Image courtesy IVPN

Image courtesy IVPN

With new threats to online freedoms appearing with frightening regularity (from SOPA to ACTA, and from the TPP to the recent PRISM scandal), it's logical to assume internet users will increasingly turn toward privacy tools to protect their online data over the coming years. While the free-to-use TOR platform remains the most popular way to protect your online identity, many people choose to use commercial Virtual Private Networks (VPNs), primarily because of their faster connection speeds. However, a significant number of commercial VPN services offer little privacy protection to users, despite advertising themselves as privacy services. In this article we're going to explore the questions you need to ask when deciding what VPN to choose and what you need to look out for.

What is a VPN?

A VPN is a private network that lets you send data securely over the internet. When you use a VPN service, all the data sent between your computer and the VPN server is encrypted. VPN technology uses a concept known as tunnelling. To use an analogy this is a bit like taking a letter inside an envelope, putting the envelope inside a box with a new source and destination address and then locking it with a key that only the VPN has access to. When the VPN server receives the letter, it opens the box and decrypts the contents, so it knows where to route the data. By doing this, the ISP can only see that you're communicating with the VPN server and has no way of determining which web services you are communicating with.

What's the problem?

The biggest vulnerability of this system is that the company providing the VPN service can monitor and log the IP address and the connection information of its users (such information is already logged by most Internet Service Providers and can be used to identify who you are emailing and what websites you visit). If a VPN is recording and storing this metadata then its ability to provide a privacy service is heavily compromised, as any government can simply force the VPN to hand over the data. The only way to effectively prevent this is to ensure the data doesn't exist in the first place.

For example, HideMyAss.com, arguably the most popular VPN service on the market, has a privacy policy that clearly states it stores user information for up to two years. The platform came under much criticism in 2011 when it handed over data on Cody Kretsinger, a member of the hacker team Lulzsec, to the FBI, leading to his arrest. But at least HideMyAss is clear about its data logging practices. Many VPNs are not so forthcoming in their privacy policies.

Questions to ask?

So what should you look out for when choosing a VPN service for privacy reasons? Here are three main points you need to consider.

What data does the VPN record?

Is the VPN recording web logs? Does the VPN know your IP address and the times that you connect to their servers? What about billing information (is there the option to use Bitcoin if you're not happy using PayPal or other services that store your address)? Also, what kind of advertising data does the VPN service store and does it hand that data over to third parties? You may think it's odd that a 'privacy service' is prepared to sell data to advertisers, but many VPN services do just this and state it in their privacy policies. So read the small print.

How long does the VPN store data?

Nearly all VPNs will store some data in order to troubleshoot network issues. However, the duration of that storage plays a key role in terms of the privacy protection afforded to users. After all, if the data has been deleted, then it cannot be accessed by a third party. Ideally, a VPN should be wiping user data within hours of it being recorded. If a VPN is storing data for anything more than a few days then beware.

Will a VPN keep you informed?

As SOPA, ACTA, TPP and PRISM illustrate, world governments are busy trying to keep-up with the internet by implementing new legislation. It's also possible that such legislation could affect the way a VPN operates and its ability to protect the anonymity of its users. Therefore – while maybe not as essential as the above points – it's important to know how a VPN will react to such changes and whether it will keep its customers informed. Will you be told that your privacy is at risk due to changes in laws? Will you be given the opportunity to get your money back on any subscription if this is the case? These are all relevant questions you should ask.

Read the privacy policy carefully

So if you're thinking of signing-up to a VPN service in order to protect your privacy online, then your first port of call is the company's privacy policy. If you don't find the answers to your questions in their privacy policy then ask them directly, or steer clear. For more information, and to put you on the right track, take a look at TorrentFreak's handy list of VPNs that don't log data.

 

This is a guest article written by Nick Pearson, founder of IVPN, a VPN privacy platform. EFA does not endorse the services provided by IVPN.  We always welcome guest articles on relevant topics. Please contact us if you'd like to submit one.

1 comment

  1. This article could also mention that US security agencies were heavily involved in the writing of many internet cryptography protocols, including that used by VPN. This means they are suspected of having backdoors into them and are able to break the crypto.
    In addition the NSA spends plenty of time leaning on service providers forcing them to provide keys to encrypted traffic. Example: lava.com - encrypted email and of course many others as detailed by Snowden.

    Comment by A Name on 29 November 2013 at 14:23