Can Commercial VPNs Really Protect Your Privacy?

from the it-depends dept

As Techdirt readers are no doubt well aware, online surveillance laws are undergoing a major revamp across the western world. From Australia to the UK, law enforcement agencies are taking the opportunity to gain unprecedented powers over the data they can monitor, and are justifying the crackdown with everything from illegal file-sharing to terrorism. With western nations becoming increasingly hostile toward the concept of online anonymity, it's not unreasonable to suggest that the use of commercial VPNs will gain more traction (indeed, there's already some evidence supporting this). But can VPNs really safeguard your privacy today, and what kind of protection can you expect in the future, with the legal landscape changing so rapidly?

VPNs under fire

VPNs have come under serious scrutiny since mid-2011, after one of the leading services on the market played a pivotal role in the arrest and prosecution of a member of the hacker group LulzSec. This kicked off a debate amongst file-sharers and privacy groups over whether VPNs offer any real protection to their users at all. As TorrentFreak pointed out, many are no more effective than a regular ISP because of their self-imposed data retention policies.

It's certainly true that all VPNs have the ability to track users and log their data. Many do so because they don't consider themselves privacy services, and logging helps them identify repeat DMCA infringers and quickly troubleshoot network issues. Others do so seemingly because of a poor grasp of their own country's laws.

Of course, anyone concerned about privacy should not sign up to a service that retains data. Most privacy-oriented VPNs approach this issue by keeping a non-persistent log (stored only in memory) on their gateway servers that holds just a few minutes of activity on a first-in, first-out (FIFO) basis. That time window makes it possible to troubleshoot any connection problems that appear, but after a few minutes no trace of the activity remains.
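To make the FIFO arrangement concrete, here is an added illustration (my own example code, not IVPN's or any other provider's implementation) of a gateway-side log that lives only in RAM and forgets anything older than a fixed retention window. The event format, the session ids and the timeline in `demo()` are constructed for the example; timestamps are passed in by the caller so the behaviour is deterministic.

```python
"""Ephemeral, time-windowed in-memory connection log (added example, not a provider's code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    ts: float        # event time in seconds (supplied by the caller)
    session_id: str  # opaque per-connection id; values here are constructed
    detail: str      # troubleshooting detail, e.g. "tunnel up", "handshake retry"


class EphemeralLog:
    """FIFO buffer that never touches disk and discards anything older than `window_s`.

    Assumes events are recorded with non-decreasing timestamps (true for a
    single gateway's own clock); a size cap keeps memory bounded as well.
    """

    def __init__(self, window_s: float = 300.0, max_entries: int = 10_000):
        self.window_s = window_s
        self.max_entries = max_entries
        self._buf: deque[ConnEvent] = deque()

    def record(self, event: ConnEvent) -> None:
        # Newest entry goes on the right; the oldest falls off the left.
        self._buf.append(event)
        self._expire(event.ts)

    def _expire(self, now: float) -> None:
        cutoff = now - self.window_s
        while self._buf and self._buf[0].ts < cutoff:
            self._buf.popleft()          # time-based expiry (the "few minutes" window)
        while len(self._buf) > self.max_entries:
            self._buf.popleft()          # size-based expiry so the buffer stays bounded

    def recent(self, now: float) -> list[ConnEvent]:
        """Entries still inside the window at time `now`; stale ones are purged first."""
        self._expire(now)
        return list(self._buf)

    def lookup(self, session_id: str, now: float) -> list[ConnEvent]:
        """What an operator can still see for one session while troubleshooting."""
        return [e for e in self.recent(now) if e.session_id == session_id]


def demo() -> dict[str, int]:
    """Constructed timeline: three events over two minutes, queried at three later instants."""
    log = EphemeralLog(window_s=300.0)
    log.record(ConnEvent(0.0, "sess-a", "tunnel up"))
    log.record(ConnEvent(60.0, "sess-b", "tunnel up"))
    log.record(ConnEvent(120.0, "sess-a", "handshake retry"))
    return {
        "at_200s": len(log.recent(200.0)),  # all three still inside the 5-minute window
        "at_361s": len(log.recent(361.0)),  # only the 120 s event remains
        "at_500s": len(log.recent(500.0)),  # nothing left to hand over
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the retention window, not the operator's discretion, decides what exists: a request for activity from last week hits an empty buffer, and because nothing is ever written to disk there is no file to seize or restore. Restarting the process also empties the buffer, which is acceptable here since its only purpose is short-term troubleshooting.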

As you may know, the EU's Data Retention Directive came into effect in 2006, requiring "public communications services" to hold web logs and email logs, amongst other data. IVPN, along with a number of other EU-based VPNs, believes our services are excluded from this requirement and we do not abide by it. So far there have been no cases we're aware of compelling VPNs to retain this information. Indeed, from a user perspective, the presence or absence of retention laws seems rather arbitrary, given how many US-based VPNs willingly retain data despite no government-mandated policy being in place (at least not yet).

When law enforcement and VPNs collide...

So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands that the company trace an individual based on a timestamp and the IP address of one of its servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.

One of the few ways law enforcement could identify an individual using a privacy service without logs is to serve the owners with a gag order and demand that they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order, and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot and recover their keys and passwords before they could react, your privacy would be protected.

A changing landscape...

But the biggest threat to VPN usage is the changing legal landscape. The waters around the issues presented by VPNs are still being tested, and laws may well be amended in the future to prevent such services from operating in certain jurisdictions. So how do you navigate all this?

In all honesty, there are no easy answers. Picking a host country based on its current laws isn't going to help much in the long term. By far the best measure you can take is to choose a VPN that demonstrates a commitment to user privacy. Examine the company's small print or, better yet, contact the owners and ask them upfront how far they go to protect your personal data. Ensure the company is committed to keeping users informed of any emerging threats to its service and – before buying any lengthy subscription – make sure the VPN is willing to re-domicile should its host country change any relevant laws.


Filed Under: local laws, privacy, vpn