What Is Logging?
The way a virtual private network works is that it reroutes and secures your connection, making you much harder to track. However, VPNs aren’t bulletproof and there’s a weak link in this process, namely their logs. In this case, logs are a record of who connected to the VPN’s servers and when, as well as a full list of all the sites visited and other activities.
Logs would make you very easy to track, which is why VPNs pledge not to keep them and are what’s called no-log VPNs. As you can imagine, though, the practice of not keeping logs is a thorn in the eye for a number of people and institutions, not the least of which is law enforcement, which would very much like everybody to be trackable.
Though part of their reasoning, especially in repressive countries like China, may be to keep an eye on what people are up to, in most cases the reasons are a little more prosaic: criminals use VPNs to hide what they’re doing. If it weren’t for VPNs, the police could likely solve cybercrimes much more easily.
VPNs and the Police
The relationship between VPNs and law enforcement is a tricky one: on the one hand, as companies that promise privacy, they don’t want to share anything with the police. On the other, though, like anybody else, they need to cooperate with any and all valid warrants sent their way. It’s their legal duty.
For example, Switzerland-based Proton, the company behind ProtonMail and ProtonVPN, has had data about VPN users requested through the Swiss court system, but Proton says it does not keep data and none was provided.
(Speaking of Proton: In one case, Proton was forced to cooperate with the apprehension of a climate activist when Swiss authorities were asked to execute a French warrant. Though the company did try to fight the order, the judge ruled against the company, and the man was arrested. It’s worth noting that this case was about ProtonMail and not ProtonVPN. Proton says that “Under current Swiss law, email and VPN are treated differently, and Proton VPN cannot be compelled to log user data.”)
Not all VPN services will go to bat for you in the same way, though: For example, PureVPN helped the FBI catch a cyberstalker in 2017 without any pressure from a warrant. A year earlier, IPVanish furnished Homeland Security with the logs of another U.S. resident without batting an eyelid—though it should be noted that the company has changed hands since then.
Logging Legislation
Of course, if you want information on a VPN user, as a cop or lawmaker you probably don’t want to rely only on warrants and goodwill. Until recently, the only countries that actively wanted VPNs to log users are repressive places like Russia, China, and other countries where VPNs are borderline illegal.
However, right now, at least one democracy is planning to crack down on VPNs: India. Starting in late June 2022, VPNs will have to register and log users. However, it remains to be seen how effective the law will be as there are a lot of legal issues with its implementation as well as court challenges to be fought, but it’s alarming nonetheless. If India’s new law is successful, there’s little doubt other countries will follow.
Not Just Cops: VPNs and Torrenters
In the west right now, it isn’t legislation that may prove the death knell to VPN privacy: Instead, it’s lawsuits. In a bid to crack down on the piracy of their movies, Hollywood has taken VPN providers to court several times. So far, it’s lost all the bigger cases against large VPN providers, but it’s won a number of smaller victories that may be troubling signs of things to come.
For example, LiquidVPN, a small up-and-coming provider, was sued for its marketing, which touted it as a great way to pirate movies and TV shows. The case ended with a $10 million judgment against LiquidVPN and the service shut down entirely as a result.
The case of LiquidVPN isn’t the only example of Goliath pulverizing David. The same group behind that suit also went after TorGuard, a small independent VPN based out of Orlando, Florida. Unsurprisingly, TorGuard couldn’t face up to that kind of judicial firepower and caved. It will now block all torrenting traffic on its U.S.-based servers, something the company confirmed in an email.
Much the same happened to another small provider, VPN Unlimited (part of KeepSolid), which now also blocks all torrent traffic on its U.S. servers. It also prohibits users in the United States from torrenting through blocks implemented in its protocols, according to company spokeswoman Liza Shambra.
Keeping Logs?
More worrying, though, is a similar case where the judge ordered VPN.ht—a really small provider—to not just block torrent traffic, but also keep logs on its U.S. servers. In a way, this is the most terrifying of the three cases we have discussed as this is the one that really attacks not just what you can do with a VPN—bad enough in itself—but will also attack users’ privacy.
As with all landmark decisions, it remains to be seen if this judgment is just a blip or if we’re standing at the top of a slippery slope and slowly starting our slide downward. However things turn out, one thing is for sure: we will never be taking the privacy VPNs provide us for granted anymore.