By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.
To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.
Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.
By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
2. Under what jurisdiction(s) does your company operate?
3. What tools are used to monitor and mitigate abuse of your service?
4. Do you use any external email providers (e.g. Google Apps) or support tools ( e.g Live support, Zendesk) that hold information provided by users?
5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?
7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?
8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
9. Which payment systems do you use and how are these linked to individual user accounts?
10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?
11. Do you use your own DNS servers? (if not, which servers do you use?)
12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?
Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, and others who simply failed to respond.
Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.
VPNs That keep No Logs
1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.
2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.
3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.
4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.
5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.
6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have. (update: PIA has received subpoenas but since the requested information was not on file the company had nothing to produce in response.)
7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”
8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.
9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.
10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacies including:
– Kill Switch : Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection : Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection : This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System : We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
11. We are currently using our own DNS caching.
12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.
1. We never keep traffic logs, and we also don’t keep any logs that might enable someone to match an IP and timestamp back to a user. We work entirely on the basis of shared IPs, meaning that a single IP does not track back to an individual user. For the purpose of improving network resource allocation, we record aggregate data-transfer amounts and choice of server location, neither of which are data points that can identify a specific user as part of an investigation.
2. We are incorporated in the British Virgin Islands and operate according to BVI laws.
3. We block outgoing connections to port 25 to prevent SMTP abuse, and we use firewall rules to prevent some types of DOS attacks.
4. We use Zendesk for support tickets, and SnapEngage for live chat. We believe these to be secure, and if we had any indication that our customer communications were compromised on either of these channels, it would be straightforward to migrate to a different platform.
5. There is nothing to take down, as we are not a content host. We maintain the anonymity of our customers and would not attempt to identify users on the basis of DMCA notices.
6. This hasn’t happened to date, but we would need to receive a court order from the BVI.
7. Not yet, although we are trying to understand how it would be practical to implement one. We do strongly support Twitter’s lawsuit against the US Justice Dept. and their battle to allow greater transparency when it comes to publicizing secret government legal processes.
8. We allow BitTorrent and other file sharing traffic from all of our servers. We respect our customers’ freedom to use these services and their right to privacy from ISPs and other parties who attempt to monitor such traffic.
9. VISA, Mastercard, Paypal, American Express, Discover, JCB, Diners Club, Alipay, UnionPay, CashU, Webmoney, Yandex Money, Ukash, Giropay, Sofort, Maestro, Carte Bleue, Interac Online, Mint, FanaPay, OneCard, Tenpay, iDeal (we do store name and address as it relates to credit card billing information). And most importantly for privacy focused users, Bitcoin via BitPay.
The information you are required to submit varies with the payment method selected. With Bitcoin we require only an email address so we can communicate with you, and no other personally identifying information.
10. This depends on the platform, but most of our apps use OpenVPN by default, and that’s also our recommendation for best security. Some of our apps have DNS leak protection and maintain VPN routes even when a connection has unexpectedly dropped. We’re actively working on making these features more complete and easier for customers to understand what they do and when they’re active.
11. This depends on the platform, but for most users DNS queries go through our own DNS servers. Sometimes we also recommend Google DNS.
12. We work with multiple data centers in 78 countries around the world. In our most popular server locations, we use only premium providers with strong security practices and wholly owned data centers. Our data center partners do not have access credentials to ExpressVPN servers, and because we don’t keep logs, we are able to mitigate the threat to our users’ privacy.
1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.
2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.
3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.
4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure member’s area without any information passing through an insecure channel.
5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.
6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.
7. No, at this time we do not have a warrant canary.
8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.
9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.
10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosey ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built in WebRTC leak block feature for Windows Vista/7/8 users.
11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.
12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.
1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).
2. NordVPN is based out of Panama.
3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.
4. We use the third-party live support tool, but it is not linked to the customers’ accounts.
5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.
6.If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.
7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.
8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.
9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.
10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hoops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.
In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.
11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.
12. Our servers are outsourced and hosted by a third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.
1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.
2. IPVanish is headquartered in the US and thus operates under US law.
3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation as to not affect other users.
4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.
5. IPVanish keeps no logs of any user’s activity and responds accordingly.
6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.
8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.
9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.
10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.
11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.
12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.
2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.
3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.
4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.
5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.
6. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.
7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.
8. Yes, all traffic is allowed.
9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.
10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.
Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.
12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.
2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.
3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.
4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repo’s, configuration management servers etc. all run on our own dedicated servers that we setup, configure and manage.
5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.
6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.
7. Yes absolutely, we’ve published a canary since August 2014.
8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.
9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.
10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure than no packets are ever able to leak outside of the VPN tunnel.
11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.
12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized it’s data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversaries job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong-Kong, USA, UK and Canada.
1.We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.
2. We operate in Swedish jurisdiction.
3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.
4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.
5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.
6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.
7. We’re working on a solution where we publish a statement that we haven’t received legal process. One we receive a legal process, this canary statement is removed.
8. Yes, we allow Torrent traffic.
9. PayPal, Payson, 2Chrckout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.
10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drop. We have no tools for DNS leak but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.
11. We use a DNS from Censurfridns.
12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.
3. Our own.
5. We do not care about DMCA.
6. We only require a working e-mail address to be a customer, no other information is kept.
8. As long as the usage doesn’t violate the ToS, we do not care.
9. None of the payment methods are linked to a user.
10. OpenVPN, customers have to monitor their service/usage.
12. Everything is inhouse in Sweden.
1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.
3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.
4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.
5. There is no such Swedish law that is applicable to us.
6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.
7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.
9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.
10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).
11. Yes, we use our own DNS servers.
12. We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.
2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.
3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.
4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.
5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.
6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.
8. Yes it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.
9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.
10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.
11. Yes we do use our own DNS servers.
12. Our VPN servers are hosted by third parties however for competitive reasons, we rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customer’s information.
1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.
2. Our company is under Seychelles jurisdiction.
3. We do not monitor any user’s traffic or activity for any reason.
4. We use third-party solutions for user communications and emailing. Both are running on our servers.
5. We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.
6. It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.
7. No, we don’t bother our users.
8. Yes we support all kind of traffic on all servers.
9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.
10. We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.
11. Yes. We are using our own DNS servers.
12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.
1. We do not keep any log at all.
2. Republic of Seychelles. And of course, every jurisdiction where each of our servers are, for their specific cases.
3. IPtables, TCPdump and Wireshark, for which their use is always informed at least 24 hours in advance via our Network Alerts and/or Transparency Report.
4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.
5. We block the affected port and explain to upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy upstream provider, but this may lead us to simply drop the server on short-term due to it becoming unusable.
6. We first post the court order to public and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To this date, no valid court order has been received and acknowledged by us.
7. Yes, proxy.sh/canary.
8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is solely limited to the fact you can whether open/use the ports you wish for it on a selected server.
9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).
10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve22519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of TOR’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/ARS and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.
11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.
12. We use a mix of collocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-third of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.
2. We operate under US jurisdiction.
3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP address of VPN server, there is no way any third party could connect any online activity to a user’s IP address.
4. We are using Google apps for incoming mail and our own mail server for outgoing mail.
5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make impossible to track who downloaded any data from the internet using our VPN.
6. We would reply that we do not have measures that would us allow to identify a specific user. It has not happened so far.
7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.
8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.
9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.
10. We would say SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case connection drops. Also, our apps are able to re-establish VPN connection and once active restart closed applications.
Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.
11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.
12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA
1. We do not keep any logs whatsoever.
2. United States
3. Custom programs that analyze traffic on the fly and do not store logs.
4. No, all data is stored on servers we control.
5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.
6. We would take every step within the law to fight such an order and it has never happened.
8. Yes, all types of traffic our allowed with our services.
9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.
10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.
11. We use our own DNS servers.
12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.
The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.
2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.
3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.
4. No. We do use a service to send generic emails.
5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.
If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.
6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our our network operations company which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.
Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.
7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.
8. Yes. We operate with network neutrality except for outgoing SMTP.
9. Bitcoin and other cryptocurriences such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.
10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol
We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.
11. Yes and we physically control them. You can choose others if you prefer.
12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.
3. We haven’t needed to use any tools for abuse. Our entire network is deployed with live firewall hardware. For any unusual activity firewalls can act automatically to mitigate any abuse. There also no logs kept in any of any of our firewall hardware activity.
4. We use support tools for support email ticket and chat requests from users.
5. We have never received any DMCA notices! All pf our Torrent/P2P network are deployed in Torrent allowed networks.
6. Never happened. There is also no possible way to identify any of our users as no logs are being kept.
7. No, we don’t. FBI has never been here! Our experts find warrant canary is not effective, is very questionable and it’s made primarily for marketing purposes.
8. BitTorrent and P2P is only allowed on specific networks which are designed for BitTorrent. This provides better speed for our users that are not using BitTorrent mainly and keeps both our network and users more secure while sharing files.
9. We accept PayPal and all major credit cards. Financial information is kept by the processing services. All we keep is the transaction IDs lined to users as this is needed for cancellations or refunds.
10. Our service setup, based on OpenVPN, is the following: 4096 bit RSA keys size, AES-256-CBC Data Channel. Also we provide SSTP, L2TP and PPTP protocol access depending of our users needs.
11. Yes, we use our own DNS servers.
12. Yes, we own all our physical servers and we have access to them physically. All our servers are collocated in secure cages in data centres which comply to technical and privacy requirements. Also only our Level4 Network engineers have access to our servers for high security reasons. We have servers located in Argentina, Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Ireland, Italy, Japan, Mexico, Netherlands, New Zealand, Norway, Panama, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States. Our servers are located in specifically selected data centres, such as IBM, nForce, Leaseweb, Voxility, Amanah, Quadranet, HugeServers, Serveria, YesUp, Micfo.