All you need to know about logs when choosing a VPN service

Maximilian Holm, about Online Privacy

We often get inquiries about our logging policy, in addition to the logging policy of other companies and how we can guarantee that no logs are stored. Logging can be quite a complicated issue, as there are some things that need to be logged somewhere in order to provide a reliable service. How companies handle this issue differs from company to company, but we have a very strict policy when it comes to logging. We believe that a company should seek to log the bare minimum required to run their service, and customers should opt-in for any additional information stored on the servers. As a rule of thumb, less is better – but none is impossible.


There are plenty of VPN companies that have a "no-logging" policy (us included), but there are very few VPN companies who actually state what they log. In order to run any service, there are some things that are required to be logged. Therefore, we want to clarify a few things about our own logging policy, and also hope to help you, the reader, to be better able to identify whether or not your VPN provider lives up to their promises.

When it comes to VPN services, there are generally three categories of what may or may not be logged in their database.

User information

General information about a user. This generally consists of one or more of the following:

  • Username - Your username for the service
  • Password - Your password for the service
  • Email - Your email address
  • Payment details - Credit card information, PayPal information etc.
  • Purchase history - Any purchased subscriptions or services
  • Subscription time - Remaining subscription time
  • Full name - First/last name
  • Address - Your home address
  • Country - Country you currently reside in

Connection logs

Connection logs are simple records of incoming/outgoing connections to a VPN server. They generally consist of the following:

  • Incoming IP address - Your computer's IP address, normally the one assigned to you by your ISP
  • Outgoing IP address - The IP address assigned to you by the VPN server
  • Timestamp - start date and end date of a VPN connection
  • Data transferred - Amount of data transferred during the session

These logs are stored on an OpenVPN server by default. We do not log this information, which you can read about in the following blog post.

VPN usage logs

A VPN provider generally has access to the same information about your internet usage that your internet service provider does. In countries where an internet service provider has to log your internet usage — and if a VPN service provider were to log this information — this is what they could log:

  • Lists of websites visited - Listed by domain
  • Downloaded files - Name and size of files you have downloaded, as well as their hash value
  • Software and protocols used - For example, BitTorrent, Skype, Netflix, PlayStation 4

Using this information, they can find out a lot of things about you. For example, they could figure out if you have any health problems, get an idea of your political affiliations, sexual preferences, and more. This information could then be sold for marketing purposes. If you're not paying for a VPN with money, you're most likely paying them with your private information. As is so often mentioned when talking about free services, if you do not pay for the product, you are the product.

What does OVPN log?

Our policy is the following: unless something is required to be logged in order to run the service, we do not log it. As a bare minimum, we need a username and a password. While we do ask for an email address, this is optional.

Once you're connected to our servers, we log the following:

  1. The number of connected devices — we only add/subtract once it connects or disconnects; no other information about the device is stored. This log is necessary, as a user could otherwise connect with an infinite number of devices.

  2. Whether a customer has ever successfully connected — This is only kept as a measure to see whether a customer has successfully managed to connect. If this number during a period is ever unreasonably high, it probably means new customers encounter problems, and measures need to be taken to prevent that in the future, allowing for a better experience for all of our customers. It is stored as a boolean value, where 0 represents false, and 1 represents true. If a customer has — at any point in time — managed to connect to one of our servers, the boolean will be changed to true. It holds no other identifying information, such as when the connection occurred.
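The two records described above, and the connection-log fields listed earlier that are left out, can be seen side by side in a small sketch. This is an added example, not OVPN's code: the hook functions, the table layout, `MAX_DEVICES` and the use of `common_name` as the username are assumptions, and the environment values are constructed.

```python
import sqlite3

MAX_DEVICES = 4  # assumed per-account limit; the article does not state one

# Constructed sample of the environment OpenVPN passes to hook scripts.
SAMPLE_ENV = {
    "common_name": "alice",                 # account name (assumed to equal the username)
    "trusted_ip": "203.0.113.7",            # incoming IP address
    "ifconfig_pool_remote_ip": "10.8.0.6",  # address assigned by the server
    "time_unix": "1700000000",              # connection timestamp
    "bytes_received": "12345",              # data transferred
}

def open_store(path=":memory:"):
    """Create the only table kept: a device counter and a boolean per account."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS account ("
        "username TEXT PRIMARY KEY, "
        "devices INTEGER NOT NULL DEFAULT 0, "
        "has_connected INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def on_connect(db, env):
    """Admit the session if the account is under its device limit.
    Only common_name is read; addresses, times and byte counts are ignored."""
    user = env["common_name"]
    with db:  # one transaction: check and increment together
        db.execute("INSERT OR IGNORE INTO account(username) VALUES (?)", (user,))
        cur = db.execute(
            "UPDATE account SET devices = devices + 1, has_connected = 1 "
            "WHERE username = ? AND devices < ?",
            (user, MAX_DEVICES),
        )
    return cur.rowcount == 1

def on_disconnect(db, env):
    """Subtract one device, never going below zero."""
    with db:
        db.execute(
            "UPDATE account SET devices = MAX(devices - 1, 0) WHERE username = ?",
            (env["common_name"],),
        )

def stored_rows(db):
    """Everything that is persisted, for auditing what the hooks keep."""
    return db.execute(
        "SELECT username, devices, has_connected FROM account ORDER BY username"
    ).fetchall()
```

Calling `stored_rows` after a few sessions shows one row per account with a counter and a 0/1 flag, which is all a seized database of this shape could reveal.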

If you decide to purchase a subscription, we store the related payment in our database to keep track of active subscriptions. We also store the subscription period so that we can know if a customer has an active subscription or not. This is why we generally recommend anonymous payments.

On our website, we store a cookie stating whether you're logged in to your account or not, in order to give you access to your account details. This cookie is not used for anything other than giving a customer access to their account, and the cookie is only stored locally on your computer.

That's it, we do not require any other information. We never log the IP address you connect from, nor the address you are assigned by us. The only exception to this is when using our add-on service Public IPv4, where we are required to store what Public IPv4 address you are assigned by us. However, given that you only sign up using a username and password and then pay for your subscription using cash or Bitcoin, there is no way to connect this address to your person. This is why we recommend anyone using the add-on service Public IPv4 to pay for it anonymously.

Due to our logging policy, we have been asked how we handle requests from law enforcement agencies. While we find certain crimes to be absolutely heinous, we stand tall by our principles to not log our users. If we were to keep logs for any reason, it would mean we compromise the security and integrity of every customer – not only the customers under investigation. We simply cannot, in good faith, risk the integrity of every customer for the crimes of a select few individuals.

How do I know what a VPN logs?

Unfortunately, this is a very hard question to answer, as very few VPN companies explicitly state what they log and do not log. As a matter of fact, some VPN providers claim to have a no-logging policy, but when approached by law agencies, they turn over a whole bunch of logs they supposedly do not have.

There are, however, some things you can look for in your quest to find a trustworthy VPN provider – and let's face it, choosing a provider is all about trust.

They have a bandwidth cap — In order to cap your bandwidth, the VPN provider has to be able to measure your speed. To do this, they're required to keep connection logs, even if they're just temporary. Any log, even if just temporary, can be acquired from a server.

They have a data cap — This is even worse than a bandwidth cap, as it most certainly requires prolonged storage of the data their customers have used. There simply is no way to keep track of this information without storing logs.

They use customer speed as a marketing scheme — A lot of VPN providers make it readily available for other users to see the top speed of other users connected to their various servers. In order to do this, they actively have to measure the speed of all of their connected users. The statistics you can find on our status page do not contain the bandwidth of specific users. Instead, they show the aggregated bandwidth currently used by the server.

They use customer data as a marketing scheme — Like using customer speed as a marketing scheme, this also requires logging. Not only does it require connection logs, it also requires cumulative logging of user data in order to provide this information. The statistics you can find on our status page do not contain the data usage of specific users. Instead, they show the total data processed by the servers.

Their privacy policy states they only log what's necessary by law — This is a very murky statement, as it essentially states that they may store whatever they are asked to store by law agencies. This most likely includes connection times, the IP address you were assigned, the IP address you had when connecting to their servers, and in the worst case, it also includes websites you visit and services you use.

Their privacy policy has no mention of their logging policy — At best, as bad as the aforementioned. At worst, even worse than the aforementioned. This applies to most free VPN providers, who may log as much as they can about you, and sell it for marketing purposes.

The VPN provider rents their servers instead of hosting their own infrastructure — Not only do you have to trust that your VPN provider keeps a minimal amount of logs on their servers, you also have to trust that the company they rent their servers from does not keep any connection logs and doesn't have a backdoor into the servers.

What else can I do to avoid VPN logging?

In most situations, using a search engine to search for a VPN company's logging policy can reveal a lot of information about them. If you can find no mention of their logging policy, it is almost always a bad sign.

We also strongly recommend you ask the VPN provider what their logging policy is, as well as any other question you may have concerning their service. Any VPN company that is serious about their customers' security and integrity will be more than happy to answer any questions or concerns that potential customers may have.

The best way to ensure that a malicious VPN company does not excessively log your information and use it/sell it for marketing purposes is to avoid free VPN services. Remember: Running a secure and stable VPN infrastructure costs money. Even services with minimum staff have to pay other bills somehow. Don't let the cost be your integrity, safety, and privacy.
