People choose to use VPNs for a wide range of reasons, from expats who want to access their home country content – newspapers, media streaming sites, online radio – while living in another country, to people who live under authoritarian regimes and want to use restricted social networks, or access blocked news websites. Regardless of their motives for doing so, people generally use VPNs based on the assumption that they are paying for extra security, and that once they are wearing the protective veil of the VPN, their online behavior is safe from prying eyes. Unfortunately, this is not always the case.
The majority of VPN providers claim that they don’t store any user logs, but the reality is that many of them are based in countries where internet laws legally require them to log data for a specified time. VPN users should be extremely careful when choosing a third-party VPN vendor, or risk being misled about their online privacy.
The truth behind VPN protection
A common misconception is that only people who want to make themselves anonymous on the internet, enter questionable websites, or harbor extreme views have use for VPN services. The reality is that anyone who uses public Wi-Fi, online banking, or e-commerce should consider protecting themselves with an encrypted VPN tunnel.
Regardless of whether their internet activity is illegal or not, there are many people who value free speech and privacy to the extent that they are willing to pay a small monthly fee to protect it. However, many people lull themselves into a false sense of security, assuming that if they pay for a VPN service to mask their internet activity, their online behavior is totally private.
The reality is that many VPN providers are based in countries where they are legally required to log user information. Under the pretence of combatting international terrorism and organized crime, law enforcement agencies throughout the world are pushing for invasive laws that force internet and telecom companies to continuously collect and store records that document the online activities of millions of ordinary users.
The European Union is well known for its extensive and highly controversial mass surveillance legislation, the mandatory Data Retention Directive (DRD), which was rolled out in March 2006 and legally requires internet companies to save user information for six to twelve months.
Countries like the UK, Canada and Australia make it compulsory for net-based companies including VPNs to log certain personal data for a time period. Some highlights about data retention laws in the UK, USA, Canada and Australia are:
- DRIP (The Data Retention and Investigatory Powers Act 2014) is an Act of the Parliament of the United Kingdom that received Royal Assent on 17 July 2014, after being introduced on 14 July 2014. The purpose of the DRIP Act is to allow security services to continue to have access to phone and internet records of individuals.
- Beginning October 13, 2015, every phone call, text message and email will be tracked by the government under a new metadata retention law in Australia. Essentially all law enforcement and security agencies, including local police, all the way up to the Australian Federal Police and ASIO, will have access to this information.
- Canada has a range of mandatory data retention laws. There are several Acts like Bill C-30 (the Protecting Children from Internet Predators Act) and Bill C-11 (the Copyright Modernization Act) which limit online privacy. Canada’s Copyright Act came into force in November 2012 and forces ISPs to keep logs, which must be handed over to copyright enforcers on demand.
- The United States doesn’t have mandatory data retention laws, but all internet companies including VPN providers are bound to monitor and store users’ logs according to the Stored Communications Act. All companies are then required to hand these over on receipt of a court order from a law enforcement agency.
- In addition to this, any legal prosecutor or investigator can ask any VPN provider to spy on any of their individual users and keep a record of his/her online activities and credit card details for 90 or more days. And, if a National Security Letter is issued under the Patriot Act, the provider is forbidden to inform the users that they are being watched.
- The FBI can collect any information from any U.S.-based company by means of a National Security Letter (NSL).
What can we do to protect our information?
95% of VPN providers claim that they don’t store any user logs; however, as I’ve discussed, this is simply not the whole truth.
When searching for a “safe” VPN service, users should search for a company that is not based in a country with mandatory data retention laws. The top five countries for ensuring your VPN is not logging data are:
- Hong Kong
The five “safe” countries outlined above have been highlighted for a number of reasons. They have high levels of internet freedom, there are no data retention laws, and these countries are not part of the international surveillance agencies partnership known as “Five Eyes”.
The Freedom on the Net report from 2014 lists the countries that have the highest and lowest levels of internet freedom based on blocked social networks, online surveillance by government bodies, cyberattacks, and the intimidation and arrests of journalists and digital activists. While Iceland, Estonia, Canada, Australia, and Germany top the list, prospective VPN users should note that Germany is the only country on the list that has resisted the E.U. DRD mandate, yet it has seen many arrests that resulted from government monitoring of online activity. Just because you are allowed to view content does not mean that your online behavior is not being logged.
Regardless of your reasons for wanting more security online, the lesson to be learned is simple: Before choosing your VPN, you should carefully check where the provider is based, and that this country has high levels of internet freedom, and does not have data retention laws. If you choose not to follow this advice, then you should accept that your online information is most likely vulnerable to snooping eyes.