How can you be caught using a private VPN when there are no logs about who you are?

  • I know there are 2 kinds of VPN service (free and paid). Normally, free VPNs need money from somewhere and sometimes they can sell your information to any agency that needs it.
    Now, if we are talking about a paid VPN where they use encryption and don't keep any logs or information about the user, IP addresses, or what you're doing, how can a hacker be traced? Then the best hackers who have been caught must have been using a free VPN, because they were too cheap to pay $7-10/month, or I'm missing something.

    An excerpt from the FAQs of one of these VPN services. They have it in the privacy policy.

    How can you be sure that they're not keeping logs? Unless you see their actual infrastructure/code, you'll never know for sure.

    How about finding a chain of a few countries which do not have any diplomatic relations and using VPN over VPN over VPN... each in those countries?

    Has anyone checked out Hide.io? They're a Hong Kong based service which claims not to keep logs. I've looked at the small print on their ToS page (https://www.hide.io/page/legal) and it seems to imply that no logs are taken or can be given, and if the law changes there, they will close down the service. Can anyone verify that this is actually a VPN which really doesn't keep logs and therefore would be unable to comply with a court order?

    How about to find a chain of few countries who do not have any diplomatic relations... and are willing to sell you out in exchange for cold, hard currency since there are absolutely no laws preventing foreign entities from setting up shop and filtering all paranoid traffic. Money talks, free untampered communications walks in the lands where kickbacks are king.

    Roll the dice, pay the price. Expect some level of risk when engaging in risky activity.

    All modern VPN providers keep your logs, not limited to your IP, target IP, domain, protocol type, packet size.

    @MichałŠrajer that's possible, in an ideal situation. But there are other clues, such as card transactions, PayPal, System/Browser/Plugin/Software update traffic.

  • Adi (Correct answer)

    8 years ago

    Update/Note: This is not to discourage VPN usage. I personally use one of the providers mentioned below, and I'm very happy with it. The important point is not to have an illusion of being 100% protected by the VPN provider. If you do something bad enough that state actors are after you, the VPN provider isn't going to risk itself for you. If those coming after you are motivated enough, they'll exert all possible legal (and not so legal) powers they have. Downloading torrents or posting on anarchist forums is probably not motivating enough, but death threats to up-high politicians on the other hand... If there's one thing to take from this post, it is this: Use common sense.


    I've researched this subject for more than 3 years*: Looking for VPN providers, reading through their Privacy Policy and Legal pages, contacting them, contacting their ISPs when possible, and I've concluded the following:

    I was able to find zero reputable/trustworthy and publicly-available (free or paid) VPN service providers that:

    • Actually doesn't keep usage logs.

    • Actually doesn't respond with your personal information when presented with a subpoena.

    I'm not exaggerating, absolutely none, zero, nada, nula, nulla, ciphr, cifra.

    * Obviously not a dedicated research for 3 years

    Update: Regarding "super awesome Swedish VPN service providers". Swedish service providers obey the 'Electronic Communications Act 2003 389'. Sections 5, 6, and 7 under "Processing of traffic data" completely protect your privacy, but go a little further and read section 8:

    The provisions of Sections 5 to 7 do not apply

    1. When an authority or a court needs access to such data as referred to in Section 5 to resolve disputes.

    2. For electronic messages that are conveyed or have been dispatched or ordered to or from a particular address in an electronic communications network that is subject to a decision on secret wire-tapping or secret tele-surveillance.

    3. To the extent data as referred to in Section 5 is necessary to prevent and expose unauthorised use of an electronic communications network or an electronic communications service.

    In case the authorities order secret wire-tapping, the service provider shall not disclose information about it:

    Section 19 An operation shall be conducted so a decision on secret wire-tapping and secret tele-surveillance can be implemented and so that the implementation is not disclosed.

    Update 2: Regarding other highly recommended super anonymous VPN services (I'll go over only the top two)

    BTGuard: You only need to take one look at the Privacy Policy to know that there's something shady going on.

    • Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

    • We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

    • We will only retain personal information as long as necessary for the fulfillment of those purposes.

    • We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

    You can clearly see the intentionally vague language: "fulfilling those purposes specified by us", what are those purposes specified by them? Nobody knows. They even clearly say that they'll collect personal information when required by the law. In the last point they even state that they even don't have to inform you about the collection of your personal information unless it's "appropriate".

    PrivateInternetAccess: This is probably some of the easiest legal language in the business.

    You agree to comply with all applicable laws and regulations in connection with use of this service. You must also agree that you nor any other user that you have provided access to will not engage in any of the following activities:

    • Uploading, possessing, receiving, transporting, or distributing any copyrighted, trademark, or patented content which you do not own or lack written consent or a license from the copyright owner.

    • Accessing data, systems or networks including attempts to probe scan or test for vulnerabilities of a system or network or to breach security or authentication measures without written consent from the owner of the system or network.

    • Accessing the service to violate any laws at the local, state and federal level in the United States of America or the country/territory in which you reside.

    If you break any of their conduct conditions (mentioned above):

    Failure to comply with the present Terms of Service constitutes a material breach of the Agreement, and may result in one or more of these following actions:

    • Issuance of a warning;
    • Immediate, temporary, or permanent revocation of access to Privateinternetaccess.com with no refund;
    • Legal actions against you for reimbursement of any costs incurred via indemnity resulting from a breach;
    • Independent legal action by Privateinternetaccess.com as a result of a breach; or
    • Disclosure of such information to law enforcement authorities as deemed reasonably necessary.

    Could you elaborate on what the problem with, e.g., https://www.ipredator.se/ is? Would you count it as not trustworthy?

    @ungerade - You must be joking, right? It's a subscription based service, and that means they by necessity keep subscription related data, and they also keep access logs, not even hiding it in their legal. It is, of course, wrapped in language that would make it appear their services are reasonably safe to use, if you're incapable of reading between the lines (asking yourself, which information isn't provided and why, not which one is). The lack of information there is apparent, and doesn't exclude (not mentioned) third party involvement at all. ;)

    @ungerade I've updated my answer to cover the case of that provider and other Swedish service providers. Case #1 is a general case when it comes to court orders, and case #3 talks specifically about the "unauthorised use of an electronic communications" which is the legal jargon for hacking/cracking.

    The VPN service I use, https://www.privateinternetaccess.com/pages/privacy-policy/, claims `PrivateInternetAccess.com does not collect or log any traffic or use of its Virtual Private Network ("VPN") or Proxy.`

    Do you not have any results of your 'research' you can provide us with? Not that I'm sceptical but I feel you should be providing at least citations that can contradict the numerous claims that many VPN providers linked by Torrentfreak (https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/) keep absolutely zero logs.

    @deed02392 I understand your skepticism and you have every right to be skeptical. Unfortunately, I don't have solid evidence other than the companies' own ToS and Privacy Policy (which is more than enough, IMO). I wrote a second update especially to cover the link you mentioned.

    @Adnan thanks for your answer. So your conclusion is that, to be more secure (anonymous), the best way is to use TOR? Thanks.

    @jcho360 Exactly. This will decentralize the whole process; there won't be just a single point where authorities can present a subpoena. Granted, this won't make you 100% safe, but it's by far one of the best options.

    Re: comments made by @AndreasBonini and deed02392, I'm puzzled by how a logless VPN provider such as Private Internet Access could hand over a user's data if "We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP...We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs."

    @nitrl Well, presumably they risk getting sued for doing this then - they cannot meet requirements under law to provide an audit trail as to who accessed what.

    @nitrl Please have a look at Private Internet Access's own ToS and Legal pages. You can clearly see that they're keeping logs and they're not trying to hide it. They clearly tell you if you do something against our rules we'll inform the authorities. Now think about it, how would they know that you're doing something illegal and what would they tell the authorities if they're not keeping _some_ logs? I've mentioned all of that in my answer and I've bolded the important parts.

    @Svetlana That was what was confusing me- the fact that they claim to be "logless" and yet somehow maintain the ability to suspend abusive users or provide logs when subpoenaed. I suppose they're simply lying..

    @TildalWave PrivateInternetAccess IS a subscription service but they don't keep ANY subscriber information. You can pay for the service with a gift card from almost anywhere completely anonymously. I paid for my subscription with a Target gift card I bought with cash at 7-11. Of course they know the IP address I connect from, but only if they keep logs which goes back to the OP's question.

    @ColeJohnson Yes, and this answer applies to it. PRQ operates in Sweden, which means they're forced under "Lag (2003:389) om elektronisk kommunikation", which is explained in the post, to cooperate with law enforcement to give information about and trace hackers and other users who commit illegal activities. In fact, in their very own ToS you can read that. "PRQ shall keep confidential and not disclose information regarding the Customer **except where this required by law**". Actually, their ToS even specifies hacking as something they don't allow.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM