Pretty much every single virtual private network on the market today advertises some sort of zero-log policy for their VPN on the homepage. But what does that really mean? And what can you learn by opening up and reading the VPN privacy policy? Here’s what you need to know and the two most important questions you need to ask.
We never log!
Independently audited!
A true no-log VPN!
ZERO Logs.
But hold on…let’s rewind here and take a closer look at the fine print.
We never log…except this minimal information about your usage.
We’re independently audited…but we do collect your GPS location data and promise not to share that with anyone.
We’re a true no-log VPN, except for these mysterious cookies, your general location and system information.
How are VPN companies not getting slapped with false advertising lawsuits? It’s crazy, but this is what you need to understand as a privacy-conscious consumer as well as the two most important questions you need to ask about a VPN privacy policy before you trust any service.
Welcome to All Things Secured, my name is Josh and let me start by saying two things. First, this video is not meant to pick on any one VPN service because nowadays pretty much all VPNs market some no-log language somewhere on their website. I can almost guarantee you that any VPN website you visit will list a “no logs policy” as one of their features.
Second, the next time you hear a VPN reviewer here on YouTube or anywhere else going on about how amazing it is that such-and-such VPN has a no-logs policy, just smile and nod. I mean, it’s not their fault, really. They’ve unwittingly become part of the marketing machine that has built up Virtual Private Networks to be more than they really are.
The glory days of big data companies are over, and the pendulum is now clearly on the other side where we as consumers are extremely sensitive about our privacy.
That’s why you’re seeing companies like Google publicly removing third-party cookies and Apple making privacy front and center when it releases new OS updates. VPN companies have taken note of this trend and have had no choice but to follow along or be left behind.
The problem is that, for the most part, a lot of this is simply smoke and mirrors. Sure, Google is removing third-party cookies from Chrome, but you better believe they’re still tracking you. Apple may not monetize your data, but you better believe they use it to draw you deeper into their ecosystem.
And no, it’s definitely not in the best interests of a commercial VPN company to log your data, but genuine zero-logging is practically impossible for companies that need to provide customer support, maintain a safe network and limit abuses.
Think about it. Most VPNs limit the number of simultaneous connections you can make, meaning how many devices can be connected to their VPN servers on the same account at the same time. How can they know that unless they’re logging at least your initial device connection in some way?
Every VPN company I know has an Acceptable Use Policy that gives the company the right to terminate your account if you use the service for illegal purposes. But how would that even be possible if there isn’t some way to track some part of the data?
Here’s the deal: when most VPN companies talk about no logging, what they really mean is that they don’t log identifiable data about you. And that’s a good thing. But the phrase “We don’t log personal data that can be traced back to your account” just doesn’t look as good on a website homepage or have the same ring to it as “We are ZERO LOG!”
So when you read a VPN review that simply puts a check mark on a list of features that says “they don’t log your data”, they’re actually doing you a disservice.
There are two questions you need to ask when it comes to your data, both with a VPN and even generally with a lot of data services we use nowadays.
The wording of the first question is important. The question is not “Does this company log any data”. The answer to that is easy: Yes, they do. Rather, the question you should be asking is “What kind of data is this company logging”.
The second question is equally important: how long are they retaining that data?
The answer to both of these questions can be found in the privacy policy of most any VPN service.
Let’s take ExpressVPN as an example, since they’re probably one of the more popular VPNs on the market today. If I navigate to their privacy policy page, you’ll see that they clearly state what data they collect: they collect my personal information when I sign up, such as my name, email, payment info, etc., aggregate usage statistics, anonymized app diagnostics used for quality control, and the IP address for those who use their MediaStreamer service.
NordVPN, another popular VPN service, states that they collect the username and the timestamp of the last session status in order to enforce their simultaneous connections limit, but that data is automatically deleted 15 minutes after you disconnect.
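A minimal sketch of the trade-off described above, added here as an illustration and not code from NordVPN or any other provider: a device limit can be enforced with only a username, a session count and one timestamp, purged 15 minutes after the last disconnect. The class name, the session counter and the limit of 6 devices are assumptions.

```python
import time

RETENTION_SECONDS = 15 * 60   # retention window taken from the policy wording quoted above
MAX_DEVICES = 6               # assumed device limit, for illustration only


class SessionLimiter:
    """Enforces a per-account device limit while holding the least state possible."""

    def __init__(self, max_devices=MAX_DEVICES, clock=time.time):
        self.max_devices = max_devices
        self.clock = clock
        # username -> [active_sessions, timestamp_of_last_status_change]
        # Deliberately absent: source IP, destination, traffic volume, DNS queries.
        self.records = {}

    def purge(self):
        """Delete records for accounts idle for the full retention window."""
        now = self.clock()
        expired = [user for user, (active, ts) in self.records.items()
                   if active == 0 and now - ts >= RETENTION_SECONDS]
        for user in expired:
            del self.records[user]
        return expired

    def connect(self, username):
        """Return True if the new session is allowed, False if over the limit."""
        self.purge()
        active, _ = self.records.get(username, (0, None))
        if active >= self.max_devices:
            return False
        self.records[username] = [active + 1, self.clock()]
        return True

    def disconnect(self, username):
        """Record the end of one session; the retention countdown starts here."""
        record = self.records.get(username)
        if record and record[0] > 0:
            self.records[username] = [record[0] - 1, self.clock()]
```

The fields held in `records` answer the question of what is logged, and `RETENTION_SECONDS` answers how long it is kept.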
Now I personally like both of these VPN services and I use them both regularly, and they’re also part of a growing trend of services that boast independent audits related to their privacy.
These are great, and certainly better than nothing, but when it comes down to it, all these audits prove is that at a particular moment in time, a moment that the company knew was coming and was prepared for, their servers didn’t show any signs of storing sensitive information.
That’s like telling my 9-year-old son that I’m going to check that he made his bed at exactly 4pm in the afternoon and then using the results of my check to assume that his bed is always made throughout the day.
Did you make your bed today? Yeah, I didn’t think so.
Again, these audits aren’t bad at all. But it’s really more marketing magic than anything else.
They’re doing everything they can to convince you that you can trust their company, their servers, and their people, with your personal data.
And that’s the biggest takeaway here: a VPN is not a privacy tool. Let me say that again in case you weren’t listening the first time. A VPN is NOT a privacy tool!
You are trusting a centralized entity with your data, so unless you combine that with Tor, or some sort of decentralized network, the privacy of your data is reliant on trust.
The bottom line: if you’re trying to use a VPN to do something illegal, don’t. If you think a VPN is trustworthy just because they say they have a zero-log policy, don’t.
But if you’re researching VPNs and you care about your data, read through the privacy policy and make sure you agree with how they’re collecting and storing your data.
I still use a VPN, and I’ll list a couple that I like in the description below, but as I’ve mentioned in this video before, I use a VPN to evade censorship and geoblocked services, not because I think it’s a cloak of anonymity.