
I know there are two kinds of VPN services (free and paid). Normally, free VPNs need money from somewhere, and sometimes they can sell your information to any agency that needs it.
Now, if we are talking about a paid VPN where they use encryption and don't keep any logs or information about the user, IP addresses, or what you're doing, how can a hacker be traceable? Then the best hackers who have been caught must have been using a free VPN, because they were too cheap to pay $7-10/month, or I'm missing something.

An excerpt from the FAQs of one of these VPN services. They have it in the privacy policy.

[Image: screenshot of the FAQ excerpt]

SEJPM
jcho360
  • How can you be sure that they're not keeping logs? Unless you see their actual infrastructure/code, you'll never know for sure. – Simon Jul 30 '13 at 13:10
  • How about finding a chain of a few countries which do not have any diplomatic relations and using VPN over VPN over VPN... each in one of those countries? – Michał Šrajer Jul 31 '13 at 13:07
  • Has anyone checked out Hide.io? They're a Hong Kong based service which claims not to keep logs. I've looked at the small print on their ToS page (https://www.hide.io/page/legal) and it seems to imply that no logs are taken or can be given, and if the law changes there, they will close down the service. Can anyone verify that this is actually a VPN which really doesn't keep logs and therefore would be unable to comply with a court order? – Josh Aug 12 '13 at 09:46
  • How about finding a chain of a few countries who do not have any diplomatic relations... and are willing to sell you out in exchange for cold, hard currency, since there are absolutely no laws preventing foreign entities from setting up shop and filtering all paranoid traffic. Money talks, free untampered communications walks in the lands where kickbacks are king. – Fiasco Labs Aug 12 '13 at 14:54
  • Roll the dice, pay the price. Expect some level of risk when engaging in risky activity. – Seth Ludwig Sep 04 '13 at 04:18
  • All modern VPN providers keep your logs, not limited to your IP, target IP, domain, protocol type, and packet size. – Shiji.J Oct 05 '16 at 18:35
  • @MichałŠrajer That's possible, in an ideal situation. But there are other clues, such as card transactions, PayPal, and system/browser/plugin/software update traffic. – Shiji.J Oct 05 '16 at 18:48

8 Answers

83

Update/Note: This is not to discourage VPN usage. I personally use one of the providers mentioned below, and I'm very happy with it. The important point is not to have an illusion of being 100% protected by the VPN provider. If you do something bad enough that state actors are after you, the VPN provider isn't going to risk itself for you. If those coming after you are motivated enough, they'll exert all possible legal (and not so legal) powers they have. Downloading torrents or posting on anarchist forums is probably not motivating enough, but death threats to high-up politicians, on the other hand... If there's one thing to take from this post, it is this: use common sense.


I've researched this subject for more than 3 years*: looking for VPN providers, reading through their Privacy Policy and Legal pages, contacting them, contacting their ISPs when possible, and I've concluded the following:

I was able to find zero reputable/trustworthy and publicly-available (free or paid) VPN service providers that:

  • Actually don't keep usage logs.

  • Actually don't respond with your personal information when presented with a subpoena.

I'm not exaggerating, absolutely none, zero, nada, nula, nulla, ciphr, cifra.

* Obviously not dedicated research for 3 years

Update: Regarding "super awesome Swedish VPN service providers": Swedish service providers obey the 'Electronic Communications Act 2003 389'. Sections 5, 6, and 7 under "Processing of traffic data" completely protect your privacy, but go a little further and read Section 8:

The provisions of Sections 5 to 7 do not apply

  1. When an authority or a court needs access to such data as referred to in Section 5 to resolve disputes.

  2. For electronic messages that are conveyed or have been dispatched or ordered to or from a particular address in an electronic communications network that is subject to a decision on secret wire-tapping or secret tele-surveillance.

  3. To the extent data as referred to in Section 5 is necessary to prevent and expose unauthorised use of an electronic communications network or an electronic communications service.

In case the authorities order secret wire-tapping, the service provider shall not disclose information about it:

Section 19 An operation shall be conducted so a decision on secret wire-tapping and secret tele-surveillance can be implemented and so that the implementation is not disclosed.

Update 2: Regarding other highly recommended super anonymous VPN services (I'll go over only the top two):

BTGuard: You only need to take one look at the Privacy Policy to know that there's something shady going on.

  • Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

  • We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

  • We will only retain personal information as long as necessary for the fulfillment of those purposes.

  • We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

You can clearly see the intentionally vague language: "fulfilling those purposes specified by us". What are those purposes specified by them? Nobody knows. They even clearly say that they'll collect personal information when required by law. In the last point they even state that they don't have to inform you about the collection of your personal information unless it's "appropriate".

PrivateInternetAccess: This is probably some of the easiest legal language in the business.

You agree to comply with all applicable laws and regulations in connection with use of this service. You must also agree that you nor any other user that you have provided access to will not engage in any of the following activities:

  • Uploading, possessing, receiving, transporting, or distributing any copyrighted, trademark, or patented content which you do not own or lack written consent or a license from the copyright owner.

  • Accessing data, systems or networks including attempts to probe scan or test for vulnerabilities of a system or network or to breach security or authentication measures without written consent from the owner of the system or network.

  • Accessing the service to violate any laws at the local, state and federal level in the United States of America or the country/territory in which you reside.

If you break any of their conduct conditions (mentioned above):

Failure to comply with the present Terms of Service constitutes a material breach of the Agreement, and may result in one or more of these following actions:

  • Issuance of a warning;
  • Immediate, temporary, or permanent revocation of access to Privateinternetaccess.com with no refund;
  • Legal actions against you for reimbursement of any costs incurred via indemnity resulting from a breach;
  • Independent legal action by Privateinternetaccess.com as a result of a breach; or
  • Disclosure of such information to law enforcement authorities as deemed reasonably necessary.
Adi
  • Could you elaborate what the problem with, e.g., https://www.ipredator.se/ is? Would you count it as not trustworthy? – ungerade Jul 30 '13 at 19:52
  • @ungerade - You must be joking, right? It's a subscription-based service, and that means they by necessity keep subscription-related data, and they also keep access logs, not even hiding it in their [legal](https://www.ipredator.se/page/legal). It is, of course, wrapped in language that would make it appear their services are reasonably safe to use, if you're incapable of reading between the lines (asking yourself which information isn't provided and why, not which is). The lack of information there is apparent, and doesn't exclude (not mentioned) third-party involvement at all. ;) – TildalWave Jul 30 '13 at 21:53
  • @ungerade I've updated my answer to cover the case of that provider and other Swedish service providers. Case #1 is a general case when it comes to court orders, and case #3 talks specifically about the "unauthorised use of an electronic communications", which is the legal jargon for hacking/cracking. – Adi Jul 30 '13 at 22:10
  • The VPN service I use, https://www.privateinternetaccess.com/pages/privacy-policy/, claims `PrivateInternetAccess.com does not collect or log any traffic or use of its Virtual Private Network ("VPN") or Proxy. ` – Andreas Bonini Jul 31 '13 at 09:20
  • Do you not have any results of your 'research' you can provide us with? Not that I'm sceptical, but I feel you should be providing at least citations that can contradict the numerous claims that many VPN providers linked by TorrentFreak (https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/) keep absolutely zero logs. – deed02392 Jul 31 '13 at 09:53
  • @deed02392 I understand your skepticism and you have every right to be skeptical. Unfortunately, I don't have solid evidence other than the companies' own ToS and Privacy Policy (which is more than enough, IMO). I wrote a second update especially to cover the link you mentioned. – Adi Jul 31 '13 at 10:34
  • @Adnan thx for your answer, so your conclusion is that to be more secure (anonymous) the best way is to use Tor? Thanks. – jcho360 Aug 02 '13 at 12:44
  • @jcho360 Exactly. This will decentralize the whole process; there won't be just a single point where authorities can present a subpoena. Granted, this won't make you 100% safe, but it's by far one of the best options. – Adi Aug 02 '13 at 13:26
  • Re: comments made by @AndreasBonini and deed02392, I'm puzzled by how a logless VPN provider such as Private Internet Access could hand over a user's data if "We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP...We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs." – nitrl Aug 10 '13 at 23:51
  • Source: http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/ – nitrl Aug 10 '13 at 23:52
  • @nitrl Well, presumably they risk getting sued for doing this then - they cannot meet requirements under law to provide an audit trail as to who accessed what. – deed02392 Aug 11 '13 at 19:25
  • @nitrl Please have a look at Private Internet Access's own ToS and Legal pages. You can clearly see that they're keeping logs and they're not trying to hide it. They clearly tell you that if you do something against their rules, they'll inform the authorities. Now think about it: how would they know that you're doing something illegal, and what would they tell the authorities, if they're not keeping _some_ logs? I've mentioned all of that in my answer and I've bolded the important parts. – Adi Aug 11 '13 at 19:43
  • @Svetlana That was what was confusing me: the fact that they claim to be "logless" and yet somehow maintain the ability to suspend abusive users or provide logs when subpoenaed. I suppose they're simply lying.. – nitrl Aug 11 '13 at 23:18
  • @TildalWave PrivateInternetAccess IS a subscription service, but they don't keep ANY subscriber information. You can pay for the service with a gift card from almost anywhere completely anonymously. I paid for my subscription with a Target gift card I bought with cash at 7-11. Of course they know the IP address I connect from, but only if they keep logs, which goes back to the OP's question. – dslake Nov 07 '14 at 05:25
  • Ever heard of [PRQ](http://www.prq.se/?intl=1)? – Cole Tobin Dec 03 '14 at 01:57
  • @ColeJohnson Yes, and this answer applies to it. PRQ operates in Sweden, which means they're forced under "Lag (2003:389) om elektronisk kommunikation", which is explained in the post, to cooperate with law enforcement to give information about and trace hackers and other users who commit illegal activities. In fact, in [their very own ToS](http://www.prq.se/prq-av-en.txt) you can read that: "PRQ shall keep confidential and not disclose information regarding the Customer **except where this required by law**". Actually, their ToS even specifies hacking as something they don't allow. – Adi Dec 03 '14 at 04:28
  • [ProtonVPN has had their actual no log policy audited](https://protonvpn.com/blog/no-logs-audit/) – Einliterflasche Aug 20 '22 at 23:57
30

Most anonymizing services who claim that they "don't keep logs" actually do keep logs, because otherwise they would be in even deeper trouble when the Feds drop on them at 6:00 AM with terrorism charges. A VPN service like the ones you quote is basically saying: "yeah, we accept to take full legal responsibility for everything you do online for only $7 per month". Does this really sound... plausible?

Also, paying involves transactions, and transactions include logs. Everywhere. To a large extent, stolen credit card information mitigates the risks of being caught through these logs, but adds extra risks (i.e. there is now credit card fraud, and this enlists some other three-letter agencies in the pursuit of the perpetrator).

Tom Leek
  • Unless they are in a jurisdiction that does not experience that type of government interference, like the Seychelles. – schroeder Jul 30 '13 at 15:16
  • Iraq and Afghanistan were jurisdictions which theoretically did not experience interference from the US government. Practice may differ from theory. – Tom Leek Jul 30 '13 at 15:18
  • Oooook. So, when the US invades the Seychelles, I'll switch providers ... All you needed was a reference to Nazis and you would have had the ultimate trump card there ... – schroeder Jul 30 '13 at 17:28
  • Sarcasm notwithstanding (and I am pretty sure that Nazis predate the Internet by some decades), there is a point to consider there: for an anonymous VPN, you need the VPN provider never to give logs to authorities; not now, but not next year either. The trust in the VPN provider is not limited to the present. This means that a provider-switching strategy is not enough: you might have to switch providers _now_ because your provider _will be "invaded"_ in a few months... and you cannot know that yet. – Tom Leek Jul 31 '13 at 17:52
  • There are plenty of Western jurisdictions that don't have a law saying that you are responsible to the extent that you aren't able to provide logs. I don't even think that it works that way in the US. In the US a company violates the law if they don't do everything in their power to answer a National Security Letter. – Christian Dec 17 '13 at 21:15
  • Astrill actually.. : https://www.reddit.com/r/technology/comments/20k0i0/which_vpn_services_take_your_anonymity_seriously/ – Shiji.J Oct 05 '16 at 18:49
15

More precisely, from the privacy policy for the VPN service:

We will store a time stamp and IP address when you connect and disconnect to our VPN service together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service.

In other words, they log that user X (identified by his account information and client IP address) used VPN endpoint V from time T1 to time T2.

Now suppose the authorities want to know who did something, and they know that the culprit was coming from V at time T. They will ask the VPN provider, who can tell them which user was using V at that time.

A VPN only provides one level of insulation between the user's identity and the services that the user accesses. In a situation where law enforcement becomes involved, that's not much. If anonymity can be achieved at all, it requires using multiple hops, preferably in as many different jurisdictions as possible. Read up on how Tor works.

Gilles 'SO- stop being evil'
  • I used Tor, but I didn't like what I found there... you know what I'm talking about... so there's no secure VPN? It doesn't matter if you pay or not? – jcho360 Jul 30 '13 at 14:54
  • @jcho360 Secure against what? If you want to be anonymous from law enforcement, you'd have to find a VPN that doesn't keep logs (illegal or legally risky in most jurisdictions), and whose ISP and routing peers don't keep logs either. – Gilles 'SO- stop being evil' Jul 30 '13 at 15:06
  • @jcho360 If you're looking for _that_, then _that_ is what you'll find. Tor or not. It's not like you connect to Tor and suddenly your computer is full of CP. – Adi Jul 30 '13 at 15:11
  • @Adnan what is CP? – jcho360 Jul 30 '13 at 15:54
  • @jcho360 The things you're "finding" on Tor. – Adi Jul 30 '13 at 15:55
12

When you're wondering about that kind of thing, it really pays to go and read the full privacy policy. It details what they keep in the log.

Specifically, speaking about HMA, they keep a log of what IP address was assigned to you. This means that, given a court order, they will (be required to) provide your real identity to law enforcement agencies. Other (serious) VPN providers do the same thing.

Peter Mortensen
Stephane
  • HideMyAss _has_ done this before. Which is [how some LulzSec members got arrested](http://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/). – Michael Hampton Jul 31 '13 at 22:43
9

None of these answers are actually answering the question, and nobody is mentioning the power behind meta data. Let's go into detail as to how this can be done.

How can you be caught using Private VPN when there's no logs about who you are?

Generally speaking, there are logs about who you are, even if your VPN provider isn't logging anything about your connections. Other companies are logging other information about you. Advertisers, etc.

While a VPN provider may claim not to provide connection logs, their internet service provider may do it. They may be telling you the truth, but not the whole truth.

But to answer your question, let's approach this subject from the assumption that your VPN provider is not logging anything.


Metadata is far more powerful than most people realize

Meta data is powerful. When metadata can match you to other data sources, finding you is not difficult.

I created a very dumbed-down flowchart to help explain how this can happen. Sure, different operating systems make this harder, but in general, it's much easier to find a Mac or Windows user, or a mobile device user than it is a Linux user.

Before you read, assume Device ID could be anything: your windows key, your hardware device information communicated to providers, your MAC addresses used, IP addresses, browser fingerprints, whatever. It could be any number of things.


[Flowchart image: "How to donate your organs"]


What kind of account information could assist in giving you away?

Any online service you log into with an account. These include, but are not limited to:

  1. Skype
  2. Steam
  3. Battle.Net
  4. Origin
  5. Email accounts
  6. Xbox Live
  7. Discussion forums
  8. Windows update
  9. Nvidia drivers

If you connect to any of those while connected to a VPN -- and many of these are automatic connections that re-establish themselves once you connect to the VPN -- a clear pattern arises.

And that's just a tiny list. There's a countless number of services which will do the same thing. Those service providers will log your access attempt, and they're required by law in most countries to turn over that data if requested.


Conclusion

In most cases, you can run... but you can't hide. :) Sure, there are ways around this, but the vast majority of VPN users aren't really aware of this. This is one of the many reasons why those "hiding behind 7 proxies" keep getting caught.

Mark Buffalo
  • What if multiple users use the same VPN IP? How can you know that a torrent download was done by the same user that did Windows updates? Not all requests will send a device ID. – Laurence May 05 '16 at 11:03
  • I think I gave a better explanation [here](https://security.stackexchange.com/questions/121733/how-can-meta-data-be-used-to-identify-users-through-chained-vpns/121738#121738). Right, not all requests will send a device ID, but if you're connected to Windows Update at the time, they can narrow down a list of potential suspects. Over time, through a process of elimination and mapping out patterns, they'll getcha. – Mark Buffalo May 05 '16 at 12:08
  • Not to mention time ranges. – Mark Buffalo May 05 '16 at 12:16
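As an added illustration (not code from any answer in this thread) of the two mechanisms described above: the provider's own connect/disconnect record that Gilles quotes, which narrows a (endpoint, time) query to a set of accounts, and the device-ID elimination pattern Mark Buffalo describes, which collapses that set when a shared endpoint IP leaves several suspects. All log lines, account names, endpoint names and device IDs are constructed, and the log formats are assumptions, not any provider's real format.

```python
"""Constructed example: a VPN provider's connect/disconnect log combined with
a third party's device-ID sightings. Formats, names and IDs are assumptions
invented for this illustration, not any real provider's data."""
from collections import namedtuple
from datetime import datetime

Session = namedtuple("Session", "account client_ip endpoint start end")
Event = namedtuple("Event", "time endpoint device_id")

# Constructed provider log: account, client IP, VPN endpoint, connect, disconnect.
# This is the record Gilles quotes: a time stamp and IP on connect and disconnect.
VPN_LOG = """
alice,203.0.113.10,vpn-se-03,2013-07-30T12:55:00,2013-07-30T14:20:00
bob,198.51.100.7,vpn-se-03,2013-07-30T13:00:00,2013-07-30T13:45:00
carol,192.0.2.33,vpn-de-01,2013-07-30T13:05:00,2013-07-30T13:50:00
bob,198.51.100.7,vpn-se-03,2013-07-31T09:00:00,2013-07-31T09:30:00
"""

# Constructed third-party log (say, an automatic update check): time, the shared
# VPN endpoint it saw as source address, and a device identifier it received.
# On its own this names an endpoint, not a person.
UPDATE_LOG = """
2013-07-30T13:12:00,vpn-se-03,DEVICE-A1
2013-07-30T14:10:00,vpn-se-03,DEVICE-A1
2013-07-30T13:40:00,vpn-se-03,DEVICE-B2
2013-07-31T09:10:00,vpn-se-03,DEVICE-B2
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_sessions(text):
    rows = (line.split(",") for line in text.strip().splitlines())
    return [Session(a, ip, ep, parse_time(s), parse_time(e)) for a, ip, ep, s, e in rows]


def parse_events(text):
    rows = (line.split(",") for line in text.strip().splitlines())
    return [Event(parse_time(t), ep, dev) for t, ep, dev in rows]


def candidates(sessions, endpoint, when):
    """Accounts whose session on `endpoint` covered `when`.
    With a shared endpoint IP this is a set of suspects, not one name."""
    return {s.account for s in sessions
            if s.endpoint == endpoint and s.start <= when <= s.end}


def pin_devices(sessions, events):
    """Intersect the suspect set over every sighting of each device ID.
    A device seen only while one particular account is connected, across
    several sightings, collapses to that account (the elimination pattern)."""
    pinned = {}
    for ev in events:
        suspects = candidates(sessions, ev.endpoint, ev.time)
        pinned[ev.device_id] = pinned.get(ev.device_id, suspects) & suspects
    return pinned


def identify(sessions, events, endpoint, when, device_id):
    """Who was on `endpoint` at `when` AND is tied to `device_id`?"""
    owners = pin_devices(sessions, events).get(device_id, set())
    return candidates(sessions, endpoint, when) & owners


if __name__ == "__main__":
    sessions, events = parse_sessions(VPN_LOG), parse_events(UPDATE_LOG)
    incident = parse_time("2013-07-30T13:30:00")
    print("provider log alone:", candidates(sessions, "vpn-se-03", incident))
    print("plus device metadata:", identify(sessions, events, "vpn-se-03", incident, "DEVICE-A1"))
```

With only the provider's log, the constructed incident at 13:30 on the shared endpoint leaves two suspects (Laurence's objection); one device ID sighted in the incident traffic and previously pinned by the elimination step reduces that to one.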
9

Like I've stated in the comment section, you can never be sure that your VPN provider doesn't log any information that could be leaked to the government or any party that has enough power.

Another way to use a VPN would be to rent a VPS and set up your own VPN service on it. However, you would need to make payments by a prepaid credit card and not provide any personal information. Bitcoins are often referred to as an anonymous way to make payments but have been proven to not be so anonymous after all.

Keep in mind that this solution might still not be perfectly anonymous, unless you never divulge your information when you connect to your VPS (IP, location, etc.), perhaps by using Tor like others mentioned.

Simon
  • Why would you need to make sure not to divulge your IP to your own VPS? Wouldn't simply clearing any logs on it be sufficient? – xasthor Nov 19 '17 at 05:04
8

Also keep in mind that it only takes a single mistake to get caught. Make a single visit to a target site without enabling your VPN first and they've got your real IP address. If you do any attacking in that session, or have any identifying data persist from the non-VPN to the VPN session (or vice versa), such as a cookie of any type, browser settings data, or a user name (IIRC one of the Anonymous busts was from a single non-VPN login to IRC), investigators can connect your VPN activity to you even if it really is as opaque as the marketing promises claim.

Peter Mortensen
3

Even if the service that you are using does everything in its power to protect your privacy, they can be hacked.

If you have a big VPN company whose users think they can use the VPN to hide their identities, they are a high value target for the NSA and other major intelligence agencies.

Christian