Seven 'no log' VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet

A string of "zero logging" VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to …

  1. DS999

    White label VPN service

    I suppose you can say "Alpha VPN Service doesn't keep logs" and aren't technically lying, even if you are reselling Beta VPN service which does. Heck, Alpha VPN Service might not even KNOW what sort of logging Beta VPN does, all the better for deniability.

    1. Maelstorm Bronze badge

      Re: White label VPN service

      To expand on that, if the reselling VPN provider uses multiple VPN vendors, each vendor could be logging different things. Then nobody would know who is logging what.

  2. Maelstorm Bronze badge
    Joke

    In Soviet Russia, you do not log the VPN connections, the VPN connections log YOU.

    1. Anonymous Coward

      s/Soviet Russia/UK,USA,Australia,....../

      1. Imhotep Silver badge

        Or Hong Kong-China in this case.

    2. Tail Up

      Up # twenty-nine.

  3. ecofeco Silver badge

    Oh FFS

    See title.

  4. Throatwarbler Mangrove Silver badge
    Facepalm

    Duh, and also . . .

    Thinking about how VPNs work, this issue seems like it was going to crop up eventually. It's a question of trust: whoever owns the endpoint of your Internet connection has the ability to collect a ton of information about your Internet traffic. The average punter is sold on the notion that their traffic is "protected," but the question is, from whom? If you don't trust your ISP for whatever reason, then you need to make an informed choice about the VPN provider, as mentioned in the article. Unfortunately, it seems like a lot of people aren't familiar with the technical and security merits of the various providers, which leads me to my second point.

    The other use of VPN software is to make it appear that your Internet connection is somewhere different, e.g. the United States instead of Morocco. While there are free speech uses of this technology, other popular use cases are accessing media content that is region-locked or obfuscating BitTorrent traffic, and I think it's to the latter users that low-cost VPN providers primarily cater. Someone who is concerned about their ISP or government spying on them is more likely to pick a more carefully vetted VPN, while illicit users of Netflix and BitTorrent seem more likely to care primarily about superficially masquerading their location.

  5. David 132 Silver badge

    So, recommendations?

    Which VPN providers are trustworthy?

    I use Private Internet Access (PIA) based on recommendations here & elsewhere; anyone got solid evidence that I should switch?

    1. NetBlackOps Bronze badge

      Re: So, recommendations?

      They're the only one to prove in court that, at those times (of course), they don't keep logs. Which is why I've stayed with them. I certainly would never trust a free provider. I'd add ProtonVPN as a best alternative given their track record and domicile.

      1. julian.smith
        Thumb Up

        Re: So, recommendations?

        + 1 AirVPN

        They shut down all of their HK servers recently just after the Chinese takeover of HK

        Been with them for years

        Seem technically competent

        Never a breath of scandal

    2. tommitytom

      Re: So, recommendations?

      I also use PIA, but it's worth noting they recently got bought out by Kape technologies who have a history of embedding malware in their VPN software

      1. FatGerman

        Re: So, recommendations?

        I stuck with PIA but I use it exclusively on an Ubuntu machine where I set the connection up manually, I never use their client software, but thanks for the heads-up.

    3. Anonymous Coward

      Re: So, recommendations?

      I am considering switching from CyberGhost to Mullvad. The latter doesn't even ask for your details (and also allows payment in cryptocurrency or cash, in an envelope).

      They support OpenVPN and WireGuard protocols, support IPv4 + IPv6 and have sorted out a lot of other tech stuff pretty well. They are sponsors of the TOR project and score pretty well in the VPN matrix of ThatOnePrivacySite.

      1. Anonymous Coward

        Re: So, recommendations?

        I did loads of research and moved from PIA after they were bought by Kape.

        I ended up with AirVPN. Loads of options, works with everything and speeds are exceptional.

        It seems that there's a huge industry in affiliate links so it's hard to evaluate each provider. I used ThatOnePrivacySite along with Tom Spark's YouTube channel to reach a conclusion.

      2. Anonymous Coward

        Re: So, recommendations?

        I was looking for the Mullvad plug. They are adding new servers frequently and have never asked for my information. Even if they do log (they say they don't and I believe it), there is no user data other than my ID that their servers ingress, and you can change your ID at any time and pay with crypto.

        There is no bandwidth or throughput limiting so my speeds are never impacted, they don't track how much you use anyway. Highly recommend.

        1. Hol314

          Re: So, recommendations?

          I went with Mullvad based on the thorough review by "That One Privacy Guy", who seems trustworthy... Still, I was comforted in my choice when I learned that Mozilla teamed up with Mullvad to offer their vpn service!

      3. Anonymous Coward

        Re: So, recommendations?

        +1 airvpn.

        I was with cyberghost, but they don't allow incoming connections, and switched off ip6 without warning, they said when I contacted them it was an upgrade, but it was still down weeks later.

    4. Aristotles slow and dimwitted horse Silver badge

      Re: So, recommendations?

      AirVPN.

    5. Anonymous Coward

      Re: So, recommendations?

      Bought a VM in the country where I wanted the VPN, spooled up a copy of Debian, cooked my own. That still doesn't preclude traffic logging by the provider, but that's why you choose a decent country first and you can set up a few things on the box itself to mess up the statistics.

    6. JCitizen Bronze badge
      Megaphone

      Re: So, recommendations?

      Check Point is the only one I'd trust, they kept the Chinese out of my network for five years, when the PRC finally gave up. I only used their hardware too.

      But if you are in Hong Kong, you might as well forget it; although if I were a protester, I'd have a plan to roll my own using friendly advice; and open source methods. None of the details, which I'd discuss in public anyway.

  6. W.S.Gosset Silver badge
    WTF?

    Side-door

    That last tweet's note re dual-homing is hair-raising. That means you can get around a VPN user's firewall & NAT by simply signing up to their VPN service, then directly attacking their naked machine.

    Yeek.

  7. quartzz

    any ideas on Vypr VPN? I spent more than a year subscriptions worth on 1 month trials of a few (6?) different VPNs. surfshark, vypr and one other (IVPN was almost useable) were the only ones I found even slightly useable. express, nord and cybervpn were virtually unusable.

    my vypr connection seems to hang after a while, so I'm ending up not using my VPN much. I've found a VPN connection isn't suitable for general surfing, I only enable it when necessary. I suppose at some point in the 21st or 22nd century, these services might actually become regulated

    1. Flocke Kroes Silver badge

      Re: these services might actually become regulated

      Regulation = (Billing information + Complete logs → GCHQ)

    2. Anonymous Coward

      AirVPN

      I use air vpn. Open vpn based client. Multiple exit nodes by country.

      I tried a few. The usual suspects as well as Relakks, SwissVPN. Air has been pain free.

      Different strokes for different folks. I use it on Linux, iOS and windows.

  8. eldakka Silver badge
    Coat

    Ah, so these aren't Virtual Networks that are Private. They are Networks that are Virtually Private.

  9. amanfromMars 1 Silver badge

    Harsh maybe but perfectly understandable, given the mountains of evidence freely available

    "The vast majority of companies that operate these services use patently false marketing, have very murky corporate provenance, and in some cases are literally run by convicted financial crime felons, so of course they will claim 'strong privacy and security' protections when in fact they offer neither," he continued.

    So, just exactly like Parliamentary and Presidential style democracies then which are forever reneging on fantastic election promises once feeling secure in executive office with even the slimmest of majorities/greater number of delinquent votes.

    If truth be told, they be as Ripe Rotten Skunk Works and therefore wholly unworthy of SMARTR* Futures Support.

    * .... SMARTR Mentoring Analysis Reporting Titanic Research

  10. StrangerHereMyself

    It's pretty clear that China is forcing Hong Kong VPN providers to log everything and that their services are therefore moot.

    It's pretty shocking that these providers are logging passwords in plaintext as well, although I wouldn't be surprised if some big U.S. internet giants do this as well.

    1. Anonymous Coward

      Airvpn discontinued their hong kong server for those reasons.

  11. Kevin McMurtrie Silver badge

    We can't have good things

    True "no-log" VPN providers don't have routing for long. They're used for computer intrusion and, since there's no logging, the VPN provider can't determine which customers are doing it. BOFH doesn't want to hear excuses.

    1. gnasher729 Silver badge

      Re: We can't have good things

      I know a guy who went through logs to see which of his customers thought it was funny to make five hundred or so fake 999 calls with their software. I think the police didn't have a warrant yet, but T&Cs allowed them to identify the cretin, and they did.

      1. Sir Runcible Spoon Silver badge

        Re: We can't have good things

        Personally I'm ok with a company being able to identify a VPN user after being served a lawful warrant to that effect. It's the casual 'spying on everyone because we can' that I object to, it changes the nature of the relationship between people and the state (i.e. nothing to do with that 'nothing to hide, nothing to fear' bollocks).

  12. Anonymous Coward

    Logs could be pretty predictable though.

    ..mainly bound for pornhub servers

  13. Anonymous Coward

    They are all liars........

    The toss pots in HK claim they shut up shop because of the CCP..., more like they were harvesting data for the CCP....

    1. Anonymous Coward

      Once "On-The-Net", there is NO such thing as "Privacy". Regardless of Who-You-Are or What-You-Do. Your details and GaZillion Others, are then, "Awaiting-for some 2-bit Crook to Target You". The Kicker is that you are paying for ALL this, aka Mesmerised to Imagine that "Perfection" is Ownable/Purchase-able. Like it and Believe It or NOT.

  14. Anonymous Coward

    1999

    https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    *

    Is this VPN piece actually news?

  15. tfb Silver badge
    Big Brother

    Building your own VPN

    I am possibly being stupid here, but my understanding is that the purpose of a VPN is to tunnel network traffic between two points, with the traffic usually being encrypted in the tunnel (I suppose that if it was not encrypted that would be a VN and I can imagine uses for those but they don't matter here). Let's call the end points A (you) and B (the far end). Now, surely, half the point of the thing is that if someone can snoop traffic from B, they can't easily know that it comes from A (and there are lots of caveats here because if they can see the connection from A to B then they can probably work out interesting things from traffic analysis even without being able to decrypt the traffic, so that all has to be hidden somehow, but I don't want to worry about that).

    So, if B is owned by some VPN provider, anyone who is watching its traffic knows only that it originates from one of the VPN provider's many customers, not who they are. So that reveals a little information but not much. And if there are no logs then even a later attack on the VPN provider (a legal attack say) doesn't tell them any more.

    But if I want to roll my own VPN, then I'm going to need to pay for the end-point, B. And I'm the only person using this end-point. So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the point of a VPN.

    1. Graham Cobb Silver badge

      Re: Building your own VPN

      So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the point of a VPN.

      Some, but not all. If you don't need to protect against legal threats then that VPN is still useful. In particular, if you are just using the VPN to appear to be located in another country, and it is unlikely anyone will take legal action against you, then paying for your endpoint works fine. In that case, the biggest problem is that the easily available paid-for endpoints (like AWS) are often blocked by the sites most often targeted for this (for example, BBC). But it is often still possible to find a smaller provider that is not blocked. And any foreign provider will do if you aren't violating copyright and just don't like allowing GCHQ to collect all your browsing data with no probable cause.

      On the other hand, if you don't need to protect against legal threats, and you are just using it for something fairly innocuous, then you don't need a "nolog VPN provider" either - any VPN provider will do and they will probably handle getting around blocks better than you can because that is how they get you to pay.

      The situation changes, of course, if you are doing something illegal, or likely to end up in court, or something blackmailable (in which case the VPN or hosting provider themselves may be your most serious threat).

      1. Anonymous Coward

        Re: Building your own VPN

        @Graham_Cobb

        Quote: ".....don't like allowing GCHQ to collect all your browsing data..."

        *

        They can collect what they like......but can they read it?


        1. David 132 Silver badge
          Black Helicopters

          Re: Building your own VPN

          That is just depraved. You should be ashamed of yourself. That poor dwarf. How could you stoop so low?

          Signed,

          Your friends at GCHQ.

          PS: You need to change your mouse batteries, you left your car lights on, and for what it's worth, that shirt really doesn't suit you.

    2. spireite

      Re: Building your own VPN

      I'm lucky enough to be able to work from home in my second country.

      Before I left my home country, I set up all the necessary stuff using Ubuntu, OpenVPN, DDNS and a few other things.

      So, I have my own VPN, so when it comes to streaming the Beeb/Sky all appears hunky dory.

      Downside, I have to leave my kit on back home, so that's 'paying' for it....

      I do realise that most people will need a third-party one for reasons of streaming from another region for the TV / Kodi rather than my genuine 'WFH' reason.

      I do realise though that this is something of a minefield!

    3. bdg2

      Re: Building your own VPN

      I use a VPN when I'm away from home on unsecured Wi-Fi or on a network of unknown security.

      For my purposes my own VPN server back in my home is just as good as using any service would be. Plus I can get access to my NAS and other things that are on my network at home without having to forward ports in to them which would put them at risk of being hacked.

  16. NotTrustworthy

    Money Talks ...

    I'm surprised that people actually believe paid-for VPN services don't log anything.

    The first rule of business is that you protect your business, and by extension its revenue stream.

    That statement is so true. It's been the one constant that I've found of every business I've worked for during my adult life.

    The notion that some subscription VPN business is going to use all its profits (and potentially go into debt) to hire a legal firm and fight off a single legal challenge (read: one VPN subscription) is just not a reality. Every business I've worked for has been more than happy to find the cheapest way to settle a legal problem (in general, not brought by me), if it means they can continue to operate and make money.

    If you're paying for a VPN service and the VPN business owner has any business sense, then they'll keep logs, if for no other reason than as an insurance policy to stop some costly legal challenge, or to keep themselves out of jail. I'm convinced that the only reason VPNs don't roll over on their customers more frequently, is because prosecutions are usually underfunded. That can change in a single moment though. As for reputational damage after a sell-out, I doubt they'd ever even acknowledge it was them.

    The only truly secure VPN is one you've set up yourself using payment methods and addresses that don't link back to you.

    1. Jimmy2Cows Silver badge

      Re: Money Talks ...

      The point is these VPN providers shouldn't bullshit their customers, usually the ones who aren't IT-literate, by saying they don't log anything when they blatantly do (and, depending on jurisdiction, legally must do).

      We know it's naive at best to think VPN providers won't log everything, even if only to cover their own arse. Many people looking for a VPN provider won't know that.

  17. BPontius

    naive

    Anyone who really believes that any online company does not log or store data about your activity is naive. All this no logging and don't sell my information is nothing more than marketing, as will they continue to collect and sell your data. Expect to be logged, tracked and your information sold.

    1. Anonymous Coward

      Re: naive

      @BPontius

      Generally true. But suppose I'm in an internet cafe, reading El Reg, and posting an encrypted message (see below) using El Reg, directed to my secret buddy. I'm just wondering a few things:

      1. Does logging help anyone find out WHO I AM?

      2. Does logging help anyone identify my buddy?

      3. Can anyone read my book cipher message?

      4. And supposing I'm a VERY BAD PERSON...can any of the above be done in time to make any difference?


      1. Jimmy2Cows Silver badge

        Re: naive

        1. Combined with timestamped endpoint IP logging, up-to-date geographical data for IP assignments, and timestamped CCTV at said endpoint... perhaps.

        2. See 1 (caveat: endpoint may not have CCTV).

        3. Only if they've obtained that cipher already.

        4. Probably not. Perhaps if 3 is true. But this assumes security services give a shit about doing anything in time to make a difference. They don't. The minuscule possibility of stopping "terror" is the carrot to gain ever-widening snoop powers. The stick is "look what happened because we didn't have blanket access to XYZ".

  18. sitta_europea

    I want a VPN, where should I go for a provider?

    I know! Hong Kong!

    1. FatGerman

      To be fair, 99.99999% of the people signing up for this crap don't know or check where the company is based, they just click 'give me the privacy for the warez'.

    2. Anonymous Coward

      re. where should I go for a provider? I know! Hong Kong!

      I would guess that most customers didn't even notice their "secure" vpn is HK based, and if they did, they thought "oh, how cool is that!" 1st case scenario is "normal, average behaviour", 2nd is "due diligence".
