Everything You Need to Know About VPN Log Policies
The records that VPNs might keep illustrate how, when, and from where users connect and what they do while the VPN is running, but not all VPNs keep such data.
This is good, because if user information is available to authorities, or is accessible by a skilled hacker, users’ data is just as unsafe as if they didn’t have protection.
Therefore, savvy VPN customers will take up with a service that limits the information they gather, or doesn’t keep tabs at all.
What Are Logs?
Logs are the records that some VPN services keep about their users. There are two main types—connection logs and usage logs—and both disrupt the dual value proposition of VPNs: anonymity and safety.
People use VPNs to prevent third parties from matching their IP address with their identity, and advertisers or hackers from targeting them, but keeping logs even without the intention of sharing them is still a massive risk.
An individual VPN service’s log policy (and terms and conditions) states which types of logs it keeps (if at all), and why.
Connection logs are digital records that show inbound and outbound connections to a VPN server, and it keeps mostly basic information like:
- Users’ inbound IP address
- Users’ new outbound IP address
- The connection’s time stamp
- How much data was transferred
These connection logs can be queried and searched by VPN providers in their own database, but one will notice that the information kept in connection logs is relatively shallow.
It doesn’t indicate specific user activity while the VPN is running, though it can match a user to his or her home IP address.
Usage logs record the information that is most valuable to authorities looking to prosecute torrent or darknet activity, or advertisers who need to know users’ browsing habits.
VPN providers who keep usage logs have all the information kept in connection logs, but also store the following data:
- Browsing history
- Specific software and applications used
- Specific files downloaded and uploaded
This data is more sensitive as it directly highlights individual user activity and not just their IP address.
Customers searching for a proper VPN should avoid those that keep usage logs, and even those who say they don’t keep them but are based in a country with data retention laws.
VPNs in countries with unfriendly data privacy policies may be compelled by law to keep records, even against their own policies.
Why Keep Logs?
VPN services that are based in countries with data retention laws must keep user logs, or risk being shut down by the government.
Many of these countries are also some of the world’s largest economies, but their progressiveness will surprise you.
The United States, for example, has no data retention regime despite its reputation as a highly surveilled society.
The British Virgin Islands is another geography where there are no data retention requirements and is home to some of the best logless VPNs available even though in the greater UK VPNs must cooperate with the government universally.
While the government might not have direct access to logs, it can demand records by VPN services who must maintain compliance.
VPN services are choosing to avoid these jurisdictions when incorporating and establishing headquarters. This is because storing records at all is a risk as hackers may get access by illicit means.
VPN services might also keep logs intentionally, which they can then sell to data science companies or third party advertisers.
Usage logs are valuable to major corporations as evidenced by companies like Amazon who make billions every year from selling their own.
Other VPN services keep no connection or usage logs for any purpose, but will keep some harmless metadata to better serve customers and keep the network running efficiently.
It’s best to find a VPN service that is headquartered in a data retention-free country, is not a member of any ‘data alliance’, and keeps absolutely no harmful logs.
How to Avoid Logging
The best way to keep your usage and connection data from being stored is to pick a VPN that is established in a country with favorable laws, but one that also has a transparent log policy.
Offshore VPNs with no logs are most favored in the online anonymity community.
VPNs from countries that are part of the ‘Five Eyes’ agreement should be shunned, as they might make data retention a legal necessity, and could be forced to share relevant data with the other four countries in the group.
This doesn’t mean they do, however. Ideally, a VPN shouldn’t know the usage activity and the connection details of subscribers, nor even their IP addresses, which could expose them to increased scrutiny.
While one might prefer to choose VPN services that don’t keep logs, note that VPNs choosing to keep some minimal user data may have better service because of it.
ExpressVPN, for example, is one of the best VPNs that doesn’t keep logs, but still records some anonymous metadata so that customer service representatives and IT team members can focus their efforts and provide quality services.
Overall, you’re likely in good shape if you choose one that doesn’t keep usage logs or know the IP addresses of users, because this protects you against the majority of threats.