Prompted by a high-profile case of an individual using an ‘anonymous’ VPN that turned out to offer less than expected protection, TorrentFreak decided to ask a selection of VPN providers some tough questions.
With our findings we compiled a report of providers that, due to their setup, were unable to link their outbound IP addresses with user accounts. Ever since, we have received countless emails demanding an update. It’s taken a long time, but today we bring the first installment in a series of posts highlighting providers that take anonymity seriously.
We tried to ask direct questions that left providers with little room for maneuver. Providers who didn’t answer our questions directly, didn’t answer at all, or completely failed by logging everything, were simply left out. Sadly this meant that quite a few were disregarded.
This year we also asked more questions, which are as follows:
1. Do you keep ANY logs which would allow you or a 3rd party to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
3. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
4. Which protocols do you support?
5. In which countries do you operate exit servers?
6. Which payment systems do you operate and how are these linked to individual user accounts?
7. Is file-sharing traffic allowed?
8. Is traffic throttled in any way?
9. What is the maximum connection throughput?
The list of providers is a tiny sample of the thousands out there today and is not comprehensive by any means. Providers not covered this time around will be included in a future edition. All responses listed below are in the words of the providers themselves.
In alphabetical order:
1) We do not keep any logs on our servers. Neither us nor 3rd parties are able to match IPs to a username.
2) Privacy IO is an Australian Registered business. Under no circumstances will we provide any 3rd party information about our users. We are unable to comply with DMCA or equivalent as we have no access or power to do anything about it. As we keep no logs we can not link it to a user to apply said request. If the law attempts to make us do such things, we will move our business to a location where that can not occur, and if that fails we will close up shop before we provide any information.
3) See answer to question 2
4) We provide PPTP and OpenVPN.
5) Our servers are currently located in Sweden and Netherlands, but we plan to be expanding soon.
6) At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key.
7) We do not block any ports (including file sharing)
8) No traffic throttled.
9) This is not a question that can be easily answered, many factors can play their part here. Latency between you and the VPN servers, latency between the VPN and the destination. We don’t apply any speed / cap limits with our accounts, and users should be able to obtain max speeds in some scenarios. But with any VPN, some speed decreases can be had.
1. We don’t keep any log that can allow a 3rd party to do that.
2. AirVPN operates in Italy. The applicable laws can be those of the countries where the servers are physically located (old issue about jurisdiction vs. applicable law). Since we don’t hold any information (we don’t even require a valid e-mail address) we are unable to share anything that may compromise privacy about VPN usage.
3. DMCAs are just ignored: no private entity claim can be considered a proof of anything (even in light of the paper by the University of Washington “Tracking the trackers – Why My Printer Received a DMCA Takedown Notice”) and the details given in DMCA notices (pertaining to p2p) lack any substantial proof of any infringement. We sometimes ask for a proof of the alleged claim, just to try to see which methods are used to make up an infringement claim, but so far all private entities have poorly failed to respond with any proof or even with technical details on how such claims are fabricated.
4. We support OpenVPN. Our customers can use any higher layer protocol over UDP or over TCP, as they prefer, on a variety of ports to mitigate or solve censorship or bandwidth capping (port shaping). We also accept connections over TOR, any proxy or over any other VPN (examples OpenVPN over TOR, TOR over OpenVPN, OpenVPN over OpenVPN over http or socks proxy etc. etc.). In the coming weeks we’ll support directly OpenVPN over SSL and OpenVPN over SSH.
5. We operate exit servers in Germany, Italy, Luxembourg, Netherlands, Romania, Singapore, Sweden, Switzerland, United Kingdom and United States of America.
In each country we have servers in network neutral data centers (we only choose network neutral data centers), with POP connected directly to at least one tier1 provider. We only pick countries where a VPN service is not forced by law to keep any log, solving in this vital case any potential conflict between jurisdiction and applicable law.
6. We accept payment via Bitcoin, Liberty Reserve, PayPal and credit cards. Bitcoin and Liberty Reserve are not linked to accounts: we provide coupon codes (even through independent resellers) that can be used to activate any account. Therefore the link between a payment and an account does not exist.
With PayPal, we don’t keep such information but PayPal does, just like any bank or financial institution. However, a PayPal payment shows that a person sent money to use AirVPN services, but it does not show how the VPN has been used by that person and not even IF that person has ever connected to a VPN server. The same considerations apply to credit cards transactions. Anyway we don’t (and we don’t want to) directly process credit cards, so we don’t keep any credit card database.
Of course, usage of Bitcoin (and if you’re paranoid, Bitcoin over TOR) is recommended.
7. File-sharing traffic is allowed. We don’t monitor traffic (not even traffic type) and we don’t discriminate against any protocol or application.
8. No traffic is throttled.
9. The theoretical maximum throughput is 1 Gbit/s, therefore 500 Mbit/s to the client for how an OpenVPN server works. Currently our infrastructure has always enough bandwidth to allow up to 200 Mbit/s throughput per client during any time, including peak times (for this performance it is required that the client picks an appropriate server). According to our ToS we’ll never allow this value to go under 16 Mbit/s throughput in the worst case scenario. Customers can verify that we don’t perform overselling with our real time servers monitor.
1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user. This applies to all our servers except our U.S. servers.
Note: We’re logging IP addresses and time stamp on the incoming connection for our U.S. servers. We offer no anonymity on our U.S. servers.
2. We operate in Swedish jurisdiction. Since we do not log any IP addresses we have nothing to disclose. Circumstances don’t matter in this case, we have no information regarding our customers’ IP addresses and activity on the Internet. Therefore we have no information to share with any 3rd party.
3. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close p2p traffic in those countries.
4. Our protocols are OpenVPN and PPTP (Soon L2TP).
5. Exit servers are placed in Sweden, United States, Switzerland, Netherlands, Great Britain, Germany, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Canada. New servers 2013 Q1: Italy, Spain, Ukraine.
6. No one can bind a payment to an IP you’ll get from us when you connect to our service.
7. File-sharing is allowed except on UK, Finland and U.S. exit servers.
8. No traffic is throttled at all.
9. Throughput depends on which server you use (some have 100 mbit and some 1gbit) and the routing between your Internet Service Provider and our Internet Service Provider. We always offer a free 24 hour trial of our service and connection speeds for interested users.
1. No logs are held or kept.
2. We operate in Swedish jurisdiction. We do not give out any information, since we do not have any information to give out.
3. We do not care or get scared about the DMCA.
4. We offer OpenVPN.
5. Our exit servers are in Sweden.
6. We accept wire transfer, Bitcoin and Bankgiro. We only require a working e-mail address to be a customer.
7. All file-sharing traffic is allowed.
8. No traffic is throttled.
9. The only shaping that is done is the bandwidth depending on the package the customer orders.
1. We keep no logs. This would make both us and our users more vulnerable so we certainly don’t.
2. We operate under Swedish jurisdiction. We will not expose data to third parties. First of all we take pains to not actually possess information that could be of interest to third parties, to the extent possible. In the end there is no practical way for the Swedish government to get information about our users from us.
3. There is no Swedish law equivalent to the DMCA that is applicable to us.
4. We support OpenVPN. We also offer PPTP but recommend against it.
5. We operate exit servers in Sweden and the Netherlands.
6. We accept Bitcoin, cash (in the mail) and PayPal / credit cards. Our accounts are just numbers with no personal information attached, not even an email address. Still, paying through PayPal allows them to associate the account number with the payment forever. People who do not like that should pay with cash or Bitcoin.
7. All file-sharing traffic is allowed.
8. No traffic is throttled.
9. Maximum throughput is theoretically 1 Gbit/s under ideal circumstances but much less in practice, depending on many things.
1. We keep connection logs in our system, but they contain only depersonalized data, that allows us to optimize traffic routes and make connections faster. These logs are stored for 7 days, but they are not interesting for anyone. In the event we are sued we can deliver only this information.
2. Our company is based in Cyprus. Our servers are located in Netherlands and USA and we operate under jurisdictions of these countries [for these servers]. We don’t store any information that’s useful to 3rd parties. Any talk about this is possible only by court order.
3. We don’t have any mechanics to block users, we also have no information about which user the complaint is against but we are developing a system to alert our users in case there is a complaint about their activities.
4. We support OpenVPN and PPTP protocols.
5. We have exit servers in Netherlands and USA.
6. We use Plimus Payment System for all user accounts. iPhone / iPad / iPod users can purchase a subscription from an application that can be installed from Apple AppStore. Payment is made through the AppStore billing system. Users of devices based on Android can purchase a subscription from an application that can be installed from Google Play. Payment is made through Google Checkout.
All user accounts have their own payment history. We store only date, amount and rate for each order.
7. File-sharing traffic is allowed for our customers.
8. Customers who purchase a subscription do not have restrictions on protocols and traffic. Free trial accounts are limited by traffic to 2Gb of web browsing and mail.
9. Maximum connection throughput up to 100 Megabits.
1. TorGuard doesn’t store IPs or time stamps on our VPN/proxy servers, not even for a second. It’s impossible to match what is not there. Since some people tend to misbehave when using a VPN, this raises the obvious question: how do we maintain a fast, abuse-free network? If even our network engineer can’t backtrack the abuser by IP, then how do we stop it?
Through packet level filtering at the firewall it’s possible to apply rules to an entire shared server, blocking the abuse immediately. For example, let’s say someone decides to use TorGuard to unlawfully promote their Ugg boots business (spam). In order for us to block this one individual, we simply implement new firewall rules, effectively blocking the abused protocol for everyone on that VPN server. Since there are no user logs to go by, we handle abuse per server, not per user.
2. TorGuard recently went through some corporate restructuring and has now moved its parent company to Nevis, West Indies. Our company abides by all International laws and data regulations imposed within our legal jurisdiction. We don’t share any information with anyone regarding our network or its users and won’t even consider communicating with a 3rd party unless they’ve first obtained adequate representation within our legal jurisdiction. Only in the event of an official court ordered ruling would we be forced to hand over blank hard drives. There’s nothing to hand over but an operating system.
3. TorGuard complies immediately (24 hours or less) with all DMCA takedown notices. Since it’s impossible for us to locate which user on the server is actually responsible for the violation, we block the infringing protocol in its entirety, whatever it may be – Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc. This ensures the content in violation is immediately removed from that server and no longer active on our network.
4. We fully support OpenVPN, L2TP and PPTP as well as offering Socks5 torrent proxy services. Our OpenVPN offers both UDP/TCP connection options and is configured to work in countries like China, Iran, Syria, or UAE where VPN protocols and ports are heavily filtered by ISPs at government request. Since most of our OpenVPN servers are set up to run disguised over SSL ports, this also means you can browse the latest cat memes freely from within strict corporate, school or government firewalls.
5. TorGuard operates high speed exit servers in the United States, Canada, UK, Netherlands, Romania, Russia, Switzerland and New Zealand.
6. We accept all forms of credit card, Visa, Amex, Mastercard, Discover, PayPal, Google Checkout and Bitcoins. We also accept anonymous payments through our pre-paid PIN system. These pre-paid service PIN numbers can be purchased from one of our participating online resellers and redeemed during checkout on our website.
Our client billing area and VPN/Proxy user auth servers are two completely separate systems. This is to ensure the privacy and security of our customers’ accounts are upheld at all times. While the customer’s chosen payment method will be linked to the client billing area login, this information is kept completely separate from their VPN/Proxy network. In this way, it’s virtually impossible to “connect the dots” of a paying customer with that of someone who is using the servers. This can become a pain for clients as they are required to remember two sets of logins/passwords, but trust us – it’s in the best interest of security.
7. File-sharing traffic is allowed on all of our servers except USA, UK and NZ. These servers are optimized for streaming services like Netflix, Hulu or BBC, not P2P.
8. We do not shape traffic or throttle connections on any of our servers. This allows for fast connections and unlimited bandwidth/speeds.
9. Maximum connection throughput depends heavily on the speed of the client’s connection as we don’t limit the connection throughput at all on our end. All of our servers feature gigabit+ port speeds, so download rates can vary from 5mbps – 30mbps depending on your connection speed and ping.
1. On our Privacy servers we don’t log anything that can identify a single user, but on our US, Canada, UK, Germany & Singapore servers where we don’t allow file-sharing we do log the internal RFC1918 IP that is assigned to the user at a specific time. We never log the real external IP address of the user.
We also hold a username and email address of our subscribers, the times of connection and disconnection to our services along with bandwidth consumption.
2. We now operate under the jurisdiction of Hong Kong because we worry what the lawmakers in USA and Europe may introduce to make things difficult for proxies and VPNs. We will fiercely protect the privacy and rights of our users and we will not disclose any information on our users to anyone, unless forced to by law enforcement personnel that have produced a court order.
3. On our Privacy servers DMCA does not apply (eg USA DMCA to our Swiss server). If we receive a DMCA on our other servers (US, UK, Canada, Germany & Singapore) we generally give the user one warning that they are violating our TOS and their account may be terminated.
4. We support OpenVPN, IPSec & PPTP (users can connect with any/all protocols). We are also releasing a dd-wrt router with an always-on VPN connection for devices like media players & consoles.
5. We operate exit servers in the Netherlands, Switzerland, UK, USA, Canada, Estonia, Lithuania, Singapore, Ukraine, Russia, Panama, Luxembourg and Germany.
6. Our payments systems are PayPal, Bitcoin & Liberty Reserve. We have an internal database linking payment references to user accounts. Bitcoin is the most private way to pay, for other payment systems all private billing information is stored with them.
7. File-sharing is allowed on our Privacy Servers (Netherlands, Switzerland, Estonia, Lithuania, Ukraine, Russia, Panama, Luxembourg).
8. Traffic is not throttled in any way.
9. Speeds will be different for everyone but most of our servers have 100 mbit connections.
Private Internet Access
1. We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services.
2. Our company currently operates out of the United States with gigabit gateways in the US, Canada, Germany, France, UK, Switzerland, Sweden, the Netherlands and Romania. We chose the US, since it is one of the only countries without a mandatory data retention law. We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs.
3. We are in compliance with DMCA as all companies, worldwide, must be. We have proprietary technology and an experienced legal team which allows us to comply without any risk to our users.
4. We support OpenVPN, L2TP/IPsec+PSK, PPTP and SOCKS5 (Proxy). We strongly advise our clients to use the OpenVPN protocol, however, as it provides the most security when compared to the others.
5. We operate exit servers in US, Canada, Germany, France, UK, Switzerland, Sweden, the Netherlands and Romania.
6. We accept many payment methods directly, including PayPal, CC, Google, Amazon, Bitcoin, Liberty Reserve, OKPay, and CashU. Further, we would like to encourage our users to use an anonymous e-mail and pay with Bitcoins to ensure even higher levels of anonymity should it be required. We only store the minimal information required to provide customers refunds.
7. We do not monitor or censor the type of traffic which goes through our servers.
8. We do not throttle any type of traffic going through our servers.
9. The maximum throughput really depends on the customer’s connection. All of our gateways are at minimum 1Gbps, and we have the largest private VPN network in the world. Some providers make claims of having certain amounts of bandwidth, but this is simply the amount of bandwidth their providers have and not their own. We, on the other hand, truly have 90,000Mbps of bandwidth direct to our gateways. We’ve had customers report up to 90Mbps throughput on a 100Mbps connection.