Millions of Internet users around the world use a VPN to protect their privacy online.
Unfortunately, however, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.
This is the main reason why we have launched a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects. This year’s questions are as follows:
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user/users of your service? If so, what information do you hold and for how long?
2. What is the registered name of the company and under what jurisdiction(s) does it operate?
3. Do you use any external visitor tracking, email providers or support tools that hold information about your users/visitors?
4. In the event you receive a takedown notice (DMCA or other), how are these handled?
5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?
6. Is BitTorrent and other file-sharing traffic allowed (and treated equally to other traffic) on all servers? If not, why?
7. Which payment systems do you use and how are these linked to individual user accounts?
8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
9. How do you currently handle IPv6 connections and potential IPv6 leaks? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops?
10. Do you offer a custom VPN application to your users? If so, for which platforms?
11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party? Do you use your own DNS servers?
12. What countries are your servers located in?
—
Below is the list of responses from the VPN services in their own words. Providers who didn’t answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.
Private Internet Access
1. We do not store any logs relating to traffic, session, DNS or metadata. There are no logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.
2. Private Internet Access is operated by London Trust Media, Inc., with branches in the US and Iceland, which are a few of the countries that still respect privacy and do not have a mandatory data retention policy. Additionally, since we operate from the countries with the strongest of consumer protection laws, our beloved customers are able to purchase with confidence.
3. All of our VPN systems and tools are proprietary and maintained in house. We utilize some third-party tools in order to provide a better customer experience. By Q3 2017, all of these third party tools will be transitioned to in-house solutions.
4. We do not monitor our users, and we keep no logs, period. That said, we have an active, proprietary system in place to help mitigate abuse.
5. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” While we have not received valid court orders, we periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. This is all driven based upon our commitment to privacy. All this being said, we do not log and do not have any data on our customers other than their signup e-mail and account username.
6. BitTorrent and file-sharing traffic are allowed and treated equally to all other traffic (although it’s routed through a second VPN in some cases). We do not censor our traffic, period.
7. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, CashU, and any major store-bought gift card and OKPay. Payment data is not linked nor linkable to user activity.
8. Currently, the most secure and practical encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256.
9. Yes, our users gain a plethora of additional protections, including but not limited to:
(a) Kill Switch: Ensures that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could lead to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
(e) MACE™: Protects users from malware, trackers, and ads
10. We have custom applications to which our users have left amazing reviews. PIA has clients for the following platforms: Windows, Mac OS X, Linux, Android, iOS and a Chrome Extension (Coming soon). Additionally, users of other operating systems can connect with other protocols including OpenVPN, SOCKS5 (unencrypted), and IPSec, among others.
11. We utilize our own bare metal servers in third-party datacenters that are operated by trusted friends and, now, business partners whom we have met and on which we have completed serious due diligence. Our servers are located in facilities including 100TB, Choopa, Leaseweb, among others.
We also operate our own DNS servers on our high throughput network. These servers are private and do not log.
12. As of the beginning of 2017, We operate 3283 servers across 37 locations in 25 countries. For more information on what countries are available, please visit our network information page.
Private Internet Access website
ExpressVPN
1. ExpressVPN is an anonymous, offshore, zero-log VPN service provider. We are in the business of keeping our customers private and secure.
We do not possess information that would enable us to identify a user by an IP and timestamp produced as part of an investigation. ExpressVPN IPs are shared among customers, and we don’t have the ability to match a customer to an IP address. We designed our network to maximize privacy protection for our customers.
2. Express VPN International Ltd. is a BVI (British Virgin Islands) company. The BVI is a small, independent nation in the Caribbean renowned as an offshore jurisdiction with strict privacy regulations and no data retention laws.
3. We use 3rd party website analytics tools such as Google Analytics. We use Zendesk for support tickets and Snapengage for live chat. We believe that these are secure platforms.
Information about how you use the VPN itself (such as browsing history, traffic data or DNS queries) is never revealed to 3rd parties and is never logged or stored by ExpressVPN.
4. As we are a network service provider rather than a content host, there is nothing to take down. We also do not attempt to identify an ExpressVPN user in this case, report the user, or otherwise restrict service. Our customers should rest assured that their anonymity is protected.
5. VPN companies receive subpoenas and other legal requests as a matter of regular occurrence. This is one of the most significant advantages of our BVI jurisdiction. A court order would need to take place in the BVI for it to be legally valid. If we receive a request from another jurisdiction, we let them know that we don’t maintain logs that would enable us to match an IP address to an ExpressVPN user.
6. ExpressVPN allows all traffic including BitTorrent from all VPN servers and does not impose restrictions based on the type of traffic our users send.
7. ExpressVPN accepts all major credit cards including VISA, MasterCard and American Express. We also accept PayPal and a large number of local payment options. For users who want maximum privacy and don’t want to send us personally identifying payment information, we recommend bitcoin. In fact, we’ve written a complete guide to protecting your financial privacy with bitcoin.
8. In most cases we recommend (and default to) OpenVPN UDP. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers.
9. Yes, we call this leak protection feature “Network Lock”, and it is turned on by default. Network Lock prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your Internet connection drops or in various additional scenarios where other VPNs might leak.
10. ExpressVPN has award-winning apps for Windows, Mac, iOS, Android, Linux, and routers. Our apps are designed to make it easy for users to choose a VPN location and get connected. They also offer much better security and privacy protection than manually configuring a VPN. With the ExpressVPN App for Routers, we make it easy to protect every device in your home using a VPN that is always connected.
11. Our VPN servers are hosted by trusted data centers with strong security practices. The data center employees do not have server credentials, and the server disks are fully encrypted to mitigate any risks from physical seizure. We run our own zero-knowledge DNS on every server (no 3rd party DNS).
12. ExpressVPN has thousands of high speed servers in 145 locations across 94 countries. See the full list here.
ExpressVPN website
NordVPN
1. As stated in our terms of service, we do not monitor, record or store any VPN user logs. We do not store connection time stamps, used bandwidth, traffic logs, or IP addresses.
2. The registered company name is Tefincom co S.A., and it operates under the jurisdiction of Panama.
3. We use Google Analytics and a third-party ticket/live chat tools (Zendesk/Zopim). Google Analytics is used to improve our website and provide our users with the most relevant information. The ticket/live chat tool is used to provide the best support in the industry (available 24/7), but not tracking our users by any means.
4. We operate under Panama’s jurisdiction, where DMCA and similar orders have no legal bearing. Therefore, they do not apply to us.
5. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our zero-log policy means that we don’t have any information about our users’ online activity. So far, we haven’t had any such cases.
6. Yes, we allow P2P traffic. We have optimized a number of our servers specifically for file-sharing; ensuring other servers, which are meant for streaming and other purposes, have uninterrupted speeds. In any case, we do not engage in bandwidth throttling for P2P users.
7. Our customers can pay via credit card, PayPal and Bitcoin. We do store the standard billing information for refund purposes, but it can not be related to any Internet activity of a particular customer. Bitcoin is the most anonymous option, as we do not link the payment details with the user identity or other personal information.
8. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie Hellmann keys. IKEv2 protocol is used by default in our OS X and iOS apps, and it can be manually setup on Windows and Android OS. We are also exploring possibilities to develop IKEv2 based apps for Android and Windows. At the moment, Windows and Android apps are using AES-256-CBC encryption with 2048-bit key.
9. Yes, we do provide both an automatic app-level kill switch and a feature for DNS leak protection. Our OS X, Windows, iOS and Android apps have IPv6 leak protection implemented. NordVPN service will not leak IPv6 address.
10. We have custom VPN applications for Windows, MacOS, Android, and iOS. All NordVPN apps are very easy to install and use, even with no previous experience with VPN services.
11. We use a hybrid model, whereby we control some of our servers but also partner with premium data centers with strong security practices. Furthermore, due to our special server configuration, no one can retain or collect any data. All servers have been set up with a zero logs policy. We do have specific requirements for network providers to ensure highest service quality for our customers. We do have our own DNS servers, and all DNS requests go through those.
12. At the moment, we have 741 servers in 58 countries. You can find the full list here.
NordVPN user reviews
TorGuard
1. No logs or time stamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no-logging policy we run a shared IP configuration across all servers. Because there are no logs kept and multiple users share a single IP address, it is not possible to match any user with an IP and time stamp.
2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.
3. We use anonymized Google Analytics data to optimize our website and Sendgrid for transactional email. TorGuard’s 24/7 live chat services are provided through Livechatinc’s platform. Customer support desk requests are maintained by TorGuard’s own private ticketing system.
4. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log and no time stamp policy and shared IP network – we are unable to forward any requests to a single user.
5. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our network and shared IP configuration and the fact that we do not hold any identifying logs or time stamps to pinpoint any specific user. We have never been able to identify any active user from an IP and time stamp.
6. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block or limit any types of traffic across our network.
7. We currently offer over 200 different payment options. This includes all forms of credit card, PayPal, Bitcoin, altcoins (e.g. Ether, litecoin + more), Alipay, UnionPay, CashU, 100+ Gift Card brands, and many other methods local payment options. No user can be linked back to a billing account because we maintain zero logs across our network.
8. For best security, we advise clients to use OpenVPN and select the cipher option AES-256-CBC, with 4096bit RSA and SHA512 HMAC. We use TLS 1.2 on all servers with perfect forward secrecy enabled. For faster speeds and “obfuscated” Stealth VPN access, we suggest using OpenConnect SSL VPN with cipher option AES-256-GCM. TorGuard offers a wide range of VPN protocols, including OpenVPN, L2TP, IPsec, SSTP, OpenConnect/AnyConnect (SSL VPN), and iKEV2 – we still offer PPTP for those of you who need it, but we don’t recommend it.
9. TorGuard’s VPN software provides strict security features by automatically disabling IPv6 and blocking any potential DNS or WebRTC leaks. We offer a full connection kill switch that safeguards your VPN traffic against accidental disconnects and can hard kill your interfaces if needed, and an application kill switch that can terminate specific apps if the VPN connection is interrupted for additional safety. All recommended security features are enabled the moment you install TorGuard to ensure by default you have max security while tunneling through our network.
10. TorGuard’s popular VPN client is available for all versions of Windows, Mac OSX, Linux, Android, and iOS. We also offer easy DDWRT and Tomato setup tools for VPN routers, and a Firefox/Chrome SSL proxy app. To stay up to date with current security threats, our VPN software is actively developed and constantly evolving.
11. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by TorGuard staff. Because there are no logs kept on any TorGuard VPN and Proxy servers, there is no risk of data theft should a machine become seized.
TorGuard VPN apps default to using internal secure no-log DNS servers that run on each VPN endpoint. We suggest this configuration for highest levels of privacy, however, clients can customize their DNS settings and choose from zero log TorGuard public DNS, Google DNS, Level3, or a customized DNS entry of their choosing.
12. TorGuard currently maintains thousands of servers in over 53 countries around the world, and we continue to expand the network every month. All customers get full access to our network.
TorGuard Reviews
Anonymizer
1. Anonymizer does not log ANY traffic that traverses our system, ever. We do not maintain any logs that would allow you to match an IP-address and time stamp to a user of our service.
2. Our company is registered as Anonymizer Inc. Anonymizer Inc. operates under U.S. jurisdiction where there are no data retention laws.
3. Anonymizer uses a ticketing system for support but does not request user verification unless it is needed specifically in support of a ticket. Anonymizer uses a bulk email service for email marketing but does not store any details on the individual email address that would connect them to being an existing customer.
Anonymizer uses Google Analytics and Google AdWords to support general marketing to new customers. Both of these tools do not store identifiable information on any unique customer or any way to identify a specific individual as a user of our service. We also actively ensure no link is created from the data in either system to any specific customer following a trial or purchase of our product.
4. Since Anonymizer does not log any traffic that comes over our system, we have nothing to provide in response to DMCA requests. None of our users have ever been issued a DMCA takedown notice or the European equivalent. We’ve been around for over two decades – making us one of the oldest services out there – and we’ve never turned over information of that kind.
5. Anonymizer Inc. is required by law to respond to all valid court orders and subpoenas. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated with service use. If a user paid by credit card we can only confirm that they purchased access to our service.
There is, and would be, no way to connect a specific user to specific traffic ever. There have been instances where we did receive valid court orders and followed the procedures above. In our 20 years of service, we have never identified details about a customer’s traffic or activities.
6. All traffic is allowed on all of our servers, so long as it complies with our EULA and Terms of Service.
7. Anonymizer Inc. uses a payment processor for our credit card payments. There is a record of the payment for the service and the billing information associated with the credit card confirming the service has been paid for. We also offer a cash payment option. Cash payment options do not store any details.
8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP/IPSEC.
9. Anonymizer’s client software does not support IPv6 connections. All customers are asked to disable IPv6 connections for the application to function. Our client software does have the option to enable a kill switch that prevents any web traffic from exiting your machine without going through the VPN.
10. We offer a custom VPN application for MacOS and Windows. Our default application log only logs fatal errors that occur within the application which prevents the application from running.
11. We own ALL of our hardware and have full physical control of our servers. No third party has access to our environment. We operate our own DNS servers.
12. We have servers in the United States and Netherlands.
Anonymizer website
Ipredator
1. No logs are retained that would allow the correlation of a user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.
2. The name of the company is PrivActually Ltd. which operates out of Cyprus.
3. We do not use any visitor tracking mechanism, not even passive ones analyzing the webserver logs. We run our own mail infrastructure and do not use 3rd party products like Gmail. Neither do we use data hogs like a ticket system to manage support requests. We stick to a simple mail system and delete old data after three months from our mail boxes.
4. The staff forwards DMCA notices to the BOFH Notices sent via paper are usually converted into energy by combustion … to power the data center in the basement where the BOFH lives. Digital SPAM^WDMCA notices are looped back into the kernel to increase the VPNs /dev/random devices entropy.
5. We evaluate the request according to the legal frameworks set forth in the jurisdictions we operate in and react accordingly. We had multiple cases where somebody tried but did not succeed to identify active users on the system.
6. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite the contrary. We believe our role is to provide a net-neutral internet access. Every user is free to share his/her/its files. We are conservative people and firmly believe in the heritage of our society, which was built upon the free exchange of cultural knowledge. This new age patent system, and the idea that we need companies who milk creators are simply alien to us.
7. We offer PayPal, Bitcoins, Payza, and Payson fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney, Amazon Giftcards, Cash and Credit Cards on request. An internal transaction ID is used to line payments to their payment processors. We do not store any other data about payments associated with the user’s account.
8. We provide up to date config files and enforce TLS1.2 for the control channel on all supported systems. For further protection, we provide detailed setup instructions for our users. Besides the public and VPN internal DNS servers we also support DNSCrypt as a means to encrypt DNS requests. Howto’s for kill switches are available as well. We do not enforce a particular client.
9. Users can connect to a dual stack VPN pool that provides IPv4 as well as IPv6 connectivity. Unfortunately enabling IPv6 for all clients still breaks quite a few setups. Hopefully broader adoption of the OpenVPN 2.4 branch will allow us to work properly. Users can use this page to check for a number of leaks.
Kill switches that provide protection from connection drops are part of the client installation. There is not much we can do against that on the server side. If the user’s client of choice has built-in support for kill switches, he/she can just use that. If people use the vanilla OpenVPN client, the up/down script hooks provide everything needed to handle custom configs to terminate applications when the VPN connection drops.
DNS and IPv6 leaks are just two issues among many that users face in their quest for online privacy. Most privacy issues cannot be easily fixed by the VPN provider itself, but require knowledge and diligence of the users themselves. We therefore ask our users to go through our interactive checklist to improve their online piracy.
10. No, we do not offer a custom VPN application to our users. Users are free to choose which client they want to use. We think that giving users a closed source client is against our core principles.
11. We own our complete setup, network, and data center with everything in it – no 3rd parties are allowed access. We do not trust in 3rd parties operating our core infrastructure.
There are dedicated DNS servers that are given to clients for resolving DNS queries from within the VPN. Furthermore, we encourage users to use DNScrypt or similar technologies. Ideally splitting their DNS queries over multiple DNScrypt instances and running a local resolver to minimize DNS requests in the first place.
12. They are in Sweden due to the laws that allow us to run our service in a privacy-protecting manner. In times where basically everyone in the VPN market is advertising with servers in a gazillion countries, this might seem like a disadvantage. We see this very differently.
The core for any privacy service is trust in the integrity of the underlying infrastructure. Everything else has to build upon that. There is no way we could run such a tight ship and controlled environment with servers all over the world, and we will not compromise on the quality of our setup.
Ipredator website
SlickVPN
1. SlickVPN does not log any traffic nor session data of any kind.
2. Slick Networks, Inc. is our recognized corporate name. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. The main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.
3. We utilize third party email systems to contact clients who opt in for our newsletters and Google Analytics for basic website traffic monitoring and troubleshooting.
4. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session. Otherwise, we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.
5. This has never happened in the history of our company. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.
6. Yes, all traffic is allowed.
7. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.
8. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.
9. Our Windows and Mac client disable IPv6 as part of our IP and DNS leak protection. Our IP leak protection proactively keeps your IPv4 and IPv6 traffic from leaking to untrusted networks. Your network will be disabled if you lose the connection to our servers and the only way to restore the network is manual intervention by the user.
10. Yes. Our users are provided with a custom client, designed by our in-house engineers. Currently, the client works with Windows and Mac products. Our client does NOT store logs on customer computers by default. We also provide guides for every other platform.
11. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties unless there is enough demand in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries.
In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk. DNS is assigned by the server when a user logs in.
12. At SlickVPN we actually go through the expense of putting a physical server in each country that we list. SlickVPN offers service in 40 countries around the world
SlickVPN reviews
Mullvad
1. No.
2. Amagicom AB, Sweden.
3. We have no external elements at all on our website. We do use external email and encourage people who send us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.
4. There is no such Swedish law that applies to us.
5. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.
6. We do not block or throttle BitTorrent or other file-sharing protocols. All traffic is treated equally.
7. We explain that in more detail here, but we offer Bank Wire, Swish, PayPal (CreditCards), Bitcoin and cash. Cash and Bitcoin are the most anonymous. We run our own full Bitcoin node and don’t use third parties for any step in the bitcoin payment process, from the generation of QR codes to adding time to accounts.
8. OpenVPN, AES256, handshake encryption RSA-2048.
9. We offer the option to tunnel or not tunnel IPv6 (if not – IPv6 is blocked), and the kill-switch and DNS leak protection works the same for IPv6 as IPv4. There is both a kill switch in our client and a SOCK5 proxy that is only accessible via our VPN (i.e. if you set your browser to use it, the browser will not work if the VPN is down).
10. Yes: Windows, Mac, Linux
11. We have physical control at four sites. Three in Sweden and one in Amsterdam (I.e. all servers in Sweden and Amsterdam). The rest is hosted by carefully selected providers. Yes, we use our own DNS servers.
12. Australia, Austria, Belgium, Bulgaria, Canada, Czech Rep., Denmark, Germany, Lithuania, Israel, Italy, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, UK, USA
An up to date list is available here.
Mullvad website
BlackVPN
1. No. We purge all this information when the user disconnects from the VPN.
2. The name of the company is BLACKVPN LIMITED and is registered in Hong Kong and operates under the jurisdiction of Hong Kong.
3. We run our own email server plus support and live chat systems using open source tools. We use StreamSend for sending generic welcome and renewal reminder emails, as well as for the occasional news updates. We have Twitter widgets on our frontpage that may track visitors. We use Google Analytics as well as our own website analytics (Piwik).
4. We block the port on the server listed in the notice.
5. If we received a valid court order from a Hong Kong court, then we would be legally obliged to obey it. So far this has never happened.
6. Bittorrent traffic is not restricted in our Privacy VPN locations, but due to stricter enforcement of DMA notices in the USA and UK we restrict most BitTorrent traffic and only whitelist torrents of open source software.
7. PayPal, Bitcoin and PaymentWall (for Credit Cards and Bank Transfers). The transaction details (ID, time, amount, etc) are linked to each user account.
8. We recommend to use OpenVPN 2.4 and we support the new GCM cipher mode (AES-256-GCM) together with 4096 bit RSA and Diffie Hellman keys. With OpenVPN, we also enforce DHE/ECDHE enabled cipher suites and key exchange is done with Diffie-Hellman, providing forward secrecy.
9. For OpenVPN, we stop IPv6 leaks with the OpenVPN config, and we also disable and blackhole all IPv6 traffic server side. The open source OpenVPN client has DNS leak prevention built in and in most cases will not leak data during reconnections. Our upcoming custom VPN app will be able to provide 100% IPV6 and DNS leak protection client side and will also have a “kill switch”.
10. We have a custom open source Android app and we are working on custom Windows/MacOS app aswell. For the moment we build pre-configured versions of the open source OpenVPN clients for Windows and MacOS.
11. We use dedicated servers which are hosted in 3rd party data centers, but they do not have access to login or manage the server. We run our own DNS servers which do not save any logs.
12. USA, UK, Australia, Brazil, Canada, Czech Republic, Estonia, France, Germany, Japan, Lithuania, Luxembourg, Netherlands, Norway, Romania, Russia, Spain, Switzerland and Ukraine.
BlackVPN website
VPNArea
1. We do not keep or record any logs. We’re therefore not able to match an IP-address and a time stamp to a user of our service. We also do not keep or record any usage logs.
2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.
3. The only external tool we use is Zopim LiveChat. Our email system is hosted on our own servers in Switzerland. We use Email and OsTickets for support which are hosted on our own servers in Switzerland. We also offer Skype as a support option.
4. DMCA notices are not forwarded to our members as we’re unable to identify a responsible user due to not having any logs. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.
5. This has not happened yet. Shall it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then delegate our no logs policy to the appropriate party pointing out that we’re not able to match a user to an IP or timestamp due to not keeping or recording any logs.
6. BitTorrent/P2P is allowed on most of our servers but not all of them. Why not? Some servers that we use are not tolerant to DMCA notices, but some of our members utilize them for other activities not related to Torrenting. That is why we keep them in our network despite the inability to use P2P/torrents on them. Most of our VPN servers and locations do allow torrents and P2P.
7. We accept PayPal, Credit/Debit cards and Webmoney via 3rd party payment processor, Bitcoin, Payza. We do not require personal details to register an account with us. In the case of Bitcoin payments, we do not link users to transactions. In the case of PayPal/Payza/Card payments we link usernames to their transactions so we can process a refund. We do not have recurring payments system.
8. We use AES-256-CBC + RSA2048 + SHA256 cipher on all our VPN servers without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination.
9. In both our Windows and Mac software we have the optional setting to disable IPv6 connectivity on the computer to prevent IPv6 leaks. We have DNS leak protection as an optional setting in our Windows, Mac and Android apps. We have Killswitch in our Windows and Mac software.
10. We do have custom VPN applications for Windows, Mac, Android. We’ve custom app for iOS too, which servers as a helper tool for “OpenVPN Connect”.
11. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.
12. We currently have servers in 65 countries.
VPNArea website
IPVanish
1. IPVanish is a no log VPN.
2. Mudhook Marketing, Inc. The State of Florida
3. We use basic inbound marketing tools like Google Analytics, but we do not track or store personally identifiable information (PII) from these tools. We also do not track the browsing activities of users who are logged into our VPN service.
4. We do not store, host, stream or provide any content, media, images or files that would be subject to a properly formed takedown notice.
5. First, any request has to be a valid and lawful request before we will even acknowledge the request. If the request is for user data or identification of a subscriber based on an IP address, we inform the agency making the request that we do not keep any logs and we operate in a Jurisdiction that does not require mandatory data retention.
Sometimes, legal agencies or authorities may not be happy with this response. We politely remind them that IPVanish operates within the letter of the law and is a valid and needed service to protect the privacy of its subscribers.
6. Yes, BitTorrent and other file-sharing traffic is allowed.
7. Bitcoin, PayPal, and all major credit cards are accepted. Payments and service use are in no way linked.
8. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm.
9. IPVanish has a Kill Switch feature that terminates all network traffic to prevent any DNS leaks in the event your VPN connection drops. We also have a user-enabled option that automatically changes your IP address randomly at selected time intervals. We currently do not support IPv6. This will be rolled in with an upcoming update. All traffic is forced over IPv4 to prevent IP leaks.
10. We offer a custom VPN application for iOS, Android, Windows, and Mac. IPVanish is also configurable with DD-WRT and Tomato routers (pre-configured routers available), gaming consoles, Ubuntu and Chromebook.
11. We own and have physical control over our entire operational infrastructure, including the servers. Unlike other VPN services, we actually own and operate a global IP network backbone optimized for VPN delivery which insures the fastest speeds of any VPN provider.
12. We have servers in over 60 countries including the US, Australia, United Kingdom, Canada and more. You can view the complete list on our VPN servers page.
IPVanish website
IVPN
1. No, not doing so is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. In addition, it is not within our interest to do so as it would increase our liability and is not required by the laws of any jurisdiction that IVPN operates in.
2. Privatus Limited, Gibraltar.
3. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc all run on our own dedicated servers that we setup, configure and manage. No 3rd parties have access to our servers or data.
4. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so.
5. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and we are asked for the customer’s identity, then we would reply that we do not store any personal data.
If the company is served with a valid court order that did not breach the Data Protection Act 2004, we could only confirm that an email address was or was not associated with an active account at the time in question.
6. Yes, all file sharing traffic is permitted and treated equally on all servers. We do encourage customers to use non-USA based exit servers for P2P as any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.
7. We accept Bitcoin, Cash, PayPal and credit cards. When using cash, there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments. This information is deleted immediately when an account is terminated.
8. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec (e.g. $5 wrench – https://xkcd.com/538/) than worrying about 2048 vs 4096 bit keys.
9. This is a huge problem for most VPN providers as shown by the comprehensive tests undertaken at VPNtesting.info (IVPN sponsored this project).
The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN etc.). It is impossible to any data to leak if a connection drops as the firewall will not deactivate until explicitly instructed to do so. It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts to ensure than no packets are ever able to leak outside of the VPN tunnel, regardless of the connection state of the VPN.
10. Yes, we offer a custom OpenVPN client for Windows and MacOS which includes our advanced VPN firewall that blocks every type of possible IP leak. We have also recently released an iOS app and plan to release an Android version later this year.
11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless.
We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We run our own network of log free DNS servers that are only accessible to our customers.
12. A full list is available here.
IVPN website
LiquidVPN
1. No we do not store any logs that could be used to match an IP address and timestamp back to a LiquidVPN user.
2. LiquidVPN INC. Cheyenne, Wyoming
3. We use Google Analytics on our front end web site. Everything else is self-hosted.
4. If the data center requires us to answer DMCA complaints, then we let them know that these files are not hosted locally and that because we do not keep logs on user activity it is impossible for us to investigate the DMCA complaint further.
5. No we have not received any court orders. We would have to explain to law enforcement that the only way we could provide information about a user on our network was if they were able to provide us with enough information to identify the user in our system. Basically they would need to provide billing information or the users registered email address.
If they were able to provide this information we would be required to hand over the user’s email address, registered first name and transactional information. There is no other way to identify a user on our system. We would publish any correspondence from law enforcement to our transparency section on the website and if we were not allowed to do that we would stop updating our Warrant Canary.
6. All file sharing traffic is allowed and given equal priority on any server within our network.
7. For anonymity, we recommend bitcoin which requires a first name and email address only. We accept PayPal which requires a first name and email address. Finally, when a user pays via credit card their address, first name and email address is required.
8. I would recommend users connect to any of our OpenVPN servers because they use 256 Bit AES / Camellia, 4096 Bit RSA keys, they use TLS-DHE-RSA-AES-256-CBC-SHA, SHA2 HMAC digest (SHA512) if they want added privacy we would recommend using IP Modulation which randomly modifies the source public IP address per packet on all of a user’s traffic.
9. IPv6 support is on the roadmap for this year. Until its fully supported IPv6 leaks are blocked via our client. We do provide DNS leak protection and a full on VPN firewall that goes well beyond the protection from a standard VPN killswitch.
10. Our custom applications work for Windows, Mac and Android.
11. All of our VPN servers are bare metal servers that we control. Our servers are not accessible by anyone except us. We do provide private DNS servers and SmartDNS for free. Users can access USA and UK content from any server on our network.
12. We have servers in 17 data centers and 11 countries in North America, Europe and Asia.
LiquidVPN website
SmartVPN
1. We don’t have enough space on our servers PoPs to keep logs (True story).
2. The company name is Anonymous SARL and operates under the jurisdiction of the Kingdom of Morocco.
3. We use Google Analytics and Tawk live support.
4. What about ignoring them? Since there is nothing to takedown.
5. This has never happened before, but we won’t be able to cater to their demand as we can’t identify that user within our system.
6. BitTorrent and other P2P protocols are allowed on all our servers.
7. We use BitPay (BitCoins) and PayPal
8. We recommend OpenVPN for Desktop and IKEv2 for Mobile devices. For encryption we use the AES-256-CBC algorithm. DNS leak protection is already enabled however “kill switches” will be available soon.
9. We don’t provide IPv6 support as of now.
10. We provide a custom VPN application for Mac and Windows-based on OpenVPN, and Mobile apps (Android and iOS) based on IKEv2.
11. We have a mix. Physical control over most of our infrastructure and some exotic locations are hosted by 3rd party partners.
12. A full list is available here.
SmartVPN website
PrivateVPN
1. We do not keep ANY logs that allow us or a third party to match an IP address and a time stamp to a user of our service. We highly value the privacy of our customers.
2. Privat Kommunikation Sverige AB and we operate under Swedish jurisdiction.
3. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.
We’re also using Google Analytics and Statcounter for collecting static of how many visitors we have, popular pages and conversion of all ads. This data is used for optimization of the website and advertising.
4. We’ll say that we don’t store any logs of our customers’ activity. Privacy and anonymity of our customers are something we really value and due to our non-logging policy, DMCA notices will be ignored.
5. Due to our policy of NOT keeping any logs, there is nothing to provide about users of our service. To clarify, we do not log or have any data on our customer’s activities. We have never received any court order.
6. Yes, we allow Torrent traffic on all servers. All traffic is treated equally and we do not, under any circumstances, throttle our traffic. We buy high-capacity internet traffic so we can meet the demands. On some locations, we use Tier1 IP transit providers for best speed and routing to other peers.
7. PayPal, Stripe and Bitcoin. Every payment has an order number, which is always linked to a user. Otherwise, we would not know who has made a payment. To be clear, no one can link a payment to an IP address you get from our service or online user activity.
8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key
9. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools yet for DNS leaks but the best way, which is always 100%, is to change the local DNS on the device to DNS servers we provide. Right now, our developers are working on a new feature that will protect from DNS leaks and a new version of the kill switch. Protection against IPv6 leaks will also be implemented in new VPN application.
10. Yes, we’re offering our own customized VPN application for Windows, iOS (iPhone/iPad), Android and MacOS(OS X) with features that help to protect our customers.
11. We have physical control over our servers and network in Sweden. We’re only using trusted data centers with strong security. Our providers have no access to PrivateVPN’s servers and most importantly, there are no customer data/activities stored on the VPN servers or on any other system we have.
12. See here and here.
PrivateVPN website
CryptoStorm
1. Nope, no logs. We use OpenVPN with logs set to /dev/null, and we’ve even gone the extra mile by preventing client IPs from appearing in the temporary “status” logs using our patch available at https://cryptostorm.is/noip.diff.
2. We’re a decentralized project, with intentional separation of loosely-integrated project components. We own no intellectual property, patents, trademarks, or other such things that would require a corporate entity in which ownership could be enforced by the implied threat of State-backed violence; all our code is published and licensed opensource.
3. No, we don’t use any external visitor tracking or email providers.
4. Our choice is to reply to any such messages that are not obviously generated by automated (and quite likely illegal) spambots. In our replies, we ask for sufficient forensic data to ascertain whether the allegation has enough merit to warrant any further consideration. We have yet to receive such forensic data in response to such queries, despite many hundreds of such replies over the years.
5. See above. We have never received any valid court orders requesting the identity of a user, but if we ever did receive such a request, it would be impossible for us to comply as we keep no such information.
6. Yes, all traffic is allowed.
7. We accept PayPal and payments using Stripe (includes Bitcoin), although we will manually process any other altcoin if a customer wishes. We don’t have financial information connected in any way to the real-life identity of our network members; our token-based authentication system removes this systemic connection, and thus obviates any temptation to “squeeze” us for private data about network membership.
We quite simply know nothing about anyone using our network, save for the fact that they have a non-expired (SHA512 hash of a) token when they connect. Also, we now process Stripe orders instantly in-browser.
8. We only support one cipher suite on-net. Offering “musical chairs” style cipher suite roulette is bad opsec, bad cryptography, and bad administrative practice. There is no need to support deprecated, weak, or known-broken suites in these network security models; unlike browser-based https/tls, there are no legacy client-side software suites that must be supported. As such, any excuse for deploying weak cipher suites is untenable.
Everyone on Cryptostorm receives equal and full security attention, including those using our free/capped service “Cryptofree.”
There are no “kill switch” tools available today that actually work. We have tested them, and until we have developed tools that pass intensive forensic scrutiny at the NIC level, we will not claim to have such. Several in-house projects are in the works, but none are ready yet for public testing.
We take standard steps to encourage client-side computing environments to route DNS queries through our sessions when connected. However, we cannot control things such as router-based DNS queries, Teredo-based queries that slip out via IPv6, or unscrupulous application-layer queries to DNS resolvers that, while sent in-tunnel, nevertheless may be using arbitrary resolver addressing. Our Windows client attempts to prevent some of this, but it’s currently impossible to do so completely.
We are saddened to see others who claim they have such “magical” tools; getting a “pass” from a handful of “DNS leak” websites is not the same as protecting all DNS query traffic. Those who fail to understand that are in need of remedial work on network architecture.
As we run our own mesh-based system of DNS resolvers, “deepDNS”, we have full and arbitrary control over all levels of DNS resolution presentation to third parties.
9. We only handle IPv4 connections, we are currently looking into IPv6, but that’s work in progress. Our widget prevents against IPv6 leaks, and we advise our customers on how to prevent leaks on other platforms.
10. We offer an open source application written in Perl (dubbed the “CS widget”), source code available at GitHub. Currently only for Windows, but we are working on porting it to Linux. The application is essentially an OpenVPN GUI with some tweaks here and there to prevent different types of leaks (DNS, IPv6, etc.) and to make connecting as easy as possible. Output from the back end OpenVPN process is shown in the GUI. When you exit the program, that data is forgotten.
11. We deploy nodes in commodity data centers that are themselves stripped of all customer data and thus disposable in the face of any potential attacks that may compromise integrity. We have in the past taken down such nodes based on an alert from onboard systems and offsite, independently maintained remote logs that confirmed a violation was taking place.
It is important to note that such events do not explicitly require us to have physical control of the machine in question: we push nameserver updates, via our HAF (Hostname Assignment Framework) out via redundant, parallel channels to all connected members and by doing so we can take down any node on the network within less than 10 minutes of initial commit.
We have constructed a mesh-topology system of redundant, self-administered secure DNS resolvers which has been collected under the label of “deepDNS”. deepDNS is a full in-house mechanism that prevents any DNS related metadata from being tied to any particular customer. It also allows us to provide other useful features such as transparent .onion, .i2p, .p2p, etc. access. There is also DNSCrypt support on all deepDNS servers to help protect pre-connect DNS queries.
12. Our server list is available here.
CryptoStorm website
BolehVPN
1. We do not keep any logs on our VPN servers that would allow us to do this.
2. BV Internet Services Limited, Seychelles
3. We use Zendesk to deal with support queries and do track referrals from affiliates. We however provide the option to send us PGP encrypted messages via e-mail and also Zendesk. We also do not use Cloudflare. We also have an opt-in only education/blog list that uses Hubspot. For announcements we use our own e-mail system.
4. We generally find providers that are friendly towards such DMCA notices or where it cannot be avoided, we just keep them as Surfing/Streaming servers with P2P disabled. These servers are more for geo-location or general purpose surfing rather than P2P. We at no times give out customer information to handle this.
5. There has been a German police request for certain information in relation to a blackmail incident. Despite it appearing legitimate, we could not assist as we did not have any user logs. We maintain a warrant canary at https://www.bolehvpn.net/canary.txt which we do update once a month or when there is a request for information (even if we have not complied with it).
6. Most servers support P2P except those marked as Surfing-Streaming which are with providers with strict DMCA requirements. All other servers support P2P and are not treated differently from any other traffic.
7. Paypal, Paymentwall, Coinpayments, Paydollar, MolPay and we also accept direct Bitcoin/Dash payments.
8. We recommend OpenVPN and our cloak servers that use AES-256 bit encryption and a XOR patch that obfuscates your traffic as being VPN traffic.
9. We provide IPv6 leakage protection.
10. We have a custom application for Windows and Mac and also a slightly modified version for Android.
11. They are bare metal boxes hosted in various providers. We do use our own DNS servers.
12. Canada, France, Germany, Italy, Japan, Luxembourg, Malaysia, Netherlands, Singapore, Sweden, Switzerland, United Ki