Internet privacy concerns are at an all time high, and VPNs are being touted far and wide as the one-stop solution to keep internet providers, governments, hackers, websites, and advertisers out of our online lives. Believe the hype; a VPN can secure your internet connection from all of those entities and more.
It does this by encrypting your internet traffic and routing it through a remote server before it goes on to its destination. Your ISP can only see that traffic is passing through its network, but not its contents or final destination. After your traffic leaves that server, websites and apps can’t trace the source of the traffic back any further than the VPN server.
But what about the VPN providers themselves? What’s stopping them from mining your data, recording your online activity, and selling it off to third parties or using for other nefarious purposes?
In short: nothing. A VPN provider has the power to record each of their user’s browsing data and metadata. But reputable VPNs all tout an important policy: no logging. Logless VPNs don’t keep a record of their users’ activity–at least not with any personally-identifiable information.
Unfortunately, the term “log” isn’t entirely clear cut. There are two main types of logs, and many VPNs lay claim to a “no logs” policy while really only adhering to one.
Traffic logs, sometimes called usage logs, are the ones users should be most concerned about. They contain the contents of all your internet traffic–what websites you visit, emails, search queries, etc. A VPN provider that records this information isn’t doing its job and should be avoided at all costs.
Then there are metadata logs. These are also referred to as session logs, connection logs, or diagnostic logs. Metadata logs don’t contain the contents of your internet traffic, but instead record details about how you use the VPN. Sometimes, metadata logs are harmless and only contain non-personally identifiable information like how much bandwidth or data you use, timestamps of when you use the service, and which servers you connected to.
The type of metadata log we’re most concerned with are those containing users’ source IP addresses. If a VPN records your source IP, then there’s a good chance your activity can be traced back to your device.
- No traffic logs
- No source IP logs
- DNS leak protection
- Shared IP addresses
- Accepts bitcoin as payment
IPVanish maintains a true zero logs policy, meaning no traffic or metadata logs of any sort are recorded. The company is based in the United States, which might put off some users wary of the NSA and FBI, but the truth is that the US has no mandatory data retention laws. The company owns its global network of physical servers rather than renting, giving maximum control over who has access. Customers can pay in bitcoin and even hide the fact that their using a VPN using a special traffic obfuscation feature. Torrenting is allowed. Apps are available for Windows, iOS, MacOS, and Android.
READER DEAL: Save up to 60% on IPVanish here. This includes a 7-day money-back guarantee so you can try the service risk-free.
Read our full review of IPVanish.
NordVPN has a true zero logs policy. That means no traffic nor metadata logs are stored. Those who don’t want to leave a paper trail can pay with Bitcoin. NordVPN is incorporated in Panama, where there are no mandatory data retention laws. For the extra-cautious, users can connect to privacy-optimized servers featuring Tor over VPN and double VPNs. Torrenting is allowed and NordVPN can unblock a wide range of geo-locked streaming services like Netflix, Hulu, and more. Apps are available for Windows, MacOS, iOS, and Android.
Read our full review of NordVPN.
ExpressVPN doesn’t record or store any web traffic contents or personally identifiable information on its users. If you want to sign up anonymously, you can even use a burner email address, pay in Bitcoin, and register on its .onion website through Tor. Some diagnostic information, such as dates (not times), server, and the amount of data transferred is recorded but not associated with a specific IP address or any other personally identifiable information. The company is incorporated in the British Virgin Islands, which has no mandatory data retention laws. Torrenting is allowed and ExpressVPN is also great for unblocking geo-locked content on Netflix and Hulu when traveling abroad. Apps are available for Windows, MacOS, iOS, Android, Linux (command line), and certain wifi routers.
TRY IT RISK-FREE: Get 3 months free here with ExpressVPN’s annual plan. The deal includes a 30-day no-quibbles money-back guarantee so you’ll receive a full refund if unsatisfied
Read our full review of ExpressVPN.
StrongVPN claims it keeps no logs of any sort, traffic or metadata. The US-based provider owns its own servers, accepts bitcoin, and allows torrenting. Traffic obfuscation is available to those who want to hide the fact that they are using a VPN from their ISP. We’ve had decent luck in unblocking streaming services like Netflix and Hulu in web browsers when using StrongVPN. Torrenting is allowed. Apps are available for Windows, iOS, MacOS, and Android.
DISCOUNTED OFFER: Save 41% with StrongVPN’s 1-year deal here. This includes a 7-day money-back guarantee so you can try the service risk-free.
Read our full StrongVPN review.
Private Internet Access, or PIA for short, keeps no logs of any sort. It even once published a court order to hand over customer records to prove it. Because it doesn’t log, it had nothing to give up. The company is based in the US. It accepts payment in bitcoin. Torrenting is allowed. Apps are available for Windows, MacOS, iOS, Android, and Linux. It’s not the most user-friendly but is a good low budget option.
Read our PIA review.
READER DEAL: PIA is currently discounting the annual plan by 52% bringing it down to $3.33 per month.
VPNs with a history of logging
HMA was implicated in the arrest of a Lulzsec hacker due to its poor logging policy. HMA complied with a court order to hand over data related to one of its users, Cody Kretsinger. Kretsinger was involved in a cyber attack on Sony Pictures and used HMA to conceal his identity. HMA says it never stores the contents of users’ internet traffic, but it does record detailed metadata logs that contain users’ real IP addresses, which was enough to eventually land Kretsinger in jail.
VyprVPN is a solid VPN save for one thing: it logs source IP addresses. This has led many users to complain about receiving letters demanding they stop torrenting, even though they only do so when connected to the VPN.
VPNBook logs source IP addresses and connection timestamps, which are deleted weekly. In early 2013, however, hacking collective Anonymous accused VPNBook of being a honeypot for law enforcement. Anonymous stated user logs “appeared in the court discoveries and indictments of some Anons facing prosecution for their involvement in #Anonymous activities.”
Can I trust my VPN?
No matter what their privacy policies say, using a VPN that claims to be logless still requires a certain degree of trust. There’s simply no way to know whether a company stays true to its word or how it will respond when confronted with a court order. VPN providers are also vulnerable to internal abuse and external coercion.
But for the most trusted VPN companies, it’s simply not in their best interests to keep logs. It opens them up to government demands, requires time and resources to collect and store data, and can irreparably damage their reputations, resulting in a loss of business.
While you can never be 100 percent confident that a VPN won’t log, there are a few key signs to look for in those that don’t.
A VPN provider’s torrenting policy is often a good indicator of whether it stores any identifying logs or not. When a VPN user downloads copyrighted content illegally using BitTorrent, there’s a good chance someone working on behalf of the copyright owner will notice and take action. This could come in the form of a settlement letter asking for compensation or a DMCA takedown request.
Depending on the VPN provider’s country, they might be legally obligated to forward these letters and requests to the user. But if the provider has no log of who downloaded what, they can’t possibly know who to forward that information to and the request is dead on arrival. A VPN that does log, however, might forward those letters or requests to their customers or send its own cease-and-desist notice.
Related: Best VPN for torrenting and some to avoid.
Country of incorporation
Some countries require all types of internet service providers, including VPNs, to record and store logs for specified period of time and make those logs available to law enforcement upon request. This was the case with HideMyAss, a UK-based VPN provider now notorious for its logging practices, which are mandated by the UK government. HMA’s logs allegedly led to the arrest of a UK-based Lulzsec hacker using its service.
This is the reason why many VPNs are incorporated in seemingly odd locations. ExpressVPN is incorporated in the British Virgin Islands (not part of the UK), and NordVPN in Panama, for example.
The United States has no such data retention laws that apply to VPNs, but a healthy dose of skepticism should still be applied. It’s not unprecedented for US law enforcement and intelligence agencies to work with tech companies to spy on customers behind closed doors, as we now know thanks to Edward Snowden.
All of the VPNs on this list either rent or own physical server hardware. This gives them maximum control over who can access the information on that server. Some VPN companies cut costs by using virtual servers, which can add another undesired player into the mix. If a provider only owns a virtual server, then the physical operator could plausibly install some sort of network analysis tool to capture traffic and metadata.
So physical servers are a must for those concerned about privacy. But whether those servers should be owned or rented is up for debate. There are arguments to be made for both. Obviously, owning a physical server gives the greatest amount of access control. Renting a server could allow intruders to plant backdoors before the VPN company leases it, or steal user data left on the server after the lease ends. However, if a data center suddenly changes its policy on traffic logging, it’s much easier to end the lease for a server in that data center and switch to a new one.
Shared IP addresses
Shared IP addresses have become the universal default for most commercial VPN providers these days. A shared IP address works like this: when you connect to a VPN, your outward-facing IP address is changed to that of the VPN server. There may be dozens or even hundreds of other VPN users also connected to that server, all of whom are also assigned the same IP address. That makes it almost impossible to trace any of those users’ activity back to a single person, unless the VPN is storing logs.
VPNs also tend to use dynamic IP addresses, which means these shared IP addresses change periodically. Shared IP addresses are a win-win for both users and VPN providers because they not only increase privacy but are cheaper to maintain for the VPN provider.
A handful of VPNs offer dedicated IP addresses. These are usually static, meaning they don’t change, and might be assigned to a single user. This is useful for a handful of cases, such as setting up a peer-to-peer gaming network or repeatedly logging into a banking website that requires a specific IP. But for most users, shared, dynamic IP addresses are the way to go.
DNS leak protection
When you load a website, your browser first sends a DNS request that resolves the website domain (“www.comparitech.com”) into a numerical IP address. Sometimes these requests are sent outside the VPN tunnel and instead go to your ISP’s DNS servers. That means even with the VPN enabled, your DNS requests can still reveal what websites you are visiting to your ISP.
That’s why all of the VPNs we recommended on this list have apps with built-in DNS leak protection. They ensure that DNS requests are sent through the VPN and go to the provider’s private DNS servers instead of your ISP’s.
Sometimes, however, this doesn’t always work. In particular, Windows 10 computers have an issue with IPv6 DNS requests being sent over the unencrypted ISP network even while connected to VPNs that claim to have DNS leak protection. To resolve this, we recommend disabling IPv6 in your network settings.
Related: Best VPNs for Windows 10 and some to avoid.