When and why NordVPN (and other VPNs) would log your data
Author: Leonora W. Downs
The rise of VPN services in recent years has less to do with privacy than you might think. Most people use them to unblock video streaming services, websites, and other online services, but that’s really a side benefit: they’re designed to provide extra layers of privacy when using the Internet.
They do this by encrypting data sent to and from your computer, phone, or tablet so that your internet service provider can’t see what you’re doing (like they can if you’re not using a VPN).
But by using a VPN, you route all that data through a server owned by the VPN service. The very fact that the data must be decrypted when it reaches the VPN server before being sent to its final destination means that the VPN service can see what you are doing. Except that this is usually not possible, since most of this data is already encrypted (because of HTTPS and other web technologies), so the VPN encrypts data that is already encrypted.
Additionally, any reputable VPN service will be configured to operate in such a way that none of this data is ever stored or logged. This is what a no-logs policy refers to. This means that no information about the websites you visit, when you log in and out, or the files you download, and certainly not your IP address (which may link this activity to you) is recorded or retained.
Some VPN services, including NordVPN, have gone so far as to remove hard drives from their servers or make them read-only to ensure that data is not accidentally saved. Servers operate by using RAM as temporary storage for files needed to run the service, and if this server were ever seized by authorities, all data in RAM would vanish when unplugged.
For the most part, this is standard industry practice, and everything is anonymous, so it cannot be traced back to a specific user. Almost always this is done to monitor the performance of the service and improve it.
The kinds of things that are recorded include the types of devices people use, such as an iPhone, Windows laptop, or Amazon Fire TV Stick; the servers they connect to (to see which are the most popular, in order to add more in locations that need them most); and the number of simultaneous connections, so that the limit can be enforced.
NordVPN, for example, allows up to six connections to the service at a time. If it literally didn’t log anything, it would have no way of knowing how many devices you had connected to its service, and therefore no way to prevent you from connecting more than six devices.
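The connection-limit point above, as an added example (not NordVPN's code and not part of the original article): it shows the minimum state a server needs to enforce a six-connection cap, held only in memory, with no IP address, timestamp or destination recorded. The class name, the boot-time HMAC key used to pseudonymise accounts, and the account id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_CONNECTIONS = 6  # simultaneous-connection limit quoted in the article


class SessionLimiter:
    """Hypothetical limiter: enforces a per-account cap using volatile state only."""

    def __init__(self, limit=MAX_CONNECTIONS):
        self.limit = limit
        # Random key created at start-up and never written to disk: once power
        # is lost, the pseudonyms below cannot be recomputed or linked to accounts.
        self._key = secrets.token_bytes(32)
        self._sessions = {}  # account pseudonym -> set of opaque session tokens

    def _pseudonym(self, account_id):
        return hmac.new(self._key, account_id.encode(), hashlib.sha256).hexdigest()

    def connect(self, account_id):
        """Return a session token, or None when the account is at its limit."""
        tokens = self._sessions.setdefault(self._pseudonym(account_id), set())
        if len(tokens) >= self.limit:
            return None
        token = secrets.token_hex(16)
        tokens.add(token)
        return token

    def disconnect(self, account_id, token):
        """Forget a session; drop the account entry once nothing is connected."""
        pseudo = self._pseudonym(account_id)
        tokens = self._sessions.get(pseudo, set())
        tokens.discard(token)
        if not tokens:
            self._sessions.pop(pseudo, None)

    def retained_state(self):
        """Everything this process knows: pseudonym -> number of live sessions."""
        return {p: len(t) for p, t in self._sessions.items()}


def demo():
    limiter = SessionLimiter()
    tokens = [limiter.connect("user-1001") for _ in range(7)]  # constructed id
    accepted = [t for t in tokens if t is not None]
    limiter.disconnect("user-1001", accepted[0])  # free one slot
    retry = limiter.connect("user-1001")          # now fits under the cap again
    return len(accepted), tokens[6], retry is not None, limiter.retained_state()
```

When auditing a no-logs claim, the question to ask is what a structure like `retained_state()` contains and whether any of it ever reaches persistent storage.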
An audit is all well and good, but if you dig even deeper into the fine print, you might find wording like this, on NordVPN’s Warrant Canary page: “[…] privacy and security, we never log their activity unless ordered by a court in a proper and lawful manner.”
This would rightly worry you. It seems to say “We have a very good zero logs policy but we will log your data if a court asks us to”.
But isn’t NordVPN based in Panama precisely to prevent such court orders in the first place? The wording of this webpage originally stated that NordVPN would not comply with the request of foreign governments and law enforcement, but it was changed in January 2022, although the page itself is still dated June 20, 2017.
The change was fairly widely reported in the tech press – including PCMag – at the time, and even now the same wording is being sent by NordVPN’s support team when asked if it will log data. What isn’t particularly clear, and doesn’t really help NordVPN, is that this is the case with all other legal and legitimate VPN services and, more importantly, it’s very rare that a court makes such a request.
You might be wondering what kind of situation would require a court to issue a data recording order. Would it be to monitor suspected criminal activity? Very probably. Could this criminal activity be something like the illegal downloading of movies? Almost certainly not.
Alternatively, an order may not refer to a person, but to all users of a VPN service. A country may change its laws and make data retention mandatory. And along with many others, NordVPN took down its Indian servers and refused to comply.
We spoke to NordVPN’s PR manager, Laura Tyrylyte, to get some clarification on the wording. She told Technical Adviser: “NordVPN is a legitimate company, operating in compliance with all laws and regulations. We do not log our customers’ data and our entire infrastructure is built around privacy because of our values and because we can legally operate this way. However, as [with] any other legitimate company, we must comply with legitimate requests if such requests are made following all appropriate legal procedures.
“This means that in theory a court could issue a binding order requiring a company to modify infrastructure in order to record customer data. Courts can order just about anything, again, in theory and in very specific circumstances. Such [an] order would be unprecedented, extremely unlikely and very difficult to issue. We would challenge it until we exhausted all available options to defend ourselves, but (and again) in theory, it is possible.
“The same goes for any other company in the world. In 10 years of operation, being the largest VPN service provider in the world, we have never come close to such a situation, but we do not want to mislead our customers, by giving the impression that we can operate above the law. No legitimate company can.”
Theoretically, NordVPN and any other reputable VPN service could be forced to log customer data and change their hardware and software if necessary to do so.
But in reality, the likelihood of being asked to do so is low and even if it did happen, this VPN service would have to fight the demand as hard as possible.
You can also check pages like NordVPN’s Warrant Canary to see if a request has been made, and can then decide whether or not to continue using the service.
As of July 14, 2022, NordVPN claims to have:
NOT received any National Security Letters;
NOT received gag orders;
NOT received money orders from any government organization.
For most people – and we’re talking consumers here – a VPN should be seen as an extra layer of privacy and security when using the internet. It is important to understand their limitations and what they can and cannot do.
It’s a shame that many still claim to make you anonymous online, which is not true. They also won’t prevent your ISP from seeing how much data you’re downloading or when you’re using the Internet.
What they are is a useful tool, whether you’re just unblocking US Netflix or hiding your activity from a government that wants to monitor everything their citizens do.