VPN privacy policies decoded: AirVPN

Privacy & Security Posted on June 21, 2013

VPN privacy policies decoded: AirVPN

This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.

EDIT AirVPN has disputed some of this review. You can read our responses at the end of the post

AirVPN is VPN service started by a “small group of activists” in 2010 and is based in the Italy. The company has servers across Asia, Americas and Europe. Lets take a look at its privacy policy

Out of the three VPN privacy policies we’ve looked at so far in this series AirVPN takes the most sensible and privacy-orientated approach to its customer’s data. But while AirVPN seems to take user privacy seriously, it is let down by some vague language.

Logging practices

Here’s what AirVPN says about the data it logs:

“Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address. These data are not collected to identify, through elaboration or any other technique, users' personal identities. These data are not transmitted to third parties. "

We’re lacking specifics here. In particular, AirVPN does not say how the IP address is stored and if it is anonymised. The policy continues:

“Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes.”

Again, AirVPN needs to be more specific and say exactly how long it retains data for. “Data are deleted as soon as they are no more necessary for such purposes” is far to vague to be taken seriously and there is no mention of data retention periods anywhere in the privacy policy. Someone who has little knowledge of how VPNs work also has no idea how long data is typically stored for troubleshooting.

Also, as the above quote shows, AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?). Any legally binding policy needs to be clearly written and easily understood. In this respect, AirVPN is lacking.

Missing info

As we mentioned, the biggest oversight in AirVPN’s privacy policy is its lack of info on data retention periods. But AirVPN also doesn’t mention how it responds to DMCA notices and, like most other services we’ve looked at, it also doesn’t mention what it would do if laws in its jurisdiction change. AirVPN also suggests that it doesn’t retain web logs, but because it’s not specific, the policy is left somewhat open to interpretation. Unlike some other VPNs we’ve looked at, AirVPN seems to be a privacy conscious service, but it’s let down by a badly-written policy.


EDIT : AirVPN’s rebuttal and our response

We wrote: “AirVPN is VPN service started by a “small group of activists” in 2010 and is based in the Netherlands.”  However, AirVPN is in fact based in Italy. This is our oversight and has been corrected. We apologise to AirVPN for this error.

AirVPN writes: “These data are not collected to identify, through elaboration or any other technique” has an unequivocal legal meaning in the EU. It means that personal data, including IP addresses (regardless of the debate whether an IP address is a personal data or not), are not collected at all and in any way. Therefore not only we legally state that they are not stored when a client accesses a VPN service, but we also say that they are not even sent to third-parties WHILE a client is connected to a VPN server, which is a higher privacy condition. It seems, to say the least, bizarre that a higher privacy protection policy is interpreted as a lower one.

AirVPN is somewhat missing the point of these reviews, as stated in our guidelines. The vast majority of people reading such privacy policies do not have a grasp of the legal intricacies and directives being mentioned, and that this has led to false expectations around VPN services.  We believe it’s the VPN’s job to state clearly and in plain English what their practices are. The main point of this review wasn’t to say AirVPN is guilty of logging data, but that its policy is not clear enough in this regard. The point still stands.

IVPN: “Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes."

AirVPN writes: Once again, the sentence has a very precise legal meaning in the EU. The service is erogated when a client is connected, therefore when a client is disconnected the service is not erogated, ergo when a client disconnects those data are no more on the servers and the data retention period is, in the worst case, the timeout period (up to 60 seconds), in the best case 0 seconds.

Same point as above.

IVPN “AirVPN doesn’t mention anything regarding cookies, affiliates and ad data."

False. The Privacy Notice states, since three years ago:

Yes, this was a mistake by us. We’ve made the correction and offer our apologies to AirVPN.

IVPN: AirVPN also doesn’t mention how it responds to DMCA notices

That’s true and IT MUST BE SO. We will never mention how we “respond” to laws that are outside our jurisdiction and that are therefore inapplicable, simply because we are not forced to and we MUST NOT comply (and of course we must not even “respond”) to such laws. An USA Act “has jurisdiction” on the USA. We are not subject to every single law existing in the world and we will NEVER mention them as if we recognized their validity. Doing so would imply an utter incompetence on the legal field. Ironically, we would like to ask to IVPN staff why they do not state in their policy how they “respond” to every single law in the world which makes VPN business illegal.

DMCA notices are an issue that’s very important to individuals looking for a VPN service and those concerned with online freedoms.  Acknowledging that DCMA notices exist, and are an issue customers want to know our stance on,  is hardly legal incompetence. It’s about giving your users relevant information to help them make an informed decision about your service.

IVPN: AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?).

We recommend IVPN people to open a dictionary, for example the Webster dictionary, and search for “erogate”, which means “give, lay out, provide, deal out”.

“Erogate” is not a term that’s commonly used in English. There’s a dozen other words or phrases that could have been used that are better understood by the majority of people. One of the main criteria in our reviews is using plain English.

Privacy
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.

24 Comments

Steven

09.07.2013

I’m not sure why you expected them to give you reasonable responses. You start off the article by claiming the aim of your series is “to find out whether the VPN takes customer privacy seriously,” but instead you’re cherry picking things that are or are not missing in their policies.

This, along with various mistakes about them (including where they are based, cookies, affiliates), should have been enough for you to just apologize for advertising mistruths.

They spoke about DMCA when asked by Torrentfreak (https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/) and their response was extremely reasonable:

DMCAs are just ignored: no private entity claim can be considered a proof of anything (even in light of the paper by the University of Washington “Tracking the trackers – Why My Printer Received a DMCA Takedown Notice”) and the details given in DMCA notices (pertaining to p2p) lack any substantial proof of any infringement. We sometimes ask for a proof of the alleged claim, just to try to see which methods are used to make up an infringement claim, but so far all private entities have poorly failed to respond with any proof or even with technical details on how such claims are fabricated.

And then you continue to insult them about their general English. For me personally, I’d much rather someone that is knowledgeable but has broken English as opposed to some commercialized company with great English.

Stop reviewing platforms with garbage journalism. Either address the topics you intended to (“find out whether the VPN takes customer privacy seriously”) or don’t write anything at all.

Dennis Kügler

09.07.2013

Thanks for the input Steve.

First re: cherry picking/address the topic: If you read our full guidelines for these reviews, linked to at the top of every post, you’ll see the aim is to see if a VPN takes privacy seriously - as you mentioned -and to try and educate readers about how to read VPN privacy policies for themselves (i.e. get them thinking about what questions they need to ask). However, the explanatory paragraph at the top of each review could be amended to better reflect the full guidelines. If you read this review of AirVPN, we say AirVPN “seems to take privacy seriously”, and that it has the best privacy policy out of all those we’ve reviewed so far, but it’s let down by being vague - we say this twice in the review. Clarity is one of the most important points of any privacy policy. I don’t think that’s unreasonable.

re the errors: Yes we completely apologise for these two errors and we’ve corrected them. The cookies/ad data error was a bad mistake to make - I hold up my hands on that one. But that doesn’t invalidate the whole series of reviews, nor is it a good argument for us to stop. No one’s really reviewed VPN privacy policies before and tried to educate people on them, so we think this is a valid endeavour. The criticism from AirVPN has been incredibly useful and will definitely affect the way we approach further reviews.

Re TorrentFreak/DMCA - I don’t think customers should have to search around other websites to find out a service’s policy on relevant issues.

John

15.07.2013

“Erogate” is Italian, it means “provide.” With that known the construct of the sentence works.

Joe Bones

21.07.2013

I’ve got a different take on your input, Steve.

I think the author’s errors were honest, I read his stance to be surprisingly objective, and I felt his were criticisms valid and worthy of being pointed out.

For just one example, the use of the word “erogate” works great in Poindexterland. But here in PlainSpeak, USA. it’s pretentious. Just saying “provide” works better for the average person. (In fact, legislation actually had to force credit card companies to abandon endless boilerplate and sesquipedalian jargon in favor of simpler easier-to-understand phrasings.) For me, whether it’s brain surgery or paying for a VPN service, I want simple words that convey lucid concepts.

And talk of insults and apologies is a bit silly. It’s an unemotional, academically-toned analysis, not “playing the dozens”.

The right of people to have privacy in conducting their affairs is being undermined and eroded on every side, on most continents, by most governments. When Delta Airlines fires a stewardess because she complains online about the company (a situation often repeated in the years that followed) it is high time to look closer and think more deeply. And as the “HideMyAss” fiasco proved (whose owners must have been prescient when they chose that rather crude name, as they promptly got “ripped a new one”), our level of protection is only as strong as individual VPN policies designate.

Personally, I have no interest in wading through seas of jargon to distill the vapor trails that define how well my privacy is being looked after. I consider it grand good luck to have a review that is done in such a methodical, incisive fashion. For my part, I am impressed by a service that is willing to raise the issue of privacy to a higher level of public scrutiny. It is revealing, and I hope it puts the feet of other VPN services to the fire.

Criticism is essential, Steve. I don’t argue that. However, groundless nit-picking is pointless and discouraging. And when it comes to important articles, I find it irritating because it may bring a premature and entirely unwarranted end to them.

I urge the author to keep up the good work, because he is definitely being read and considered — especially in the United States, where the ill-conceived Homeland Security Act is continuing to force privacy issues into the courts.

Dave

01.08.2013

This is a really good series, Dennis, and I look forward to your analysis of more privacy policies. You do the right thing by acknowledging any mistakes and rectifying them. I feel you’ve been very fair and objective.

As a layperson in these matters, I agree that clear and precise language is invaluable when choosing a VPN service.

Again, much appreciated and keep up the good work.

Krieg

20.09.2013

Complaining about their English is extremely lame considering it is a “foreign” (read non-US) company and the person’s first language is not English. People who speak ESL make those “mistakes” quite often when they have words in their languages that sound similar but unfortunately that word in English is not that common and they might sound pretentious. But anyone with some level of understanding would realize it is just the language barrier.

Considering what it’s happening to privacy in the first world English speaking countries the future of VPNing is most probably in “unfamiliar” countries, so better get used to “broken” English.

MODERATOR: The rest of this comment was edited due to the author’s use of homophobic insults

Laura

24.09.2013

It’s like the italiano word “erogare”, but “to erogate” is english, which is supposed to be the native language of the people here.

Lucifer Stevenson

07.10.2013

Joe Bones, excellent response. I thoroughly enjoyed the read.

Jabba

22.10.2013

This review is utter crap and I can’t believe Dave is thanking Dennis for this. AirVPN is one of the best VPN providers out there and if you take a look yourself at them instead of believing what is being written here, your eyes will be opened… Anyway.. I’m out. Peace.

Dennis Kügler

23.10.2013

Jabba, this isn’t intended as a review of AirVPN, just a review of its privacy policy. We’re really not out to attack anyone here, the main goal is to get people thinking about how to read and judge privacy policies - which is incredibly important if you’re choosing a VPN. We did make a couple of bad errors on this post, which i apologise for, but they were rectified immediatedly.

Aurelio

17.04.2014

I wish my Italian were as good as their English!

John G

26.06.2014

AirVpn is a scam. When I went to sign up they put my account on hold after debiting my credit card. They claim their processor is responsible. They sent an email claiming I need to send them banking information with my personal info and/or a copy of a drivers license or passport. I submitted a screenshot of the debit to my card showing the transaction ID and they refused to open my account until I showed them my personal ID and who I was.

Their response was they have the legal right to request all the information per terms of service agreement and under no obligation to protect privacy of its users. Definitely go to another service. A true company that protects your privacy would not be asking for state identification.

Topkek

03.09.2014

To John G: The real question should be “why in god’s name aren’t you using Bitcoin???”

Anonymous Fr3@k

03.10.2014

Just a quick note I understand you are doing a review of only AirVPN’s Privacy Policy, However there is a flaw I never seen mentioned on AirVPN’s Website that should have been addressed. As a customer of AirVPN which unfortunately I paid for multiple months upfront and I am stuck with it. I recently decided to see if I could track back through the data I was receiving and transmitting. Well I was able to trace not only my personal IP instead of the IP I was Stealthed under, worse then that I could trace it all the way back to my Exact Location. To find out that I could be tracked so easily horrified me. I now use a free VPN with option to pay for more bandwidth and server connections I will not name it because I am not trying to advertise for the company. Needless to say this free VPN has Better then DoD Encryption as well and I was unable to track back past the IP I was Stealthed under. I also could not even get any data(Encrypted or Not). I just thought this would be the best place to address this after reading others comments as well as your review of AirVPN’s Privacy Policy.

I was a happy customer for a good bit of time, however I no longer am. I will not be renewing my subscription.

Eric

24.12.2014

Then what VPN we could be trust ? I think my ISP more reasonably good for me if I skip torrenting .

jjolla

10.05.2015

Dont be fooled, Bitcoin is not as anonymous as you may believe.

The coins are identifiable and therefore traceable back to whoever purchased them. And please, don’t mention exchanges … they are being snooped big time: each swap is absolutely noted.

In fact, someone did a very detailed study and found that under certain situations Bitcoins provide LESS anonymity than your Credit Card.

Also, don’t ignore that the more suspect your activity (eg using Bitcoins) the more reason you are giving the NSA or whoever to snoop on you first.

tim

24.09.2015

please tell me exactly how a bitcoin is traced back to a real person if you are making a new wallet with a computer never purchased in your name or used for anything with any private data and everything thru TOR and VPN and purchase if from a private party such as thru classided like craiglist? If you name or anyting identifing you is not used how excactly will they ever get that info? All the BITcoin data is related to the wallet used and if a new wallet is used for each transaction I can not see how it could be traced unless bit coin itself has trojan or seach capabilities which would be huge news if it was the case.

tim

24.09.2015

I did want to add that the one thing that is still the most untraceable is plain old cash. Yes it has issues if it gets stolen in the mail but if its packaged well you have good chances if you are dealing with a honest company. For someone that is really concerned about privacy and amoninity the less than 1% chance of say losing $100 is not much of than a iritation when compared to the security it gives interms of privacy and non traceability. You could even pay a bit more and you can exhance it for a another currency thus making it than much harder to even know the country of orign of the payee. Add in a remailer for good measure. AGain it all comes down to how much trouble you are willing to go thru.

tim

24.09.2015

In terms lof privacy and the EU what effects has the new law the EU passed that required two nonconflicting data points to be taken and held for each customer? Is that the correct interpetation of that law and if so does that not mean that all EU member countries regardless of their own internal privacy laws are required to keep this data for even VPN providers? That would mean I think a email adresss and IP or physical address? If this is correct then Sweden etc located VPNS do not have the protections they use to have? Again I am not saying this is fact but more a ? /confirmation. I would think the use of a TOR prior to VPN would to some extent take care of the tracking but then that leaves some with nedding to actually go bridge>tor>VPN or VPN with no tracking> tor> vpn if you want the most privacy.

nobody

29.06.2016

Their servers worked well enough for 2+ months, then connection problems started occurring more and more often. Today I posted a message on their forum telling that service is down again, and called it a “great service”. Do you know what happened? They instantly banned me on the forum, closed my VPN account (I paid for 12 months of service) and this is it!

Needless to say, they ignore all my emails and refund requests, so stay away from this “company”. Otherwise, your account will be closed and they will keep all your money in case you complain about their service.

Hopefully this post will save money of any person who has AirVPN account and thinks about making a complaint of their poor service. If you really want to send them a message about poor connections, be ready to get your account terminated in 15 minutes (this is how long it took for my account to be cancelled).

Per

24.08.2016

Great read! I love that you’re pointing out the dodgy language. I really don’t understand why people are getting butthurt over it.

I’ve spent a lot of hours reading about different VPN services, and there’s just too many with vague privacy descriptions and bad language. They should thank you for pointing that out. It probably saves them a lot of time answering e-mails and questions from people wondering what the hell they mean.

Stéphane

20.09.2016

Stay away from AirVPN. They deleted 2 of my support tickets without any comment or explanation. Later they deleted a forum post and put me on moderation queue. After they wrote me that they never deleted any tickets. I sent proof (screenshots) to them but they still claimed they didn’t do anything. AirVPN was good a few years ago. But now something very fishy is going on. I don’t trust them anymore.

Gary

01.01.2017

Stéphane, do you have any proof (valid screenshot) that correlate your accusation on AirVPN like that? If yes, why don’t you just show us if it’s ‘REAL’.? Bring it on.

Nick

02.01.2017

What a said attempt from iVPN, at reviewing of anything. I would say the intention was good though.

As for some of the comments on AirVPN from the “haters”, let me just say that the reason you ran into issues and then got into trouble for it, was probably because you guys (@nobody, @Anonymous Fr3@k, @John G), was because you guys fall under the category called: “Complete *ffing *bleep bleep bleep* fools”, if you get what I’m saying. I won’t insult you further, in case this post gets moderated - so that it’ll be easy for the mods to cut out the insults, if it’s still over the top. But it just has to be said, that you 3 are probably your own worst enemies.

Judging by your posts, you’re the types who, when they run into trouble the first time, instantly go onto a forum and complain very loudly about it. Without being very polite and most definitely without saying what went wrong exactly or providing any “actionable intelligence” that the community or Air support can use to help you. Thus, when you act impatiently and aggressively, you just get banned and/or muted. As you should, really. Yeah, it sucks if you paid for 12 months, but how about checking out how to behave properly then? It stands to reason, that if Air always banned everyone who asks questions, they wouldn’t have a forum or indeed a company. But they do and it’s quite successful.

It’s still true that Air is one of the best VPN companies out there. Why? Because they make everything secure by default, as much as possible. They stick to secure protocols, follow best-practices in their client (it’s open-source for example) and the server infrastructure is superb; high-speed connections, quality data-centers, rock-solid policies regarding *where* they are willing to set up servers and much much more. In a VPN, you should look for: transparency, good security practices (using OpenVPN, 256-bit AES encryption, etc.) and general honesty, without being contradictory. For example, if a VPN claims they respect your security/privacy/anonymity, then check that they do! If they run Google Analytics or have Facebook plugins on their site for example, that’s directly contradictory to being respectful of your privacy, as those things track you. Air has no such things on their site, by comparison.

So, to those 3 critics, get your facts straight. Because you’re wrong. I mean really, one of you claim you now use a free VPN, as if it’s an upgrade! I LOL’ed at that. Thanks for a laugh. How do you think a free VPN pays the bills? Prayers to Jesus? No. Likely by several forms of spying/advertising - and you’re the product. You worry about Air leaking your IP address and then start talking about other places having better encryption? Okay, one problem there: those things aren’t related lol. You can have the best encryption in the world and still leak your IP address, because you’re incompetent. REMEMBER: AirVPN (or any VPN) try to secure your connection to their servers. They don’t try to fix your incompetent use of a computer. Thus, if you’ve got tons of malware installed, you’re doomed. But really, it’s simple - just check ipleak.net and if you leak, turn on AirVPN network lock :p. Done. As for all the credit card stuff and support tickets - pictures or it didnt happen.

ciao.

IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN TunnelCrack vulnerability assessment Privacy & Security

IVPN TunnelCrack vulnerability assessment

Posted on September 7, 2023 by IVPN Staff

Context TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.
Most people don't need a commercial VPN to work from home securely Privacy & Security

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.