When assessing VPN services, one of the most important things to take a look at is their logging policy. The best policy in this regard is no logging at all, but this isn’t an option for all providers. In some nations, the providers are required to keep logs of user activity and to hand over those logs upon a legal request. Of course, legal requests have become murky things over the years and, for some companies, this may mean being served with secret warrants that their users can never know about.
Another option is reporting to the public any requests for information and DMCA takedown requests that have been filed with the company. Proxy.sh has decided to do so, but reporting doesn’t eliminate all of the potential problems.
Good VPN providers will engage in no logging, or at least very limited logging. The issue with these policies is that there’s really no way to verify that they’re being followed. The user essentially has to take the company’s word for it and, likely, if a warrant were ever served, the user wouldn’t even know it.
One way to get around this is to use companies that are based offshore. This allows users to take advantage of the fact that not all nations have the type of secret court and secret monitoring systems that are now in place in the US. Of course, there is still a measure of trust involved. It’s also known from the leaks that Edward Snowden published that the NSA can tap into overseas traffic by monitoring weak points along the connection and gathering the data.
For companies that do not log, the next step up in privacy policies is offering regular reports to users as to when and by whom they were served requests for information or takedown requests. Proxy.sh has started doing this. As was revealed in Ars Technica, however, the company’s reporting is a bit sketchy. The company is based in the Seychelles, which is well known and popular as a corporate tax haven.
The company doesn’t actually publish the full names of anyone involved with its operations, so there is still a lack of accountability to deal with. In the Ars Technica article, the “legal expert” who gave information on what the company might be required to do could not be found listed as a barred lawyer in his home nation, and little other information was available about him.
What to Do?
Combining warrant canaries, transparency reports and a policy of not logging traffic is the best approach for user privacy. Few companies offer all three. With more consumer pressure on the companies, however, this could change in the future.