Seven 'no log' VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet A string of "zero logging" VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to …
Thinking about how VPNs work, this issue seems like it was going to crop up eventually. It's a question of trust: whoever owns the endpoint of your Internet connection has the ability to collect a ton of information about your Internet traffic. The average punter is sold on the notion that their traffic is "protected," but the question is, from whom? If you don't trust your ISP for whatever reason, then you need to make an informed choice about the VPN provider, as mentioned in the article. Unfortunately, it seems like a lot of people aren't familiar with the technical and security merits of the various providers, which leads me to my second point.
The other use of VPN software is to make it appear that your Internet connection is somewhere different, e.g. the United States instead of Morocco. While there are free speech uses of this technology, other popular use cases are accessing media content that is region-locked or obfuscating BitTorrent traffic, and I think it's to the latter users that low-cost VPN providers primarily cater. Someone who is concerned about their ISP or government spying on them is more likely to pick a more carefully vetted VPN, while illicit users of Netflix and BitTorrent seem more likely to care primarily about superficially masquerading their location.
I am considering switching from CyberGhost to Mullvad. The latter doesn't even ask for your details (and also allows payment in cryptocurrency or cash, in an envelope).
They support OpenVPN and WireGuard protocols, support IPv4 + IPv6 and have sorted out a lot of other tech stuff pretty well. They are sponsors of the TOR project and score pretty well in the VPN matrix of ThatOnePrivacySite.
I did loads of research and moved from PIA after they were bought by Kape.
I ended up with AirVPN. Loads of options, works with everything and speeds are exeptional.
It seems that there's a huge industry in affiliate links so it's hard to evaluate each provider. I used ThatOnePrivacySite along with Tom Spark's YouTube channel to reach a conclusion.
I was looking for the Mullvad plug. They are adding new servers frequently and have never asked for my information. Even if they do log (they say they don't and I believe it), there is no user data other than my ID that their servers ingress, and you can change your ID at any time and pay with crypto.
There is no bandwidth or throughput limiting so my speeds are never impacted, they don't track how much you use anyway. Highly recommend,
Bought a VM in the country where I wanted the VPN, spooled up a copy of Debian, cooked my own. That still doesn't preclude traffic logging by the provider, but that's why you choose a decent country first and you can set up a few things on the box itself to mess up the statistics.
Check Point is the only one I'd trust, they kept the Chinese out of my network for five years, when the PRC finally gave up. I only used their hardware too.
But if you are in Hong Kong, you might as well forget it; although if I were a protester, I'd have a plan to roll my own using friendly advice; and open source methods. None of the details, which I'd discuss in public anyway.
Well, I think that you might want to revisit what your needs are before opting for one. For instance, (quoting my personal experience) I use Ivacy when it comes to my privacy and security. Its apps are ioXt certified and work flawlessly for streaming. I bought six months back when I came across TechRadar endorsing it for streaming functionality.
any ideas on Vypr VPN? I spent more than a year subscriptions worth on 1 month trials of a few (6?) different VPN's. surfshark, vypr and one other (IVPN was almost useable) were the only ones I found even slightly useable. express, nord and cybervpn were virtually unuseable.
my vypr connection seems to hang after a while, so I'm ending up not using my VPN much. I've found a VPN connection isn't suitable for general surfing, I only enable it when necessary. I suppose at some point in the 21st or 22nd century, these services might actually become regulated
"The vast majority of companies that operate these services use patently false marketing, have very murky corporate provenance, and in some cases are literally run by convicted financial crime felons, so of course they will claim 'strong privacy and security' protections when in fact they offer neither," he continued.
So, just exactly like Parliamentary and Presidential style democracies then which are forever reneging on fantastic election promises once feeling secure in executive office with even the slimmest of majorities/greater number of delinquent votes.
If truth be told, they be as Ripe Rotten Skunk Works and therefore wholly unworthy of SMARTR* Futures Support.
* .... SMARTR Mentoring Analysis Reporting Titanic Research
It's pretty clear that China is forcing Hong Kong VPN providers to log everything and that their services are therefore moot.
It's pretty shocking that these providers are logging passwords in plaintext as well, although I wouldn't be surprised if some big U.S. internet giants do this as well.
Personally I'm ok with a company being able to identify a VPN user after being served a lawful warrant to that effect. It's the casual 'spying on everyone because we can' that I object to, it changes the nature of the relationship between people and the state (i.e. nothing to do with that 'nothing to hide, nothing to fear' bollocks).
Once "On-The-Net", there is NO such thing as "Privacy". Regardless of Who-You-Are or What-You-Do. Your details and GaZillion Others, are then, "Awaiting-for some 2-bit Crook to Target You". The Kicker is that you are paying for ALL this, aka Mesmerised to Imagine that "Perfection" is Ownable/Purchase-able. Like it and Believe It or NOT.
I am possibly being stupid here, but my understanding is that the purpose of a VPN is to tunnel network traffic between two points, with the traffic usually being encrypted in the tunnel (I suppose that if it was not encrypted that would be a VN and I can imagine uses for those but they don't matter here). Let's call the end points A (you) and B (the far end). Now, surely, half the point of the thing is that if someone can snoop traffic from B, they can't easily know that it comes from A (and there are lots of caveats here because if they can see the connection from A to B then they can probably work out interesting things from traffic analysis even without being able to decrypt the traffic, so that all has to be hidden somehow, but I don't want to worry about that).
So, if B is owned by some VPN provider, anyone who is watching its traffic knows only that it originates from one of the VPN providers many customers, not who they are. So that reveals a little information but not much. And if there are no logs then even a later attack on the VPN provider (a legal attack say) doesn't tell them any more.
But if I want to roll my own VPN, then I'm going to need to pay for the end-point, B. And I'm the only person using this end-point. So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the the point of a VPN.
So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the the point of a VPN.
Some, but not all. If you don't need to protect against legal threats then that VPN is still useful. In particular, if you are just using the VPN to appear to be located in another country, and it is unlikely anyone will take legal action against you, then paying for your endpoint works fine. In that case, the biggest problem is that the easily available paid-for endpoints (like AWS) are often blocked by the sites most often targetted for this (for example, BBC). But it is often still possible to find a smaller provider that is not blocked, And any foreign provider will do if you aren't violating copyright and just don't like allowing GCHQ to collect all your browsing data with no probable cause.
On the other hand, if you don't need to protect against legal threats, and you are just using it for something fairly innocuous, then you don't need a "nolog VPN provider" either - any VPN provider will do and they will probably handle getting around blocks better than you can because that is how they get you to pay.
The situation changes, of course, if you are doing something illegal, or likely to end up in court, or something blackmailable (in which case the VPN or hosting provider themselves may be your most serious threat).
@Graham_Cobb
Quote: ".....don't like allowing GCHQ to collect all your browsing data..."
*
They can collect what they like......but can they read it?
*
0ew61eMr1XPV1Nel1lB70BU20czu0qyk1MLn02o8
0VrT0GCO0aoU02Sq00JJ0HCr0e9u0BYK00oA1gcA
1LNb1kcn18w00Nch0ly219QW1bpN08VC0AXo1PJu
0B4908ED1mr31U0=11zJ0A820OUy0IuV1XbX1K9u
06hw1FbK05qn1Eq00jjY1ICG0goU1Za70OFj1eSs
0lwl1O=90DGL0EQL168$14Bs1DJR0h161Ls=121K
19yC11MH0nm00CcN1PWc0qtT1lp01g$60T801eZQ
0Ye71Y4l0TTV0ZrA0xhl0eZp0l5m1Q851HR10UMx
1a1R00N=0v1e1avj0=jj1jA61a$m1ARn0t4T0rDb
0TGj
*
0ew61eMr1XPV1Nel1lB70BU20czu0qyk1MLn02o8
0VrT0GCO0aoU02Sq00JJ0HCr0e9u0BYK00oA1gcA
1LNb1kcn18w00Nch0ly219QW1bpN08VC0AXo1PJu
0B4908ED1mr31U0=11zJ0A820OUy0IuV1XbX1K9u
06hw1FbK05qn1Eq00jjY1ICG0goU1Za70OFj1eSs
0lwl1O=90DGL0EQL168$14Bs1DJR0h161Ls=121K
19yC11MH0nm00CcN1PWc0qtT1lp01g$60T801eZQ
0Ye71Y4l0TTV0ZrA0xhl0eZp0l5m1Q851HR10UMx
1a1R00N=0v1e1avj0=jj1jA61a$m1ARn0t4T0rDb
0TGj
That is just depraved. You should be ashamed of yourself. That poor dwarf. How could you stoop so low?
Signed,
Your friends at GCHQ.
PS: You need to change your mouse batteries, you left your car lights on, and for what it's worth, that shirt really doesn't suit you.
I'm lucky enough to be able to work from home in my second country.
Before I left my home country, I setup all the necessary stuff using Ubuntu, OpenVPN, DDNS and a few other things.
So, I have my own VPN, so when it comes to streaming the Beeb/Sky all appears hunky dory.
Downside, I have to leave my kit on back home, so thats 'paying' for it....
I do realise that most peopel will need a third-party one for reasons of streaming from another region for the TV / Kodi rather my genuine 'WFH' reason.
I do realise though that this is something of a minefield!
I use a VPN when I'm away from home on unsecured Wi-Fi or on a network of unknown security.
For my purposes my own VPN server back in my home is just as good as using any service would be. Plus I can get access to my NAS and other things that are on my network at home without having to forward ports in to them which would put them at risk of being hacked.
I'm surprised that people actually believe paid-for VPN services don't log anything.
The first rule of business is that you protect your business, and by extension it's revenue stream.
That statement is so true. It's been the one constant that I've found of every business I've worked for during my adult life.
The notion that some subscription VPN business is going to use all its profits (and potentially go into debt) to hire a legal firm and fight off a single legal challenge (read: one VPN subscription) is just not a reality. Every business I've worked for has been more than happy to find the cheapest way to settle a legal problem (in general, not brought by me), if it means they can continue to operate and make money.
If you're paying for a VPN service and the VPN business owner has any business sense, then they'll keep logs, if for no other reason than as an insurance policy to stop some costly legal challenge, or to keep themselves out of jail. I'm convinced that the only reason VPNs don't roll over on their customers more frequently, is because prosecutions are usually underfunded. That can change in a single moment though. As for reputational damage after a sell-out, I doubt they'd ever even acknowledge it was them.
The only truly secure VPN is one you've set up yourself using payment methods and addresses that don't link back to you.
The point is these VPN providers shouldn't bullshit their customers, usually the one's who aren't IT-literate, by saying they don't log anything when they blatantly do (and, depending on jurisdiction, legally must do).
We know it's naive at best to think VPN providers won't log everything, even if only to cover their own arse. Many people looking for a VPN provider won't know that.
Anyone who really believes that any online company does not log or store data about your activity is naive. All this no logging and don't sell my information is nothing more than marketing, as will they continue to collect and sell your data. Expect to be logged, tracked and your information sold.
@BPontius
Generally true. But suppose I'm in an internet cafe, reading El Reg, and posting an encrypted message (see below) using El Reg, directed to my secret buddy. I'm just wondering a few things:
1. Does logging help anyone find out WHO I AM?
2. Does logging help anyone identify my buddy?
3. Can anyone read my book cipher message?
4. And supposing I'm a VERY BAD PERSON...can any of the above be done in time to make any difference?
*
1ljP046a1XPV1Nel0Bjc0$Sl0Fe813O0082L1QFq
1b=71Asd0v$I1SE00WuY0JpF0e9u1bJe16gu1gcA
0UcW0e2R097F1Vjy1Qmr0EgR0yWw1SFE0ZZW0aVp
08F510$E1a8W0SVJ0Lau17v=1ery0glv0uCs1K9u
0h2A0auY0xBF0aA30rRH120p0sEv13IC0H2q1ES8
1TqU1T7$0YJu0ncF0Khi1Jp00Or30$qn0pfF1e6T
19yC11MH0eXX1TL90ZRE0oCr1d7J0Uli0szH0jAF
0i$60D2g005a1Knl1MWy0Ovo0l5m1Q850Yvi04SA
1eXt0pXw06171cLt1NQg14Fm0qpn1cuT15Fk
*
1. Combined with timestamped endpoint IP logging, up-to-date geographical data for IP assignments, and timestamped CCTV at said endpoint... perhaps.
2. See 1 (caveat: endpoint may not have CCTV).
3. Only if they've obtained that cipher alreadys.
4. Probably not. Perhaps if 3 is true. But this assumes security services give a shit about doing anything in time to make a difference. They don't. The miniscule possibility of doing stopping "terror" is the carrot to gain ever-widening snoop powers. The stick is "look what happened because we didn't have blanket access to XYZ".
Would anyone ever consider a VPN as a security measure?
It's a tool- and a great one- to get around region-locking and censorship. But you're just connecting through someone elses' computer (where the definition also includes network equipment smart enough to be a VPN endpoint). There's a huge amount of trust required there.
What do these companies do to convince their customers that they're trustworthy?
I must admit, sometimes, for the sheer hell of it, I use Opera's VPN on my phone passed through the free allowance of speedtest.net's vpn just to add a bit of obfuscation.
I'm sure it doesn't achieve anything really, but I do like to muddy my tracks. ( I also make random Google searches on my phone when I have a spare moment while stuff is happening. Think of a word, type it in to Google search).
Definition of fraud:
1a : deceit, trickery specifically :
intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right
How is this not fraud?
Will the owner(s) of these Virtual(ly) Public Networks be brought up on criminal fraud charges?
The nordvpn provider look like a honest one if you compare with this one : they deliberately log everything from their customer, even data with no use for debug / technical monitoring.
I can't see anything else than shady reason, if it is obvious that communication privacy, activity free of any log, anonymat... are purely commercial statement, the goal of this provider is far beyond making a juicy business. Another obvious red flag for this provider : VPN client closed source.
A efficient way to prove that the no log / ultimate privacy is a lie : Mass TCP port scan over a large netrange. If they don't log, monitor or trace who is doing what, you shouldn't be banned.
Torproject is one of the only service who can legitimately claim what all those brainwashing vpn provider said
As using a vpn rely on a blind trust of a third party, I would go for Mullvad
..... and easily fully compromised
Do you think El Reg is safe and secure and free from outside spooky interest and remote and ideally controlling interference?
Or is the opposite much more likely, given the common subject matters revealed in opinion pieces and information and intelligence reports and further discussed and expanded upon by commenting fans, both unusually known and secretive alike ..... the identifyingly handled and Anonymously Cowardly.
:-) Ever had a tap on the shoulder, El Reg, followed by an offer to not refuse.?
@amanfromMars 1
Quote: "...Do you think El Reg is safe and secure ..."
*
Do you think ANY internet service is safe and secure?
*
Well...........no I don't. But that's not the right question. Surely it's a question of RELATIVE security.
*
So......if you have a gmail (or FB, or WhatsApp, or LinkedIn or BT, or Vodaphone......) account in your ACTUAL NAME..........................then you've got a target right there on your back.
*
Anyone with an account/street address/credit card for their internet consumption.... is wide open for bad guys and/or spooks,
*
So........as an AC on El Reg.....if my anonymity is prejudiced, feel free to get in touch.
Do you think ANY internet service is safe and secure? ... Anonymous Coward
Since you ask, AC, and it is surely good for all to know about such as may be an entirely common place thing today too, I have no delusions about the possible complete lack of safety afforded to anyone who or anything which would think they are secure, relative or otherwise, and using remote virtual communications for practically surreal direct contact.
However, what is a constant source of wonder with ever greater wider and deepening divides providing private and pirate succour and customised safe harbour sanctuary in any number of visited ports, is the abject lack of super-talented intelligence use of the facility/utility/ability, and which one is well advised to constantly be on the look-out for vast and radical improvement in/on.
And that exciting change can, at it simplest and most worthy of forms, be manifested in a cogent and direct response to earlier supplied observation for embracing comment or ignorant denial and revealing silence, with the one supplying further remarkably profitable aid whilst the other renders extraordinary deficits creating crippling debts and overwhelming hardships.
And there's no point in being too anonymous and ridiculous to the point of a self-destructive personal corporate obsession about maintaining one's absolute safety and security, AC, if you have something exciting to tell which one can easily sell for an absolute fortune ........ although there will be those and that which will tell you that is a fundamental human weakness to be ruthlessly exploited and lavishly employed rather than an almighty complicate and empowering strength to be fielded and wielded
I guess it's all on how you word your response?
Advertised VPNs?
Are you serious? Naw, no, we don't share no data, no way, no how.
Months later, Ah, well um, I guess our marketing department promised something, something... shared something, contractually bound... it is all quite legal, we have it on paper!
7 thumbs down
Not sure if he uses VPN, because much of the lines of communication are cut up and rather random; but if you really want to communicate in a way that even the heavy deep state hitters find it hard to intercept you; do it the way the Dalai Lama does it. I'll just leave it at that - just think about it and you will figure it out. The PRC doesn't need to know. He is always two steps ahead of them, all the way!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
