
Last month, Ryan Dochuk told me about his company's new privacy policy. Companies change their privacy policies all the time, of course, but Dochuk doesn't just work for any company. He co-founded and operates the VPN service TunnelBear. And privacy, for TunnelBear's users, is a very, very big deal.

VPN stands for Virtual Private Network, though many people know it better as that thing you use to watch U.S. Netflix. It works by creating an encrypted tunnel between your computer and a faraway server that is connected to the Internet: anyone watching your local connection, whether on the coffee shop Wi-Fi or at your ISP, sees only scrambled traffic headed to the VPN server. Once your traffic leaves that server, though, it goes out onto the Internet like anyone else's, which is exactly why the operator of that server is worth thinking about. Once used primarily to remotely access corporate networks from home or while travelling, VPNs are now something anyone can use to make a coffee shop or library connection more secure.

But depending on the terms of service you agreed to when you signed up, funnelling all your Internet activity through another company – one that isn't your ISP – can create some privacy risks.

"The VPN operator has the same access to your traffic as your ISP would if you were not using a VPN: they can see what sites you connect to, read (and modify!) any unencrypted traffic, potentially redirect your traffic to phishing or malware sites if they were extremely malicious, etc." wrote Ian Goldberg, a well-known cryptographer and professor at the University of Waterloo, in an e-mail.

"A simple VPN system, even if they've promised not to log or retain data, is still subject to (a) lying, (b) being compromised by a third-party attacker, (c) being compelled by, say, a legal process to collect data."

Any VPN service announcing changes to their privacy policy or terms of service, then, could easily be cause for concern. Had TunnelBear suddenly decided to track my browsing habits and sell that data to advertisers for money? Had the company been sold? Far from it. Rather, Dochuk wanted to reduce the (already small) amount of data the company collects, and make the service's privacy policy even more transparent so that users knew exactly what information was collected, and why – a more difficult task than you might think.

"Privacy decisions have a real business impact on decisions that we make at our company, and we do make sacrifices to make sure that we respect those policies," Dochuk said.

Nearly every online service collects some data on its users, but when you run a business committed to your users' privacy, you're naturally limited in what you can collect. You'd be hard-pressed to find a reputable, privacy-conscious VPN service that actively logs the activities and browsing habits of its users – in other words, one that records what sites you visit or which apps and services you use. But many VPN services – particularly those that care less about privacy than about giving users access to foreign soccer or Netflix streams – do collect and track other things.

"The challenge there is, from an operational perspective, logs are very valuable or important. They tell you what's going on with the service," said Mark Nunnikhoven, vice president of cloud and emerging technologies at security software company Trend Micro. "If those logs aren't there, it's a lot harder to figure out what's going wrong."

The reasons a company might log are numerous: logs help in deciding how to improve network infrastructure and in solving technical problems, and they can help detect and prevent fraud. Most services will store, at the very least, a user's e-mail address, to send subscription and payment information and promotional material about the product. Some services store credit card payment data themselves, while others hand it to a third-party payment processor so that payment details can't be linked to an account.

Besides appealing to privacy-conscious users, there is an advantage to logging as little as possible from a legal perspective too. It means that, when law enforcement ask your VPN provider for records or information – or an attacker gains access to your VPN provider's infrastructure – they won't be able to find anything because there won't be anything there.

TunnelBear also stores operational data: whether or not the user was active that month, stored as a single binary value; the total amount of data used over the lifetime of the account; and the number of successful connections. Nothing is timestamped. In the VPN business – especially compared to, say, your typical startup or mobile app – that's actually quite tame.

"You can imagine, if our wish list was a hundred pieces of data long, we shrunk those down to five as being kind of our what exactly the minimum we need to operate our network," Dochuk said.

Beyond that is where logging gets murky. Some services timestamp when you connect to or disconnect from the network, and when data is sent and received. Many track and store a user's originating IP address and the outgoing IP address the traffic leaves from. That might obscure your activities in the moment from others on your network, but not from law enforcement or government agencies who approach the company afterwards: given an exit IP address and a time from some website's own logs, a retained record of which subscriber was behind that exit address at that moment is all it takes to connect the dots.

And that's just the data that relates to your connection. I've seen some services that share your e-mail with marketing affiliates – or, worse, "aggregate or non-personally identifiable information," such as how many people visited Facebook on a given day or month, but not who. One service, Hola Unblocker, collects URL requests "randomly from [a] minor percentage of Hola's users for statistics only." You can also sign up for Hola Unblocker using Facebook – a potential privacy nightmare which links all sorts of information from the social graph to your account.

"We keep no logs. We don't retain data. We don't know when our users log in, we don't know why they use our service. They don't even have to sign in with an e-mail address. And we work with a third-party payment provider so we cannot associate your name with an account," says Selena Arsene, who handles marketing at the German-Romanian VPN service Cyberghost.

"We had to do anonymous surveys for marketing purposes, because we don't know who our users are. We don't know their age. We don't know anything about them. We don't even know the basic stuff for marketing."

Trend Micro's Nunnikhoven says that some companies try to get around this marketing-versus-privacy quagmire by logging information with the caveat that it will be retained for no more than a few hours. But the distinction between not logging something and not retaining it can be dicey. It might be difficult to compel a VPN provider to start logging information in court: they could argue their service isn't built or designed for logging, and that building that functionality in would be too onerous. If a law enforcement agency knows that information is retained, though, even just for a few hours, they might have an easier time convincing a judge to order the retention period extended. Someone with unauthorized access to a VPN company's servers could just as easily extend such a retention period too: the data is already being written, and only a setting keeps it short.
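To make the two points concrete, the counter-style data TunnelBear describes versus timestamped session rows, and why "retained for a few hours" is still a window that can be widened, here is a small added example. It is constructed for this article and is not TunnelBear's, Cyberghost's or any provider's software; the account names, IP addresses, timestamps and field names are all made up.

```python
# Added example (not any VPN provider's code): a toy model of two accounting
# designs for a VPN gateway. All names, addresses and timestamps are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What a gateway can observe for one connection (constructed fields)."""
    account: str
    client_ip: str    # originating IP
    exit_ip: str      # outgoing IP, as seen by the destination site
    connect_ts: int   # Unix seconds
    bytes_used: int
    succeeded: bool


class RetainedSessionLog:
    """Stores every observed field, then purges rows older than a retention window.

    This is the "we only retain it for a few hours" design. Nothing here stops
    the window from being lengthened later by an admin, a court order, or an
    intruder who edits the configuration: the rows are being written regardless.
    """
    def __init__(self, retention_seconds):
        self.retention_seconds = retention_seconds
        self.rows = []

    def record(self, s):
        self.rows.append(s)

    def purge(self, now):
        self.rows = [r for r in self.rows if now - r.connect_ts < self.retention_seconds]

    def accounts_behind(self, exit_ip, ts, window=3600):
        """The question a request for records usually asks: who was behind exit_ip around ts?"""
        return sorted({r.account for r in self.rows
                       if r.exit_ip == exit_ip and abs(r.connect_ts - ts) <= window})


class CounterLog:
    """Per-account counters only, in the spirit of the figures the article lists:
    an active-this-month flag, lifetime bytes, and a count of successful connections.
    No IPs and no timestamps are ever written, so there is nothing to extend."""
    def __init__(self):
        self.accounts = defaultdict(lambda: {
            "active_this_month": False, "lifetime_bytes": 0, "successful_connections": 0})

    def record(self, s):
        a = self.accounts[s.account]
        a["active_this_month"] = True
        a["lifetime_bytes"] += s.bytes_used
        if s.succeeded:
            a["successful_connections"] += 1

    def accounts_behind(self, exit_ip, ts, window=3600):
        # The fields needed to answer were never captured.
        return []


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Session("alice", "203.0.113.7", "198.51.100.20", 1_700_000_000, 5_000, True),
    Session("bob",   "203.0.113.9", "198.51.100.20", 1_700_000_600, 12_000, True),
    Session("alice", "203.0.113.7", "198.51.100.21", 1_700_010_000, 0, False),
]


def demo(retention_seconds, query_delay):
    """Feed SAMPLE into both stores, purge the retained log `query_delay` seconds
    after the last session, then ask both stores who was behind 198.51.100.20
    at bob's connect time."""
    retained = RetainedSessionLog(retention_seconds)
    counters = CounterLog()
    for s in SAMPLE:
        retained.record(s)
        counters.record(s)
    now = SAMPLE[-1].connect_ts + query_delay
    retained.purge(now)
    question = ("198.51.100.20", 1_700_000_600)
    return {
        "retained": retained.accounts_behind(*question),
        "counters": counters.accounts_behind(*question),
        "counter_rows": dict(counters.accounts),
    }


if __name__ == "__main__":
    # Two-hour retention, asked three hours later: the rows are already gone.
    print(demo(2 * 3600, 3 * 3600))
    # Same system with the window quietly raised to 48 hours: the same question now has an answer.
    print(demo(48 * 3600, 3 * 3600))
```

The first call returns no accounts for the retained log, because the purge ran before the question was asked; the second returns both subscribers who shared that exit address, and the only thing that changed was one retention parameter. The counter store answers nothing in either case, because it never held an IP address or a time to begin with.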

When a provider says they don't log, Nunnikhoven says, you're "trusting that provider, that that's what they've actually got setup."

According to Dochuk, the plan over the next six to 12 months is to introduce a TunnelBear feature he calls full-radical transparency – another way of showing users what data is logged, and why. "You'll be able to log into our site and literally in real time see 100 per cent all the data that we have on you, full-stop," Dochuk says.

After all, if you're going to re-route all of your Internet traffic through the servers of another company, it had better be one you can trust.