Data privacy and security are very important to me, but I’m constantly challenged when I connect to the internet. My browsing history and location are constantly tracked, and my IP address is visible to third parties. One way I guard myself is by choosing the best VPN to protect me. However, several scandals in the VPN industry have prompted me to reconsider, and in some ways, I’m starting to trust a few of these VPN providers a bit less.
The goal isn’t to discard every VPN, but I believe there’s been enough evidence to warrant asking questions before accepting the marketing hype. I can’t trust blindly, and every VPN provider I decide to use should have truly earned it.
One scandal of many
The VPN scandal that shook my trust
Most VPNs have a no-logs policy, which is central to why many people trust them and prefer to route their data through the VPN rather than through their ISPs. No logs means the VPN isn’t recording or storing your internet data, which may include browsing history, connection timestamps, IP addresses, and data usage. This means that because the VPNs hold no such data, even if they’re compelled to turn over information by law, they have nothing to submit.
In 2017, PureVPN did something seemingly noble. It helped the FBI crack a cyberstalking case by providing connection logs that tied the suspect to his online activities. VyprVPN reported the story, stating that PureVPN’s no-logs claims had been invalidated. But the event itself isn’t as important as what happened afterward. PureVPN later admitted that it keeps logs, but only network, troubleshooting, or maintenance logs. It said these aren’t browsing logs and reveal nothing.
While they’re right that the logs they have reveal nothing—at least not on their own—in reality, these logs had user timestamps that became the final part of the puzzle. The FBI was able to compare these logs with Google’s records and confirm the identity of the individual behind the activities.
Most of us would assume that "no logs" means no information of any kind that can be traced. In this case, "no logs" seemed to mean something closer to no information that can be linked to an individual on its own. If this is what a no-logs policy truly is, it makes you start thinking about the value and level of privacy these services actually offer.
No logs policy
The problem with “no-logs” promises
When we hear no logs, we generally assume that if governments, advertisers, or hackers come knocking, there’s nothing to hand over. This is what we believe to be the ultimate privacy guarantee.
However, the problem is that, to the layperson, "no logs" can seem to mean different things depending on the fine print. Not everyone understands the technicalities of the terms. For some VPN providers, a no-logs policy may imply they don’t record and keep the websites you visit or the files you download. Other providers may interpret it as no logs on browsing activity, but still hold connection timestamps and bandwidth usage for maintenance purposes. To the company, these may not be considered logs, but in a certain context, they can be combined to identify a user.
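To make the point about connection timestamps concrete, here is an added example (not from the original article or any provider's code) that measures how many accounts stay consistent with a third party's records under different retention policies. The log fields, account names, addresses and times are constructed assumptions.

```python
from datetime import datetime

# Constructed sample: "maintenance" connection logs with no browsing data.
# Assumed fields: (account, VPN exit IP, connect time, disconnect time).
VPN_SESSIONS = [
    ("acct-101", "198.51.100.7", "2024-01-01T10:00:00", "2024-01-01T10:45:00"),
    ("acct-102", "198.51.100.7", "2024-01-01T10:40:00", "2024-01-01T11:30:00"),
    ("acct-103", "198.51.100.7", "2024-01-01T12:00:00", "2024-01-01T12:20:00"),
    ("acct-104", "198.51.100.9", "2024-01-01T10:00:00", "2024-01-01T13:00:00"),
]

# Constructed third-party records: the service only ever saw the exit IP.
SERVICE_EVENTS = [
    ("198.51.100.7", "2024-01-01T10:42:00"),
    ("198.51.100.7", "2024-01-01T11:05:00"),
]


def candidates(event, sessions, keep_timestamps=True):
    """Accounts that could be behind one event, given what the VPN retained."""
    ip, ts = event
    when = datetime.fromisoformat(ts)
    found = set()
    for account, exit_ip, start, end in sessions:
        if exit_ip != ip:
            continue
        in_window = (datetime.fromisoformat(start) <= when
                     <= datetime.fromisoformat(end))
        # Without retained timestamps, every account on that exit IP fits.
        if not keep_timestamps or in_window:
            found.add(account)
    return found


def anonymity_set(events, sessions, keep_timestamps=True):
    """Accounts consistent with all events (assumes one person behind them)."""
    per_event = [candidates(e, sessions, keep_timestamps) for e in events]
    return set.intersection(*per_event) if per_event else set()


if __name__ == "__main__":
    print("timestamps kept:   ", anonymity_set(SERVICE_EVENTS, VPN_SESSIONS))
    print("timestamps dropped:", anonymity_set(SERVICE_EVENTS, VPN_SESSIONS, False))
    print("nothing retained:  ", anonymity_set(SERVICE_EVENTS, []))
```

The size of the returned set is the useful number when reading a logging policy: retained timestamps shrink it to one account here, while a provider that keeps no session records returns an empty set.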
The marketing claim behind a service doesn’t always match the technical understanding of the user. Sadly, trust becomes the casualty when the average user’s understanding doesn’t match reality.
This doesn’t mean all VPNs are dishonest. Some have gone to great lengths to prove their claims are valid. Even PureVPN, after the 2017 incident, had independent audits to verify its claims (it is a no-log VPN these days!). Some companies relocate their headquarters to privacy-respecting countries and jurisdictions. But the fact that we’ve had scandals in the VPN industry highlights the structural issue: there isn’t a universal standard for what a no-logs policy should cover, and enforcement is largely based on trust.
The new ownership model
Common ownership creates a centralization risk
The VPN market seems to be a diverse one, but once you scratch the surface, you start to realize a lot of the providers have the same parent companies. I used ExpressVPN, CyberGhost, and Private Internet Access without knowing they’re all owned by Kape Technologies. There are other investment groups that manage clusters of additional providers.
What you thought was a bunch of options suddenly feels like you’re choosing from a handful of corporate entities. This doesn’t help trust because it gives the impression that market control is the priority, not necessarily you, the user.
Consolidation comes with its benefits. It often means financial stability for the different child companies and a larger server network. However, it also increases the likelihood of multiple providers following a similar corporate strategy. There’s a risk that we get served with uniform policies across the industry, and we begin to lose diversity in how privacy and security are handled.
What actually matters
Everyone who turns to a VPN is typically seeking the same things: privacy and data security. That’s all that matters, and incidents showing that you may not have as much of either as you hoped make you question the purpose of using a VPN.
To build trust in a VPN, there should be transparency. A company’s no-logs policy must align with customers’ expectations. Independent audits should be the standard, and for an industry as sensitive as this, I’d rather lean more towards open-source software where there’s more transparency. This is probably why, after an in-depth review of Mullvad VPN, I’m leaning more towards it as a VPN provider. But in the end, remember that your VPN is not a one-click privacy solution.