VPN

WHICH VPN SERVICES TAKE YOUR ANONYMITY SERIOUSLY?

2014 EDITION

Millions of people use a VPN service to protect their privacy, but not all VPNs are as anonymous as one might hope. In fact, some VPN services log users’ IP-addresses for weeks. To find out how secure VPNs really are, TorrentFreak asked the leading providers about their logging policies, and more.

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim.

Following a high-profile case of an individual using an ‘anonymous’ VPN service that turned out to be not so private, TorrentFreak decided to ask a selection of VPN services some tough questions.

By popular demand we now present the third iteration of our VPN services “logging” review. In addition to questions about logging policies we also asked VPN providers about their stance towards file-sharing traffic, and what they believe the most secure VPN is.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

3. What tools are used to monitor and mitigate abuse of your service?

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Which payment systems do you use and how are these linked to individual user accounts?

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

What follows is the list of responses from the VPN services, in their own words. Providers who didn’t answer our questions directly or failed by logging everything were excluded. Please note, however, that several VPN companies listed here do log to some extent. The order of the lists holds no value.

PRIVATE INTERNET ACCESS

1. We absolutely do not log any traffic nor session data of any kind, period. We have worked hard to meticulously fork all daemons that we utilize in order to achieve this functionality. It is definitely not an easy task, and we are very proud of our development team for helping Private Internet Access to achieve this unique ability.

2. We operate out of the US which is one of the few, if only, countries without a mandatory data retention law. We explored several other jurisdictions with the help of our professional legal team, and the US is still ideal for privacy-based VPN services.

We severely scrutinize the validity of any and all legal information requests. That being said, since we do not hold any traffic nor session data, we are unable to provide any information to any third-party. Our commitment and mission to preserve privacy is second to none.

3. We do not monitor any traffic, period. We block IPs/ports as needed to mitigate abuse when we receive a valid abuse notification.

4. We do not host any content and are therefore unable to remove any of said content. Additionally, our mission is to preserve and restore privacy on the Internet and society. As such, since we do not log or monitor anything, we’re unable to identify any users of our service.

5. Once again, we do not log any traffic or session data. Additionally, unlike the EU and many other countries, our users are protected by legal definition. For this reason, we’re unable to identify any user of our service. Lastly, consumer protection laws exist in the US, unlike many other countries. We must abide by our advertised privacy policy.

6. We do not discriminate against any kind of traffic/protocol on any of our servers, period. We believe in a free, open, and uncensored internet.

7. Bitcoin, Ripple, PayPal, Google Play (Mobile), OKPay, CashU, Amazon and any major Gift Card. We support plenty of anonymous payment methods. For this reason, the highest risk users should definitely use Bitcoin, Ripple or a major gift card with an anonymous e-mail account when subscribing to our privacy service.

8. We’re the only provider to date that provides a plethora of encryption cipher options. We recommend, mostly, using AES-128, SHA1 and RSA2048.

Private Internet Access website

BTGUARD

1. We do not keep any logs whatsoever.

2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event in which we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.

3. If serious abuse is reported we enable tcpdump to confirm the abuse and locate the user. These dumps are immediately removed. If the user is abusing our service they will be terminated permanently but we have never shared user information with a 3rd party.

4. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

5. We take every step within the law to fight such an order.

6. Yes, all types of traffic are allowed with our services.

7. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

8. 256-bit AES is the most secure. However 128-bit blowfish is plenty good. If you’re concerned about surveillance agencies such as the NSA, their capabilities are shrouded in secrecy and claiming to be able to protect you is offering you nothing but speculation. As far as what’s publicly available for deciphering encryption, both of the encryptions I mentioned are more than sufficient.

BTGuard website

TORGUARD

1. TorGuard does not store any IP address or time stamps on any VPN and proxy servers, not even for a second. Further, we do not store any logs or time stamps on user authentication servers connected to the VPN. In this way it is not even possible to match an external time stamp to a user that was simultaneously logged in. Because the VPN servers utilize a shared IP configuration, there can be hundreds of users sharing the same IP at any given moment further obfuscating the ability to single out any specific user on the network.

2. TorGuard is a privately owned company with parent ownership based in Nevis and our headquarters currently located in the US. Our legal representation at the moment is comfortable with the current corporate structuring however we wouldn’t hesitate to move all operations internationally should the ground shift beneath our feet. We now offer VPN access in 23+ countries worldwide and maintain all customer billing servers well outside US borders.

We would only be forced to communicate with a third-party in the event that our legal team received a court ordered subpoena to do so. This has yet to happen, however if it did we would proceed with complete transparency and further explain the nature of TorGuard’s shared VPN configuration. We have no logs to investigate, and thus no information to share.

3. Our network team uses commercial monitoring software with custom scripts to keep an eye on individual server load and service status/uptime so we can identify problems as fast as possible. If abuse reports are received from an upstream provider, we block it by employing various levels of filtering and global firewall rules to large clusters of servers. Instead of back tracing abuse by logging, our team mitigates things in real-time. We have a responsibility to provide fast, abuse-free VPN services for our clients and have perfected these methods over time.

4. In the event of receiving a DMCA notice, the request is immediately processed by our abuse team. Because it is impossible for us to locate which user on the server is actually responsible for the violation, we temporarily block the infringing server and apply global rules depending on the nature of the content and the server responsible. The system we use for filtering certain content is similar to keyword blocking but with much more accuracy. This ensures the content in question no longer passes through the server and satisfies requirements from our bandwidth providers.

5. Due to the nature of shared VPN services and how our network is configured, it is not technically possible to effectively identify or single out one active user from a single IP address. If our legal department received a valid subpoena, we would proceed with complete transparency from day one. Our team is prepared to defend our client’s right to privacy to the fullest extent of the law.

6. BitTorrent is only allowed on select server locations. TorGuard now offers a variety of protocols like http/socks proxies, OpenVPN, SSH Tunnels, SSTP VPN and Stealth VPN (DPI Bypass), with each connection method serving a very specific purpose for usage. Since BitTorrent is largely bandwidth intensive, we do not encourage torrent usage on all servers. Locations that are optimized for torrent traffic include endpoints in: Canada, Netherlands, Iceland, Sweden, Romania, Russia and select servers in Hong Kong. This is a wide range of locations that works efficiently regardless of the continent you are trying to torrent from.

7. We currently accept payments through all forms of credit or debit card, PayPal, OKPAY, and Bitcoin. During checkout we may ask the user to verify a billing phone and address but this is simply to prevent credit card fraud, spammers, and keep the network running fast and clean. After payment it is possible to change this to something generic that offers more privacy. No VPN or Proxy usage can be linked back to a billing account due to the fact we hold absolutely no levels of logging on any one of our servers, not even timestamps!

8. For best security we advise clients to choose OpenVPN connections only, and if higher encryption is called for use AES256 bit. This option is available on many locations and offers excellent security without degrading performance. For those that are looking to defeat Deep Packet Inspection firewalls (DPI) like what is encountered in countries such as China or Iran, TorGuard offers “Stealth” VPN connections in the Netherlands, UK and Canada. Stealth connections feature OpenVPN obfuscation technology that causes VPN traffic to appear as regular connections, allowing VPN access even behind the most strict corporate wifi networks or government regulated ISPs.

TorGuard website

PRIVACY.IO

1. We do not log any information on our VPN servers. The only scenario is if a technical issue arises, but we request permission from the user first, and we only do it for the duration of the job, and then it is removed.

2. We are in the process of moving jurisdictions away from Australia at present as we are unsure what our current government plans to do in regards to our privacy. We have not decided where yet.

3. Only SMTP port 25 is filtered to mitigate spam, but we are working on some tools to make it easier for users to send mail.

4. Any DMCA request is ignored, as we have no logs to do anything about them.

5. Same as above, as we do not log, so we are unable to provide any information. If the law attempts to make us do such things, we will move our business to a location where that cannot occur, and if that fails we will close up shop before we provide any information.

6. All protocols are allowed with our service, with the only exception of SMTP port 25 currently being filtered.

7. At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key. Bitcoin and Litecoin are also on the agenda.

8. At present we offer 128 bit for PPTP and 256 bit for OpenVPN. We plan to offer stronger encryption for the security conscious.

Privacy.io website

VIKINGVPN

1. No. We run a zero knowledge network and are unable to tie a user to an IP address.

2. United States, they don’t have data retention laws, despite their draconian surveillance programs. The only information we share with anyone is billing information to our payment gateway. This can be anonymized by using a pre-paid anonymous card. If asked to share specific data about our users and their habits, we would be unable to do so, because we don’t have any logs of that data.

3. That is mostly confidential information. However, we can assure our users that we do not use logging to achieve this goal.

4. In the event of a DMCA notice, we send out the DMCA policy published on our website. We haven’t yet received a VALID DMCA notice.

5. We exhaust all legal options to protect our users. Failing that, we would provide all of our logs, which do not actually exist. If required to wiretap a user under a National Security Letter, we have a passively triggered Warrant Canary. We would also likely choose to shut down our service and put it up elsewhere.

6. Yes. Those ports are all open, and we have no data caps.

7. We currently only take credit cards. Our payment provider is far more restrictive than we ever imagined they would be. We’re still trying to change payment providers. Fortunately, by using a pre-paid credit card, you can still have totally anonymous service from us.

8. A strong handshake (either RSA-4096+ or a non-standard elliptic curve as the NIST curves are suspect). A strong cipher such as AES-256-CBC or AES-256-GCM encryption (NOT EDE MODE). At least SHA1 for data integrity checks. SHA2 and the newly adopted SHA3 (Skein) hash functions are also fine, but slower and provide no real extra assurances of data integrity, and provide no further security beyond SHA1. The OpenVPN HMAC firewall option to harden the protocol against Man-in-the-Middle and Man-on-the-Side attacks.

VikingVPN website

IVPN

1. IVPN’s top priority is the privacy of its customers. We use non-persistent logs (stored in memory) which are deleted after 10 minutes. That tiny window gives us the ability to troubleshoot connection issues, whilst still making it practically impossible for any 3rd party to match an IP to a time-stamp.

2. IVPN is incorporated in Malta. We would ignore any request to share data unless it was served by a legal authority with jurisdiction in Malta in which case we would inform them that we don’t have the data to share. If we were served a subpoena which compelled us to log traffic we would find a way to inform our customers and relocate to a new jurisdiction.

3. We use a tool called PSAD to mitigate attacks originating from customers on our network. We also use rate-limiting in iptables to mitigate SPAM.

4. We ensure that our network providers understand the nature of our business and that we do not host any content. As a condition of the safe harbor provisions they are required to inform us of each infringement which includes the date, title of the content and the IP address of the gateway through which it was downloaded. We simply respond to each notice confirming that we do not host the content in question.

5. Assuming the court order is requesting an identity based on a timestamp and IP, our legal department would respond that we don’t have any record of the user’s identity nor are we legally compelled to do so.

6. We ‘allow’ BitTorrent on all servers except gateways based in the USA. Our USA network providers are required to inform us of each copyright infringement and are required to process our response putting undue strain on their support resources (hundreds per day). For this reason providers won’t host our servers in the USA unless we take measures to mitigate P2P activity.

7. We currently accept Bitcoin, Cash and PayPal. No information relating to a customer’s payment account is stored with the exception of automated PayPal subscriptions where we are required to store the subscription ID in order to assign it to an invoice (only for the duration of the subscription after which it is deleted). Of course PayPal will always maintain a record that you have sent funds to IVPN but that is all they have. If you need to be anonymous to IVPN and don’t wish to be identified as a customer then we recommend using Bitcoin or cash.

8. We recommend and offer OpenVPN using the strongest AES-256 cipher. For key exchange and authentication 2048-bit RSA keys are used (which RSA claims are sufficient until 2030).

IVPN website

PRIVATVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user.

2. We operate in Swedish jurisdiction. Since we do not log any IP addresses we have nothing to disclose. Circumstances don’t matter in this case, we have no information regarding our customers’ IP addresses and activity on the Internet. Therefore we have no information to share with any 3rd party.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

6. Yes, we allow Torrent traffic.

7. PayPal, Payson and Plimus. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key.

PrivatVPN website

PRQ

1. No. We do not log anything and we only require a working e-mail address to be a customer.

2. Swedish. We do not share information with anyone.

3. Not disclosed.

4. Put it in the trash where it belongs!

5. None, since we do not have any customer information and no logs.

6. We host anything as long as it’s not SPAM related or child porn.

7. Visa/Mastercard, Bitcoin, PayPal. No correlation between payment data and customer data.

8. We provide OpenVPN services (along with dedicated servers and other hosting services).

PRQ website

TIGERVPN

1. Absolutely not! We built tigerVPN to purge all data once the transmission of an IP package was completed successfully. It’s impossible to trace back any customer. On top of that we decided to use shared IPs in order to further randomize and anonymize our customers. The combination of having absolutely no logs at all and multiple customers per IP, wipes our customers’ digital footprint.

2. We are a limited liability company in Slovakia. Slovakia does not have any data retention programs and furthermore encourages ISPs to protect their customers’ privacy on the net. We are not required to share any information with 3rd party hence it would be illegal thanks to the law of telecom secrecy.

3. Since we don’t keep logs, we can’t monitor abusive behavior, which is the price for building a customer secure environment!

4. We can’t comply since we can’t identify customers, therefore it’s pointless to follow any requests. We have a specific folder for these eMails 😉

5. Same as above. We seriously can’t tell which customer did what, when, where, at any given time.

6. It’s allowed on all servers although we gently ask our customers to use either Romania or Netherlands. Some infrastructure service providers do not want file sharing so it happened to us that we were asked to move our servers due to file sharing. We found some reliable partners in Romania and Netherlands which tolerate p2p so we kindly ask our customers to use these server parks.

7. Customers can pay with Visa, Mastercard and Debit. On top of that we also use PayPal. We use hash keys and tokens to identify a payment but it’s not logged or linked to the customer. We had to do this anyway hence we are a PCI Level 1 compliant merchant. Therefore we are not allowed to store any card or payment data with the records of our customers. These keys are pointless for anyone else so there is no chance to build a connection.

8. We offer PPTP, L2TP and OpenVPN, while out of nature OpenVPN comes with the highest encryption and algorithm. L2TP and OpenVPN are 256bit SSL encrypted while PPTP comes with a solid 128bit. Although our customers are individual and have their own sense of why and what to use, we recommend L2TP as solid protocol. It’s less geeky and more secure than PPTP, but our customers can pick any of them in all the 47 network nodes around the globe.

tigerVPN website

MULLVAD

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and our upcoming IPv6 support.

2. Swedish jurisdiction. Under no circumstance will we share information with a third-party. First of all we take pains to not actually possess information that could be of interest to third parties, to the extent possible. In the end there is no practical way for the Swedish government to get information about our users from us.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. There is no such Swedish law that is applicable to us.

5. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

6. Yes.

7. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

8. We use OpenVPN. We also provide PPTP because some people want it but we strongly recommend against it. Encryption algorithms and key lengths are important but often get way too much attention at the expense of other important but harder to measure things such as leaks and computer security.

Mullvad website

BLACKVPN

1. Yes. When a user connects we log the time stamp of their connection plus the internal IP address assigned (which can be mapped to a shared external IP address). This information is kept for 7 days on our Privacy locations and 30 days on our TV locations (USA, UK, Canada & Singapore). We NEVER log a user’s real IP address however we cannot guarantee that this information is not logged by someone else (such as the data center, NSA or GCHQ).

2. BlackVPN operates under the jurisdiction of Hong Kong since it has no Mandatory Data Retention laws and a strong Bill of Rights which protects its citizens’ freedom of speech. China and Hong Kong care little about copyright enforcement or US/UK demands – which was tested recently when Hong Kong rejected demands for the extradition of Edward Snowden. The ancient proverb still holds true today: The enemy of my enemy is my friend.

Only once we receive a valid court order from a Hong Kong court will we share any information with a 3rd party.

3. We have no way of detecting abuse other than complaints from 3rd parties which contain a BlackVPN IP address and a time stamp. If the complaint relates to a Privacy location then it must be less than 7 days old for us to act on it. Otherwise our only solution is to temporarily blacklist that site/service for all BlackVPN users until the offender goes away.

This is why we’ve had to permanently block SMTP (for sending email) on all of our servers – we have no way of knowing which user is spamming so unfortunately we have to block it for everyone.

We host our own website analytics software (Piwik) which is configured to only log the first two octets of an IP address (e.g. 63.122.0.0) plus our own support system (OSticket) which always logs 0.0.0.0 as the IP address. Fraud is monitored and managed by our payment providers (PayPal and CardPay). No other tools or logging (such as WireShark) have ever been used to monitor or spy on our users.

4. These are ignored on our Privacy locations as we have chosen countries which do not enforce them or downloading for personal use is legal. On our TV locations we warn all customers who were sharing that IP address at the time and will ban repeat offenders from our TV locations.

5. We have NEVER received a valid court order to identify any user. We have received requests from various European law enforcement agencies asking us to assist them without even having a local court order. Our response has always been to ask for a valid court order from Hong Kong, but so far none of them have complied.

If and when we do receive a valid court order then we will immediately comply and hand-over any information that we have – including connection timestamps, payment records and email addresses. We’re not here to help anyone get away with a serious crime but we are here to help users evading unjust censorship or copyright violations.

6. Yes it is allowed on our Privacy locations but not ALL locations. In the USA and UK the data centers that we work with are also under extreme pressure from the copyright cartel and lawmakers, so if we don’t take action our servers will soon get cut off.

7. PayPal, Credit Cards and Bitcoin. For each transaction we record the BlackVPN user ID, time stamp, payment method and the payment provider’s transaction ID so that we can process refunds and fix errors when the automatic process fails. Our payment providers don’t know which transaction belongs to which VPN account – that would require a Hong Kong court order for us to divulge.

8. OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it harder to block as the traffic looks like standard SSL traffic.

OpenVPN is slightly more effort to set up than L2TP/IPsec or PPTP (download and install a client for Windows, OS X, Linux, Android 4+ and IOS 5+) but it should be the default way for most people to connect to their VPN. We have been using OpenVPN securely (2048 bit RSA keys and AES-256) since our beginning in 2009 so previous traffic should still be secure from decryption.

BlackVPN website
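
The configuration check described in the BlackVPN answer above, as an added example that is not part of the original article or any provider's code: it reads an OpenVPN client profile and reports the cipher, the auth digest, whether a tls-auth/tls-crypt key (the "HMAC firewall") is present, and whether a remote uses TCP port 443. Both sample profiles and the host name are constructed, and the defaults applied for missing lines (BF-CBC, SHA1, UDP port 1194) are those of OpenVPN releases of that era.

```python
import re

# Constructed sample profiles for illustration; not taken from any real provider.
STRONG_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 443
cipher AES-256-CBC
auth SHA1
<tls-auth>
(constructed placeholder for a static key)
</tls-auth>
key-direction 1
"""

WEAK_PROFILE = """\
client
dev tun
; no cipher line: OpenVPN 2.3 and earlier fall back to BF-CBC
remote vpn.example.net 1194 udp
auth MD5
"""

WEAK_DIGESTS = {"NONE", "MD4", "MD5"}   # below the SHA1 floor named in the answers


def parse_ovpn(text):
    """Return (directives, inline_block_names) from an OpenVPN client profile."""
    directives, inline, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # skip embedded key/certificate material
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                              # start of an inline block such as <ca>
            in_block = m.group(1)
            inline.add(in_block)
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def _value(directives, name, default):
    """Last value given for a single-argument directive, else the default."""
    entries = directives.get(name)
    return entries[-1][0] if entries and entries[-1] else default


def audit_profile(text):
    d, inline = parse_ovpn(text)
    cipher = _value(d, "cipher", "BF-CBC").upper()
    bits = re.search(r"-(\d{3})-", cipher)
    key_bits = int(bits.group(1)) if bits else None
    auth = _value(d, "auth", "SHA1").upper()
    default_proto = _value(d, "proto", "udp").lower()
    default_port = int(_value(d, "port", "1194"))

    endpoints = []                         # remote <host> [port] [proto]
    for args in d.get("remote", []):
        port = int(args[1]) if len(args) > 1 else default_port
        proto = args[2].lower() if len(args) > 2 else default_proto
        endpoints.append((args[0], port, proto))

    hmac_key = any(k in d or k in inline for k in ("tls-auth", "tls-crypt"))

    findings = []
    if "cipher" not in d:
        findings.append("no cipher directive: old clients default to BF-CBC")
    elif not cipher.startswith("AES") or key_bits != 256:
        findings.append(f"cipher {cipher} is not 256-bit AES")
    if auth in WEAK_DIGESTS:
        findings.append(f"auth digest {auth} is weaker than SHA1")
    if not hmac_key:
        findings.append("no tls-auth/tls-crypt key on the control channel")

    return {
        "cipher": cipher,
        "key_bits": key_bits,
        "auth": auth,
        "hmac_key": hmac_key,
        "endpoints": endpoints,
        "tcp_443": any(p.startswith("tcp") and port == 443
                       for _, port, p in endpoints),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, profile in (("strong", STRONG_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, audit_profile(profile))
```

The profile only shows what the client will ask for; the key sizes of the certificates and Diffie-Hellman parameters mentioned in several answers are set on the server and in the certificate files, which this check does not read.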

ANONYMIZER

1. Anonymizer does not log ANY traffic that traverses our system, ever. We do log when a user connects, and the IP address they connected from (which is needed for customer support and ensure system optimization), but we purge that log every 24 hours. But that’s it. We don’t log when users disconnect, how much data they used, where they went, at anytime, ever. We would also like to point out that all of our customers exit out and share the same IP, which changes on a daily basis, and we don’t even track that. If asked what IP we used last week, we wouldn’t have any way to know for certain.

2. Anonymizer Inc operates under US jurisdiction. We never share information with third parties except those required to furnish services necessary to provide you with the products and services offered by us, and even then it is limited to the information needed for the third-party to furnish those services. The main example of this would be our credit card processor.

3. We can’t. We don’t monitor or log traffic or user activity. When we receive reports of abuse, we have no way to isolate or remediate it because we don’t monitor. It’s problematic at times, but we feel strongly about keeping our contract of ‘no monitoring’ with our customers, even when it’s inconvenient for us.

4. Since Anonymizer does not log any traffic that comes over our system, we have nothing to provide in response to DMCA requests. None of our users have ever been issued a DMCA take down notice or European equivalent. We’re over 18 years old now, and if not the oldest service out there, certainly one of the oldest, and we’ve never turned over information in a DMCA request.

5. Anonymizer Inc only responds to official valid court orders in which we comply with information that we have available. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated to service use. If a user paid by credit card we can confirm that they purchased access to our service only. There is, and would be, no way to ever connect a specific user to specific traffic.

6. BitTorrent and other file-sharing traffic is allowed on all of our servers. Due to not logging or monitoring any traffic on our system it would be impossible for us to know if any user were to be engaging in file sharing or BitTorrent activities on our service.

7. Anonymizer Inc. uses Stripe for any credit card payments. There is a record of the payment for the service and the billing information associated to the credit card to confirm the service has been paid for. We also offer Cash and will soon offer crypto-currency options to include Bitcoin. Cash payment options will not store any details (e.g. Billing address and customer name) of the transaction beyond the account username and the service being paid for by cash; there would be no way for us to connect an individual to a specific account.

8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP, which is IPSEC.

Anonymizer website

IPREDATOR

1. We try to store the least amount of data legally possible anywhere. We keep a record of when you logged in for debugging, which happens encrypted and off-site in a different jurisdiction. IP addresses are encrypted and can only be decrypted by non-support staff to ensure a proper process. For example, to work around issues where the police ruffles up the support staff a bit to get data for an abuse report.

In the database we only store the details users give us on sign-up and a limited backlog of basic payment information (no PSP processor TX-IDs). We do not run a ticket system, all support emails are deleted after 3 months. Inactive accounts are deleted after 3 months. We do not track you on our website or keep any website logs. We do not rent servers and have control over our network infrastructure. Our primary objective is to protect your anonymity from legal abuse, but not to cover up ethically serious crimes. As stated in the past we are open to an audit of our infrastructure and processes by a trustworthy 3rd party.

2. We only operate servers in Sweden. This includes understanding jurisdictional limitations and engineering our environment according to them, not making claims we cannot hold when things get serious. Offenses penalized by anything less than prison time do not qualify for such a request.

For a valid request IPredator then has to hand over the subscription information entered by you, which is all that we are required to do.

3. We only use email to handle abuse related support issues. If a user decides to abuse one of our machines for a DOS attack we use rate limiters on the switches to mitigate this. So far no other tools are needed to deal with abuse.

4. For some reason they do not arrive, so we can’t tell you.

5. Please see question 2.

6. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite on the contrary. We believe our role is to provide a net-neutral access.

7. We offer PayPal, Bitcoins, Payza, and PaySon fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney and Credit Cards on request. An internal transaction ID is used to link payments to their payment processors. We do not store any other data about payments associated with the users account.

8. At the moment OpenVPN with elliptic curve cryptography, ephemeral Diffie-Hellman key exchange, and AES 128/256 seems to be the best default choice. Other configs are available on request.

Ipredator website

BOLEHVPN

1. No we do not keep logs. However as per our policy, if we do notice any unusual activity on our servers (high bandwidth loading, high number of connections or CPU usage) we may turn on logs temporarily to identify abuse of our services (such as DoS or spamming through our servers). Once the user is identified, we will terminate the offending user, issue him an e-mail for the reason of termination and wipe the logs from our system.

Turning on logs for troubleshooting is a very last resort and is necessary to ensure the integrity of our services. It has happened very rarely (only a handful of times in our 7 years of operation) and such information was not disclosed to third parties but merely used to terminate the offending user. In any case logs were usually enabled for not more than a few hours and only for the particular server that was experiencing abuse.

2. We’re a Malaysian incorporated company which is not subject to any mandatory data retention laws. As we don’t keep logs, there is not much information to share even when requested.

3. Without disclosing too deeply into our methods, to identify abuse cases we generally look for abnormal activity in the traffic, sustained spikes in traffic, data packets and reports that we receive. It is always an evolving battle and a balance between maintaining our user’s privacy and preventing abuse.

4. In the event DMCA notices or similar are given to us, we normally respond that we don’t have such content hosted on our networks and if the provider is adamant, we will terminate our relationship with the server provider and find a new one. We will not reveal the user that generated that DMCA notice (nor can we with no logs taken). Over the years, we have identified server providers that we can work with who understand the nature of our business.

5. In the event there is a request for account data, BolehVPN’s policy is to notify members of requests for their data unless it is prohibited from doing so by statute or court order. In any case, as BolehVPN does not store any user identifiable data in relation to customer’s usage of the VPN, there is little data that can be given over and beyond the date that you paid and your payment details.

It is noted that we do not require you to specify a real name during account signup and only require a working e-mail address. For your protection, we may contact you to ask for further details should there be any disputes arising from your payment.

6. All P2P/file-sharing activities are allowed through our FullyRouted and Proxied servers, but not through our SurfingStreaming servers. SurfingStreaming servers are generally limited due to local laws or datacenter policy or have limited bandwidth capacity. These configurations are generally only there to help users access geo-restricted content as opposed to full-blown P2P.

7. We accept BitCoin, PayPal and MolPay (Malaysian online bank-ins) and also direct bank-ins for Malaysian users. Orders are merely marked as paid or not paid, the date and method of Payment. No other payment details are attached to the VPN account in our customer portal system. Depending on the payment provider chosen, the payment provider may of course retain certain details.

8. We believe that OpenVPN is the most secure VPN protocol available currently. Because of Snowden’s revelations, IPSEC may not be as secure as once thought. We also implement a modified version of OpenVPN that scrambles the packets (we call it xCloak) making it harder to identify as VPN traffic.

All our servers use the same encryption, 128 bit AES, as this provides the best blend of security and performance. Of course most experts consider 256 bit AES as more secure but we are confident that 128 AES is sufficiently secure. It is noted that 256 bit AES has a weaker key schedule than 128 bit AES. We are however currently evaluating CAMELLIA as an alternative to AES.

If we were to choose the most secure algorithm, we would pick either TwoFish or ThreeFish which are independently developed by Bruce Schneier and other well-known security specialists but this is not currently available in OpenVPN.

BolehVPN website

NORDVPN

1. We do not keep any logs – no traffic logs, no timestamps, nothing. All of our logs are pointed directly to /dev/null so as much as third parties would want it is impossible to trace the user itself. In addition, our service has only a minimal configuration which does not give away any information about the user.

2. We operate under the jurisdiction of Panama. There is no data retention law in Panama hence we are allowed not to keep logs legally. We do not share any information with 3rd parties under any circumstances.

3. No tools are used to monitor our users at any case. However, we hope our users understand that any abusive action they perform through our servers could lead to the shutdown of the datacenter or the server in the particular country. At this point, we strongly believe our users understand what this could lead to and will not perform any abusive action on our servers.

4. All these notices are ignored as it has no law compliance with us. We are not a torrent hosting or promoting company. Furthermore, all our servers where P2P program usage is allowed operate in countries where there are no data retention laws. It is in our future plans to start announcing all these notices we receive just to prove our privacy policy. We care about the actual privacy of our users.

5. If we receive a valid court order at first it has to comply with the laws of Panama. In that case, the court should be settled in Panama and even if that happens we will not be able to provide any information because we keep exactly nothing about our users.

6. As stated above, the usage of BitTorrent and other file-sharing applications are allowed on certain servers. We allow P2P traffic on servers that are located in the countries where there are no laws forbidding P2P traffic.

7. We accept payments via Bitcoin, PayPal, Paysera, WebMoney. Bitcoin is the best way of paying to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer. Clients who subscribe to our services via Paysera are linked with their full name. However, even the VPN account is linked with the payment system account it is not linked with the performed activities on our servers.

8. Recently, we have added high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hops and then reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays.

Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Finally, our regular servers also have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP. Currently we are working on even higher security solutions which will be accessible through our software in the second quarter of 2014.

NordVPN website

TORRENTPRIVACY

1. We don’t store any logs, it’s impossible to track users’ activity through the TorrentPrivacy VPN.

2. We run our business as a Seychelles company. It is one of the safest and nicest places in the world. There haven’t been any lawsuits in Seychelles regarding online copyright infringement yet.

3. According to our Terms and Conditions it is not recommended to use the service for any illegal purposes, for example, for transmission or receipt of illegal material. But because we have a no logs policy we don’t monitor and store any information about users’ online activity.

4. If we receive a DMCA notice, our team of lawyers solves it immediately without blocking any servers or protocols. We don’t store any content on our servers, and users are anonymous. We promise our customers that they will not have DMCA related problems.

5. We have never received requests from any court. It is impossible to release personal information because we actually don’t have it.

6. BitTorrent and all traffic of such type is allowed on all of our servers.

7. CommerceGate and PayPal. We don’t store any information about user card details, all transactions are processed at the payment system side. The payment system just uses the username registered on our web-site and the filled in purchase form to link the payment to concrete user.

8. The most secure VPN protocol we provide for our service is OpenVPN. There are many benefits to using OpenVPN, one of them is an ability to use more bit count encrypted.

TorrentPrivacy website

PROXY.SH

1. We do not keep any logs and we do not record any IP-address, headers or anything. In terms of time stamp, we only record those associated with support tickets creation and update (invoices and renewals are only recorded by date) for management purposes. The only personal information we do record is an email address and a payment type, that corresponds to either the word “Money” or “Bitcoin”. This is made clear in our privacy policy. Our system will also hold services credentials, namely the account password and network login/password pair. All this data can be permanently removed at any time on customer’s request. All other data and information involved in our operations (connections, traffic, etc.) is neither monitored nor recorded.

2. We operate from the Republic of Seychelles and our staff members are residents in the following countries: Germany, Bulgaria, Switzerland, Ukraine, Philippines, Laos, Seychelles, Argentina and Croatia. We will only share information we hold with a third party when we are obliged by the law to do so, and only if we are able to alert our users in advance or in real time through our Transparency Report. If we are told that we cannot disclose anything, we will attempt to circumvent this illegitimate censorship with our Warrant Canary and ultimately, cease operations in the concerned jurisdiction.

3. When we need to respond to an abuse that our network is provoking or being victim of, we will simply block the related ports or protocols and see if the problem has been resolved by doing so. If not, we might temporarily install on the specific node a Wireshark or a TCPDump instance and we will play with various settings, mostly involving iptables, to mitigate the problem. We will never keep any logs generated during such interventions. We will always let our members know about such interventions through our Network Alerts, either in advance of several days or in real time, depending on the urgency of the matter. Our system will also tweet in real time about such interventions.

4. When we receive a DMCA takedown notice or any other similar copyright-related abuse notice, we will shut down the port related to the infringement, reset our customers’ accounts in order to prevent them from forwarding this port any further and we will publish a public report about both the notice and our intervention in our Transparency Report (https://proxy.sh/report) as well as at the Chilling Effects Clearinghouse. Our system will also tweet in real time about such interventions.

5. When we receive a valid court order asking to identify an active user of our services, we explain that we are technically unable to do so and we provide in return an open access of the related server to the competent domestic authority who may have more adequate forensic capacities to undertake such identification. We also publish a notice to our users into our Network Alerts that this node is now open to inspection by local and (potentially) international authorities. Our system will tweet in real time these notices. We will also consider shutting down the node and eventually ceasing full operations from the concerned jurisdiction depending how the intervention is carried out and the level of guarantee to privacy that is left offered after the intervention.

6. We do not undertake any segregation of usage type among our servers. Users are completely free and responsible to do whatever they want, including BitTorrent and any file-sharing activity. They are only subject to the restrictions we put to our network, which are limited to ports blocking and IP/range/domain destination blacklisting, initiated by our responses to abuse.

7. We accept no less than 90 different payment methods, including but not limited to PayPal, VISA, Mastercard, Discover, American Express, Maestro, UnionPay, WebMoney, SMS and phone payments, PaySafeCard, Ukash, Neosurf, Allopass, clickandbuy, Alipay, giropay, iDeal, bank transfers and various additional OTR methods as well as e-wallets. Of course, we also support Bitcoin payments. There is no link between user accounts and their payments, except a simple nomination known as either “Money” or “Bitcoin”. Invoice numbers and timestamps have sufficient discrepancies to not permit any relationship between panel/VPN accounts and payments. Moreover, we do not hold and manage directly the various payment methods offered: we use administrative and financial third parties such as our incubator, Three Monkeys International, and our processor, PaymentWall.

8. While we always recommend our most tech-savvy customers to get in touch with us to try out our latest encryption experimentations (Serpent, ECC-curve25519, etc.), we recommend the generally security-aware customers to use SHA-512/AES-256-CBC/DH-RSA-4096 combination (4096-bit RSA with strong cypher and strong auth security) made available across most of our network. For all our ‘normal’ customers, we still enforce SHA1/AES-256-CBC/DH-RSA-4096 combination (4096-bit RSA with strong cypher and sufficient auth security) on them, which provides decent security and optimal stability. Both our system and software are designed in such a way that we will continuously increase our encryption levels when necessary. We also provide TOR bridges, exit nodes and OpenVPN compatibility as well as OpenNIC log-free DNS, SSH and SSL tunnels, to leverage the power of the OpenVPN encryption schemes our customers may use.

Proxy.sh website

HIDEIPVPN

1. We do not log users’ IP addresses. Since we are a company registered in the US we are not required to maintain such logs. Our logs only check account name (this is chosen by the user) and if a connection was established with the VPN server. This is the only way for us to help users in case of technical problems (we can check if there was any connection), also this helps us to refund money if a new customer was not able to connect to any of our servers. This information is automatically overwritten with new data after 3 days.

There is no way for any third-party to match a user IP to any specific activity on the internet.

2. We operate under US jurisdiction. The only way we would share our information is under court order (as would any other company).

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than 3 VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP addresses, there is no way any third party could connect any online activity to a user’s IP address.

As it would put us and our other user at risk we do not comment on our internal policies in this regard.

4. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make it impossible to track who downloaded any data from the internet using our VPN.

5. We would reply that we do not have such measures that would allow us to identify a specific user.

6. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – the reason for this is due to our agreements with data centers. We also have specific VPN plans for torrent users.

7. We currently accept payments via PayPal, Credit/Debit card, PayPro. Bitcoin acceptance is currently being tested. If it proves popular with our users it will stay with us.

8. We would recommend OpenVPN and SSTP protocols.

HideIPVPN website

SLICKVPN

1. We do NOT have the ability to match an IP address with a time stamp to derive the identity of any user of our service. We utilize shared IP addresses, so it is not possible to match a user to an external IP. In addition, all of our gateways operate from RAM, so no data is written to disc. In case of theft or forceful shutdown, all data is lost.

2. We maintain server locations in various countries but we are a US-operated corporation so therefore we are not subject to data retention laws.

3. We do not allow outgoing SMTP which could open us up to SPAM issues. We do not actively check our service for abuse at the account level, instead we check at the server level. The difference is checking a server for real-time abuse instead of checking logs for historical abuse.

4. We do not have logging, but if a DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session.

5. We obviously have to comply with valid court orders, but without logging we can not identify users of past activity. We also offer the ability to sign up anonymously using BitCoin.

6. Yes

7. We accept PayPal, Credit Cards, and Bitcoin. We only store the minimal billing information required to provide customers refunds. We suggest users most concerned about privacy should sign up with Bitcoins and use an anonymous email address.

8. OpenVPN with AES256

SlickVPN website

OCTANEVPN

1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written on our gateways. Our gateways utilize shared IPs, so there can be more than one customer using an IP which further adds to privacy.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route the traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

Our business structure is divided into two independent companies that do not share information. One company manages the network and hardware. A separate independent company operates the website that customers use. Customer data is not shared between the two – only a token – so, in addition to not being able to locate a user by IP address and timestamp, the company that might receive such a request has no customer data to provide since customer data resides in another independent company.

2. We are a US-based company. Our privacy policy prevents us from sharing customer confidential information with 3rd parties. The only situation where this occurs is in connection with supplying enough information for our fraud detection / payment processors to approve payment transactions. The US does not have laws requiring data retention.

3. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues.

4. If we receive a DMCA takedown notice or its equivalent and the customer’s current session during which it was generated is still active, we put the account on hold and notify the customer.

5. As a US company, we would comply with a successfully executed subpoena issued by a court of competent jurisdiction in a request for specific information. There would likely be little useful information we could provide. The US does not have data retention requirements. If the subpoena were to be of a vague, general or fishing nature, we would likely push back and request specificity.

6. We operate with net neutrality, with the exception of outgoing SMTP.

7. Bitcoin, Credit/Debit Cards, PayPal. Our billing and account management systems are separate and use a token method. We are organized such that one company manages our network and another independent company with different beneficial ownership manages customer interaction. This divided arrangement provides another layer of anonymity. Bitcoin allows maximum anonymity since all that is needed is an email address. There are plenty of options for anonymous email addresses. Disposable/reloadable credit cards are another anonymity enhancing tool.

8. We recommend OpenVPN / AES-256. We offer IPsec as well, but typically OpenVPN offers more flexibility over IPsec. We also offer PPTP for compatibility with older devices, but would not recommend it if OpenVPN is an option. Our OpenVPN client also offers DNS leak protection.

OctaneVPN website

IPVANISH

1. IPVanish has a no-log policy. We keep no traffic logs.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish has no monitoring in place. To elaborate, IPVanish does not sniff or monitor any user’s traffic or activity for any reason.

4. IPVanish keeps no logs of any user’s activity and responds accordingly.

5. IPVanish, like every other company, has to follow the law in order to remain in business. Only US law applies.

6. P2P is permitted. IPVanish in fact does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

7. PayPal and all major credit cards are accepted. Payments and product use are in no way linked. User authentication and billing info are held on completely different and independent platforms.

8. OpenVPN generally provides the strongest encryption algorithm, so that is the recommended encryption protocol. IPVanish also allows a choice between TCP and UDP, and UDP is generally recommended for better speed.

IPVanish website

LIQUIDVPN

1. Absolutely not. We have customized our AAA (authorization, accounting and authentication) database so that there is very little data actually stored within the database. We have developed our own version of RADIUS for this very reason. Furthermore we use Mikrotik and our own heavily modified Gentoo kernel to completely silence logging across all of our systems.

2. We operate from within the USA. There are only three instances where any information we collect would ever be shared. They are:

1. Billing Disputes (charge-backs/fraud) – Once a subscriber files a charge-back or billing dispute we will attempt to email them to verify and/or resolve the dispute. If we do not hear back from them within 7 days and they have an accumulated total of over 1GB of data transfer on our network then we will forward any information we have collected over to the credit card processor or PayPal in an attempt to resolve the dispute and to aid in any fraud investigation.

2. Court Order – If we receive a valid court order we will work closely with the law offices of McDonald Hopkins who specialize in Data Privacy and Network Security law and if applicable our ethics group. Then based on their evaluations make a decision on how to respond to the court order and publish it in a transparency report.

3. Ethics Violation – In the unlikely event that a complaint comes to us with a report from an attorney and an IT forensics analyst providing considerable proof that an ethics violation has taken place which will likely result in the harm of another human being our ethics team will publish the reports and original violation in a transparency report. They will review the complaint and if enough evidence exists to persuade them that an actual violation has indeed taken place they will update the transparency report with our intended course of action. We may start closing ports, creating null routes or adding layer 7 filters on the node in question. In some circumstances we may do nothing at all and in extreme cases we may even shut down the node to help mitigate the damage. The ethics group will then forward any information about the case to law enforcement agencies and qualifying NGOs.

Be it a court order, abuse report or ethics violation our code of ethics will be followed at all times.

3. Currently we use Zabbix to monitor the performance and load of our network; it will notify us of anything it considers abnormal. We use OSSEC to monitor firewall logs, detect root-kits, login attempts and do system integrity checks. We use Layer 7 filters to mitigate most forms of abuse. Some filters are created on demand and are based on the type of abuse we are attempting to stop while others will run constantly searching for patterns.

4. When we receive take down notices we do the following:

– Verify that the claim is valid, not a duplicate and provides all of the required information laid out in 17 U.S.C. § 512(c)(3).
– Post the notice in a transparency report along with our intended course of action. Ranging from nothing, blocking ports, null routes, blocking files, rate limiting P2P or simply leaving the jurisdiction. We then create a layer 7 firewall rule that enables the step above.

Finally we respond to the take down notice letting the sender know that we do not condone the use of our VPN service to violate copyright laws and reassure them that we do not store any content our users upload or download on our servers and that our service is completely automated. We inform them that LiquidVPN is solely a transitory digital network communications provider as defined in 17 U.S.C. § 512(a) and that we are unable to delete any content that may be infringing or even identify a particular user that may be violating the copyrights of the media in question. We assure them that we have taken all of the steps within our power to stop the distribution of the media in question.

5. It really depends on the scope of the court order, reason for the order and jurisdiction the order is coming from. I would love to say it’s a black and white thing and that we would pull out of the jurisdiction no matter what but that’s just not true. If the court order is about an offence that violates our ethics policy and provides reasonable proof of the violation our ethics team will publish the order and any proof provided. The ethics team will be responsible for the decision to comply, fight or leave the jurisdiction. If they have determined the complaint is a violation and are able to comply by handing over the records of the offender then we will forward over all of the information we have regarding the user in question.

If the order does not know who the user is and they are asking for a more far-reaching type of access that will jeopardize the privacy of the users we are contractually bound to protect and for the sake of argument have included a gag order then the ethics team will carefully go over the court order and decide if it is possible to fight it in court. If we must close down some or all of our network and relocate to another jurisdiction we are contractually bound to do so by our ethics policy. Users would either be directly alerted or indirectly alerted by the tripping of the warrant canary.

6. We do not believe in restricting P2P on our network because of how great of a file transfer service it is. So all servers are P2P-enabled but we only allow legal P2P in the USA and UK. Meaning we sometimes have to take measures in the USA and UK that render all P2P including legal P2P unavailable for a length of time. We allow ALL types of P2P in Romania, Netherlands, Germany and likely by the time anyone sees this Canada.

7. We accept Bitcoins, Cash, Check and PayPal. We only require an email address, password, first name and country to sign up for service so there is not a lot of information actually linked to a user’s account. With that being said, we do maintain a record of the data mentioned above along with the order #’s, total VPN logins and used bandwidth per account.

8. Well LiquidVPN has developed a technology called IP Modulation. It is a block of public IP addresses shared between all of the OpenVPN servers in a cluster (2+) that are handing out shared IP addresses. Everyone connected to these servers will share the same pool of public IP addresses and the IP addresses continuously and randomly rotate between users the whole time you are connected. It allows users to have all of the benefits of shared IP addresses, plus makes any kind of tracking from an external IP address much harder because there are potentially people from 2 or 3 servers grouped together and all broadcasting data on 30+ public IP addresses. I like to think of it as a game changer for privacy.

So if it were me I would connect to one of the modulating OpenVPN servers that offer AES-256-CBC cipher and SHA512. With the optional IPS firewall enabled. If I am on a Laptop or PC with a good processor I might elect to use one of the configurations that include TLS-DHE-RSA-WITH-AES-256-CBC-SHA but using TLS-DHE-RSA-WITH-AES-256-CBC-SHA with IP modulation requires a LOT of processor power so it is only really recommended for certain users.

LiquidVPN website

AIRVPN

1. No, we don’t keep any log that might be exploited to reveal customers’ personal data during connections, including real IP address. For example OpenVPN logs are sent to /dev/null (Air is based on OpenVPN). Our privacy policy is available here: https://airvpn.org/privacy

On top of that our VPN servers do not maintain any account database.

2. Italy. We do not share any information with any 3rd party.

3. Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (for example UDP floods) against or from our servers.

4. They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

5. No help can be given about past connections because we don’t log, monitor or inspect our clients traffic, and we don’t and can’t require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with subsequent investigations and if possible with the help of proper and competent authorities.

6. Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

7. We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account only in order to provide service delivery and to comply with our refund policy.

8. We put into practice the recommendations of security experts and best practices on our setup, based exclusively on OpenVPN with the following features:

RSA keys size: 4096 bit
DH keys size: 4096 bit
OpenVPN Data Channel: AES-256-CBC
OpenVPN Control Channel: HMAC SHA1
TLS Auth: Yes
Perfect Forward Secrecy: Yes (keys are re-negotiated at each new connection AND every 60 minutes, through DHE)

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client private key, the client traffic can’t be decrypted.

AirVPN website

VPN.S

1. We do log connections to the servers for providing troubleshooting support to our customers, but these logs are securely and automatically deleted once every 24 hours. Manual weekly reviews are done to ensure the automated process has been carried out as intended by our systems.

2. The company (VPNSecure Pty Ltd) is registered in Australia. The following customer information is stored “username / password / email address”, we do not share this information with any third party.

3. We mitigate SPAM email sending, we employ simple Port blocking to standard email ports, customers with Dedicated IPs can enable email sending. In extreme cases we may employ a simple “string” match in our firewall which does not Log any traffic it simply denies the forwarding traffic containing the string parameter in our firewall.

4. Requests in regards to DMCA are answered, unfortunately we are unable to determine which user is responsible for the DMCA notice and therefore cannot provide any further information to these notices.

5. Requests from law enforcement are sent directly to our Legal team. Requests are always different and are handled as per the request made, but generally we are unable to provide any definitive information due to the reasons outlined in questions 1 & 4.

6. Torrents are allowed over our network.

7. We provide PayPal / AlertPay / Perfect Money / Bitcoin / Cashu / Skrill / Credit Card.

We recommend that customers use anonymous payment methods such as Bitcoin (preferred) or Perfect Money. The Transaction ID is stored against the “username” to help mitigate chargebacks and reversals from main stream payment providers.

8. OpenVPN is recommended since it’s the most flexible and secure VPN protocol available, using 2048 bit Keys, available over both UDP and TCP. We have also planned a traffic obfuscation feature to further protect detection of VPN traffic for our customers.

VPN.S website

VPN.AC

1. We keep connection logs for one day only, in order to help us troubleshoot some common problems: invalid logins, router VPN pass-through issues, etc. These include source IPs, connection start/end time and bandwidth usage. However, we do not log any traffic data.

2. Our company is legally registered in Romania. We won’t share anything with any 3rd party unless we are forced to do so under a Romanian court order/subpoena, and this has not yet happened. EU Data Retention Directive (2006/24/EC), widely misinterpreted and used as a reference, does not apply to us, since we are not an ISP or a telecom provider.

3. We do not monitor anything, but we can obviously intervene to stop ongoing abuse, such as spamming, mass-scan etc, if demanded by our hosting partners. We can do this without logging or monitoring anything simply by blocking malicious traffic on affected servers using iptables.

4. We use shared IP addresses, so it is virtually impossible to identify users involved in copyright infringement – even if we wanted to do that. There is nothing to share both due to technical limitations and to our commitment to respect customers’ privacy. We reply that the content is not stored on servers.

5. This has not yet been the case, so we do not really know. Were such to happen, we would work closely with our lawyers and consider all options available.

6. We allow file-sharing only in certain locations. We don’t allow it everywhere, especially in US locations, because it would create some problems – not only for us, but to other customers expecting us to deliver a reliable service.

7. Mainly Paypal and Bitcoin, but also Credit/Debit and lots of prepaid cards, virtual currencies and other methods. Personally identifiable information, such as names, may be provided by customers upon placing an order.

8. We offer AES-256 cipher for data encryption, PFS (hourly rekeying), SHA512 HMAC with 4096-bit RSA keys, generated the right way: offline on a secure machine, using multiple sources of entropy.

DNS queries are encrypted between VPN nodes and DNS resolvers. Resolvers generate millions of DNS queries to existing domains, mixing this script-generated “noise” with legitimate queries of our VPN users, to ensure that potential wiretapping/monitoring against our DNS resolvers will be totally ineffective.

VPN.ac website

PERFECT PRIVACY

1. No. Our service and its infrastructure were designed in a way so that we can not possibly track users even if we wanted to. We keep no connection logs whatsoever.

2. Our servers are operated in accordance with the law of the respective country they are located in. If we are required by law (court orders) to cooperate we will do so to the extent that is possible: Since we do not store any data that can be used to track or identify users, this cooperation is usually limited to a brief correspondence.

3. We do not monitor any activity except for general usage and bandwidth of our servers so we can provide this information on our server status page. Should abuse occur it is dealt with on an individual basis.

4. Because we do not host any data related to copyright violations, DMCAs do not directly affect us. Should a company try to use a DMCA to get to our users we kindly explain that as a VPN we have no information about who is responsible for which traffic.

5. As answered above, we do comply with court orders when required by law. By experience, our initial reply explaining that we are an anonymizing service and do not have any data that could be used to identify our users, is enough to settle the issue.

6. Yes, BitTorrent and other file-sharing is allowed on almost all servers (some datacenters, especially US-based ones block torrent traffic).

7. We offer a variety of payment options ranging from anonymous methods such as sending cash, Bitcoin or PaySafeCard. However, we also offer payment with Credit Card and PayPal for users who prefer that option. We keep no data about the payment except for when the payment was received which is linked only to an anonymous account number.

8. While we offer a range of connection possibilities we would recommend using OpenVPN with 256 bit AES encryption.

Perfect Privacy website

UNSPYABLE

1. We keep no logs whatsoever.

2. USA and UK VPN services are provided via our USA offices which also includes our billing system. Our offshore VPN network (Cyprus, Czech Republic, Hong Kong, Iceland, Netherlands, Norway, Panama, Russia, Sweden and Switzerland) is physically isolated from our USA operations and shares no connection to it.

We will not provide any information to anyone unless they are an authority having jurisdiction, in which case we would cooperate with them. However, since we keep no logs of anything we have very little to provide them. Anything we have to provide them such as customer names can be gotten from the customer’s credit card company or the payment processor much more efficiently. Bitcoin is one of our payment options and can help minimize access to such information.

3. We don’t monitor anything. If we receive notice of criminal activities we will use non-invasive techniques (without logging) to try to determine who the user is and terminate their access. None of the previous paragraphs applies to P2P activities which are allowed on all servers except in the USA and UK where packet filtering is used.

4. Our offshore servers where P2P is allowed are in countries and datacenters that do not forward such notices. If we were to receive such a notice we would reply to it appropriately. Since we don’t log anything our reply would not include any information on the user.

5. If we were to receive a request from an authority having jurisdiction we would cooperate with them. However since we keep no logs of anything we have very little to provide them. Anything we have to provide them such as customer names can be gotten from the customer’s credit card company or the payment processor much more efficiently and without us even knowing about it. Bitcoin is one of our payment options and can help minimize access to such information.

6. It is allowed on what we define as our offshore servers (see question 2). It is not allowed on USA and UK servers due to the issues involved. There is no benefit to the user to use USA or UK servers over the offshore servers for P2P. Therefore we do not believe this to be any limitation to our users.

7. Bitcoin, Amazon Payments and PayPal. Our online authentication servers contain no customer personal information. We keep customer email addresses offline in case we need to contact the customer for some reason. We do not keep any other personal information regarding the transactions. Obviously the payment providers have a record of the transaction as well that is beyond our control.

8. We recommend OpenVPN with 256 AES and 2048 bit RSA. For maximum privacy we recommend our multi hop servers. However, due to the multiple hops they will not be the fastest for P2P or streaming applications.

Unspyable website

HIDE.ME

1. We have developed our system with an eye to our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all. Link: https://hide.me/en/legal#privacy

2. We’re a Malaysian incorporated company which is not subject to any mandatory data retention laws. We strictly do not log any personal data to avoid legal liability, and to ensure your online privacy. Furthermore we do not store any logfile on our VPN servers, it’s not our job to monitor or filter your data.

3. We only offer our services based on our ToS, and we have a zero tolerance on any kind of abuse. Nevertheless it is not our job to monitor or control our users’ activities, that’s also a main reason why we don’t throttle or block any kind of traffic.

4. Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.

5. The company is incorporated in Malaysia. If a court order is received from a recognized legal authority with jurisdiction over hide.me then the company shall comply with that order. However, the company cannot be compelled to hand over information which it does not have. When a customer signs up we request as little information as possible; a valid email address. If it ever becomes required by law for us to keep a persistent log of our customers connections or any personal data relating to their network activity, we will immediately notify our customers and do everything in our power to move jurisdictions or close the service to protect those who entrust their privacy to us.

6. BitTorrent is allowed on all locations without restrictions. However, we encourage our users to avoid the US/UK locations for their filesharing activities.

7. We support over 80 international payment methods, including Paypal, Credit Cards, Bank transfer, PaySafeCard and UKash.
All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.

8. Our most secure VPN connection is IPsec over IKEv2 (AES-256 / SHA-512) and OpenVPN with AES-256 using a 4096-bit SHA-512 HMAC authentication. We strongly recommend IKEv2 since it’s performing really fast and is more reliable than OpenVPN.
We are one of the few providers that support a wide range of protocols: OpenVPN, IPSec (IKEv1 & IKEv2), L2TP/IPSec and PPTP.
Link: https://hide.me/en/features/protocols

Hide.me website

SEED4.ME

1. We do not monitor or do DPI on user connections, but we store session information for 7 days in order to support network health. This data is not stored on the VPN servers themselves but rather sent to a central secure server. It is not shared or used for any other purpose than debugging connectivity issues.

2. Servers are located in US, UK, Hong-Kong and Netherlands, but we operate under Taiwanese jurisdiction now. In general, the location of VPN servers is not important, since there is no data stored. Even if it is confiscated, there is nothing to see. Authentication and accounting is happening in another place. Regarding enforcement agencies. We do not welcome illegal activities like CP, SPAM, hacking, abuse, DDoS. Our service was made to promote freedom and security, rather than harm other people. I always like to compare it with a kitchen knife, you can cook the food or kill people with that. We do not want it to be used for the second. But our rule is simple – we do not share data regarding our clients. When we handle a complaint, we do everything to stay legit and stop malicious activity with the firewall.

3. We use a firewall to stop the activity, we do not have any special traffic monitoring system.

4. In order to function properly and provide services to most of our clients we had to be proactive in fighting DMCA notices. We already had to process several dozens of them and even one of our servers was null-routed. So finally we came up with the following rules: if a DMCA complaint is related to a single case of violation on a single IP address, we stop this violation with the firewall when it occurs and redirect the rest of the traffic internally through our network to another exit IP. Since we can not identify the user, but have to push the notice further, we do mass-mailing or publish the complaint on Facebook. There are no circumstances requiring us to disclose client information so it never happened. We advise our clients to use servers in countries where P2P traffic is not monitored by Copyright Agencies.

5. We are not aware of any legislation requiring us to share client information and we are not aware of any precedents in Taiwan where client information was disclosed. We do not hold much information anyway. But again, we do not welcome illegal activities which potentially harm other people.

6. Currently P2P and BitTorrent traffic is restricted with a firewall on US servers, users are welcome to use these protocols in Netherlands for instance. VPN gives an opportunity to change jurisdiction virtually, why would somebody want to violate the rules if it is possible not to?

7. We accept PayPal and Bitcoin straight from the website. We store the transaction ID in order to prevent double payments, the rest of the information is handled by the PayPal payment system. Bitcoin is fairly anonymous and we generate a new payment address for every transaction.

8. We use the best that’s possible from PPTP, it is MPPE 256-bit encryption. Our experiments show that PPTP is a good trade-off between performance, security and easy setup for the user. Recently L2TP has been launched in production mode on all servers and we are updating the website to provide automatic configuration support. L2TP/IPSec with 1024 key encryption would be the most secure option, but not necessarily the fastest one, since it requires a lot more computations from both sides.

Seed4.me website

SHADEYOU VPN

1. ShadeYou VPN does not keep any logs. The highest level of privacy is a main mission of ShadeYou VPN. Everybody can read our Privacy Policy here – http://shadeyouvpn.com/privacy-policy . To use our service only a username and e-mail are required. No personal or real data is required.

2. ShadeYou VPN company operates under the jurisdictions of The Netherlands. There are no existing cases according to which we can share some information with third parties. Even if such a situation appears, we just don’t have any information that can be shared with third parties because we don’t keep any kind of logs.

3. We absolutely do not monitor any traffic or user activity. Even if we receive a serious abuse notification we can’t start monitoring our users because it will violate the main mission of ShadeYou VPN.

4. The abuse team of ShadeYou VPN answers as follows:

a) we do not store any illegal content on our servers;

b) every one of our users agrees with our privacy policy while registering, so we warned that illegal actions are prohibited and at this time we are not responsible.

c) we do not have any personal data of our users or any logs of their activities that can be shared with third parties because we simply do not store it.

5. Sharing any personal data of our users is absolutely impossible since we do not store it and do not keep any logs.

6. BitTorrent and any other file-sharing traffic is allowed on all our servers. There’s only one exception, and that’s for users who use a trial version.

7. ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, and also accepts payments via Visa, Master Card, Maestro. Bitcoin will be added soon.

8. ShadeYou VPN offers PPTP, L2TP and OpenVPN. Every user can choose the protocol he or she requires. We strongly recommend using OpenVPN since it is the safest and uses the strongest encryption.

ShadeYou VPN website

SECUREVPN.TO

1. We do not log the IP, the source or destination of our customers’ traffic or any other individually identifying information.

2. Each server is handled with the jurisdiction at the server’s location. Since we do not log anything, we have no information to share with any authority.

3. There are no tools which monitor our customers. If it comes to an abuse, we have techniques which don’t need any logging to prevent any further abuse.

4. As already mentioned, we keep no information about our customers. We will reply to the DMCA takedown but we can’t provide information which we don’t have.

5. This didn’t happen yet but if we would be forced to identify one of our customers at a specific server location, we are going to cancel this server. Under no circumstance are we going to log, monitor or share any information about our customers.

6. Yes it is allowed on all servers.

7. We are offering a wide range of anonymous payment methods like Bitcoin, Litecoin, Feathercoin, Worldcoin, Dogecoin, Megacoin, Perfect Money, Paysafecard and Ukash. All transactions are processed by our own payment interface. No third party payment processor receives information about any payment. We use a random transaction ID which will be deleted after the payment is completed.

8. We would recommend OpenVPN, available in UDP and TCP mode. We are using AES-256-CBC for traffic encryption, 4096 bit RSA keys for the key exchange and SHA-512 as HMAC. These settings offer you the highest grade of security available.

SecureVPN.to website
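
The OpenVPN parameters that AirVPN and SecureVPN.to state in their answers to question 8 can be compared against the client configuration file a provider actually distributes. The Python script below is an added example, not code from this article or from any provider; the mapping of each stated parameter to an OpenVPN directive (`cipher`, `auth`, `tls-auth`, `reneg-sec`), the sample config and its host name are assumptions constructed for illustration.

```python
import re

# Parameters stated in the answers to question 8, mapped to OpenVPN client
# directives. The mapping is an assumption of this example.
CLAIMS = {
    "AirVPN": {"cipher": "AES-256-CBC", "auth": "SHA1",
               "tls-auth": True, "reneg-sec": 3600},
    "SecureVPN.to": {"cipher": "AES-256-CBC", "auth": "SHA512"},
}

# Constructed sample client config (not a real provider file).
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 443
# data channel settings
cipher AES-256-CBC
auth SHA1
reneg-sec 3600
key-direction 1
<tls-auth>
(constructed placeholder, no key material)
</tls-auth>
"""


def parse_ovpn(text):
    """Return {directive: [args]}; inline <tag> blocks are recorded by name only."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <tag> ... </tag>: skip the body
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
            directives[inline] = ["[inline]"]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def _norm(key, value):
    """Case-insensitive compare; digest names also ignore hyphens (SHA-512)."""
    v = str(value).upper()
    return v.replace("-", "") if key == "auth" else v


def audit(text, claimed):
    """Return [(directive, status, detail)] with status ok/mismatch/missing."""
    cfg, findings = parse_ovpn(text), []
    for key, want in claimed.items():
        have = cfg.get(key)
        if have is None:
            findings.append((key, "missing", "not set in this file"))
        elif want is True:
            findings.append((key, "ok", "present"))
        elif have and _norm(key, have[0]) == _norm(key, want):
            findings.append((key, "ok", have[0]))
        else:
            findings.append((key, "mismatch", f"file has {' '.join(have)!r}, claim is {want!r}"))
    return findings


if __name__ == "__main__":
    for provider, claimed in CLAIMS.items():
        for key, status, detail in audit(SAMPLE_CONFIG, claimed):
            print(f"{provider:13} {key:10} {status:9} {detail}")
```

A client file only shows what the client is configured to request; key sizes, options pushed by the server and server-side logging cannot be confirmed this way.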