Prompted by a high-profile case of an individual using an ‘anonymous’ VPN service that turned out to offer less protection than expected, TorrentFreak decided to ask a selection of VPN services some tough questions.
With our findings we compiled a report of VPN providers that, due to their setup, were unable to link their outbound IP addresses with user accounts. Ever since, we have received countless emails demanding an update.
Update: New 2014 update is out.
It’s taken a long time but today we bring the first installment in a series of posts highlighting VPN services that take privacy seriously. Our first article focuses on anonymity and a later installment will highlight file-sharing aspects and possible limitations.
We tried to ask direct questions that left VPN service providers with little room for maneuver. Providers who didn’t answer our questions directly, didn’t answer at all, or completely failed by logging everything, were simply left out. Sadly this meant that quite a few were disregarded.
This year we also asked more questions, which are as follows:
1. Do you keep ANY logs which would allow you or a 3rd party to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold?
2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
3. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
4. Which payment systems do you operate and how are these linked to individual user accounts?
The list of VPN providers is a tiny sample of the thousands out there today and is not comprehensive by any means. VPN providers not covered this time around will be added during the coming weeks. All responses listed below are in the words of VPN services themselves and the order of the list does not carry any meaning.
1. We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services.
2. Our company currently operates out of the United States with gigabit gateways in the US, Canada, Germany, France, UK, Switzerland, Sweden, the Netherlands and Romania. We chose the US, since it is one of the few countries without a mandatory data retention law. We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs.
3. We are in compliance with DMCA as all companies, world-wide, must be. We have proprietary technology and an experienced legal team which allows us to comply without any risk to our users.
4. We accept many payment methods directly, including PayPal, CC, Google, Amazon, Bitcoin, Liberty Reserve, OKPay, and CashU. Further, we would like to encourage our users to use an anonymous e-mail and pay with Bitcoins to ensure even higher levels of anonymity should it be required. We only store the minimal information required to provide customers refunds.
1. No information is being held at all. Everything runs from RAM and the service does not use an HDD.
2. We operate under Panama jurisdiction. We are unable to share any information to anyone because we do not keep anything.
3. They are ignored because we do not comply with those laws.
4. The payment methods are wire transfers, PayPal, 2CHECKOUT. We are currently implementing Bitcoin. Additional payment methods are available upon a contact to us. We only require a working e-mail address to be a customer.
Update: Following EFF’s feedback Proxy.sh has updated its ethical policy and no longer uses Wireshark to respond to abuses as it did before. The updated policy is explained here, and there is also a transparency report where all abuse inquiries are reported.
1. No information whatsoever is being recorded or held in our facilities. Our services are run from RAM and all our system services come with state-of-the-art configuration that ensures nothing is left after usage. The only information we have about our customers is an e-mail address and the name of the payment method.
2. We are based in Seychelles and we do not communicate with external governments or authorities unless when required by law, or when our ethics tell us to do so (note: read this policy for more details), that is precisely when activities such as child pornography or human rights violation are being reported. But once again, there is very little we can actually share about. And we will always keep you informed of such communication, either via our transparency report, our network issues or our warrant canary.
3. We provide a fully transparent and privacy-oriented compliance with laws of jurisdictions in which our servers are located. When the law, or its enforcement, leads to compromising the privacy of our users, we simply shut down the affected servers and move them to another jurisdiction that provides better protection of privacy.
4. We offer more than 85 different payment methods such as Bitcoins, SMS, phone calls, prepaid cards, PayPal, WebMoney, virtual cash, credit cards, bank transfer or yet again OTC (over-the-counter) options such as by going to your local post office. Payments are only linked to the customer’s e-mail address while VPN access accounts are randomly and independently generated.
1. We do not keep any logs whatsoever.
2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.
3. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.
4. At the moment we only accept PayPal and Bitcoin. We have plans to accept alternative credit card processing in the near future.
BTguard website (with discounts)
1. TorGuard doesn’t store IPs or time stamps on our VPN/proxy servers, not even for a second. It’s impossible to match what is not there. Since some people tend to misbehave when using a VPN, this raises the obvious question: how do we maintain a fast, abuse-free network? If even our network engineer can’t backtrack the abuser by IP, then how do we stop it?
Through packet level filtering at the firewall it’s possible to apply rules to an entire shared server, blocking the abuse immediately. For example, let’s say someone decides to use TorGuard to unlawfully promote their Ugg boots business (spam). In order for us to block this one individual, we simply implement new firewall rules, effectively blocking the abused protocol for everyone on that VPN server. Since there are no user logs to go by, we handle abuse per server, not per user.
2. TorGuard recently went through some corporate restructuring and has now moved its parent company to Nevis, West Indies. Our company abides by all International laws and data regulations imposed within our legal jurisdiction. We don’t share any information with anyone regarding our network or its users and won’t even consider communicating with a 3rd party unless they’ve first obtained adequate representation within our legal jurisdiction. Only in the event of an official court ordered ruling would we be forced to hand over blank hard drives. There’s nothing to hand over but an operating system.
3. TorGuard complies immediately (24 hours or less) with all DMCA takedown notices. Since it’s impossible for us to locate which user on the server is actually responsible for the violation, we block the infringing protocol in its entirety, whatever it may be – Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc. This ensures the content in violation is immediately removed from that server and no longer active on our network.
4. We accept all forms of credit card, Visa, Amex, Mastercard, Discover, PayPal, Google Checkout and Bitcoins. We also accept anonymous payments through our pre-paid PIN system. These pre-paid service PIN numbers can be purchased from one of our participating online resellers and redeemed during checkout on our website.
Our client billing area and VPN/Proxy user auth servers are two completely separate systems. This is to ensure the privacy and securities of our customer’s accounts are upheld at all times. While the customer’s chosen payment method will be linked to the client billing area login, this information is kept completely separate from their VPN/Proxy network. In this way, it’s virtually impossible to “connect the dots” of a paying customer with that of someone who is using the servers. This can become a pain for clients as they are required to remember two sets of logins/passwords, but trust us – it’s in the best interest of security.
(Use the promo / coupon code TorrentFreak to get a 20% discount at TorGuard.)
2. Our company is based in Seychelles. We do not disclose any information to 3rd parties and this can be done only in case of a certain lawsuit filed against our company.
3. If we receive a notice about DMCA infringement, our team of lawyers solves it immediately without any blocking of servers or protocols. We don’t store any content on our servers, users are anonymous, so, there are no problems with it. We promise our customers that they will not have problems with the DMCA.
4. PayPal and CommerceGate.
2. IPVanish is headquartered in the US and thus operates under US law.
3. We do not host content of any kind and have nothing to take down or remove.
4. We currently accept all major credit cards, PayPal and UltimatePay (which includes 85 different payment methods from 190 countries). UltimatePay also provides many anonymous cash payment options like Western Union, Alipay, Skrill and PaySafeCard.
2) Privacy IO is an Australian Registered business. Under no circumstances will we provide any 3rd party information about our users. We are unable to comply with DMCA or equivalent as we have no access or power to do anything about it. As we keep no logs we can not link it to a user to apply said request. If the law attempts to make us do such things, we will move our business to a location where that can not occur, and if that fails we will close up shop before we provide any information.
3) See answer to question 2
4) At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key.
1) We do not log any user activity at all. We don’t know what IP addresses our own users connect from. We have a shared IP address for our users, further increasing their anonymity. We also generate false traffic.
2) We currently operate out of the United States. The United States does not have any mandatory data retention laws, which allows us not to log anything. If we receive a valid warrant, we will turn over all required records, that we have available; we don’t have any records available, because we don’t log anything.
3) DMCA notices have some legal requirements that basically make them not apply to us. We don’t host any content at all, we only provide bandwidth. Also, a DMCA notice requires the notifier to positively identify an infringing individual – which is impossible given our security model. Basically, it’s impossible to send us a valid DMCA notice.
4) We’re just getting started, so we’re currently simply taking credit cards. Accepting bitcoin is a near term goal for us. We’d also like to start accepting really exotic forms of payment like cash.
1. We store a user’s e-mail and username, that’s it. This means that we do not store, or have access to, any traffic logs of any kind. By traffic logs we mean any kind of data that has the potential to, directly or indirectly, match a user’s original IP or identity with one of our IPs.
2. It is important to remember that we do not store any traffic logs, and therefore it would be physically impossible for us to hand something like that over to a 3rd party. This, next to the encryption, is the core of the entire anonymity aspect of the service. This is possible by the fact that we operate under Swedish jurisdiction and Swedish law.
3. Our no logging policy has never really caused us any trouble since we never have received any official requests to hand over any traffic logs.
4. We accept credit card payments through PayPal and Payson. For Swedish users we also accept payments through SMS and phone. We do not store data from these services. However, each of these services stores various types and amounts of data related to the payment, and the payment only, which we do have access to. This is what allows us to perform refunds, or to provide adequate support services etc.