An important factor to consider for many when in the process of choosing a VPN service, is security. After all, many VPN service providers promise, to some degree or other, to protect your security online. In essence, the popularity of VPN services is that they provide privacy from your internet provider, what sites you visit, browsing history etc. A VPN provider effectively routes all of your internet traffic through one encrypted pipe - this makes it very difficult for any interested party to see which sites you are visiting, for example.
Which leads us to the question of zero logs. If you're not setting up your own free VPN and rely instead on a third-party VPN service, your browsing history from your internet provider is shifted to your VPN provider. If that VPN is marketing itself as a zero log provider then they should not be logging every site a user visits. And so any potential breach to a VPN service will inevitably cause alarm if it is believed that hackers have been able to access some user data (especially alarming if the zero logs policy turns out to not be 100% true). Ultimately VPNs are bound by legal notices - if they receive one then they are legally bound to hand over the data. However, if they haven’t kept the data in the first place, then they are not bound to hand over any data.
Sebastian Schaub is the founder of hide.me VPN.
All of this was perfectly illustrated recently with media reporting on such a breach against NordVPN, a tier one provider in many people’s eyes. The reported attack was against a server based in Finland and whilst NordVPN downplayed the damage caused, security researchers warned that they were ignoring the larger issue of the attacker’s possible access across the entire network. With the topic of security clearly a major cause for concern, what can users and those looking to choose a provider, do to ensure that their chosen provider is as safe as their marketing copy says that they are?
Well, for one thing you can consider the topic of audits. Increasingly in the world of VPNs, audits are being bandied about as providers seek to legitimise their claims and offer up a transparency of sorts to calm the nerves of any potential suitor, especially in a world where VPNs for Windows 10 are becoming more common. Independent auditing is certainly one way for VPN service providers to test their security features, providing their customers with peace of mind - or do they?
Let’s be clear here. Audits are certainly useful (for those wanting some kind of reassurance) but they are far from perfect. And don’t forget that there are many different types of audits - for example one type could be a penetration test / security audit to identify certain vulnerabilities. Whilst such tests might help in building trust, they are no guarantee to eliminate ALL issues. We mentioned No-log audits previously, but these audits can only evaluate the state of the system at one specific time. Ultimately a user is still required to trust the VPN because there is nothing to stop that VPN to re-enable logging once the audit has been completed. A long term trust record counts here.
With respect to this notion of trust comes organisational transparency - for instance some well-known VPNs claim to operate out of Central America, without any physical presence or public knowledge regarding their leadership. The fact is that they operate out of Eastern Europe and through VPNs in China - if you are trying to build trust, but are camouflaged behind offshore entities, whilst your actual company is operating somewhere else, and not being open about it all, then this surely belies trust?
In a similar vein, Yahoo did not disclose details regarding several hacks to the public which ultimately hurt their valuation during acquisition and caused them to lose trust from their remaining users (GDPR has tried to fix this by introducing a mandatory reporting requirement when any personal information regarding European citizens is breached).
There is no one-bullet-for-all solution here. If you're not using your own VPN router to set up your own service then you should certainly be asking these questions of your chosen VPN;
Has the VPN kept logs in the past?
There seems to be a groundswell currently for VPNs to proudly announce, “we are a zero-log VPN company now”. Many well-known VPN providers have announced the results of audits with claims of zero-log policies and no recording of users’ online activity. We had our audit done nearly 4 years ago so why has it taken others companies so long to catch up? Using a no log VPN service should mean that your provider does not collect or log any of your activity online. But there are plenty of well-known VPNs that do keep logs of your browsing sessions. For peace of mind (and maximum privacy) it is sensible to choose a no log VPN provider.
Did the VPN ever hand out user data?
Perhaps a strange question to ask but some announcements regarding VPN audits have to be taken with a pinch of salt. It wasn’t that long ago that it was reported that PureVPN were caught out by handing over user information to the FBI (no zero logs here then). Again, that word trust. How do you know that such a provider would not do the same again?
How trustworthy is the auditor and how detailed is the audit?
What about the credentials of any company carrying out these types of audits? How robust is their reporting? Any solid certification should rate VPN providers on both users security and the privacy of users’ data. Categories should then have a set of criteria upon which these providers can be rated. Providers who could fulfill all criteria are ideal candidates for certification. The audit should include security testing to determine the level of web application security and that no medium-to-high risk vulnerabilities are detected. Source code security analysis is also important here to determine that best security practices are being used in application development along with correctly implemented security measures.
Sebastian Schaub is the founder of hide.me VPN.
- Check out the best VPN for gaming.