[SOLVED] A few questions about VPN`s

[Nordlicht1984]

Hey guys,

I hope to find a few helpful answers here about the usage of a VPN. Maybe I can find one (or a few) more technically skilled user(s) on this matter.
Let's assume User X uses a VPN service headquartered in the British Virgin Islands. This service states that it does not keep any logs that could identify a user. The traffic is also obfuscated by the fact that many users of the service share the same IP address of a server. Furthermore, the service states that it does not use hard disks, but RAM-only servers in its entire server network, which irretrievably delete all data after every boot.

My questions are the following:

1.) Most European countries have some form of data retention. What about a no-logs VPN that has its server physically located in such a country?

2.) With a no-log VPN, are there any countries you should prefer or disregard connecting to for privacy reasons?

3.) Switzerland, for example, recently passed an amendment to its Telemedia Act (Büpf). There, it is regulated that every VPN service that is operated in Switzerland must log for investigating authorities. VPN providers with headquarters in Switzerland have already largely admitted this (for example, Monsoon Networks, which operates "Swiss VPN"). But what about a VPN provider that has its headquarters offshore (Panama or British Virgin Islands) and has only rented a server in Switzerland?

4.) What about server operators? I have now read a lot of negative reports in various forums about a very large operator based in the UK (but has Servers in many different countries) that is accused of HAVING to arouse interest for secret services just by the amount of encrypted connections. Can such an operator effectively undermine the privacy of the VPN?

Perhaps someone will be able to give me a semi-conclusive answer to these questions. Thank you very much for all the answers in advance!

 

[Ralston18]

This:

"This service states that it does not keep any logs that could identify a user. "

1.) You have no way of knowing what the VPN really does or does not do. Or may be pressured to do.

2.) You have no way of knowing what any given country or hosted VPN is truly doing with respect to VPN practices, SOPs, and personal data. And they may not know themselves - especially if other entities are hacking or otherwise accessing the data.

3.) International laws are both complicated and varying. You have no way of knowing the end results of some legal language that requires operators to log information for potential investigative purposes. Likely many loopholes and/or just upfront manipulation of the rules. Especially if not clear and consistent. Some companies may simply ignore and disregard the laws.... Easy to stave off any legal actions against them.

4) Operators: They may or may not be held accountable due to local laws, loopholes, graft, corruption, incompetence. You have no way of knowing just how well (or not) they actually protect end users' privacy. Whether they want to or not.

Just my thoughts on your questions.

 

[Nordlicht1984]

Hi Ralston18,

thank you for your thoughts! I really appreciate it!

In essence, you confirm my suspicions. I am also generally quite suspicious and I know that many things are pure advertising promises (such as absolute anonymity). A VPN is nothing more than a tool to increase data protection and privacy, and that is exactly what is important to me.

I have a few comments that I would like to explain briefly.

This:

"This service states that it does not keep any logs that could identify a user. "

1.) You have no way of knowing what the VPN really does or does not do. Or may be pressured to do.

I am absolutely aware of that. Many VPN on the market caught lying already. The one I am interested in had one of its servers seized in a assasination case of a Russian Ambassador in 2017 based in Turkey by authorities and nothing was found there (most probably you will know the service I`m interested in now anyways!). For many, it is THE proof that the provider delivers what it promises. In addition, how do you rate security audits by security companies for such providers in general? Is this serious or is it simply a snapshot where the provider has at worst ensured optimal conditions during the audit?

2.) You have no way of knowing what any given country or hosted VPN is truly doing with respect to VPN practices, SOPs, and personal data.l And they may not know themselves - especially if other entities are hacking or otherwise accessing the data.

The provider itself advertises the highest security standards and constant maintenance, which the audits also prove, apart from minor weaknesses. Of course, it is always possible to hijack a system.

In addition, there are some countries with higher data protection than others - for example, Germany, Iceland, Romania and Estonia. Wouldn't a provider in such a country also have to comply with these regulations? For me, however, this is contradictory in that the positive (data protection) is claimed, but the negative (possible data retention) is excluded.

4) Operators: They may or may not be held accountable due to local laws, loopholes, graft, corruption, incompetence. You have no way of knowing just how well (or no) they actually protect end users' privacy. Whether they want to or not.

I also thought about this. The thing that I am asking myself is the following: Could such an operator, with headquarters in the UK, deliver any kind of useful information to British authorities due to british law ALTHOUGHT he has its physical server for the VPN in another country (lets say Switzerland)?

 

[Ralston18]

With the necessary amount of money, intent, corruption, incompetency, any laws, rules, or policies can be bypassed, ignored, abused, etc..

Goes beyond just VPN.

Besides, if useful information is not found, someone is likely to just make things up. [Cynicism conceded.]

All in all it depends on the laws in place and what any two countries decide to do that is in their mutual best interests.

And remember that is it not uncommon for someone to give up information as a means to get themselves out of trouble.

Using VPN is a technical matter. The consequences are legal matters.

 

[Old Molases]

The aspect of keeping logs is associated with relation a service provider has with 5 Eyes, 9 Eyes, and 14 Eyes. Most of the VPNs states that dont keep any logs, but they do. You need to be sure that you opt for a provider that is beyond such jurisdictions. Quoting my personal experience, I am using Ivacy for the past year for streaming blocked content, torrenting and accessing the geo blocked content. I haven't had any notices from my ISP or DMCA for that fact. You just need to be sure that you opt for a provider that is beyond such limitations and boundaries.

 

[Ralston18]

For the record:

https://nordvpn.com/blog/five-eyes-alliance/