VPN privacy policies decoded: VyprVPN

Privacy & Security Posted on October 23, 2013

This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.

VyprVPN is a popular and long-running VPN service set-up by Golden Frog, which also runs the Dump Truck secure online storage service. Golden Frog and VyprVPN are headquartered in the US and operate servers in across Asia, Europe and North America. So how does VyprVPN’s privacy policy stack-up?

Clarity

First of all, VyprVPN has done a good job at making its privacy policy comprehensive and easy-to-read. Unlike many other privacy policies we’ve reviewed you’re not left wondering where VyprVPN stands on the key issues. There are a few things that could’ve been included, such as how VyprVPN will react to changes in VPN-related laws in its jurisdiction, but overall the language used is very clear and the policy gets straight to the point.

Logging

VyprVPN is pretty upfront about what data it collects and says the following:

[Session data] is maintained for use with billing, troubleshooting, service offering evaluation, TOS issues, AUP issues, and for handling crimes performed over the service. We maintain this level of information on a per-session basis for at least 90 days. We may keep upload & download bytes at an aggregate level for longer periods of time.

As we’ve outlined more than once in this series, there’s no real reason to log data for much longer than a couple of weeks - if your aim is troubleshooting network issues and other such maintenance. A three month retention period will be implemented to help VyprVPN determine if anyone is violating its terms of service (which it clearly states in the above paragraph). This is where you have to ask yourself just how private VyprVPN service really is. The TOS include the following prohibited activities:

Most of that seems reasonable enough, but there’s always going to be grey areas. “Abusive language,” for instance, covers a very wide-spectrum of behavior and can mean different things to different people. “All other illegal activities” can mean different things in different jurisdictions. A relevant example is the internet TV service Aereo, which while legal in a number of states in the US, is currently facing challenges to its legality in other states.

Cookies and data

VyprVPN and Golden Frog uses cookies on its site to collect data on users, but it’s very clear about not sharing “personally identifiable” information with “affiliates, independent contractors, business partners or outside entities for marketing purposes or otherwise.” This is good to hear. A Ghostery check reveals seven trackers on the main site, including Doubleclick, which does not necessarily share data with third parties, but it can if the publisher is part of an ad network.

Criminal and civil investigations

One welcome aspect of VyprVPN’s privacy policy, which is often not included by other VPNs, is a clear outline of how it responds to civil and criminal investigations. Basically Golden Frog says it will only release personally identifiable information if served with a subpoena. But the key point to remember is that VyprVPN will have at least three months of activity logged and ready to hand over. There are plenty of other VPNs out there that don’t store this information for any significant length of time.

To sum up…

VyprVPN is honest, upfront and clear in its privacy policy, but its 90 day data retention period leaves a lot to be desired, especially when there are many other VPNs out there who only store data for network troubleshooting purposes.

Privacy
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.

1 Comments

Dundale

24.10.2013

So basically you are paying really for encryption that can still be read if required.

Tsk, I would never sign up for one like that. Glad ivpn is honest also about its logging of private information.

IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN TunnelCrack vulnerability assessment Privacy & Security

IVPN TunnelCrack vulnerability assessment

Posted on September 7, 2023 by IVPN Staff

Context TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.
Most people don't need a commercial VPN to work from home securely Privacy & Security

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.