VPN privacy policies decoded: WiTopia
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
WiTopia has a very well-written and comprehensive policy. Nevertheless it contains some worrying elements that don’t sit well with a service supposedly designed to protect user privacy. For instance, when it comes to advertising-related data, take a look at this section on the information WiTopia discloses to “outside parties.”
“It may be necessary, at times, to share certain personal information with trusted third parties who assist us in conducting our business or providing our services. These companies are authorized to use information only as necessary to provide services to us.”
“If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer information to the acquiring company.
When it comes to logging data WiTopia says it does not “monitor, record or store the content of a customer’s internet activities.” It only stores the following:
“(1) the time and network location from which a VPN connection was made; (2) the duration of the VPN connection.”
However, it prefaces this with “during normal duties,” which is could be seen as a get-out clause to allow WiTopia to store your data whenever it, or other entities, sees fit. This is further expanded upon here:
“We may release personal information, when we believe in good faith that release is necessary, to comply with legal process (such as a subpoena or court order), to protect our rights or property, to enforce the Terms of Service, or protect your safety or the safety of others.”
It’s also worth noting that even during normal duties WiTopia stores your web logs (i.e. the sites you’ve visited, dates, times, etc) for 30 days. Storing this information for so long is not necessary to troubleshoot a network. The main reason for this 30 day data retention could likely be to track down and identify users if they break terms and agreements.
To sum up…
WiTopia has a very well-written policy that gets straight to the point. But WiTopia’s policy presents the same privacy issues that we saw with HideMyAss and, to a lesser extent, StrongVPN. WiTopia’s section on DMCA takedowns doesn’t really say how a user’s privacy will be affected. WiTopia also doesn’t say what will happen if laws in its jurisdiction change, although it does appear to suggest it will comply with law enforcement if they request data.