What Information do VPN’s Really Log?

Nearly every VPN provider is making claims about VPN logs (or lack thereof). There’s been a huge uptick in VPN services advertising a no logs policy.

But is that an industry-standard term? Or just hollow marketing? The truth is, it depends. But what you should know is not all logging claims are created equal, and there are plenty of services that store identifying metadata about your connection history and still claim to be ‘zero log.’

So what should you do if you want real, authentic privacy? Read this guide and educate yourself of course.

We’ll Cover:

1. The two types of VPN Logs
   • Metadata ‘connection’ Logs
   • Activity / Usage Logs
2. How logging undermines privacy
3. Other considerations
   • Retention period
   • Jurisdiction
   • Five Eyes / Thirteen Eyes countries
4. Logging Policies for Popular VPNs

What information do VPNs log?

Your VPN provider has full access to your data stream, so they could log literally any piece of data you transfer through their network. Fortunately, most don’t log invasive personal data like your browsing activity.

VPN Log data consist of two types:

1. Metadata / Connection Logs: These logs include data about your connection, rather the content of your VPN sessions. IP addresses, server location, time of connection and data usage are common examples.
2. Activity / Usage Logs: This type of logging is much more invasive, and includes the actual content of your encrypted VPN session. Examples include: browsing history, file downloads, app usage.

Connection Logs

Connection logs are the most common type of logfile, and a lot of VPNs keep them (even some that claim to be ‘zero-log’).

What are connection logs? They consistent of connection metadata. They include information about the VPN session, rather than the actual content.

How metadata logs affect privacy – Metadata isn’t as harmless as VPN companies (and the many government agencies) want you to believe. Metadata alone is enough to identify individual VPN users, even when sharing IP addresses with 100’s of other users.

Some VPNs that do keep metadata logfiles may state that it’s ‘not capable of identifying any specific user’. You should be skeptical of any provider making similar claims.

IP Addresses are not harmless metadata. If your VPN logs your real IP address, you have no real privacy. Your IP is assigned by your internet service provider and can directly identify a specific subscriber.

Metadata logs can be combined from multiple sources. Timestamps and server location metadata are enough to identify specific user if combining logs from other services as well. For example, one Cyberstalking VPN subscriber was unmasked by combining Gmail logs with VPN metadata from PureVPN (who claimed at the time not to keep logs).

Activity / Usage Logs

The more invasive type of logging includes the actual content of your encrypted VPN session. Some people new to VPN technology incorrectly believe VPN encryption is ‘zero-knowledge’ (meaning your VPN provider can’t read your traffic). This is false.

Your VPN provider knows the decryption key for your secure tunnel, and does actually decrypt 100% of your traffic at the server endpoint. They then forward it to it’s actual destination. So VPNs absolutely have the ability to log your browsing activity if they want to.

Thankfully, most reputable VPN providers don’t log this invasively (that we know about). But many still do, especially free VPNs, which often monetize your privacy instead of subscription revenue.

What data are in VPN activity logs?

Activity & usage logs could encompass almost anything (or everything) you do online.

Activity logs could include:

Does this list scare you?

The good news is few reputable VPN companies log this sort of data. At VPNUniversity, we only recommend companies that limit logs to metadata only, or no logs at all.

The bad news is that your Internet Service Provider might be stockpiling data like this. So that’s one more compelling reason to get a VPN.

Other logging considerations

There are a couple other things to be aware of when choosing a VPN. The most important of these is the legal jurisdiction that governs your VPN provider.

Why jurisdiction matters:

1. Five Eyes / Fourteen Eyes – There is a loose intelligence alliance of 5 and 13 countries that share intelligence data, including captured telecommunications data. It’s unproven, but privacy activists worry if VPNs in those countries could be forced to provide backdoor encryption keys.
2. Data Retention Laws – Does the jurisdiction have data-retention rules for ISPs and other telecommunications companies? Do those rules apply to VPN services? What data are they required to log and how long must they be stored?

Five Eyes / Fourteen Eyes

Five Eyes (FVEY for short) is an intelligence alliance comprised of five countries:

• United States
• United Kingdom
• Canada
• Australia
• New Zealand

Its roots trace back as far as World War II. Today, its official purpose is to enhance the national security of member nations by freely sharing intelligence between them, and thus pooling resources to gather and process more intel than they could separately.

As Edward Snowden noted, however, this arrangement could also be used to circumvent restrictions regarding spying on one’s own citizens.

Nine/Fourteen Eyes – Intel sharing doesn’t stop with just five member nations. The Nine-Eyes alliance adds: Denmark, France, The Netherlands and Norway. The Fourteen Eyes further includes an additional five: Belgium, Germany, Italy, Spain, Sweden.

How this affects VPNs

A big part of signals intelligence is monitoring and decrypting web traffic, including VPNs. In fact, the NSA may have signification decryption capabilities. In several member nations (including the USA) there is an increasing push for encryption backdoors. Privacy advocates worry this could include VPN services (if it doesn’t already).

To reduce this risk, some users opt for an offshore VPN service like NordVPN, which is based in Panama.

Data Retention Laws

In some areas of the world, running a non-logging VPN service simply isn’t possible (at least not legally). That’s because some jurisdictions treat VPNs as ‘Internet Service Providers’ and require them to maintain connection logs. Yet some VPNs subject to these rules still claim to be logless, but really they only mean they don’t log VPN activity.

Fortunately, VPNs aren’t subject to these rules in most first-world countries, including the United States and European Union.

That’s why many logless VPN services are actually based in the U.S.

These include:

• Private Internet Access
• IPVanish
• Torguard

Warrant Canaries – Useful or not?

One worry, is that an otherwise logless VPN might be forced by a government agencies to log or share subscriber activity. In fact, this may have already happened.

But how would you know? What if you could be alerted that something had chanced?

That’s what a warrant canary is for.

The basic premise of a warrant canary is this: a document that states something like…

This service has not been the subject of a court-ordered subpoena since…(insert date)

The idea is that even though it may be illegal to directly divulge the receipt of a subpoena, the warrant canary could serve as a workaround. Several prominent companies used to use them, including Apple, Silent Circle, and Reddit. But those canaries have all been taken down.

Historically, a few VPNs have tried to use them, including NordVPN, Surfshark the now-defunct Proxy.sh. It’s likely they were deemed either ineffective or a legal risk. Or possibly, they just draw unwanted scrutiny that doesn’t outweigh the publicity benefits.

In any case, there are few remaining VPNs that use one, and I’m not convinced it would offer any real protection anyway.

Logging Incidents – a history

In recent years, several high-profile court cases have cast doubt on the validity of some providers’ logging claims. Others have bolstered them. For example, Private Internet Access has now won two court cases validating their lack of logs.

PureVPN controversy

In 2017, Ryan Lin was arrested an charged with Cyberstalking. The details of the charge or grotesque, and I want to make clear that I don’t defend Mr. Lin’s actions in any way. What’s relevant is the way he was unmasked, because he was using PureVPN. At the time, PureVPN claimed to be a ‘non-logging’ VPN.

But as it turned out, PureVPN apparently kept server logs, including timestamps and IP addresses. These logs were combined with records from Gmail and Rover.com to positively identify Mr. Lin as the perpetrator.

PureVPN, for their part, tells a different story than the common narrative. They try to spin their logs as separate ‘networking logs’ which aren’t tied to an individual user account. And while they would like us to believe these logs are insufficient to identify a specific user, it’s clear that they can identify a user with the aid of additional data points (gmail and rover.com in this case).

Key Takeaway: Some VPNs claim to be ‘no log’ but they really just mean ‘we don’t log your activity‘ while still keeping connection logs. You can’t take logging claims at face value.

Private Internet Access court cases

Private Internet Access is one of the most popular VPNs in the world, and among the first to adopt a ‘zero log’ policy. And to date, they’re one of the only such VPNs to successfully defend these claims in court.

And they did it twice.

In 2016, Private Internet Access successfully refuted a subpoena on the grounds that they did not have any relevant data to turn over. That case related to a bomb threat that was allegedly made by a subscriber.

And then in 2017, PIA was unable to link any of their accounts to an alleged hacker, using data provided by the FBI.

Key Takeaway: You can never be certain about the non-existence of something, but Private Internet Access has done more to prove their claims than any other VPN. They are based in the USA, however, which as I mentioned is a Five-Eyes member.

Summary & Key Takeaways

Logging policies are a hot topic in the VPN industry, and every VPN provider is trying to one-up the competition with their privacy claims.

But not all ‘non-logging’ claims are equal, and it’s important to closely read the privacy policy of VPN before subscribing. Or just trust our reviews, and let us do the reading for you.

What you should know:

1. There are two types of logs: Connection logs & Activity Logs.
2. ‘Activity Logs’ are much more invasive, and contain actual records of your browsing and internet usage.
3. Some VPNs claim ‘no logs’ but still keep connection logs, or as PureVPN called them, ‘Networking Logs’.
4. Warrant Canaries could be the best defense against governmental spying, but they’re few and far between in the industry.
5. Do your research. Read the privacy policy. Consider a VPN’s reputation ahead of things like price.

Questions? Tips? Let us know in the comments below.