VPN privacy policies decoded: Introduction
As we’ve mentioned before on this blog, not all commercial VPN services are concerned about protecting your privacy, with some platforms presenting just as many surveillance risks as a regular ISP.
VPN services are, of course, free to log your data and there’s nothing dishonest about this practice if it’s openly disclosed. However, these days the acronym “VPN” has almost become a synonym for “online privacy” and many VPN companies appear to trade on this association, even if what they offer is not a real privacy service.
In this series of posts we’re going to take a closer look at some of the most popular VPN services. We will break down their privacy polices and see if they are really focused on protecting your personal data.
Privacy policies: The key elements to consider:
Clarity of policy and language used
Type of data being logged
What kind of data is being stored by the VPN service? Are they keeping logs of websites visited? Do they know your IP address and the times that your connecting to their servers? What about billing information and data used for advertising purposes? Of course, every VPN service will capture some data on its users. But we need to determine what data is most sensitive in terms of your privacy, what reason they have for collecting that data, and to what extent is the data anonymised.
Duration of data retention
Many VPN services store logs for a temporary period in order to troubleshoot problems and detect abuse on their networks. But beyond a couple of weeks, such data retention is not really necessary – unless it’s being used for potential surveillance scenarios. It’s therefore very important to know how long a VPN service retains data.
Data sharing with third parties
Does a VPN service share data with third party advertisers or other companies? What data is it sharing? What will happen if the company is acquired by a different company that wants to share data – will the user be told? Advertising data is not as sensitive as your web logs or email logs, but how a VPN service treats such data – even if it collects it at all – is a good indication of how serious it is about online privacy.
Approach to DMCA notices
DMCA stands for the Digital Millennium Copyright Act. A DMCA notice is – for our purposes – a legal tool used by copyright holders to force online services providers to disclose information on individuals suspected of copyright infringement. It’s therefore important to know how a VPN service will respond to such notices, what information it is able to disclose and whether it will protect the privacy of its users.
Behaviour when surveillance legislation changes
Surveillance across the world is undergoing something of an overhaul, as governments attempt to keep up with new tools of communication. Therefore it’s a possibility laws will change in a VPN services jurisdiction, which may impact its ability to protect its users privacy. Will the VPN inform customers of any impending changes that may affect its service? How will it adapt to the changes and will subscribers get a refund?