4 red flags to watch out for in VPN privacy policies


When you're trying to keep your browsing data private, today's best VPNs are an essential part of your toolkit. They hide your traffic from your ISP, keep it encrypted in transit, and mask your IP address.

However, not all VPN services can be trusted with your personal data. Most VPNs claim to abide by a no-logs policy, but it only takes a few minutes to read through the privacy policy and check whether the fine print actually backs that claim up.

You don't have to be a cybersecurity expert to evaluate these privacy policies, either. I've put together a guide to the biggest red flags you're likely to come across – so you know what to look for when vetting how a VPN handles your data.

Red flag 1: it's short, incomplete, or missing

A VPN's privacy policy is your guide to what the provider is doing with your data. The more detail a provider can offer, the better informed you are about what data you're handing over when you use the service.

As such, a solid privacy policy needs to be thorough. After reading through it, you should be aware of which data is collected, how it is used, and why the VPN is collecting it in the first place.

While there's value in making a privacy policy concise, VPN providers with poor data collection policies will often try to obfuscate their anti-privacy practices by cutting important information out of the policy. Oh, and it goes without saying, but if the VPN in question doesn't have a privacy policy at all – steer clear.

The same thing applies if critical information is missing. At a minimum, you should expect a VPN provider to outline exactly which data it collects from you while using the service.

It should also explain its processes for sharing data if and when approached by a third party – especially if this comes in the form of a law enforcement request. If a VPN glosses over these details, or fails to address them altogether, it could mean that your data is being handed over without any safeguards.

The VPN provider needs to be precise when outlining this information, too. If you see ambiguous language, it's entirely possible that the provider is trying to meet its legal obligations without explicitly informing you which data is being gathered.

There's no good reason for a VPN not to be totally transparent, so avoid the service if all you find are vague promises in this area.

Red flag 2: it's data-hungry

A VPN needs to log some data in order to function properly. For instance, to enforce the device limit on a subscription, a provider has to track how many simultaneous connections are in play, which means recording a metric such as connection times. The collected data should always be minimal and relevant, however.

A VPN that collects sensitive data, such as your IP address, browsing history, or DNS queries, is best avoided.

The VPN doesn't need this information to operate – and collecting it directly compromises your privacy, creating a record of your online activities.

Even if we assume that the VPN isn't logging your traffic for malicious purposes, such as trawling it for passwords, an attacker could still steal the logged data. Worse, law enforcement might be able to simply serve a warrant and walk away with your browsing data.

This is usually the case with free VPNs. They monetize their free plans by collecting your data, packaging it up, and serving it to third-party advertising partners.

If a VPN collects and retains more data than is absolutely necessary, it's better to look for a more privacy-conscious alternative – no matter how good the deal is.

Red flag 3: it claims to collect nothing

It's impossible to run a truly 100% log-free VPN by design. There's no way to build a VPN protocol that doesn't, at the very least, capture minimal information from the user.

Today's most reliable VPNs try to keep this data logging to an absolute minimum, but they won’t claim to collect absolutely nothing at all. A VPN needs to log connection details to ensure that its servers run smoothly and that users aren't abusing the services, after all.

To be clear, connection logs do not contain information about the content of your browsing activity. We’re talking about data points like bandwidth usage and timestamps, not the websites you've visited or what you've sent to them. Usage logs, which do record the sites you visit and what you send to them, are a serious privacy red flag and should never be retained by any VPN.

Therefore, if a provider does claim that it collects absolutely no data on you, whatsoever, including connection logs, you should treat it with suspicion.

It's an outright lie – so, if it's willing to lie about the data it collects, who's to say it's not also willing to lie about selling it on to third parties?
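The distinction drawn in red flags 2 and 3 (minimal connection metadata is acceptable, usage data such as client IPs, DNS queries and URLs is not) can be turned into a concrete check. The following is an added example, not code from the article or from any VPN provider: it audits newline-delimited JSON log records against an assumed minimal connection-log schema and flags usage fields, unexpected fields, and sensitive values smuggled into free text. The field names, the allow-list and the three sample log lines are all constructed for illustration.

```python
"""Audit VPN log records for data a privacy-respecting provider should
never retain (usage data) versus minimal connection metadata.

Constructed example: the log lines, field names and the allow-list
below are assumptions for illustration, not any real provider's schema.
"""
from __future__ import annotations

import json
import re

# Fields a provider plausibly needs for capacity planning and enforcing
# simultaneous-connection limits (assumed minimal connection-log schema).
ALLOWED_CONNECTION_FIELDS = {
    "session_id", "account_id", "server",
    "connected_at", "disconnected_at", "bytes_up", "bytes_down",
}

# Field names that indicate usage logging (assumed names).
USAGE_FIELDS = {"client_ip", "dns_query", "url", "host", "sni", "user_agent"}

# Content patterns: sensitive data can hide inside otherwise harmless fields.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample: one clean record, one with explicit usage fields,
# one with a URL hidden in a free-text field.
SAMPLE_LOG = """\
{"session_id": "7f3a", "account_id": "acct-48213", "server": "nl-ams-03", "connected_at": "2024-05-01T12:00:00Z", "disconnected_at": "2024-05-01T12:42:10Z", "bytes_up": 10240, "bytes_down": 980112}
{"session_id": "9c1e", "account_id": "acct-48213", "server": "us-nyc-11", "connected_at": "2024-05-01T13:05:00Z", "client_ip": "203.0.113.42", "dns_query": "mail.example.org"}
{"session_id": "b2d0", "account_id": "acct-77001", "server": "de-fra-02", "connected_at": "2024-05-01T13:10:00Z", "note": "user visited https://example.net/login"}
"""


def audit_record(record: dict) -> list[str]:
    """Return the findings for one log record (an empty list means clean)."""
    findings: list[str] = []
    for key, value in record.items():
        if key in USAGE_FIELDS:
            # Explicit usage field: flag it and move on.
            findings.append(f"usage field present: {key}")
            continue
        if key not in ALLOWED_CONNECTION_FIELDS:
            findings.append(f"unexpected field: {key}")
        # Even an allowed or unknown field may carry sensitive values in
        # free text, so inspect the content as well. The provider's own
        # server identifier is exempt from the IP check.
        text = str(value)
        if key != "server" and IPV4_RE.search(text):
            findings.append(f"ip address in field: {key}")
        elif URL_RE.search(text):
            findings.append(f"url in field: {key}")
        elif HOSTNAME_RE.search(text):
            findings.append(f"hostname in field: {key}")
    return findings


def audit_log(log_text: str) -> dict[str, list[str]]:
    """Audit newline-delimited JSON records, keyed by session_id."""
    results: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        results[record.get("session_id", "?")] = audit_record(record)
    return results


def is_connection_log_only(log_text: str) -> bool:
    """True when no record retains anything beyond connection metadata."""
    return all(not findings for findings in audit_log(log_text).values())


if __name__ == "__main__":
    for session, findings in audit_log(SAMPLE_LOG).items():
        status = "clean" if not findings else "; ".join(findings)
        print(f"{session}: {status}")
    print("connection log only:", is_connection_log_only(SAMPLE_LOG))
```

The allow-list approach matters more than the regexes: a provider that can enumerate every field it retains, and justify each one, is in a much stronger position than one that relies on spotting sensitive values after the fact.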

Red flag 4: the VPN is based in a privacy-unfriendly jurisdiction

Different VPN jurisdictions have different data laws. This all depends on where the VPN provider is headquartered – and means that it could be subject to hugely varying regulations when it comes to data processing and privacy.

Then, there are the operational realities of setting up shop in certain countries.

For example, most countries in Europe are subject to the EU's GDPR, which requires companies to abide by fairly strict rules about who can collect your data and how it can be accessed by a third party. However, a strong privacy policy is only as effective as the legal framework that supports it.

Although VPNs based in countries like the United States or the UK may benefit from strong privacy laws, the governments of these countries have a history of heavy-handed data collection and surveillance. Essentially, a VPN in one of these countries could be forced to retain logs or hand over data even if its policy claims otherwise.

Why do VPN privacy policies matter?

Okay, let's address the elephant in the room – VPN privacy policies are often long, boring documents stuffed with techy jargon. Even so, they're worth reading.

Without a privacy policy, there's no way of telling what user data the service collects, how it is used, and under what conditions it might be shared with third parties.

These policies also vary significantly from one provider to the next – which is why it's important to go through them carefully.

A provider might casually mention that it actually hands over your browsing data to an ad partner, for example, meaning that the VPN is actively harvesting your data to build a user profile. It's the last thing you'd expect a privacy-first VPN to be doing – so it really does pay to pay attention.

Sam Dawson
VPN and cybersecurity expert

Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.