not been contradicted by any following additions. It’s essential to notice that when these service providers talk about collecting data, they are stating very clearly that data will be used solely for the maintenance of the service (payments, account details), and internal marketing strategies (which is a natural behaviour under current circumstances).
For “bad” examples I picked Kaspersky Secure Connection VPN because it operates under Russia’s jurisdiction. I found it hard to believe that there could be a privacy protection no-logs service in Russia; Vladimir Putin’s government is anything but respectful when it comes to surveillance.
While reading through “Kaspersky’s EULA — [Windows] [GDPR-ready]” for their Kaspersky Secure Connection product, I came upon a line: “5.2. Work of the VPN component is provided via access to service of a third party (hereafter “Third-Party services”), which is AnchorFree Inc: https://www.anchorfree.com." I visited anchorfree.com and noticed they are also offering their VPN services, — TouchVPN and VPN in Touch. Visited home pages of both VPNs and went to their privacy policies, which both redirected me to the same page:
I carefully read through the whole document and picked parts that represent the entire document. The first example states:
We are fiercely protective of the privacy of our users. If you use our VPN products, we protect your privacy by ensuring that we do not log or record online activities that you conduct over a VPN connection in any way that can be tied back to you.
This is an absolute standard in the VPN market. Service provider declares the no-logs policy, dedication to protecting users privacy and anonymity. However, in paragraph 7 called “Data retention”, near the end of the Privacy Policy, comes another statement.
AnchorFree generally retains your personal data for as long as is needed to provide the services to you, or for as long as you have an account with us. We may also retain personal data if required by law, or for our legitimate interests, such as abuse detection and prevention, and defending ourselves from legal claims. Residual copies of personal data may be stored in backup systems for a limited period as a security measure to protect against data loss.
A natural question arises, how can data retention take place, if the company doesn’t keep any logs? This is a contradictory statement. During the whole PP document, there are paragraphs that, in between the lines, state that they do collect data. Here’s an example regarding location data:
Location information. Unless otherwise expressly stated, we do not collect your location information based on your device’s GPS or other device sensor data. However, we may collect your approximate location by calculating an imprecise latitude and longitude based on your IP address to provide you with better service (e.g. to connect you to the nearest and fastest VPN server).
Once again, the beginning is promising, stating that they do not collect location information (regarding GPS), but they do collect via triangulation, which leads to the very same thing — your location may be exposed.
Due to the length of this article, I picked only the most representative examples, and I leave to the reader to check the backlinks provided for further information.
To conclude, contradictory statements are a red-flag when picking a no-logs service. If a VPN provider doesn’t keep any logs, you will find a concise explanation and a clear view of what data is collected and why. On the other hand, you may discover padding paragraphs and contradictory statements in a service that logs at least some information but markets itself otherwise.
Anchorfree privacy policy is ~5000 words long, while NordVPN ~1800, and ExpressVPN ~2800.