A VPN is a powerful tool for keeping your private information under wraps, but what does it mean for you if your VPN is logging your data on its network?
By Chris Stobing
If you’re wondering what kind of data VPNs, free or paid, collect on you, you’re not alone. Why do some VPNs engage in this seemingly invasive practice, what does it mean for your privacy, and how worried should you be? We’re here to explain.
First, it’s helpful to know what data a VPN may or may not log from your device, as well as what the service might do with it.
The first category is usage metrics. These can be as innocuous (and necessary) as logging how much data you have used in a given period, a requirement for any free or paid plan that comes with a bandwidth cap. They can also extend to how you use your VPN: how often you sign in (or don’t), how long each session stays connected, and which devices you connect from most often.
VPNs may collect this data for perfectly legitimate reasons or for more questionable ones. Legitimate uses include enforcing a limit on simultaneous connections per account, tracking how many IP addresses a user has requested, and metering how much data an account has moved over a billing period.
Questionable, in this context, can mean anything from selling that usage metadata to third-party advertisers and marketing firms (this is especially prevalent in free options) to providing the data to law enforcement upon request. More on that specific point later.
Another logging policy you might object to is the tracking of browsing history and browsing data: anything from URLs visited to DNS requests. A provider may do this voluntarily, or authorities may compel it, in which case the provider would have to start logging a particular user’s activity under legal duress.
A few providers, such as Hide.me, say that the structure of their network makes logging this information impossible. This is, of course, by design: if law enforcement comes knocking, the provider can refuse on the grounds that the network was built from scratch to make the practice effectively impossible. Bear in mind that this is a claim about the provider’s architecture, and the independent audits discussed later are how you check such claims.
Connection logging can be both beneficial and detrimental to VPN users. The beneficial side is what’s known as server-level logging: data such as bandwidth usage or the dates and times of connections, collected by the server you’re connecting to. VPN engineers most often use it to improve the network and to track down bugs or routing errors that might be slowing a particular server. This kind of logging keeps the system healthy and your connection performing well.
The less savory side of connection logs is what’s known as user-level logging. This records identifying details such as a connected device’s originating public IP address and, where the client app collects them, device identifiers. (A VPN server cannot see your device’s MAC address across the internet; it would only have that if the client app reported it.) Handed to law enforcement or accidentally leaked to hackers, those details can lead to the personal identification of the user behind a connection. You don’t often hear about this kind of identification in connection with VPNs, but it’s not unknown.
Arguably the best kind of logging (if there is such a thing, a hotly debated subject among privacy enthusiasts) is what’s known as aggregated logging. It can encompass all the types of logs mentioned above, with one important distinction: all identifying information is stripped out of the dataset. This means that, for example, a VPN provider may use something like your device’s IP address briefly to improve some portion of its service, and that IP address is deleted right afterward.
Similarly, other datasets like connection times, browser logs, or bandwidth usage may be retained to improve performance, but only as totals and counts, so that neither employees at the VPN company nor law enforcement can trace a record back to an individual user. One caveat: replacing an IP address with a hash is pseudonymization, not anonymization, because the IPv4 address space is small enough to enumerate; genuine aggregation drops the identifier altogether.
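To make the difference between user-level, hashed, and aggregated logs concrete, here is an added Python example. It is not code from the article or from any VPN provider; the log format and the log lines are constructed for the illustration. It parses user-level connection records, produces a server-level aggregate that never contains a client address, and then shows why merely hashing an IP address does not anonymize it: an adversary who can guess the network a client came from recovers the address by enumeration.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample of user-level connection log lines (hypothetical format,
# not from any real provider). Fields: timestamp, server, client public IP,
# bytes transferred during the session.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z srv=nl-01 client=203.0.113.17 bytes=1048576
2024-05-01T10:05:00Z srv=nl-01 client=198.51.100.9 bytes=524288
2024-05-01T10:07:00Z srv=de-02 client=203.0.113.17 bytes=2097152
2024-05-01T10:09:00Z srv=de-02 client=192.0.2.44 bytes=65536
"""


def parse_log(text):
    """Parse the constructed log format into a list of user-level records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key == "bytes" else value
        records.append(rec)
    return records


def aggregate_by_server(records):
    """Server-level view: session counts and byte totals per server.

    The client address is never copied into the result, so nothing in the
    output can be tied back to an individual user.
    """
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for rec in records:
        totals[rec["srv"]]["sessions"] += 1
        totals[rec["srv"]]["bytes"] += rec["bytes"]
    return dict(totals)


def pseudonymize_ip(ip, salt=b""):
    """Replace an IP with its SHA-256 digest, as a naive 'anonymizer' might.

    This is pseudonymization only: there are just 2**32 IPv4 addresses, so
    the digest is reversible by enumeration whenever the salt is known or empty.
    """
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def recover_ip(digest, network, salt=b""):
    """Enumerate a candidate network (for example the ISP range an adversary
    already suspects) and return the address whose digest matches, if any."""
    for candidate in ipaddress.ip_network(network):
        if pseudonymize_ip(str(candidate), salt) == digest:
            return str(candidate)
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("aggregate:", aggregate_by_server(recs))
    digest = pseudonymize_ip("203.0.113.17")
    print("recovered from hash:", recover_ip(digest, "203.0.113.0/24"))
```

A secret, well-guarded salt would defeat the enumeration in `recover_ip`, but then the salt itself becomes a key that turns the hashes back into identifiers, and whoever can compel or steal it gets the user-level data. Only the aggregate produced by `aggregate_by_server` has nothing left to hand over.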
Now that we know what types of data might be logged by your VPN, how do you find out whether your VPN is logging anything in the first place? The answer is both simple and complex. At the most basic level, you should (in theory) only need to read a VPN company’s privacy policy or terms of service, which generally include a section on its logging practices.
For example, here’s a portion of what ExpressVPN has to say about its own logging practices:
“In order to maintain excellent customer support and quality of service, ExpressVPN collects certain information related to your VPN usage, as described below. This data is visible to our staff strictly on a need-to-know basis and may be shared with Service Providers for the purposes above, but are kept confidential at all times.”
ExpressVPN is considered one of the more transparent VPNs when it comes to its data logging practices, as the excerpt above suggests. The company offers an extensive amount of information that covers just about every potential data use case. If this kind of openness were available from all VPNs, it would be easy for users to understand who is logging their data, where it ends up, and how long it’s being stored (if at all).
However, this level of disclosure is not as common as you might hope. Other VPNs might only include a few lines (or less, in extreme cases) in their terms that explain whether or not they log any data, as well as what datasets they log if so.
When choosing a VPN, you’ll want to pick a service that’s transparent about its logging practices. ExpressVPN is a good example, and there are many other services that devote entire pages of their website to explaining in sometimes excruciating (but usually appreciated) detail exactly where your data ends up while you’re connected to their network.
For the privacy-obsessed, a no-log VPN is the gold standard in the industry. No-log VPNs like PrivadoVPN are exactly what they sound like: they keep no activity or connection logs, storing nothing beyond your email address and billing information. Keeping that much is standard practice; the company uses it to renew your subscription and give you access to your account.
The ultimate purists may want to attach a privacy-centric email service like Proton Mail to the VPN account and pay with an anonymously purchased prepaid Visa debit card. Many VPNs also accept cryptocurrencies like Bitcoin which, while pseudonymous rather than truly anonymous (its ledger is public), is about as close to anonymous as you’ll get when paying subscription fees online.
For the rest of us who just want a one-touch, turnkey solution, though, a no-log VPN is the best chance you’ll get at protecting the majority of your private information while connected to a virtual private network.
It’s important to understand the international nature of many providers, as well as the lack of any standards body. Since no country or organization stops them, VPN companies can define words like logs, activity, or connection information however they like in their advertising. No law or regulation (beyond general advertising law) dictates what a company must mean when it says, for example, that it “doesn’t log your activity” on its network; in that sentence, “activity” means whatever the company wants it to mean. This can lead to some dodgy circumstances.
In 2020, for example, an investigation by the website VPNMentor found that seven no-log VPN services based in Hong Kong were anything but what they claimed. The affected VPNs told customers they weren’t logging user information when, in reality, much of their users’ most sensitive data was sitting on a server in plaintext.
If you see a company use vague or limited language in its terms of service, it could mean they’re not telling the whole truth about their logging policies.
Company transparency and your own research are key here. Independent third-party auditors such as Cure53, Deloitte, and KPMG evaluate VPN services and publish reports on their findings. Before you sign up for any VPN, no-log or otherwise, confirm that it has been audited by a respected firm that can vouch for its claims, and note the audit’s date and scope: an audit is a snapshot of what was examined at the time, not a standing guarantee.
The most respected VPNs in the industry often link directly to these audit reports on their websites. This is a good sign that a company is sticking to its own advertised logging practices. For even more assurance, you can look at the audits themselves. We do! If the companies refuse to make their audits public, that’s also a potentially worrying sign.
Privacy experts will always debate whether VPNs should be logging your data and, if so, how much. But unless you’re committing serious levels of international cybercrime (we’re talking acts that would get you on an FBI watchlist), chances are that law enforcement officers won’t be knocking at your VPN company’s door looking for your name and address anytime soon. Still, there’s always the possibility of unprotected data falling into the hands of bad actors. By choosing a VPN that is upfront about its logging policies, you can at least be sure that your data is used exactly as advertised by the company you’re relying on to protect it.
To get started with this key privacy tool, you can read our article on the top 10 VPNs for some of the most transparent and thoroughly audited options available today. If you’ve already decided on a service, we have a thorough article on how to set up and use a VPN.