Understanding VPN logging and search warrants
VPNs may log certain user data when you sign up while others may log data about your browsing habits. There are VPN providers that claim to be 100% “logless” while others clarify their status on logging, making it clear what data they keep.
How does logging affect me?
Like many internet-related companies, VPN providers can be subject to warrants from authorities who may be investigating a particular user, a group of users, or even the entire company. They may need certain information that is held on a server.
This isn’t unique to the VPN space of course. Microsoft is currently fighting a case against the US authorities that want to access a server in a Microsoft data centre in Ireland. In Russia, officials are passing laws that state that the likes of Facebook and Twitter must store data on Russian users within Russia. This would make the data much more susceptible to search warrants from authorities.
Internet-based companies and users would understandably be concerned about government searches on personal data, warrant or no. The topic is now under more scrutiny than ever before in a world ridden with surveillance and data breaches.
What kind of information is logged?
HideMyAss! (HMA), one of the biggest VPN providers on the market, which was recently acquired by AVG, lays out its logging policy in detail online. HMA creates a timestamp of when you sign in to and disconnect from the VPN, it logs your IP address when you connect and the IP address of the server you connect to. It also logs the amount of data uploaded and downloaded while signed in.
This data is stored by HideMyAss! for between two and three months on secure servers. HMA says it may hold on to data for longer in “certain very limited circumstances” such as when a user breaches the terms of service. This includes illegal file sharing, spamming, and “illicit activity” as well as attempting to commit fraud.
VPN users have debated furiously over just how much data VPNs can and should collect and retain. Every year, Torrent Freak polls dozens of VPN providers on how they treat anonymity, security, and privacy. Other VPN providers are more upfront than others about whether or not they log and if so, what details they register. The survey gives users a snapshot of how VPN providers operate, especially the bigger ones on the market.
For example, Private Internet Access and IPVanish both claims to log no data whatsoever, often called a “zero logs” policy. IVPN denies any logging too. “No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability,” it says.
A handful of VPNs on the other hand do log and are honest about it. PrivateVPN says it logs emails and usernames. TorrentPrivacy says it keeps your email and denies that it is possible to connect this to a specific user.
VPN providers, and various internet-based companies, try different things to dance around the minefield of potential legal inquiries. Privacy is one of the key selling points, if not the main selling point, and a VPN can run the risk of reputational damage if it gives over data to authorities, even if the situation is out of their hands. One of the methods for overcoming warrants, or at least partially so, is employing what is known as a warrant canary.
Named after the method of sending a canary into a coal mine to check for fatal gases, a warrant canary is intended to alert users of when the company has received a warrant of some kind from authorities. Typically a warrant gags the recipient from talking about it or alerting customers. Warrant canaries work in a reverse fashion of sorts. Every day or week or so, the VPN provider publishes a note that states the company has received no notices from authorities. If a warrant is ever received, these regular notices will stop, triggering an alarm to users that something isn’t quite right and you should cease using the service, if only temporarily.
LiquidVPN publishes a warrant canary every 48 hours with an update on its current status as too does VikingVPN. BolehVPN launched its own canary earlier this year while a number of smaller operators like Proxy.sh, Lokun, and iPredator all run their own warrant canaries.
The theory is patchy however and operates in a legal grey area. The canary only alerts users that it received at least one warrant of some kind. It provides no details on the nature of the warrant, the number of warrants, or how many users are affected. It’s also unclear as to whether the warrant is targeting the company itself or just a user. These concerns make it difficult to navigate the usefulness of a warrant canary and guarding privacy.
Warrants also hinge on where the VPN provider is based. Some providers raise concerns over being based in the US and subject to the Patriot Act meanwhile a provider like BolehVPN, which is based in Malaysia, may not have any such laws to contend with but may also lack a strong legal infrastructure that can prevent abuse by authorities.
Image attribution: “Filed Away” by Mark Crossfield licensed under CC BY-SA 2.0