Not all VPN platforms are created equal, so make sure you know what to look for to keep your business and data safe.
Although a virtual private network (VPN) application is intended to give you a private, anonymous and secure connection to the internet, not all VPN services are the same. Any VPN is capable of tracking all of your internet activity, just like your internet service provider (ISP) would, and some services use a VPN log, which tracks how you use that service and keeps a record of the data.
There are a few VPN log types, and each records multiple types of internet activity. Some VPN logs outright defeat the purpose of using a VPN by capturing specific user information and keeping a record of it, while others put artificial user restrictions in place. However, there's a lot of confusion stemming from VPN logs, because some VPN providers are making false claims of "no log" or "logless" services, despite creating a limited record of user information.
A VPN service that logs user activity can keep those records pretty much indefinitely, although some perform regular data purges anywhere from daily to every two weeks. And the data itself can be used for several reasons, some far more damaging than others. Let's take a closer look at the different types of logs and what kinds of information they track.
VPN usage logs
A VPN usage log is arguably the most comprehensive logging system a network would use, and that's not necessarily a good thing. A usage log tracks all your activity, including your IP address, your uploads and downloads, your entire browsing history, specific applications you used while connected and other highly detailed metadata. In effect, the information in a usage log could technically be considered personal identifiable information (PII), because the data can be linked to an individual account.
Businesses should usually avoid VPNs that use these usage logs because of the intrusive level of detail they gather. Yet many VPN providers, ranging from prominent companies like Microsoft and Amazon all the way down to independent free services, still keep usage logs. Organizations do this because they tend to sell either advertising or your data (or sometimes both) to make a profit or to keep their services up and running.
A VPN provider that keeps a usage log presents substantial security concerns, mostly because it fails to provide actual privacy. Once there's enough information gathered in a usage log, anyone could create a user profile that contains your personal information. And once that profile exists, it could be sold to third-party advertisers (a common practice among free VPNs) or fall victim to a hacker attack, leading to a stolen identity.
VPN connection logs
A connection log focuses mostly on technical information used to improve the performance of a given service or to provide data that helps with troubleshooting. The activity a connection log tracks consists of how much data you used while connected to a VPN server, how long you're connected, which servers you're using, connection timestamps and the actual internet protocol (IP) address that a given service has assigned to you.
A lot of services that claim to offer "logless" or "no log" VPN solutions tend to use a connection log, which creates a lot of confusion. While a connection log may offer a lower-risk method of tracking customer information, it's still susceptible to hacker attacks, and it can be sold to advertisers that would use the extra details to analyze your internet behaviors. Worse yet, a VPN provider could simply hand it over to a website requesting your identity.
One distinction to keep in mind, though, is that companies don't define "connection log" consistently. Some providers, like ExpressVPN, use an IP address log in a way that's nearly identical to a connection log. However, an IP log doesn't necessarily tie an IP address to a user; this type of logging is only looking for performance analytics to help improve service. Data such as browsing history, data content, DNS queries, your original IP address and the IP address assigned to you are not typically tracked in an IP log.
Why would a VPN provider keep logs?
As previously mentioned, many free VPN services keep logs to sell that information to third parties, but one of the biggest reasons a VPN provider keeps any kind of activity log is that it's legally required in some countries. If a provider is headquartered in a region where severe data retention laws exist – like the U.S., Australia and France – or areas that suffer from oppression or censorship, that provider needs to keep comprehensive VPN logs for legal compliance.
Naturally, there are legal loopholes that some companies try to use to avoid a local region's compliance standards and protect their clients. However, regular audits need to be conducted by external independent agencies to not only prove the claims of a given VPN service but also make sure that it followed legal procedures along the way.
A VPN service might also keep logs to restrict bandwidth, throttle connection speeds or limit how many people can access a server under a given account. National spy agencies – like the National Security Agency (NSA) in the U.S. and the Government Communications Headquarters (GCHQ) in the U.K. – also rely on VPN logs to target and monitor specific suspects or a given organization's server network.
The ideal way to deal with VPN logs
The VPN platforms that are frequently recommended are the ones that are truly logless. Services such as NordVPN, CyberGhost VPN and IPVanish VPN have been extensively audited and thoroughly verified not to use any sort of activity logs, preventing security issues such as stolen data and identity theft. Because the VPNs don't create connection logs or usage logs, there's nothing to steal if your VPN provider suffers a cybersecurity breach.
In fact, police in Turkey recently seized an ExpressVPN server to gather customer data for an ongoing investigation. However, because ExpressVPN uses a logging type that keeps the bare minimum of technical performance data, it doesn't identify which customer is assigned to a given IP. In this instance, authorities weren't able to extract any PII for the case because that data didn't exist.
When investigating whether a VPN is truly logless, start by looking at the location of the company's headquarters. If a VPN provider is based out of a privacy-friendly country or region – such as Switzerland, Moldova, Romania, the British Virgin Islands or Panama – there's a good chance that the log-free claims are easy to prove.