Global Security, Privacy, & Risk Management

How to choose a VPN that will protect your privacy (Guest Post by IVPN) June 2, 2013

This article is written by Christopher Reynolds, head of business development at IVPN – a VPN service, and EFF member, dedicated to protecting users’ online privacy.  I don’t often allow guest posts but Mr. Reynolds and IVPN have done a great job of providing valuable info.  Certainly worth taking a look!

Online privacy is coming under increasing attack from governments around the world. Legislation such as CISPA in the US, the CCDP in the UK and Australia’s data retention proposals, have generated real worry among privacy-conscious internet users over our law enforcement’s desire to increase their powers of surveillance to unprecedented levels. This culture of fear is driving more and more people toward commercial Virtual Private Networks (VPNs), which promise to protect user data and offer online anonymity. But choosing a VPN that actually protects privacy is not straightforward. In this blog post I will go over the key issues you must consider before signing up to any VPN service.

Data retention

The biggest issue when it comes to using a VPN in order to protect your privacy is data retention. Government surveillance is primarily facilitated by the data retention policies of your ISP. In Europe your ISP’s data retention policy is mandated by the EU Data Retention Directive, which forces all European ISPs to retain users’ personal information for between 6 months and 2 years after the user leaves the ISP’s service. This data includes web logs, which essentially means a record of every website you’ve visited and the times you visited them. The data your ISP holds won’t typically contain email logs – despite popular perception- unless you use your ISPs own email service. But it will include which third party email services you use and when you’ve used them.

In the US things are more complicated. The US government has not yet implemented a mandatory data retention law (although many US politicians would like to). However, US ISPs still retain data. As this article demonstrates the policies vary wildly, from six months to a year, while some, like AT&T don’t even disclose the time period.

So the biggest benefit of using a VPN, in theory, is that your data is no longer being retained by your ISP, as it’s being rerouted via the VPN service’s own network. However, the problem is that many VPNs – perhaps even a majority – retain data in the same way as an ISP. This completely negates their effectiveness as a privacy service.

So when choosing a VPN the first thing you must find out is the nature of the company’s data retention policy. Some VPNs are open about how they retain data and don’t specifically advertise themselves as privacy services. But others are not so honest. Read the terms and conditions. Most VPNs that are serious about privacy will not retain your data for more than a few hours at most. If the information is not there, then email the VPN and ask about their policy. If you don’t get a straightforward answer then do not sign-up.

Changing laws

As I mentioned at the beginning of this article, the laws around online surveillance are in a state of flux, with new legislation seemingly popping-up every month. This legislation could have a direct effect on the legality of your VPN service, depending on the jurisdiction it is operating in.

Most VPNs have servers located in multiple territories across the world. But the location of servers is not too important. If your VPN is not storing data then the seizure of servers will not impact your privacy. Privacy compromises will only occur if law enforcement forces a VPN to start logging data, without telling customers.

The fact is, laws that may affect your VPN service can change in any country. So while understanding current laws pertaining to the jurisdiction where your VPN is located is important, what really need to know is how the VPN will behave if any relevant changes occur. Will they keep customers informed of any impending changes and, if such changes impact your privacy, what measures will they take? Will they shut down? Will you get a refund for any subscription already paid? If you don’t get answers to these questions, you should definitely think twice about signing up.

Technology used

The final aspect you should consider when choosing a VPN is the type of VPN technology used. There are a few different types of VPN solutions, but by far the most secure is OpenVPN, an open source platform, which has become the standard in the industry. Without getting  bogged down in too much technical detail, OpenVPN has no major security vulnerabilities, unlike PPTP, which over the last few years has been generally regarded as insecure.

 OpenVPN also has the added benefit of using a wide range of encryption algorithms and is highly configurable. Luckily most VPNs will use OpenVPN, so it’s not something you need to worry about too much – but it’s always worth being aware.

Other option

There are a number of other privacy tools available online that can protect your identity and personal data, such as The Onion Router (TOR) and I2P. While both of these free platforms are frequently used by people looking to protect their identity, they’re not perfect. TOR in particular has serious security vulnerabilities, mainly because you don’t know who is running the exit nodes that your traffic is running through (and whether the traffic is being monitored). However, if you’re very concerned about privacy, all of these tools, as well as VPNs, and basic good online privacy practice, can be used in combination to greatly strengthen your data protection. Overall, the biggest problem with VPNs is not necessarily the technology used, but the policies of companies delivering them. That’s why you should always thoroughly research a VPN service before you subscribe.

Contact Chris directly at Chris (at) IVPN.net