The revelations around the NSA’s secret spying program have thrust the issue of online surveillance into the public consciousness like never before. Over the coming years it’s reasonable to expect more people will start using privacy tools, such as Virtual Private Network services, to protect their online data from surveillance.
But as a previous post on Invisibler rightly mentioned, VPNs cannot always be trusted – many log data and cooperate with authorities in the same way as an Internet Service Provider (ISP). Are all VPN services therefore unable to protect your privacy?
As the CEO of IVPN, I am obviously somewhat biased on this issue, but I would argue commercial VPN services can be very effective privacy tools. The only problem is, you have to trust the service you’re using. Before signing up to a VPN there are three main questions you need to ask, and in this article I will go over them.
What data does a VPN log?
Firstly, you need to know what data a VPN logs and stores. If you are paying via any mainstream payment platform, such as credit card or PayPal, then your billing data will be stored with the VPN – it’s unavoidable. However, if the VPN accepts Bitcoin, then no information linked to your real-world identity will be stored.
But even if you can’t find a VPN that accepts Bitcoin as a form of payment, it is worth keeping in mind that your use of your credit card only proves that you are using a VPN service – that in itself is no grounds for suspicion. This information will also be discoverable via your ISP’s logs.
VPNs will also usually store your IP address in some form, but you need to make sure that the stored IP address is anonymised. Logs of the websites you visit will also typically be stored in order to troubleshoot network issues. But if the VPN is serious about privacy, then this period of storage will be so short that it does not compromise your privacy (for instance, IVPN’s logs are wiped every 10 minutes), and the logs cannot be linked to your IP address. If logs are held for any more than a few days, steer clear.
What happens if law enforcement demands data?
As long as the above data is not stored for a significant amount of time then the authorities cannot access it – even if they seize a VPN’s servers – because it won’t exist. In the case of Hide My Ass (one of the most popular VPN services) data is stored for two years, which is obviously a security risk.
What happens if laws change?
The world is currently in the middle of a communications revolution and governments are desperately trying to catch up by implementing new surveillance laws – from CISPA in the US, to the CCDP in the UK. It’s therefore very important to know how your VPN will behave if the laws in its jurisdiction change in a way that impacts your privacy. Will the VPN notify you of any impending changes? Will you be able to cancel your subscription and get your money back? These are the questions you should be asking. Also, in light of PRISM, and previous scandals such as the NSA wiretapping controversy, it is safe to say that the US is no longer a jurisdiction that can be trusted.
If you can get satisfactory answers to these three questions then you can be confident the VPN takes privacy seriously. At the end of the day there are many VPNs that are not really privacy services (they simply rely on the acronym ‘VPN’ being synonymous with the concept of online privacy). But there are VPN services that have built their whole reputations and business on the principles of online privacy. Obviously, this is an issue of trust. Emailing or talking to the individuals behind the VPN service, as well as researching their reputation, can help reassure you they have your best interests at heart. For more information on how to choose a VPN, take a look at our ongoing article series on understanding VPN privacy policies.
Image Credit: Terry Johnston