Is Your VPN Collecting Your Data? What You Need to Know
While some VPNs are great tools for protecting your browsing information and personal data, others exploit and resell that data. How do you know if the one you're using is truly reliable and secure? Find out if you should trust your VPN provider.
In principle, a VPN allows you to keep your browsing private, in particular by hiding your real IP address from third-party sites and by encrypting data, both incoming and outgoing. But the virtual private network provider can collect your personal and activity information. This is the case, for example, with free VPNs, which make money by exploiting and reselling your data. But some paid VPNs can also collect and store data relating to your browsing. This is why it is important to choose a platform with a rigorous no-log policy, and above all audited by an independent body.
What data do VPNs record?
A VPN of course has access to all the personal information you give it, such as your email address, sometimes your name or your country of residence (for VAT purposes). There is usually no identity verification system, so you can use fake data to maintain your anonymity. You can also use a specially created email address to cover your tracks.
Next, the VPN can potentially obtain all the activity data relating to your browsing and the device you are using. When this data is associated with your identity information, it allows a complete profile of you to be built. This profile can be sold to advertising agencies or provided to governments and intelligence agencies.
Your VPN service can access your real IP address, as well as the virtual IP addresses you were assigned while using the platform. It can also access information about the servers you connected to, as well as the precise timestamps of your connections. VPN services may collect these connection logs to improve their product, but a security breach would expose this data to malicious third parties.
You should especially avoid VPNs that keep activity logs of their users. Platforms that do this record the websites you visit and the files you download, and can analyze your traffic in detail. The amount of bandwidth used is also recorded. In short, the confidentiality of your activity is absolutely not guaranteed.
Finally, a VPN provider is able to know the hardware and software characteristics of the device you are using: the type of device and part of its technical specifications (processor, RAM, etc.), the operating system installed, and the version of the VPN application. This data is useful for improving the service offered, but it also fills out your user profile, which can fall into the wrong hands.
Is my VPN trustworthy?
The first thing to do before signing up for a VPN is to check its data collection and retention policy. The most reliable services have nothing to hide from their users and will clearly communicate how they handle information. If you can’t find a VPN provider’s privacy policy, or if the wording they use seems unclear, you should probably be wary of the platform.
Of course, it is easy to promise customers the moon when they have no way to verify the claims. This is why it is important to choose a VPN that has been independently audited by a recognized organization, which can attest to the quality of the service and to compliance with the privacy policies it puts forward. For example, NordVPN's no-log policy has been audited and approved by the very reputable Deloitte firm. This ensures that your data is not stored and exploited by the platform.
During an audit, independent experts access the infrastructure and configuration of the servers, as well as technical logs, in order to verify that the data processing corresponds to what the VPN provider guarantees. The behavior of advanced privacy features, such as obfuscated servers (which hide the fact that you are using a VPN to redirect your online activity), double VPN connection, the Tor protocol or P2P servers, is also closely scrutinized. Finally, employees are questioned by the auditor's specialists.
In the privacy policy of each VPN service you are interested in, be sure to read what data is collected and why. Sometimes some information may be retained, but it does not allow you to be identified. Depending on your level of sensitivity to data protection, you can accept this type of tracking or not.
The location of the VPN provider's headquarters is also a factor to consider. In many countries, companies are required by law to share certain data with states and their intelligence agencies if they request it. This is of course the case in countries like China or Russia, but also in Western nations like the United States or within the European Union.
Being based in Panama, NordVPN benefits from flexible data retention laws. Furthermore, Panama is neither a member nor a partner of the 5 Eyes, 9 Eyes, and 14 Eyes surveillance and intelligence alliances. The provider can therefore implement its no-log policy without fear of pressure from the authorities. Some services also publish transparency reports to show their credentials.
To sum up, it is better to avoid free VPNs, which systematically collect and exploit your data. Opt for a provider that commits to a no-log policy and that has been successfully audited several times by a recognized independent entity. At the beginning of 2024, NordVPN validated a fourth audit proving the absence of logs; this is the type of platform we advise you to choose.