Although a Virtual Private Network (VPN) is, by its very name, supposed to be private, some VPNs keep logs of users. This is common with free VPNs, which often do so to sell data to third parties or to create a profile for targeted advertising. Not all logging is quite so sinister, however. Some VPNs keep logs to monitor performance or to enforce usage limits.
Browsing the web is like taking a stroll on a beach. Every step you take (or website you visit) leaves a footprint that can be tracked. Your IP address acts like a digital footprint, revealing your approximate location and potentially your identity. You can use a VPN to hide your tracks and browse privately, as a VPN encrypts the data you send over the internet, making it unreadable to unauthorized users. VPNs also help prevent third parties such as your ISP, hackers, or snoopers from intercepting sensitive information, be it your passwords or credit card details.
The practice of data logging is concerning, particularly when logs link to your identity. Even the best VPN services can suffer a data breach, with personal information surfacing on the dark web and being used to commit identity theft. Browsing data may even be shared with governments, which, in countries with wide-scale online censorship, could result in legal consequences.
What data might a VPN collect?
The data a VPN collects starts with signup. In the majority of cases, this is nothing nefarious. Most VPNs require you to provide an email address for communications and payment information for billing purposes.
Here’s some of the data a VPN may collect:
Connection logs
A VPN may keep connection logs to troubleshoot issues or to manage and optimize its network. Many VPNs keep connection logs, although not all are identifying. Those that are identifying should only be temporary and deleted at the end of each session. Types of connection logs include:
- IP addresses: Your original IP address and the IP addresses you’ve been assigned by the VPN. This is identifying and, if logged, should only be kept temporarily.
- Timestamps: A record of when you connect and disconnect from the VPN servers. This information alone isn’t identifying.
- Server information: The VPN server to which you connect. Like timestamps, this information alone isn’t enough to identify you as a user.
Usage logs
Usage logs help enforce data limits, particularly in the case of free VPNs. However, VPNs keeping activity logs (the websites you visit) are best avoided as this data can identify you. Examples of this information include:
- Bandwidth usage: Monitoring the amount of data transferred during a session. This is non-identifying.
- Activity logs: A record of websites visited and data downloaded. Any VPNs keeping such logs should be avoided.
Device information
It’s not uncommon for VPNs to keep device information. As with connection logs, this may be to help a VPN provide better support or improve performance. On its own, this information is non-identifying and self-explanatory. Examples of such information could be:
- Device type
- Operating system
- App version
How to find out what data your VPN is collecting
There are multiple avenues to find out if a VPN is collecting your data:
1. Read the VPN's privacy policy
Look for sections on data collection and how that data is used. Often the difference between a quality VPN and a shady service is how accessible and easy to understand this information is.
2. Check for third-party audits
An increasing number of VPNs are subjecting their logging policies to independent audits in order to verify their no-logs claims. These audits should be carried out by reputable security or accounting firms. For example, NordVPN’s no-logs policy has been audited by Deloitte.
3. Contact customer support
Privacy policies don’t always make for the easiest or most intelligible reading. If you have any doubts, get in touch with your VPN’s support. Their responsiveness and transparency can be an indicator of how seriously they take your privacy.
In exploring the above, you may encounter some warning signs. Here are a few to look out for:
- Vague privacy policy: A VPN privacy policy should be specific about the data that it does and doesn’t collect. Any vagueness (such as using broad terms) is a red flag.
- Free VPN service: Free VPNs often make money by logging and selling user data. Use caution with free VPNs and be sure to verify how they fund their free service.
- Inconsistent claims: Some VPNs have claimed to operate no-logs policies only for it to be proven otherwise. Be suspicious if there are inconsistencies between the VPN’s privacy policy and other sources.
- VPN provider location: A VPN may operate out of a country that compels it to keep logs. Check where your VPN is headquartered and how that may impact privacy.
Does data collection always put you at risk?
No, not all data collection puts you at risk. Some data is non-identifying and used for legitimate purposes such as managing a server network or enforcing connection limits. Yet some information, be it IP addresses or browsing history, can identify you. That’s why privacy policies are so important: they can help you determine if a VPN meets your privacy needs.
Why is a privacy policy important?
A VPN’s privacy policy is essential when trying to find out if your VPN is collecting your data. It does the following:
- Informs you about data collected (connection logs, usage logs, or personal information)
- Explains why this data is collected (for service improvement, security, or legal compliance)
A quality VPN privacy policy will raise awareness and build transparency through the use of clear, detailed language.
Not everyone will mind if a VPN logs some non-identifying data. The level of acceptable logging depends on your individual privacy requirements. Knowing where to look (as well as the warning signs to look for) helps you avoid any VPNs that are likely to compromise your privacy.
Mark is a Tech Security Writer for TechRadar and has been published on Comparitech and IGN. He graduated with a degree in English and Journalism from the University of Lincoln and spent several years teaching English as a foreign language in Spain. The Facebook-Cambridge Analytica data scandal sparked Mark’s interest in online privacy, leading him to write hundreds of articles on VPNs, antivirus software, password managers, and other cybersecurity topics. He recently completed the Google Cybersecurity Certificate, and when he's not studying for the CompTIA Security+ exam, Mark can be found agonizing over his fantasy football team selections, watching the Detroit Lions, and battling bugs and bots in Helldivers 2.