VPN myths debunked
We have noticed a disturbing trend in the VPN industry. More and more VPN providers are promising an “anonymous” or “no logging” VPN service while providing minimal, or zero, transparency about how they actually handle your data. These so-called “anonymous” VPN providers fall into two categories:
- They advertise an “anonymous service” on their website but the fine print in their privacy policy suggests they log a significant amount of customer data.
- They advertise an “anonymous service” on their website, but their privacy policy simply says “we don’t log” without further explanation or detail.
We aren’t the only ones who question the “anonymous” or “no logging” VPN providers:
[i]f someone tells you ‘you will be completely anonymous, [because] you’ll have VPN running all the time’, that’s a lie.
SpiderOak, VPN, privacy and anonymity
…you have absolutely no way to know for sure how safe a “No logs” claim really is. Trusting your life to a no logs VPN service is like gambling with your life in Russian roulette
Wipe Your Data, “No logs” EarthVPN user arrested after police finds logs
[a]nyone who runs a large enough IT infrastructure knows that running that infrastructure with ZERO logs is impossible.
The “anonymous” or “no logging” VPN Providers have diverted privacy-conscious VPN users to focus on the false promise of anonymity instead of focusing on what really matters when choosing a VPN provider: transparency, trust, ease of use, performance and reliability. We hope dispelling some of these common myths will lead to a more transparent and frank discussion about privacy in the VPN industry and on the Internet in general.
The Myths
- Myth #1: I can be anonymous on the Internet
- Myth #2: Anonymity and privacy are the same
- Myth #3: When my VPN provider advertises an “anonymous” service, that means they don’t log any identifying information about me
- Myth #4: When my VPN provider’s privacy policy says they “don’t log,” that means I am anonymous
- Myth #5: Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous
- Myth #6: Even if my VPN provider doesn’t own and operate the network I can still be anonymous
- Myth #7: Any VPN logging is bad
- Myth #8: Privacy companies don’t collect or sell my data
- Myth #9: All VPN software is the same
- Myth #10: Tor is a better alternative than a VPN
Myth #1
I can be anonymous on the Internet
Anonymity is defined as not being named or identified. You are not anonymous when you are online, even when using privacy tools like Tor, Bitcoin or a VPN. Every service has at least one piece of information that can be used to distinguish different users, whether it’s a set of IP addresses (VPN and Tor) or a wallet (Bitcoin). This information alone may not reveal any private details about the user, but it can be associated with other similar information to eventually identify an individual.
Several publications have correctly pointed out that neither Tor nor Bitcoin make you anonymous.
A VPN doesn’t make you anonymous either, but does greatly increase your privacy and security online. A VPN is similar to the curtains for the windows of your house. The curtains provide privacy for activities happening inside your house – even though your house address is public.
Privacy is a more realistic goal, not anonymity. Privacy is inherently personal and has different definitions for different people, but privacy generally means the ability to exclude information about yourself. Privacy can also mean the right to express yourself:
[p]rivacy is your right and ability to be yourself and express yourself without the fear that someone is looking over your shoulder and that you might be punished for being yourself, whatever that may be.
Evan Greer, Fight for the Future, Panelist at Golden Frog’s “Take Back Your Internet Privacy Panel” at SXSW 2014
What Golden Frog does
Golden Frog doesn’t advertise or promise that VyprVPN makes you anonymous on the Internet. Golden Frog does advertise that VyprVPN will greatly improve your privacy and security online.
Myth #2
Anonymity and privacy are the same
Services that claim to make you anonymous attempt to eliminate any identifying data (which is not a realistic goal, as discussed in Myth #1). However, services designed to protect privacy instead allow users to control access to their personal data, but do not eliminate all identifying data.
Internet users can use private web browsers, proxies, Tor, encrypted messaging clients, VPNs and other great tools to increase their privacy online. These privacy tools help defend against mass surveillance by governments or by private corporations “deputized” to collect information at the direction of the government (in the United States, companies such as AT&T, Verizon, Time Warner, Comcast). But none of these tools, alone or in any combination, make you anonymous. Online privacy through secure communications is a realistic goal, but anonymity is a false promise.
Edward Snowden recently encouraged Internet users to focus on increasing privacy to defeat “mass surveillance:”
…basic steps will encrypt your hardware and … your network communications [making] you…far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you, if the NSA is after you, they are still going to get you. (emphasis added) But mass surveillance that is untargeted and collect-it-all approach you will be much safer.
As one of Golden Frog’s founders posted to the Usenet, “You are not anonymous on the Net. You can run, but you can’t hide.”
Myth #3
When my VPN provider advertises an “anonymous” service, that means they don’t log any identifying information about me
Several VPN providers advertise an “anonymous service” on the marketing pages of their website, but have terms in the fine print of their privacy policy indicating they do log.
A VPN Provider in the UK that advertised an “anonymous service” on its website was outed for turning over customer information about a LulzSec Hacker to the authorities. As you will read below, limited VPN logging is not necessarily bad, as it helps the VPN provider troubleshoot customer issues, prevent abuse of its IP space and network and offer different VPN plans (such as multi-device or GB limited plans). But advertising one service and delivering another service is wrong.
Here are some examples of VPN providers’ marketing messages that appear to contradict the fine print on the Privacy Policy page:
- Express VPN:
Website: “surf anonymously”
Privacy Policy: “In addition to the information you provide through our order-form, we may store the following pieces of data: IP address, times when connected to our service, and the total amount of data transferred per day. We store this to be able to deliver the best possible network experience to you. We keep this information secure and private. If we receive complaints regarding copyrighted materials such as music and movies being shared over our network, we may filter traffic to see which account is sending it, and then cancel that account.”
- Pure VPN:
Website: “PureVPN anonymous VPN service;” “makes you anonymous;” “anonymous web surfing”
Privacy Policy: “…we will never release any information about you or your account to anyone except law enforcement personnel with the proper documentation and paperwork.”
“Furthermore, in the course of using PureVPN services, you or someone else on your behalf may give out information about yourself or give access to your system. This information may include, but not limited to:
- Names and IP addresses
- Operating systems
- Operational logs”
- Zenmate:
Website: “surf anonymously;” “browse anonymously”
Privacy Policy: “In order to prevent attacks against ZenGuard your IP address will be saved temporarily on the server without being stored permanently or used for any other purposes.”
“When choosing an access point please note that only this server will process your IP address and request for the webpage you would like to access (the “Targeted Website”).”
“…on the server you selected, your site request and your IP address are received via an encrypted connection.”
- CyberGhost:
Website: “surf anonymously;” “top notch security and anonymity”
Privacy Policy: “CyberGhost keeps no logs which enable interference with your IP address, the moment or content of your data traffic.”
Note: The CyberGhost privacy policy was updated recently but previously stated they “may process and use personal data collected in the setup and delivery of service (connection data). This includes Customer identification and data regarding time and volume of use.” Despite this privacy policy, they still advertised an “anonymous” service. Unfortunately, their newly updated privacy policy is confusing. It appears they say they don’t log the content of your traffic, but what about connection data such as IP address? Due to their previous marketing messages contradicting their prior privacy policy, we have concerns about their current privacy policy.
What Golden Frog does
Golden Frog doesn’t advertise or promise that its VyprVPN service will make you anonymous on the Internet and we clearly outline what we log in our privacy policy.
Myth #4
When my VPN provider’s privacy policy says they “don’t log,” that means I am anonymous
When a VPN provider simply says they perform “no logging” it does not guarantee online anonymity or privacy. Any systems or network engineer will confirm that some minimal logging is required to properly maintain and optimize systems or the network. In fact, any provider claiming “no logging” should cause you to immediately question what is happening with your private data. If a VPN provider kept absolutely no logs, they wouldn’t be able to:
- Offer plans with limits on GB usage or on a per-user basis
- Limit VPN connections to 1, 3 or 5 on a per user basis
- Troubleshoot your connection or offer support for server-side problems
- Handle your DNS requests when using the VPN service. They might rely on a 3rd Party DNS provider that logs DNS requests
- Prevent abuse, such as spammers, port scanners and DDOS to protect their VPN service and their users
The logging issue is more complicated than placing a single line in your privacy policy stating “we don’t log” and then advertising your service as “anonymous.” There have been too many instances where user data was turned over by “no log” VPN providers, yet they continue to promise an anonymous service. For example, a “no-logging” VPN provider recently admitted that it used packet sniffing software to monitor customer traffic to prevent abuse. VPN users should demand more transparency from their VPN providers.
What Golden Frog does
Golden Frog is transparent about what data we retain.
Golden Frog logs the following information and we only retain it for 30 DAYS:
- Customer’s source IP address (generally the IP address assigned by the customer’s ISP)
- VyprVPN IP address used by the user
- Connection start and stop time
- Total number of bytes used
Golden Frog logs this very minimal amount of data so we can deliver the best service and so users don’t have to sacrifice speed and performance to protect their privacy and security. We never make false promises of “total anonymity” or “no logging.”
Myth #5
Even if my VPN provider uses hosted or cloud-based VPN servers I can still be anonymous
Anyone that runs server infrastructure knows running infrastructure with ZERO logs is extremely difficult, if not impossible. Now imagine how hard it would be to eliminate logging if you DIDN’T run your own infrastructure and instead rented your VPN servers and network from 3rd parties! Aside from Golden Frog, virtually all VPN providers in the world do not run their own infrastructure. Instead, VPN providers “rent” their servers and network from a “landlord,” such as a hosting company or data center. When the VPN provider “rents” instead of “owns,” how can it guarantee that its “landlord” will respect the privacy of its VPN users?
Just last year, a Dutch customer of a “no log” VPN Provider was tracked down by authorities by using VPN connection logs after using the “no log” VPN service to make a bomb threat. The VPN provider’s data center provider (“landlord”) apparently seized the VPN server at the direction of the authorities. The data center provider was also keeping network transfer logs of the VPN provider.
The VPN Provider says they cancelled the contract with the data center but strangely didn’t address the other 100+ locations where they presumably rent VPN servers. Did they cancel contracts with those data centers too? Predictably, this same VPN Provider still prominently advertises an “anonymous VPN service” and claims it keeps “absolutely no logs.”
In the forum of a different VPN Provider, a discussion thread conveniently disappeared when a user questioned whether users can trust data centers to not log.
Some questions to ask about VPN Providers who “rent” servers include:
- How can the “Server Renters/Cloud” protect their users from their hosting companies taking snapshots of their machines for backup purposes, DDOS purposes, or at the direction of law enforcement?
- How can “server renters” prevent a live migration of the hosted VPN server in which an entire image is taken of the computer, including operating system memory and hard drive, especially when live migrations can be invisible to the VPN Provider?
- What happens to the data when the hosted machine is no longer used by the VPN provider?
- If you don’t own the server, how can you be sure your landlord doesn’t have a key or backdoor into the hosted server?
What Golden Frog does
Golden Frog doesn’t “rent” servers but instead owns and operates 100% of our VPN servers, secured physically using keys, biometrics and software. Together with our sister companies, Data Foundry – a global data center provider and Giganews – the world’s leading Usenet Provider, we have been in the Internet business since the dawn of the Internet over 20 years ago.
We have the experience to run our own infrastructure on a worldwide basis, and the financial stability to make the financial investments to engineer privacy into our infrastructure. It is impossible to engineer privacy into your service if you don’t own and operate your own infrastructure.
Myth #6
Even if my VPN provider doesn’t own and operate the network I can still be anonymous
Most VPN providers (except Golden Frog of course!) don’t run their own network and instead let hosting providers run the network for them. “Running your own network” means you own and operate the router and switches. If your VPN provider does not run its own network, you are susceptible to their hosting company listening for traffic on both inbound and outbound connections. Listening to Internet traffic allows for a tremendous amount of correlation and identification of user activity.
For example, if you listen to two people talk in a restaurant you can learn enough from the conversation to identify who is talking – even if you don’t know their identity when you start listening. If a VPN provider does not run its own routers, then it can’t control who is listening to its users. Even worse, a “no-logging” VPN provider recently admitted that it used “packet sniffing” software to monitor traffic to prevent abuse.
What Golden Frog does
We own and operate our worldwide network. Besides faster speeds and increased reliability, running our own network offers VyprVPN members more privacy. Imagine if you connected at home directly to the backbone Internet providers allowing you to bypass your snooping ISP. That is effectively what happens when you connect to VyprVPN.
Not only do we encrypt the connection from your house to our servers, we connect to multi-backbone Internet providers. This makes it impossible for someone to listen to inbound connections and exceedingly difficult for anyone to listen to outbound connections because we typically have three different paths to the Internet backbone from our servers. This is a large part of what it means to run your own network.
Myth #7
Any VPN logging is bad
By logging a minimal amount of data, VPN providers can vastly improve your experience when using a VPN. VPN providers should only retain the minimum amount of data to operate their business and delete that data as soon as they don’t need it.
Edward Snowden recently said at SXSW 2014:
“One of the things I would say to a large company is not that you can’t collect any data [but] that you should only collect the data and hold it for as long as necessary for the operation of the business.”
Minimal logging provides VPN users the following benefits:
- Improved speed and performance by allowing VPN providers to optimize network connections
- Improved reliability by allowing VPN providers to identify and fix low level service issues to prevent outages
- Troubleshooting of specific customer issues, including speed, connection and application issues
- Different levels of accounts to meet customer needs, such as connection limited accounts and byte limited accounts
- Protection against abuse from spammers, port scanners, DDOS, etc, so VPN providers can terminate customers who are abusing other Internet users
- Termination of malicious users so VPNs remain a respected Internet tool for preserving users’ right to privacy, and so VPN users are not blocked from websites and services
What Golden Frog does
Golden Frog only retains the minimum amount of data to operate our business and we delete the data as soon as we don’t need it.
We log the following information and only retain it for 30 days:
- Customer’s source IP address (generally the IP address assigned by the customer’s ISP)
- VyprVPN IP address used by the user
- Connection start and stop time
- Total number of bytes used
That’s it. That’s all we log.
So, we do NOT log:
- The content of your communications
- The websites that you visit
- The services that you use
- Your physical location
- Any other personal information
We own our own servers, our own DNS (VyprDNS) and manage our own network so we can deliver on this promise to our customers. In addition, Golden Frog is incorporated in Switzerland, which offers favorable online privacy laws that we use to protect users. We are committed to operating a blazing fast, high quality infrastructure that allows VyprVPN to remain a respected tool for online privacy and freedom.
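An added illustration (not Golden Frog's code) of the point made under Myths #4 and #7: the four logged fields are enough to enforce connection-limited and byte-limited plans, and a 30-day purge bounds what is held. `Session`, `Plan`, `SessionLog` and `account_id` are hypothetical names; the account key is an assumption, since the page does not list one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RETENTION = timedelta(days=30)  # retention period stated on the page


@dataclass
class Session:
    account_id: str            # assumption: some key must tie a session to a plan
    source_ip: str             # customer's ISP-assigned address
    vpn_ip: str                # VPN address used by the customer
    start: datetime
    stop: Optional[datetime]   # None while the session is still connected
    bytes_used: int = 0        # total bytes; no URLs, DNS names or content


@dataclass
class Plan:                    # hypothetical plan model
    max_connections: int
    byte_cap: Optional[int]    # None means unlimited


class SessionLog:
    def __init__(self) -> None:
        self.sessions: List[Session] = []

    def may_connect(self, account_id: str, plan: Plan) -> Tuple[bool, str]:
        """Decide on a new connection using only the retained fields."""
        mine = [s for s in self.sessions if s.account_id == account_id]
        if sum(s.stop is None for s in mine) >= plan.max_connections:
            return False, "connection limit reached"
        used = sum(s.bytes_used for s in mine)
        if plan.byte_cap is not None and used >= plan.byte_cap:
            return False, "byte cap reached"
        return True, "ok"

    def purge(self, now: datetime) -> int:
        """Drop closed sessions older than RETENTION; return how many were removed."""
        before = len(self.sessions)
        self.sessions = [
            s for s in self.sessions
            if s.stop is None or now - s.stop < RETENTION
        ]
        return before - len(self.sessions)


def demo() -> dict:
    # Constructed sample data; addresses come from documentation ranges.
    now = datetime(2015, 6, 30, tzinfo=timezone.utc)
    day, src = timedelta(days=1), "198.51.100.7"
    log = SessionLog()
    log.sessions += [
        Session("acct-1", src, "203.0.113.10", now - 45 * day, now - 44 * day, 4_000_000_000),
        Session("acct-1", src, "203.0.113.11", now - 2 * day, now - 1 * day, 600_000_000),
        Session("acct-1", src, "203.0.113.12", now - timedelta(hours=1), None, 50_000_000),
    ]
    capped = Plan(max_connections=3, byte_cap=1_000_000_000)
    single = Plan(max_connections=1, byte_cap=None)
    before = log.may_connect("acct-1", capped)     # expired usage still counted
    purged = log.purge(now)                        # 44-day-old session removed
    after = log.may_connect("acct-1", capped)
    one_device = log.may_connect("acct-1", single)
    return {"before": before, "purged": purged, "after": after, "one_device": one_device}


if __name__ == "__main__":
    print(demo())
```

Running the purge before each limit check keeps expired sessions from counting against a customer and from being available to anyone who later obtains the log.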
Myth #8
Privacy companies don’t collect or sell my data
We have noticed a disturbing trend of “so-called” privacy companies offering free services so they can snoop on users. Just because a company offers a privacy product or service does not mean they will keep your data private. This is especially true for companies that offer free services to users. When you use a privacy tool you are often required to give access to more information than the tool can protect, so you need to trust the company. Marketing companies have rushed into the privacy space and are abusing that trust. Here are some examples:
- Onavo (by Facebook)
Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? Because the VPN functionality gives the app visibility into the network connection for the entire phone. Consequently, information such as URLs and app usage is exposed, and Facebook can examine user activity for their own purposes. The price of free is just too high.
Privacy Policy: “When you use the Apps, you choose to route all of your mobile data traffic through, or to, Onavo’s servers. As a result, we receive information regarding you, your online activities, and your device or browser when you use the Services.”
- Hola
Hola is yet another offender masquerading as a privacy company. Hola offers “secure browsing” to its users, but was recently revealed to be selling the bandwidth of its free users without their knowledge, effectively turning them into a botnet.
Privacy Policy: “The Personal Information we collect and retain include your IP address, your name and email address in case you provide us with this information (for instance when you open an account or if you approach us through the “contact us” option), screen name, payment and billing information (if you purchase premium services) or other information we may ask from time to time as will be required for the Services provisioning.”
- VPN Defender (by App Annie)
App Annie is a mobile analytics firm that collects and sells app usage data to companies, such as venture capitalists, for competitive research. App Annie bought VPN Defender last year, presumably, just like Facebook, so they could collect more app usage data. In the analytics industry, this practice is called “selling the insides.”
Privacy Policy: “Analyzing your use of mobile applications and data, which may include combining such information (including personally identifying information) with information we receive from Affiliates or third parties; Providing market analytics, business intelligence, and related services to Affiliates and third parties; Operating the Services, such as virtual private networks and device monitoring.”
- Web Proxy Services
Most proxies don’t encrypt your Internet connection, and to operate they have visibility into each and every URL you visit. A recent blog post that analyzed the security of free proxy services determined that only 21% of the over 400 services examined weren’t “shady,” and over 25% of proxies modified the web code to inject ads. Many companies who offer services to help you be “anonymous” online actually collect a great deal of personal and identifying information on their users – information which they could sell.
What Golden Frog does
Golden Frog supports its mission and is dedicated to keeping your data private and secure. We are a trustworthy provider with over 6 years of experience in the business. We log a minimal amount of information to increase performance and reliability, and offer different levels of service to prevent abuse. Our logging policy is explicitly outlined in our privacy policy.
Myth #9
All VPN software is the same
As a recent study pointed out, some VPN products can suffer from IPv6 leakage and DNS vulnerabilities, causing many users to think twice about relying on a VPN to protect them online. However, not all VPNs are created equal. When it comes to the IPv6 leak, only VPNs that run through IPv6 are in danger, and those that use 3rd-party clients (which Golden Frog does not do) are most at risk. As for the DNS vulnerabilities, most VPN providers don’t offer their own DNS servers like Golden Frog does. When DNS requests are sent over 3rd-party networks to 3rd-party DNS servers, users are more vulnerable to monitoring, logging or manipulation.
What Golden Frog does
Golden Frog’s apps are built by an in-house Dev team to deliver better control over security, such as preventing IPv6 leakage. Golden Frog runs its own DNS service, called VyprDNS, so DNS requests cannot be monitored, logged or manipulated by 3rd parties.
Myth #10
Tor is a better alternative than a VPN
Tor is frequently cited as an alternative to using a VPN. However, as several publications have correctly pointed out, Tor doesn’t make you anonymous. Even Tor admits that it can’t solve all anonymity problems and cautions users to proceed accordingly. Tor is difficult for the average Internet user to set up, and users often complain that Tor is slow. One publication even said “If you still trust Tor to keep you safe, you’re out of your damn mind.”