The rise of VPN services in recent years has less to do with privacy than you might assume. Most people use them for unblocking video streaming services, websites and other online services, but that’s really a side benefit: they’re designed to offer extra layers of privacy while you use the internet.
They do this by encrypting the data being sent to and from your computer, phone or tablet so that your internet service provider cannot see what you’re doing (as it can if you don’t use a VPN).
But by using a VPN, you are routing all that data via a server owned by the VPN service. Because the data must be decrypted when it reaches the VPN server before being sent on to its final destination, the VPN service is in a position to see what you’re up to. In practice it mostly can’t, because much of that data is already encrypted (by HTTPS and other web technologies) before it ever reaches the VPN, so the VPN is wrapping already-encrypted traffic in a second layer of encryption.
Plus, any reputable VPN service will be configured to run in such a way that none of this data is ever stored or saved. This is what a no-logs policy refers to. It means that no information about which websites you visit, when you connect and disconnect or which files you download, and certainly not your IP address (which can link that activity to you) is ever recorded or kept.
Some VPN services – including NordVPN – have gone as far as either removing hard drives from their servers or making them read-only to ensure data isn’t accidentally logged. The servers use RAM as temporary storage for the files needed to operate the service and, if a server were ever seized by authorities, any data in RAM would disappear as soon as it was unplugged.
But if you run a fine-toothed comb over the privacy policy of a VPN service – which includes details about any no-logs policy – you’ll often find that some data is recorded.
For the most part, this is standard practice across the industry, and it’s all anonymous, so it can’t be traced back to any specific user. Almost always, it is done to monitor the performance of the service and improve it.
The kinds of things recorded are the types of devices people are using, such as an iPhone, a Windows laptop or an Amazon Fire TV Stick; the servers they’re connecting to (to see which are the most popular, so more can be added in the locations that most need them); and the number of simultaneous connections, so that the limit can be enforced.
NordVPN, for example, allows up to six connections to the service at any one time. If it logged literally nothing whatsoever, it would have no way of knowing how many devices you had connected to its service, and therefore no way to stop you connecting more than six devices.
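The connection limit described above only needs to know how many devices an account has open right now, not what any of them are doing. The following is an added example (not NordVPN’s code, and not a description of its infrastructure) of how such a limit can be enforced with nothing but ephemeral in-memory state: an opaque account id maps to a set of live session handles with a last-seen time, nothing is written to disk, and no traffic, destination or client IP is kept. The account id, timeouts and the `FakeClock` used in `simulate()` are constructed for the demonstration.

```python
"""Enforcing a simultaneous-connection limit with ephemeral state only.

Added example, not code from the article or from NordVPN. The only state is
an in-memory map: account_id -> {session_token: last_seen}. Nothing here
records where a session connects to, what it transfers, or which IP it came
from, and the map is gone as soon as the process stops.
"""
import secrets
import time


class SessionLimiter:
    def __init__(self, max_sessions=6, idle_timeout=300.0, clock=time.monotonic):
        self.max_sessions = max_sessions      # e.g. six devices per account
        self.idle_timeout = idle_timeout      # seconds without a heartbeat before a session is dropped
        self.clock = clock                    # injectable for deterministic tests
        self._live = {}                       # account_id -> {token: last_seen}

    def _prune(self, account_id):
        """Forget sessions that have stopped sending heartbeats."""
        now = self.clock()
        sessions = self._live.get(account_id, {})
        for token, last_seen in list(sessions.items()):
            if now - last_seen > self.idle_timeout:
                del sessions[token]
        if not sessions:
            self._live.pop(account_id, None)

    def connect(self, account_id):
        """Return a session token, or None if the account is at its limit."""
        self._prune(account_id)
        sessions = self._live.setdefault(account_id, {})
        if len(sessions) >= self.max_sessions:
            return None
        token = secrets.token_hex(16)         # random handle, carries no client information
        sessions[token] = self.clock()
        return token

    def heartbeat(self, account_id, token):
        """Refresh a live session; returns False for unknown tokens."""
        sessions = self._live.get(account_id, {})
        if token in sessions:
            sessions[token] = self.clock()
            return True
        return False

    def disconnect(self, account_id, token):
        sessions = self._live.get(account_id, {})
        removed = sessions.pop(token, None) is not None
        if not sessions:
            self._live.pop(account_id, None)
        return removed

    def active_count(self, account_id):
        self._prune(account_id)
        return len(self._live.get(account_id, {}))


class FakeClock:
    """Constructed clock so the idle-timeout behaviour can be shown deterministically."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(max_sessions=6):
    """Walk one account through the limit: fill it, get refused, idle out, reconnect."""
    clock = FakeClock()
    limiter = SessionLimiter(max_sessions=max_sessions, idle_timeout=300.0, clock=clock)
    account = "acct-7f3a"                     # constructed opaque account id
    tokens = [limiter.connect(account) for _ in range(max_sessions)]
    seventh = limiter.connect(account)        # one over the limit: refused
    clock.advance(60)
    limiter.heartbeat(account, tokens[0])     # only the first device stays alive
    clock.advance(290)                        # the rest are now 350 s idle, past the 300 s timeout
    after_idle = limiter.active_count(account)
    reconnect = limiter.connect(account)      # a slot has freed up again
    return {
        "granted": sum(t is not None for t in tokens),
        "over_limit_refused": seventh is None,
        "after_idle": after_idle,
        "reconnect_allowed": reconnect is not None,
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the design is what is absent: there is no per-session record of destinations or source addresses to subpoena, and the idle timeout means a device that drops off the network without a clean disconnect frees its slot on its own.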
In many cases, you have to trust that a VPN service is sticking by what it states in its privacy policy, but NordVPN and certain others employ outside companies – auditors – to poke around and verify that they are indeed operating according to those policies. This is one of the things we look for when we review a VPN service.
[Image: NordVPN’s iPhone app. Credit: Dominik Tomaszewski / Foundry]
An audit is all well and good, but if you dig even further into the small print you might find phrasing such as this, on NordVPN’s Warrant Canary page: “We are 100% committed to our zero-logs policy – to ensure users’ ultimate privacy and security, we never log their activity unless ordered by a court in an appropriate, legal way.”
You’d be rightly worried by this. It appears to say “We have a really great zero-log policy but we’ll log your data if a court tells us to”.
But isn’t NordVPN based in Panama precisely to prevent such court orders in the first place? Originally, the wording on this web page said that NordVPN wouldn’t comply with requests from foreign governments and law enforcement agencies, but it was changed back in January 2022, even though the page itself is still dated 20 June, 2017.
The change was reasonably widely reported by the tech press – including PCMag – at the time and, even now, the same wording is being sent out by NordVPN’s support team when asked whether it will log data. What isn’t made particularly clear, and what isn’t really helping NordVPN, is that the same is true of every other legal, legitimate VPN service and – more importantly – that it is very rare for a court to make a request like this.
You might be wondering what sort of situation would cause a court to have to issue an order to log data. Would it be to monitor suspected criminal activity? Quite possibly. Would that criminal activity be something like downloading movies illegally? Almost certainly not.
Alternatively, an order may not refer to an individual but to all users of a VPN service. A country may change its laws and make data retention mandatory. When India did just that, NordVPN, along with many other providers, removed its Indian servers rather than comply.
We spoke to NordVPN’s head of public relations, Laura Tyrylyte, to get a bit of clarification on the wording. She told Tech Advisor, “NordVPN is a legitimate company, operating according to all the laws and regulations. We do not log our customer data and our whole infrastructure is built around the notion of privacy because of our values and because we legally can operate this way. However, as [with] any other legitimate company, we must comply with the legitimate requests if these requests are issued by following all appropriate legal procedures.”
“That means that, in theory, a court could issue a binding order, compelling a company to modify the infrastructure in order to log customer data. Courts can order just about anything, again, in theory and under very specific circumstances. Such [an] order would be unprecedented, extremely unlikely and very difficult to issue. We would challenge it until the exhaustion of all available options to defend, but (and once again) in theory – it is possible.”
“The same applies to any other company in the world. Throughout 10 years of operations, being the largest VPN service provider in the world, we never got even close to such a situation, however we don’t want to mislead our customers, creating the impression that we can operate above the law. No legitimate company can.”
Theoretically, then, NordVPN and any other reputable VPN service could be forced to log customer data and change their hardware and software if necessary to do so.
But in reality, the likelihood of it being asked to is remote and even if it happened, that VPN service should fight the request as hard as it can.
You can also check pages such as NordVPN’s Warrant Canary to see if a request has been made, and can then decide whether or not to continue using the service.
As of 14 July 2022, NordVPN says it has:
- NOT received any National Security letters;
- NOT received any gag orders;
- NOT received any warrants from any government organization.
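A warrant canary only works if someone actually reads it, and the two things to look for are a statement that has quietly disappeared and a date that has stopped moving. As an added example (not a tool from the article or from NordVPN), the script below checks a canary page’s text for the three statements quoted above and for how old its “As of” date is. The sample text is constructed from the statements above rather than fetched, and the 90-day freshness window and the `today` parameter are assumptions for the demonstration.

```python
"""Checking a warrant canary for missing statements and staleness.

Added example; the sample canary text is constructed from the statements
quoted in the article, not fetched from any live page. A real check would
fetch the page over HTTPS and run check_canary() on the response body.
"""
import re
from datetime import date, datetime, timedelta

# Constructed sample modelled on the NordVPN statements quoted in the article.
SAMPLE_CANARY = """\
Warrant Canary
As of 14 July 2022, NordVPN says it has:
NOT received any National Security letters;
NOT received any gag orders;
NOT received any warrants from any government organization.
"""

# The statements whose absence would mean the canary has been tripped.
EXPECTED_STATEMENTS = (
    "NOT received any National Security letters",
    "NOT received any gag orders",
    "NOT received any warrants from any government organization",
)

DATE_PATTERN = re.compile(r"As of (\d{1,2} [A-Za-z]+ \d{4})")


def parse_canary_date(text):
    """Return the 'As of' date as a date object, or None if it cannot be found."""
    match = DATE_PATTERN.search(text)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%d %B %Y").date()
    except ValueError:
        return None


def check_canary(text, today, max_age_days=90):
    """Classify a canary page as OK, STALE (date too old or missing) or TRIPPED (statement gone).

    max_age_days is an assumed freshness window; a missing statement always
    outranks staleness because it is the stronger signal.
    """
    missing = [s for s in EXPECTED_STATEMENTS if s not in text]
    as_of = parse_canary_date(text)
    stale = as_of is None or (today - as_of) > timedelta(days=max_age_days)
    if missing:
        status = "TRIPPED"
    elif stale:
        status = "STALE"
    else:
        status = "OK"
    return {"status": status, "as_of": as_of, "missing": missing}


if __name__ == "__main__":
    print(check_canary(SAMPLE_CANARY, today=date(2022, 7, 20)))
    print(check_canary(SAMPLE_CANARY, today=date(2023, 1, 1)))
    tripped = SAMPLE_CANARY.replace("NOT received any gag orders;\n", "")
    print(check_canary(tripped, today=date(2022, 7, 20)))
```

Keeping a copy of the last known-good statements and diffing against them, as `EXPECTED_STATEMENTS` does here, is what catches the quiet removal of a single line, which is the whole mechanism a canary relies on.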
For most people – and we’re talking consumers here – a VPN should be considered an additional layer of privacy and security while using the internet. It’s important to understand their limitations and what they can and can’t do.
It’s a shame that many still claim to make you anonymous online, which isn’t true. They won’t stop your ISP from seeing how much data you’re downloading or when you’re using the internet, either.
What they are is a useful tool, whether you’re just unblocking US Netflix or hiding your activity from a government that wants to monitor everything its citizens get up to.