VPN privacy policies decoded: Boxpn
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
However, as we’ve seen with other VPN privacy policies, Boxpn is also a bit vague on its logging practices. Here’s what it says:
“boxpn global network firewalls and security softwares only collect network utilisation data which is strictly necessary for the technical functioning of the service, for example IP address and hardware utilisation.”
As we’ve explained previously, collecting and storing network data is a very common practice for VPNs, because it allows us to optimise the network and troubleshoot any problems. So it’s fine that Boxpn is doing this. However, the key issue is what data is being stored and – more importantly – how long is that data being stored for?
For example, with Hide My Ass we found out server connection times were being stored for two years. Such a long period of data retention is not really necessary for troubleshooting a network and only really makes sense if you want to provide a third party with historical information to track users’ web activity. Most VPNs serious about privacy will not store this data for any more than a week or so and ideally less than 24 hours. We can give Boxpn the benefit of the doubt, but on this point, it should be clearer.
Cookies and ads
When it comes to advertising data and cookies Boxpn says this:
“boxpn will not sell, rent, or give away any of your personal information without your consent. It is our overriding privacy principle that any personal information you provide to us is just that: private. We do not presume that you are granting us permission to share your personal information with third parties wanting to sell you products or services that you have not requested.”
Unlike some of the other VPNs we’ve looked at, this paragraph shows Boxpn is serious about the collection of ad data. However, we did run Ghostery on Boxpn’s site and found a couple of ad trackers present, such as Doubleclick, which collects anonymous data. Doubleclick does not necessarily share data with third parties, but it can if the publisher (i.e. Boxpn) is part of an ad network. The Guardian sums this up pretty well here.
When it comes to entities trying to obtain user data Boxpn says this:
“Pressure from private actors to obtain any data (including but not limited to IP address of users) if it’s an illegal act and boxpn, in order to protect its business and the users’ privacy, reserves the right to inform the competent authorities and prosecute the private entities responsible for such illegal acts [sic].”
“Pressure from private actors to obtain any data (including but not limited to IP address of users) is an illegal act and Air, in order to protect its business and the users’ privacy, reserves the right to inform the competent authorities and prosecute the private entities responsible for such illegal acts.”
So despite the grammatical inaccuracies Boxpn’s policy, once understood, is on the side of its users.
To sum up…
Overall Boxpn does seem to take privacy seriously, but it could be more clear with regards to how long it logs data and in other sections. There’s also no information on what happens if laws change in Boxpn’s jurisdiction regarding VPN services.