Source: TorrentFreak Original Author: Ernesto Post Date: March 15, 2014 Link in TorrentFreak: Which VPN Services Take Your Anonymity Seriously? 2014 Edition
Quote:
Millions of people use a VPN service to protect their privacy, but not all VPNs are as anonymous as one might hope. In fact, some VPN services log users' IP-addresses for weeks. To find out how secure VPNs really are, TorrentFreak asked the leading providers about their logging policies, and more.
By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.
To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. A VPN hides the user's real IP-address from the sites and peers they connect to and keeps their ISP from snooping on the traffic, but it does so only to the extent that the VPN provider itself keeps no record of who was using which address when.
Unfortunately, not all VPN services are as anonymous as they claim.
Following a high-profile case of an individual using an ‘anonymous’ VPN service that turned out to be not so private, TorrentFreak decided to ask a selection of VPN services some tough questions.
By popular demand we now present the third iteration of our VPN services “logging” review. In addition to questions about logging policies we also asked VPN providers about their stance towards file-sharing traffic, and what they believe the most secure VPN is.
—
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
3. What tools are used to monitor and mitigate abuse of your service?
4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
5. What steps are taken when a valid court order requires your company to identify an active user of your service?
6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
7. Which payment systems do you use and how are these linked to individual user accounts?
8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
—
What follows is the list of responses from the VPN services, in their own words. Providers who didn't answer our questions directly, or who failed outright by logging everything, were excluded. Please note, however, that several VPN companies listed here do log to some extent. The order of the list is not a ranking.
Private Internet Access
1. We absolutely do not log any traffic nor session data of any kind, period. We have worked hard to meticulously fork all daemons that we utilize in order to achieve this functionality. It is definitely not an easy task, and we are very proud of our development team for helping Private Internet Access to achieve this unique ability.
2. We operate out of the US which is one of the few, if only, countries without a mandatory data retention law. We explored several other jurisdictions with the help of our professional legal team, and the US is still ideal for privacy-based VPN services.
We severely scrutinize the validity of any and all legal information requests. That being said, since we do not hold any traffic nor session data, we are unable to provide any information to any third-party. Our commitment and mission to preserve privacy is second to none.
3. We do not monitor any traffic, period. We block IPs/ports as needed to mitigate abuse when we receive a valid abuse notification.
4. We do not host any content and are therefore unable to remove any of said content. Additionally, our mission is to preserve and restore privacy on the Internet and society. As such, since we do not log or monitor anything, we’re unable to identify any users of our service.
5. Once again, we do not log any traffic or session data. Additionally, unlike the EU and many other countries, our users are protected by legal definition. For this reason, we’re unable to identify any user of our service. Lastly, consumer protection laws exist in the US, unlike many other countries. We must abide by our advertised privacy policy.
6. We do not discriminate against any kind of traffic/protocol on any of our servers, period. We believe in a free, open, and uncensored internet.
7. Bitcoin, Ripple, PayPal, Google Play (Mobile), OKPay, CashU, Amazon and any major Gift Card. We support plenty of anonymous payment methods. For this reason, the highest risk users should definitely use Bitcoin, Ripple or a major gift card with an anonymous e-mail account when subscribing to our privacy service.
8. We’re the only provider to date that provides a plethora of encryption cipher options. We recommend, mostly, using AES-128, SHA1 and RSA2048.
Private Internet Access website
BTGuard
1. We do not keep any logs whatsoever.
2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event in which we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.
3. If serious abuse is reported we enable tcpdump to confirm the abuse and locate the user. These dumps are immediately removed. If the user is abusing our service they will be terminated permanently but we have never shared user information with a 3rd party.
4. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.
5. We take every step within the law to fight such an order.
6. Yes, all types of traffic are allowed with our services.
7. We accept PayPal and Bitcoin. All payments are linked to users' accounts because they have to be for disputes and refunds.
8. 256-bit AES is the most secure. However 128-bit blowfish is plenty good. If you’re concerned about surveillance agencies such as the NSA, their capabilities are shrouded in secrecy and claiming to be able to protect you is offering you nothing but speculation. As far as what’s publicly available for deciphering encryption, both of the encryptions I mentioned are more than sufficient.
BTGuard website
TorGuard
1. TorGuard does not store any IP address or time stamps on any VPN and proxy servers, not even for a second. Further, we do not store any logs or time stamps on user authentication servers connected to the VPN. In this way it is not even possible to match an external time stamp to a user that was simultaneously logged in. Because the VPN servers utilize a shared IP configuration, there can be hundreds of users sharing the same IP at any given moment further obfuscating the ability to single out any specific user on the network.
2. TorGuard is a privately owned company with parent ownership based in Nevis and our headquarters currently located in the US. Our legal representation at the moment is comfortable with the current corporate structuring however we wouldn’t hesitate to move all operations internationally should the ground shift beneath our feet. We now offer VPN access in 23+ countries worldwide and maintain all customer billing servers well outside US borders.
We would only be forced to communicate with a third-party in the event that our legal team received a court ordered subpoena to do so. This has yet to happen, however if it did we would proceed with complete transparency and further explain the nature of TorGuard’s shared VPN configuration. We have no logs to investigate, and thus no information to share.
3. Our network team uses commercial monitoring software with custom scripts to keep an eye on individual server load and service status/uptime so we can identify problems as fast as possible. If abuse reports are received from an upstream provider, we block it by employing various levels of filtering and global firewall rules to large clusters of servers. Instead of back tracing abuse by logging, our team mitigates things in real-time. We have a responsibility to provide fast, abuse-free VPN services for our clients and have perfected these methods over time.
4. In the event of receiving a DMCA notice, the request is immediately processed by our abuse team. Because it is impossible for us to locate which user on the server is actually responsible for the violation, we temporarily block the infringing server and apply global rules depending on the nature of the content and the server responsible. The system we use for filtering certain content is similar to keyword blocking but with much more accuracy. This ensures the content in question to no longer pass through the server and satisfies requirements from our bandwidth providers.
5. Due to the nature of shared VPN services and how our network is configured, it is not technically possible to effectively identify or single out one active user from a single IP address. If our legal department received a valid subpoena, we would proceed with complete transparency from day one. Our team is prepared to defend our clients' right to privacy to the fullest extent of the law.
6. BitTorrent is only allowed on select server locations. TorGuard now offers a variety of protocols like http/socks proxies, OpenVPN, SSH Tunnels, SSTP VPN and Stealth VPN (DPI Bypass), with each connection method serving a very specific purpose for usage. Since BitTorrent is largely bandwidth intensive, we do not encourage torrent usage on all servers. Locations that are optimized for torrent traffic include endpoints in: Canada, Netherlands, Iceland, Sweden, Romania, Russia and select servers in Hong Kong. This is a wide range of locations that works efficiently regardless of the continent you are trying to torrent from.
7. We currently accept payments through all forms of credit or debit card, PayPal, OKPAY, and Bitcoin. During checkout we may ask the user to verify a billing phone and address but this is simply to prevent credit card fraud, spammers, and keep the network running fast and clean. After payment it is possible to change this to something generic that offers more privacy. No VPN or Proxy usage can be linked back to a billing account due to the fact we hold absolutely no levels of logging on any one of our servers, not even timestamps!
8. For best security we advise clients to choose OpenVPN connections only, and if higher encryption is called for use AES256 bit. This option is available on many locations and offers excellent security without degrading performance. For those that are looking to defeat Deep Packet Inspection firewalls (DPI) like what is encountered in countries such as China or Iran, TorGuard offers “Stealth” VPN connections in the Netherlands, UK and Canada. Stealth connections feature OpenVPN obfuscation technology that causes VPN traffic to appear as regular connections, allowing VPN access even behind the most strict corporate wifi networks or government regulated ISPs.
TorGuard website
Privacy.io
1. We do not log any information on our VPN servers. The only scenario is if a technical issue arises, but we request permission from the user first, and we only do it for the duration of the job, and then it is removed.
2. We are in the process of moving jurisdictions away from Australia at present as we are unsure what our current government plans to do in regards to our privacy. We have not decided where yet.
3. Only SMTP port 25 is filtered to mitigate spam, but we are working on some tools to make it easier for users to send mail.
4. Any DMCA request is ignored, as we have no logs to do anything about them.
5. Same as above, as we do not log, so we are unable to provide any information. If the law attempts to make us do such things, we will move our business to a location where that cannot occur, and if that fails we will close up shop before we provide any information.
6. All protocols are allowed with our service, with the only exception of SMTP port 25 currently being filtered.
7. At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key. Bitcoin and Litecoin are also on the agenda.
8. At present we offer 128 bit for PPTP and 256 bit for OpenVPN. We plan to offer stronger encryption for the security conscious.
Privacy.io website
VikingVPN
1. No. We run a zero knowledge network and are unable to tie a user to an IP address.
2. The United States; it doesn't have data retention laws, despite its draconian surveillance programs. The only information we share with anyone is billing information to our payment gateway. This can be anonymized by using a pre-paid anonymous card. If asked to share specific data about our users and their habits, we would be unable to do so, because we don't have any logs of that data.
3. That is mostly confidential information. However, we can assure our users that we do not use logging to achieve this goal.
4. In the event of a DMCA notice, we send out the DMCA policy published on our website. We haven’t yet received a VALID DMCA notice.
5. We exhaust all legal options to protect our users. Failing that, we would provide all of our logs, which do not actually exist. If required to wiretap a user under a National Security Letter, we have a passively triggered Warrant Canary. We would also likely choose to shut down our service and put it up elsewhere.
6. Yes. Those ports are all open, and we have no data caps.
7. We currently only take credit cards. Our payment provider is far more restrictive than we ever imagined they would be. We’re still trying to change payment providers. Fortunately, by using a pre-paid credit card, you can still have totally anonymous service from us.
8. A strong handshake (either RSA-4096+ or a non-standard elliptic curve as the NIST curves are suspect). A strong cipher such as AES-256-CBC or AES-256-GCM encryption (NOT EDE MODE). At least SHA1 for data integrity checks. SHA2 and the newly adopted SHA3 (Skein) hash functions are also fine, but slower and provide no real extra assurances of data integrity, and provide no further security beyond SHA1. The OpenVPN HMAC firewall option to harden the protocol against Man-in-the-Middle and Man-on-the-Side attacks.
VikingVPN website
IVPN
1. IVPN’s top priority is the privacy of its customers. We use non-persistent logs (stored in memory) which are deleted after 10 minutes. That tiny window gives us the ability to troubleshoot connection issues, whilst still making it practically impossible for any 3rd party to match an IP to a time-stamp.
2. IVPN is incorporated in Malta. We would ignore any request to share data unless it was served by a legal authority with jurisdiction in Malta in which case we would inform them that we don’t have the data to share. If we were served a subpoena which compelled us to log traffic we would find a way to inform our customers and relocate to a new jurisdiction.
3. We use a tool called PSAD to mitigate attacks originating from customers on our network. We also use rate-limiting in iptables to mitigate SPAM.
4. We ensure that our network providers understand the nature of our business and that we do not host any content. As a condition of the safe harbor provisions they are required to inform us of each infringement which includes the date, title of the content and the IP address of the gateway through which it was downloaded. We simply respond to each notice confirming that we do not host the content in question.
5. Assuming the court order is requesting an identity based on a timestamp and IP, our legal department would respond that we don’t have any record of the user’s identity nor are we legally compelled to do so.
6. We ‘allow’ BitTorrent on all servers except gateways based in the USA. Our USA network providers are required to inform us of each copyright infringement and are required to process our response putting undue strain on their support resources (hundreds per day). For this reason providers won’t host our servers in the USA unless we take measures to mitigate P2P activity.
7. We currently accept Bitcoin, Cash and PayPal. No information relating to a customers payment account is stored with the exception of automated PayPal subscriptions where we are required to store the subscription ID in order to assign it to an invoice (only for the duration of the subscription after which it is deleted). Of course PayPal will always maintain a record that you have sent funds to IVPN but that is all they have. If you need to be anonymous to IVPN and don’t wish to be identified as a customer then we recommend using Bitcoin or cash.
8. We recommend and offer OpenVPN using the strongest AES-256 cipher. For key exchange and authentication 2048-bit RSA keys are used (which RSA claims are sufficient until 2030).
IVPN website
PrivatVPN
1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names, but it’s not possible to bind an activity on the Internet to a user.
2. We operate in Swedish jurisdiction. Since we do not log any IP addresses we have nothing to disclose. Circumstances don’t matter in this case; we have no information regarding our customers’ IP addresses and activity on the Internet. Therefore we have no information to share with any 3rd party.
3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.
4. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.
5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.
6. Yes, we allow Torrent traffic.
7. PayPal, Payson and Plimus. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.
8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key.
PrivatVPN website
PRQ
1. No. We do not log anything and we only require a working e-mail address to be a customer.
2. Swedish. We do not share information with anyone.
3. Not disclosed.
4. Put it in the trash where it belongs!
5. None, since we do not have any customer information and no logs.
6. We host anything as long as it’s not SPAM related or child porn.
7. Visa/Mastercard, Bitcoin, PayPal. No correlation between payment data and customer data.
8. We provide OpenVPN services (along with dedicated servers and other hosting services).
PRQ website
Astrill
1. We do not keep logs. Customers share the same public IP address by default, unless they opt for a dedicated IP. Therefore, technically, it’s impossible to trace online activity and link it with a real person. We collect personal information (Email, name, address, phone) which is used by our credit card processors. In case a customer pays using other means, we don’t need any such information; customers can enter any fake information as they desire.
2. We are a Seychelles company, therefore we will disclose information about a customer, if a customer can be identified at all, and only if this was requested through legal channels of the Republic of Seychelles.
3. We may enable logs on a server in case of network abuse reported by our Internet provider to identify the customer (for example spamming is the most frequent abuse). In some cases network abuses are not deliberately caused by customers, for example their system may be infected by malware sending spam. In such case, we will ask the customer to clean their system with an anti-virus software.
4. We do not store any files, we provide IP transit only. Therefore, we can’t fulfill any “takedown”. All P2P-related DMCA notices are trashed and customers will never see them. These complaints have no technical ground, IP addresses are not persons and most of DMCA notices are extortion attempts, therefore illegal. We have a strong legal team so DMCA notices are of least possible concern to us.
5. The majority of users use shared IP space therefore we are not able to identify the customer. Our answer is something like: “Unfortunately we were not able to identify the customer from the information you have sent us. Due to deficiency of IPv4 address space, thousands of customers share the same IP address. Therefore it’s impossible for us to provide further information.”
6. P2P activity is allowed on many of our servers in USA, Europe, Asia. On some servers, as we have to abide by AUP of our Internet providers, P2P is blocked in our firewall. This is something we hate to do.
7. We provide all popular payment methods, from credit cards, PayPal, Alipay to anonymous methods like BitCoin, Perfect Money and coupons which can be purchased through our resellers network. With standard payment methods, our credit card processors will keep transaction logs with all information provided by customers. There’s nothing we can do regarding that – credit cards are never meant to be anonymous payment methods. Therefore, we offer BitCoin, PM and coupons for customers who prefer complete anonymity. In such case they can provide no information or fake information, we don’t care.
8. We provide all standard VPN protocols: OpenVPN, SSTP, Cisco IPSec, L2TP/IPSec, PPTP. We offer all standard encryption algorithms, for example BlowFish 128-512 bit, AES 128-256 bit. We also offer European and Japanese standards, which are not “approved” by NSA. For example Camellia 128-256bit and CAST 128-512 bit (used also by PGP software). It’s up to the customer which standard they prefer, NSA approved AES or other algorithm. Of all VPN protocols, we don’t recommend PPTP. Other protocols are considered secure by security experts. AES-256 is used by banks.
Astrill website
Mullvad
1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and our upcoming IPv6 support.
2. Swedish jurisdiction. Under no circumstance we will share information with a third-party. First of all we take pains to not actually possess information that could be of interest to third parties, to the extent possible. In the end there is no practical way for the Swedish government to get information about our users from us.
3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.
4. There is no such Swedish law that is applicable to us.
5. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.
6. Yes.
7. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.
8. We use OpenVPN. We also provide PPTP because some people want it but we strongly recommend against it. Encryption algorithms and key lengths are important but often get way too much attention at the expense of other important but harder to measure things such as leaks and computer security.
Mullvad website
BlackVPN
1. Yes. When a user connects we log the time stamp of their connection plus the internal IP address assigned (which can be mapped to a shared external IP address). This information is kept for 7 days on our Privacy locations and 30 days on our TV locations (USA, UK, Canada & Singapore). We NEVER log a user’s real IP address; however, we cannot guarantee that this information is not logged by someone else (such as the data center, NSA or GCHQ).
2. BlackVPN operates under the jurisdiction of Hong Kong since it has no Mandatory Data Retention laws and a strong Bill of Rights which protects its citizens’ freedom of speech. China and Hong Kong care little about copyright enforcement or US/UK demands – which was tested recently when Hong Kong rejected demands for the extradition of Edward Snowden. The ancient proverb still holds true today: The enemy of my enemy is my friend.
Only once we receive a valid court order from a Hong Kong court will we share any information with a 3rd party.
3. We have no way of detecting abuse other than complaints from 3rd parties which contain a BlackVPN IP address and a time stamp. If the complaint relates to a Privacy location then it must be less than 7 days old for us to act on it. Otherwise our only solution is to temporarily blacklist that site/service for all BlackVPN users until the offender goes away.
This is why we’ve had to permanently block SMTP (for sending email) on all of our servers – we have no way of knowing which user is spamming so unfortunately we have to block it for everyone.
We host our own website analytics software (Piwik) which is configured to only log the first two octets of an IP address (e.g. 63.122.0.0) plus our own support system (OSticket) which always logs 0.0.0.0 as the IP address. Fraud is monitored and managed by our payment providers (PayPal and CardPay). No other tools or logging (such as WireShark) have ever been used to monitor or spy on our users.
4. These are ignored on our Privacy locations as we have chosen countries which do not enforce them or downloading for personal use is legal. On our TV locations we warn all customers who were sharing that IP address at the time and will ban repeat offenders from our TV locations.
5. We have NEVER received a valid court order to identify any user. We have received requests from various European law enforcement agencies asking us to assist them without even having a local court order. Our response has always been to ask for a valid court order from Hong Kong, but so far none of them have complied.
If and when we do receive a valid court order then we will immediately comply and hand-over any information that we have – including connection timestamps, payment records and email addresses. We’re not here to help anyone get away with a serious crime but we are here to help users evading unjust censorship or copyright violations.
6. Yes it is allowed on our Privacy locations but not ALL locations. In the USA and UK the data centers that we work with are also under extreme pressure from the copyright cartel and lawmakers, so if we don’t take action our servers will soon get cut off.
7. PayPal, Credit Cards and Bitcoin. For each transaction we record the BlackVPN user ID, time stamp, payment method and the payment provider’s transaction ID so that we can process refunds and fix errors when the automatic process fails. Our payment providers don’t know which transaction belongs to which VPN account – that would require a Hong Kong court order for us to divulge.
8. OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it harder to block as the traffic looks like standard SSL traffic.
OpenVPN is slightly more effort to set up than L2TP/IPsec or PPTP (download and install a client for Windows, OS X, Linux, Android 4+ and iOS 5+) but it should be the default way for most people to connect to their VPN. We have been using OpenVPN securely (2048 bit RSA keys and AES-256) since our beginning in 2009 so previous traffic should still be secure from decryption.
BlackVPN website
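BlackVPN's answer above says a user can check a provider's OpenVPN profile for the cipher and key strength themselves, and VikingVPN's answer earlier recommends the OpenVPN "HMAC firewall" (tls-auth). The script below is an added example written for this page, not code from TorrentFreak or from any provider quoted here. It parses a .ovpn profile and reports the data-channel cipher and HMAC, whether tls-auth or tls-crypt is configured, the minimum TLS version, and the transport and port in use (for example TCP/443 as BlackVPN mentions). The allowlists of acceptable ciphers and HMACs, the two sample profiles and the hostname vpn.example.invalid are this editor's assumptions; the script does not inspect the certificate's RSA key size, which would need an X.509 parser.

```python
"""Audit an OpenVPN client profile (.ovpn) for weak transport settings.

Added example; the STRONG_* allowlists are this editor's assumptions,
not OpenVPN defaults, and the sample profiles below are constructed.
"""
import re
from typing import Dict, List, Optional

STRONG_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM",
                  "AES-128-CBC", "AES-192-CBC", "AES-256-CBC",
                  "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appeared with.

    Inline blocks such as <ca>...</ca> become one entry whose single
    argument is the block body, so their presence can be checked.
    """
    directives: Dict[str, List[List[str]]] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            name, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i])
                i += 1
            i += 1  # step past the closing tag
            directives.setdefault(name, []).append(["\n".join(body)])
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_ovpn(text: str) -> Dict[str, object]:
    """Return the effective cipher/HMAC/transport plus a list of findings."""
    d = parse_ovpn(text)

    def first(name: str) -> Optional[str]:
        args = d.get(name)
        return args[0][0] if args and args[0] else None

    findings: List[str] = []

    # OpenVPN's historical defaults were BF-CBC and SHA1 when unspecified.
    cipher = (first("cipher") or "BF-CBC").upper()
    if cipher not in STRONG_CIPHERS:
        findings.append(f"weak or legacy data-channel cipher: {cipher}")

    auth = (first("auth") or "SHA1").upper()
    aead = "GCM" in cipher or "POLY1305" in cipher  # AEAD modes ignore --auth for data
    if not aead and auth not in STRONG_AUTH:
        findings.append(f"weak data-channel HMAC: {auth}")

    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel accepts "
                        "unauthenticated packets (no 'HMAC firewall')")

    tls_min = first("tls-version-min")
    if tls_min is None or float(tls_min) < 1.2:
        findings.append(f"tls-version-min missing or below 1.2 (got {tls_min})")

    # Transport: 'remote host [port [proto]]' overrides --port/--proto.
    remote = d.get("remote", [[]])[0]
    proto = (remote[2] if len(remote) > 2 else first("proto") or "udp").lower()
    port = remote[1] if len(remote) > 1 else first("port") or "1194"
    return {"cipher": cipher, "auth": auth,
            "transport": f"{proto}/{port}", "findings": findings}


# Constructed sample profiles (placeholder blocks, not real key material).
LEGACY_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
<ca>
placeholder, not a certificate
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
<tls-crypt>
placeholder, not a key
</tls-crypt>
"""

if __name__ == "__main__":
    for name, profile in (("legacy", LEGACY_PROFILE), ("hardened", HARDENED_PROFILE)):
        report = audit_ovpn(profile)
        print(f"{name}: {report['cipher']} / {report['auth']} over {report['transport']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against the profile your provider ships and compare the report with what the provider claims above. A clean report says only that the tunnel's own crypto is sound; as Mullvad notes further down, DNS and IPv6 leaks and the security of the client machine are separate problems that no cipher choice fixes.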
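BlackVPN's answer to question 3 describes configuring its web analytics to keep only the first two octets of a visitor's IP address (63.122.45.67 becomes 63.122.0.0). The function below is an added example of that truncation applied to access-log lines before they are written; it is this editor's code, not BlackVPN's or Piwik's. The IPv6 prefix length and the sample log lines are constructed assumptions.

```python
"""Truncate client IP addresses before they reach an analytics or support log.

Added example. IPV4_KEEP_BITS matches the two-octet policy described above;
IPV6_KEEP_BITS and the sample log lines are this editor's assumptions.
"""
import ipaddress
from typing import List

IPV4_KEEP_BITS = 16   # 63.122.45.67 -> 63.122.0.0
IPV6_KEEP_BITS = 32   # assumption: keep the first two hextets of IPv6


def truncate_ip(addr: str) -> str:
    """Zero the host part of an address, keeping only a coarse prefix."""
    ip = ipaddress.ip_address(addr)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    mask = ((1 << keep) - 1) << (ip.max_prefixlen - keep)
    # Rebuild with the same address class so a masked IPv6 never turns into IPv4.
    return str(type(ip)(int(ip) & mask))


def anonymize_line(line: str) -> str:
    """Rewrite the leading client address of a common-log-format line.

    Lines that do not start with a parseable address are returned unchanged
    rather than dropped, so the rest of the record stays usable.
    """
    head, sep, rest = line.partition(" ")
    try:
        return truncate_ip(head) + sep + rest
    except ValueError:
        return line


def anonymize_lines(lines: List[str]) -> List[str]:
    return [anonymize_line(line) for line in lines]


# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '63.122.45.67 - - [15/Mar/2014:10:01:02 +0000] "GET /signup HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [15/Mar/2014:10:01:03 +0000] "POST /login HTTP/1.1" 302 0',
    '- - - [15/Mar/2014:10:01:04 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for out in anonymize_lines(SAMPLE_LOG):
        print(out)
```

Truncating at the point of logging is what makes the claim verifiable: the full address never reaches disk, so there is nothing to hand over later. A /16 still identifies an ISP and often a city, so this is a reduction in precision rather than full anonymity.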
Anonymizer
1. Anonymizer does not log ANY traffic that traverses our system, ever. We do log when a user connects, and the IP address they connected from (which is needed for customer support and to ensure system optimization), but we purge that log every 24 hours. But that’s it. We don’t log when users disconnect, how much data they used, where they went, at any time, ever. We would also like to point out that all of our customers exit out and share the same IP, which changes on a daily basis, and we don’t even track that. If asked what IP we used last week, we wouldn’t have any way to know for certain.
2. Anonymizer Inc operates under US jurisdiction. We never share information with third parties except those required to furnish services necessary to provide you with the products and services offered by us, and even then it is limited to the information needed for the third-party to furnish those services. The main example of this would be our credit card processor.
3. We can’t. We don’t monitor or log traffic or user activity. When we receive reports of abuse, we have no way to isolate or remediate it because we don’t monitor. It’s problematic at times, but we feel strongly about keeping our contract of ‘no monitoring’ with our customers, even when it’s inconvenient for us.
4. Since Anonymizer does not log any traffic that comes over our system, we have nothing to provide in response to DMCA requests. None of our users have ever been issued a DMCA take down notice or European equivalent. We’re over 18 years old now, and if not the oldest service out there, certainly one of the oldest, and we’ve never turned over information in a DMCA request.
5. Anonymizer Inc only responds to official valid court orders in which we comply with information that we have available. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated to service use. If a user paid by credit card we can confirm that they purchased access to our service only. There is, and would be, no way to ever connect a specific user to specific traffic.
6. BitTorrent and other file-sharing traffic is allowed on all of our servers. Due to not logging or monitoring any traffic on our system it would be impossible for us to know if any user were to be engaging in file sharing or BitTorrent activities on our service.
7. Anonymizer Inc. uses Stripe for any credit card payments. There is a record of the payment for the service and the billing information associated to the credit card to confirm the service has been paid for. We also offer Cash and will soon offer crypto-currency options to include Bitcoin. Cash payment options will not store any details (e.g. Billing address and customer name) of the transaction beyond the account username and the service being paid for by cash; there would be no way for us to connect an individual to a specific account.
8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP, which is IPSEC.
Anonymizer website
Ipredator
1. We try to store the least amount of data legally possible anywhere. We keep a record of when you logged in for debugging, which happens encrypted and off-site in a different jurisdiction. IP addresses are encrypted and can only be decrypted by non-support staff to ensure a proper process. For example, to work around issues where the police ruffle up the support staff a bit to get data for an abuse report.
In the database we only store the details users give us on sign-up and a limited backlog of basic payment information (no PSP processor TX-IDs). We do not run a ticket system, all support emails are deleted after 3 months. Inactive accounts are deleted after 3 months. We do not track you on our website or keep any website logs. We do not rent servers and have control over our network infrastructure. Our primary objective is to protect your anonymity from legal abuse, but not to cover up ethically serious crimes. As stated in the past we are open to an audit of our infrastructure and processes by a trustworthy 3rd party.
2. We only operate servers in Sweden. This includes understanding jurisdictional limitations and engineering our environment according to them, not making claims we cannot hold when things get serious. Offenses penalized by anything less than prison time do not qualify for such a request.
For a valid request IPredator then has to hand over the subscription information entered by you, which is all that we are required to do.
3. We only use email to handle abuse-related support issues. If a user decides to abuse one of our machines for a DoS attack we use rate limiters on the switches to mitigate this. So far no other tools are needed to deal with abuse.
4. For some reason they do not arrive, so we can’t tell you.
5. Please see question 2.
6. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite on the contrary. We believe our role is to provide a net-neutral access.
7. We offer PayPal, Bitcoins, Payza, and PaySon fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney and Credit Cards on request. An internal transaction ID is used to link payments to their payment processors. We do not store any other data about payments associated with the user's account.
8. At the moment OpenVPN with elliptic curve cryptography, ephemeral Diffie-Hellman key exchange, and AES 128/256 seems to be the best default choice. Other configs are available on request.
Ipredator website
BolehVPN
1. No, we do not keep logs. However, as per our policy, if we do notice any unusual activity on our servers (high bandwidth loading, high number of connections or CPU usage) we may turn on logs temporarily to identify abuse of our services (such as DoS or spamming through our servers). Once the user is identified, we will terminate the offending user, issue him an e-mail for the reason of termination and wipe the logs from our system.
Turning on logs for troubleshooting is a very last resort and is necessary to ensure the integrity of our services. It has happened very rarely (only a handful of times in our 7 years of operation) and such information was not disclosed to third parties but merely used to terminate the offending user. In any case logs were usually enabled for not more than a few hours and only for the particular server that was experiencing abuse.
2. We’re a Malaysian incorporated company which is not subject to any mandatory data retention laws. As we don’t keep logs, there is not much information to share even when requested.
3. Without disclosing too deeply into our methods, to identify abuse cases we generally look for abnormal activity in the traffic, sustained spikes in traffic, data packets and reports that we receive. It is always an evolving battle and a balance between maintaining our users' privacy and preventing abuse.
4. In the event DMCA notices or similar are given to us, we normally respond that we don’t have such content hosted on our networks and if the provider is adamant, we will terminate our relationship with the server provider and find a new one. We will not reveal the user that generated that DMCA notice (nor can we with no logs taken). Over the years, we have identified server providers that we can work with who understand the nature of our business.
5. In the event there is a request for account data, BolehVPN's policy is to notify members of requests for their data unless it is prohibited from doing so by statute or court order. In any case, as BolehVPN does not store any user identifiable data in relation to customers' usage of the VPN, there is little data that can be given over and beyond the date that you paid and your payment details.
It is noted that we do not require you to specify a real name during account signup and only require a working e-mail address. For your protection, we may contact you to ask for further details should there be any disputes arising from your payment.
6. All P2P/file-sharing activities are allowed through our FullyRouted and Proxied servers, but not through our SurfingStreaming servers. SurfingStreaming servers are generally limited due to local laws or datacenter policy or have limited bandwidth capacity. These configurations are generally only there to help users access geo-restricted content as opposed to full-blown P2P.
7. We accept Bitcoin, PayPal and MolPay (Malaysian online bank-ins) and also direct bank-ins for Malaysian users. Orders are merely marked as paid or not paid, the date and method of payment. No other payment details are attached to the VPN account in our customer portal system. Depending on the payment provider chosen, the payment provider may of course retain certain details.
8. We believe that OpenVPN is the most secure VPN protocol available currently. Because of Snowden’s revelations, IPSEC may not be as secure as once thought. We also implement a modified version of OpenVPN that scrambles the packets (we call it xCloak) making it harder to identify as VPN traffic.
All our servers use the same encryption, 128-bit AES, as this provides the best blend of security and performance. Of course most experts consider 256-bit AES as more secure but we are confident that 128-bit AES is sufficiently secure. It is noted that 256-bit AES has a weaker key schedule than 128-bit AES. We are however currently evaluating CAMELLIA as an alternative to AES.
If we were to choose the most secure algorithm, we would pick either Twofish or Threefish, which are independently developed by Bruce Schneier and other well-known security specialists, but this is not currently available in OpenVPN.
BolehVPN website
NordVPN
1. We do not keep any logs – no traffic logs, no timestamps, nothing. All of our logs are pointed directly to /dev/null so, as much as third parties would want it, it is impossible to trace the user itself. In addition, our service has only a minimal configuration which does not give away any information about the user.
2. We operate under the jurisdiction of Panama. There is no data retention law in Panama hence we are allowed not to keep logs legally. We do not share any information with 3rd parties under any circumstances.
3. No tools are used to monitor our users in any case. However, we hope our users understand that any abusive action they perform through our servers could lead to the shutdown of the datacenter or the server in the particular country. At this point, we strongly believe our users understand what this could lead to and will not perform any abusive action on our servers.
4. All these notices are ignored as it has no law compliance with us. We are not a torrent hosting or promoting company. Furthermore, all our servers where P2P program usage is allowed operate in countries where there are no data retention laws. It is in our future plans to start announcing all these notices we receive just to prove our privacy policy. We care about the actual privacy of our users.
5. If we receive a valid court order at first it has to comply with the laws of Panama. In that case, the court should be settled in Panama and even if that happens we will not be able to provide any information because we keep exactly nothing about our users.
6. As stated above, the usage of BitTorrent and other file-sharing applications is allowed on certain servers. We allow P2P traffic on servers that are located in the countries where there are no laws forbidding P2P traffic.
7. We accept payments via Bitcoin, PayPal, Paysera, WebMoney. Bitcoin is the best way of paying to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer. Clients who subscribe to our services via Paysera are linked with their full name. However, even if the VPN account is linked with the payment system account, it is not linked with the performed activities on our servers.
8. Recently, we have added high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hops and then reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays.
Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Finally, our regular servers also have a strong encryption which is 2048-bit SSL for the OpenVPN protocol, 256-bit AES for L2TP. Currently we are working on even higher security solutions which will be accessible through our software in the second quarter of 2014.
NordVPN website
TorrentPrivacy
1. We don’t store any logs; it’s impossible to track users’ activity through the TorrentPrivacy VPN.
2. We run our business as a Seychelles company. It is one of the safest and nicest places in the world. There haven’t been any lawsuits in Seychelles regarding online copyright infringement yet.
3. According to our Terms and Conditions it is not recommended to use the service for any illegal purposes, for example, for transmission or receipt of illegal material. But because we have a no logs policy we don’t monitor and store any information about users’ online activity.
4. If we receive a DMCA notice, our team of lawyers solves it immediately without blocking any servers or protocols. We don’t store any content on our servers, and users are anonymous. We promise our customers that they will not have DMCA related problems.
5. We have never received requests from any court. It is impossible to release personal information because we actually don’t have it.
6. BitTorrent and all traffic of such type is allowed on all of our servers.
7. CommerceGate and PayPal. We don’t store any information about user card details; all transactions are processed at the payment system side. The payment system just uses the username registered on our website and the filled-in purchase form to link the payment to a concrete user.
8. The most secure VPN protocol we provide for our service is OpenVPN. There are many benefits to using OpenVPN, one of them is an ability to use more bit count encrypted.
TorrentPrivacy website
Proxy.sh
1. We do not keep any logs and we do not record any IP-address, headers or anything. In terms of time stamps, we only record those associated with support ticket creation and update (invoices and renewals are only recorded by date) for management purposes. The only personal information we do record is an email address and a payment type, that corresponds to either the word “Money” or “Bitcoin”. This is made clear in our privacy policy. Our system will also hold service credentials, namely the account password and network login/password pair. All this data can be permanently removed at any time on the customer’s request. All other data and information involved in our operations (connections, traffic, etc.) is neither monitored nor recorded.
2. We operate from the Republic of Seychelles and our staff members are residents in the following countries: Germany, Bulgaria, Switzerland, Ukraine, Philippines, Laos, Seychelles, Argentina and Croatia. We will only share information we hold with a third party when we are obliged by the law to do so, and only if we are able to alert our users in advance or in real time through our Transparency Report. If we are told that we cannot disclose anything, we will attempt to circumvent this illegitimate censorship with our Warrant Canary and ultimately, cease operations in the concerned jurisdiction.
3. When we need to respond to an abuse that our network is provoking or being the victim of, we will simply block the related ports or protocols and see if the problem has been resolved by doing so. If not, we might temporarily install on the specific node a Wireshark or a TCPDump instance and we will play with various settings, mostly involving iptables, to mitigate the problem. We will never keep any logs generated during such interventions. We will always let our members know about such interventions through our Network Alerts, either several days in advance or in real time, depending on the urgency of the matter. Our system will also tweet in real time about such interventions.
4. When we receive a DMCA takedown notice or any other similar copyright-related abuse notice, we will shut down the port related to the infringement, reset our customers’ accounts in order to prevent them from forwarding this port any further and we will publish a public report about both the notice and our intervention in our Transparency Report (https://proxy.sh/report) as well as at the Chilling Effects Clearinghouse. Our system will also tweet in real time about such interventions.
5. When we receive a valid court order asking to identify an active user of our services, we explain that we are technically unable to do so and we provide in return open access to the related server to the competent domestic authority, who may have more adequate forensic capacities to undertake such identification. We also publish a notice to our users in our Network Alerts that this node is now open to inspection by local and (potentially) international authorities. Our system will tweet these notices in real time. We will also consider shutting down the node and eventually ceasing full operations from the concerned jurisdiction depending on how the intervention is carried out and the level of guarantee to privacy that is left after the intervention.
6. We do not undertake any segregation of usage type among our servers. Users are completely free and responsible to do whatever they want, including BitTorrent and any file-sharing activity. They are only subject to the restrictions we put to our network, which are limited to ports blocking and IP/range/domain destination blacklisting, initiated by our responses to abuse.
7. We accept no less than 90 different payment methods, including but not limited to PayPal, VISA, Mastercard, Discover, American Express, Maestro, UnionPay, WebMoney, SMS and phone payments, PaySafeCard, Ukash, Neosurf, Allopass, clickandbuy, Alipay, giropay, iDeal, bank transfers and various additional OTR methods as well as e-wallets. Of course, we also support Bitcoin payments. There is no link between user accounts and their payments, except a simple nomination known as either “Money” or “Bitcoin”. Invoice numbers and timestamps have sufficient discrepancies to not permit any relationship between panel/VPN accounts and payments. Moreover, we do not hold and manage directly the various payment methods offered: we use administrative and financial third parties such as our incubator, Three Monkeys International, and our processor, PaymentWall.
8. While we always recommend our most tech-savvy customers to get in touch with us to try out our latest encryption experiments (Serpent, ECC-curve25519, etc.), we recommend the generally security-aware customers to use the SHA-512/AES-256-CBC/DH-RSA-4096 combination (4096-bit RSA with strong cipher and strong auth security) made available across most of our network. For all our ‘normal’ customers, we still enforce the SHA-1/AES-256-CBC/DH-RSA-4096 combination (4096-bit RSA with strong cipher and sufficient auth security) on them, which provides decent security and optimal stability. Both our system and software are designed in such a way that we will continuously increase our encryption levels when necessary. We also provide TOR bridges, exit nodes and OpenVPN compatibility as well as OpenNIC log-free DNS, SSH and SSL tunnels, to leverage the power of the OpenVPN encryption schemes our customers may use.
Proxy.sh website
HideIPVPN
1. We do not log users’ IP addresses. Since we are a company registered in the US we are not required to maintain such logs. Our logs only check the account name (this is chosen by the user) and if a connection was established with the VPN server. This is the only way for us to help users in case of technical problems (we can check if there was any connection); this also helps us to refund money if a new customer was not able to connect to any of our servers. This information is automatically overwritten with new data after 3 days.
There is no way for any third-party to match a user IP to any specific activity on the internet.
2. We operate under US jurisdiction. The only way we would share our information is under court order (as would any other company).
3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than 3 VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP addresses, there is no way any third party could connect any online activity to a user’s IP address.
As it would put us and our other users at risk we do not comment on our internal policies in this regard.
4. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make it impossible to track who downloaded any data from the internet using our VPN.
5. We would reply that we do not have such measures that would allow us to identify a specific user.
6. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – the reason for this is due to our agreements with data centers. We also have specific VPN plans for torrent users.
7. We currently accept payments via PayPal, Credit/Debit card, PayPro. Bitcoin acceptance is currently being tested. If it proves popular with our users it will stay with us.
8. We would recommend OpenVPN and SSTP protocols.
HideIPVPN website
SlickVPN
1. We do NOT have the ability to match an IP address with a time stamp to derive the identity of any user of our service. We utilize shared IP addresses, so it is not possible to match a user to an external IP. In addition, all of our gateways operate from RAM, so no data is written to disk. In case of theft or forceful shutdown, all data is lost.
2. We maintain server locations in various countries but we are a US-operated corporation so therefore we are not subject to data retention laws.
3. We do not allow outgoing SMTP which could open us up to SPAM issues. We do not actively check our service for abuse at the account level, instead we check at the server level. The difference is checking a server for real-time abuse instead of checking logs for historical abuse.
4. We do not have logging, but if a DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session.
5. We obviously have to comply with valid court orders, but without logging we cannot identify users of past activity. We also offer the ability to sign up anonymously using Bitcoin.
6. Yes.
7. We accept PayPal, Credit Cards, and Bitcoin. We only store the minimal billing information required to provide customers refunds. We suggest users most concerned about privacy should sign up with Bitcoins and use an anonymous email address.
8. OpenVPN with AES-256.
SlickVPN website
OctaneVPN
1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written on our gateways. Our gateways utilize shared IPs, so there can be more than one customer using an IP which further adds to privacy.
The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route the traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.
Our business structure is divided into two independent companies that do not share information. One company manages the network and hardware. A separate independent company operates the website that customers use. Customer data is not shared between the two – only a token – so, in addition to not being able to locate a user by IP address and timestamp, the company that might receive such a request has no customer data to provide since customer data resides in another independent company.
2. We are a US-based company. Our privacy policy prevents us from sharing customer confidential information with 3rd parties. The only situation where this occurs is in connection with supplying enough information for our fraud detection / payment processors to approve payment transactions. The US does not have laws requiring data retention.
3. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues.
4. If we receive a DMCA takedown notice or its equivalent and the customer’s current session during which it was generated is still active, we put the account on hold and notify the customer.
5. As a US company, we would comply with a successfully executed subpoena issued by a court of competent jurisdiction in a request for specific information. There would likely be little useful information we could provide. The US does not have data retention requirements. If the subpoena were to be of a vague, general or fishing nature, we would likely push back and request specificity.
6. We operate with net neutrality, with the exception of outgoing SMTP.
7. Bitcoin, Credit/Debit Cards, PayPal. Our billing and account management systems are separate and use a token method. We are organized such that one company manages our network and another independent company with different beneficial ownership manages customer interaction. This divided arrangement provides another layer of anonymity. Bitcoin allows maximum anonymity since all that is needed is an email address. There are plenty of options for anonymous email addresses. Disposable/reloadable credit cards are another anonymity enhancing tool.
8. We recommend OpenVPN / AES-256. We offer IPsec as well, but typically OpenVPN offers more flexibility over IPsec. We also offer PPTP for compatibility with older devices, but would not recommend it if OpenVPN is an option. Our OpenVPN client also offers DNS leak protection.
OctaneVPN website
IPVanish
1. IPVanish has a no-log policy. We keep no traffic logs.
2. IPVanish is headquartered in the US and thus operates under US law.
3. IPVanish has no monitoring in place. To elaborate, IPVanish does not sniff or monitor any user’s traffic or activity for any reason.
4. IPVanish keeps no logs of any user’s activity and responds accordingly.
5. IPVanish, like every other company, has to follow the law in order to remain in business. Only US law applies.
6. P2P is permitted. IPVanish in fact does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.
7. PayPal and all major credit cards are accepted. Payments and product use are in no way linked. User authentication and billing info are held on completely different and independent platforms.
8. OpenVPN generally provides the strongest encryption algorithm, so that is the recommended encryption protocol. IPVanish also allows a choice between TCP and UDP, and UDP is generally recommended for better speed.
IPVanish website
LiquidVPN
1. Absolutely not. We have customized our AAA (authorization, accounting and authentication) database so that there is very little data actually stored within the database. We have developed our own version of RADIUS for this very reason. Furthermore we us