How to choose the best VPN service?

VPN services have become an important tool to counter the growing threat of Internet surveillance, but unfortunately not all VPNs are as anonymous as one might hope. In fact, some VPN services log users’ IP-addresses and other private info for months. To find out how anonymous VPNs really are, TF asked the leading providers about their logging practices and other privacy sensitive policies.

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.

By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.

 

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdiction(s) does your company operate?

3. What tools are used to monitor and mitigate abuse of your service?

4. Do you use any external email providers (e.g. Google Apps) or support tools (e.g. Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?

7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?

8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

9. Which payment systems do you use and how are these linked to individual user accounts?

10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you use your own DNS servers? (if not, which servers do you use?)

12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?

Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, as were those who simply failed to respond.

Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for those who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.

We are also working on a convenient overview page as well as dedicated review pages for all providers, with the option for users to rate theirs and add a custom review. These will be added in the near future.

VPNS THAT KEEP NO LOGS

PRIVATE INTERNET ACCESS

1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.

2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.

3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.

4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.

5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.

6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have.

7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”

8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.

10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacies including:

– Kill Switch : Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection : Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection : This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System : We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

11. We are currently using our own DNS caching.

12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.

Private Internet Access website
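
One way to check a client profile against the points raised in question 10 (cipher, digest, DNS and IPv6 leak handling), as an added example that is not code from the article or from any provider. The sample configs and the host `vpn.example.net` are constructed, and options pushed by the server are not visible in a client file, so a warning means "verify", not "broken".

```python
# Added example: audit an OpenVPN client config for the settings raised in
# question 10 (cipher, HMAC digest, DNS and IPv6 leak handling).
# Both sample configs are constructed for illustration.

# Ciphers with a 64-bit block size, plus "no encryption".
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
WEAK_DIGESTS = {"MD5", "NONE"}

WEAK_SAMPLE = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher BF-CBC
auth SHA1
<ca>
# certificate body omitted in this constructed sample
</ca>
"""

HARDENED_SAMPLE = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher AES-256-CBC
auth SHA256
redirect-gateway def1 ipv6
dhcp-option DNS 10.8.0.1
block-outside-dns
remote-cert-tls server
"""


def parse_directives(text):
    """Return {directive: [argument lists]}, skipping comments and inline blocks."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <ca>...</ca>, <key>...</key>, etc.
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_openvpn_config(text):
    """Return a sorted list of (severity, message) findings for one config."""
    d = parse_directives(text)
    findings = []

    ciphers = [a[0].upper() for a in d.get("cipher", []) if a]
    for args in d.get("data-ciphers", []):
        if args:
            ciphers += args[0].upper().split(":")
    if not ciphers:
        findings.append(("warn", "no cipher set: result depends on client/server defaults"))
    for c in ciphers:
        if c in SMALL_BLOCK_CIPHERS or c == "NONE":
            findings.append(("fail", f"weak cipher {c}"))
        elif not c.startswith(("AES-256", "AES-128", "CHACHA20")):
            findings.append(("warn", f"cipher {c} is not one the providers recommend"))

    for h in (a[0].upper() for a in d.get("auth", []) if a):
        if h in WEAK_DIGESTS:
            findings.append(("fail", f"weak HMAC digest {h}"))
        elif h == "SHA1":
            findings.append(("warn", "auth SHA1: SHA256 or SHA512 is the stronger choice"))

    # Routing and leak handling. The server may push these, so absence is a warning.
    gw_flags = [f.lower() for args in d.get("redirect-gateway", []) for f in args]
    if "redirect-gateway" not in d:
        findings.append(("warn", "no redirect-gateway: default route stays outside the tunnel unless pushed"))
    if "ipv6" not in gw_flags and "block-ipv6" not in d:
        findings.append(("warn", "IPv6 neither routed nor blocked: possible IPv6 leak"))
    has_dns = any(a[:1] == ["DNS"] for a in d.get("dhcp-option", []))
    if not has_dns and "block-outside-dns" not in d:
        findings.append(("warn", "no DNS server or block-outside-dns: DNS may use the ISP resolver"))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label)
        for severity, message in audit_openvpn_config(sample) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

A kill switch is not an OpenVPN config directive; it is enforced by firewall rules or the provider's client, so it has to be verified separately.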

TORGUARD

1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.

2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.

3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.

4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure member’s area without any information passing through an insecure channel.

5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

7. No, at this time we do not have a warrant canary.

8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.

9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosey ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built in WebRTC leak block feature for Windows Vista/7/8 users.

11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.

12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.

TorGuard website

IPVANISH

1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation as to not affect other users.

4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.

5. IPVanish keeps no logs of any user’s activity and responds accordingly.

6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.

7. No.

8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.

10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.

11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.

12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.

IPVanish website

IVPN

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability.

2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.

3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.

4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc. all run on our own dedicated servers that we set up, configure and manage.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.

7. Yes absolutely, we’ve published a canary since August 2014.

8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.

10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.

12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized its data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversary’s job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong-Kong, USA, UK and Canada.

IVPN website

PRIVATEVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.

2. We operate in Swedish jurisdiction.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.

5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

7. We’re working on a solution where we publish a statement that we haven’t received legal process. Once we receive a legal process, this canary statement is removed.

8. Yes, we allow Torrent traffic.

9. PayPal, Payson, 2Checkout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leak but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.

11. We use a DNS from Censurfridns.

12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.

PrivateVPN website

PRQ

1. No

2. Swedish

3. Our own.

4. No

5. We do not care about DMCA.

6. We only require a working e-mail address to be a customer, no other information is kept.

7. No.

8. As long as the usage doesn’t violate the ToS, we do not care.

9. None of the payment methods are linked to a user.

10. OpenVPN, customers have to monitor their service/usage.

11. Yes.

12. Everything is inhouse in Sweden.

PRQ website

MULLVAD

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.

2. Swedish.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.

8. Yes.

9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).

11. Yes, we use our own DNS servers.

12. We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.

Mullvad website

BOLEHVPN

1. No.

2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.

3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.

4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.

5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.

7. Yes.

8. Yes it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.

9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

11. Yes we do use our own DNS servers.

12. Our VPN servers are hosted by third parties however for competitive reasons, we rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customer’s information.

BolehVPN website

NORDVPN

1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).

2. NordVPN is based out of Panama.

3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.

4. We use the third-party live support tool, but it is not linked to the customers’ accounts.

5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.

6. If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.

7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.

8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.

9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.

10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hoops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.

12. Our servers are outsourced and hosted by third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.

NordVPN website

TORRENTPRIVACY


1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.

2. Our company is under Seychelles jurisdiction.

3. We do not monitor any user’s traffic or activity for any reason.

4. We use third-party solutions for user communications and emailing. Both are running on our servers.

5. We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.

6. It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.

7. No, we don’t bother our users.

8. Yes we support all kind of traffic on all servers.

9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.

10. We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.

11. Yes. We are using our own DNS servers.

12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.

TorrentPrivacy website

PROXY.SH

1. We do not keep any log at all.

2. Republic of Seychelles. And of course, every jurisdiction where each of our servers are, for their specific cases.

3. IPtables, TCPdump and Wireshark, for which their use is always informed at least 24 hours in advance via our Network Alerts and/or Transparency Report.

4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.

5. We block the affected port and explain to upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy upstream provider, but this may lead us to simply drop the server on short-term due to it becoming unusable.

6. We first post the court order to public and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To this date, no valid court order has been received and acknowledged by us.

7. Yes, proxy.sh/canary.

8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is solely limited to whether you can open/use the ports you wish for it on a selected server.

9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).

10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve25519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of TOR’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/ARS and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.

11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.

12. We use a mix of colocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-thirds of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.

Proxy.sh website

HIDEIPVPN

1. We have revised our policy. Currently we store no logs related to any IP address. There is no way for any third-party to match user IP to any specific activity on the internet.

2. We operate under US jurisdiction.

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP address of VPN server, there is no way any third party could connect any online activity to a user’s IP address.

4. We are using Google apps for incoming mail and our own mail server for outgoing mail.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make it impossible to track who downloaded any data from the internet using our VPN.

6. We would reply that we do not have measures that would allow us to identify a specific user. It has not happened so far.

7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.

8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.

9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.

10. We would say SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case connection drops. Also, our apps are able to re-establish VPN connection and once active restart closed applications.

Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.

11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.

12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA.

HideIPVPN website

BTGUARD

1. We do not keep any logs whatsoever.

2. United States

3. Custom programs that analyze traffic on the fly and do not store logs.

4. No, all data is stored on servers we control.

5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

6. We would take every step within the law to fight such an order and it has never happened.

7. No.

8. Yes, all types of traffic are allowed with our services.

9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.

11. We use our own DNS servers.

12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.

BTGuard website

SLICKVPN

1. SlickVPN does not log any traffic nor session data of any kind.

2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.

4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

6. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.

8. Yes, all traffic is allowed.

9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

11. Yes.

12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

SlickVPN website

OCTANEVPN

1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written to disk on our gateways.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.

3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.

4. No. We do use a service to send generic emails.

5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.

If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.

6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our network operations company which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.

Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.

7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.

8. Yes. We operate with network neutrality except for outgoing SMTP.

9. Bitcoin and other cryptocurrencies such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.

10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol.

We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This is a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.

11. Yes and we physically control them. You can choose others if you prefer.

12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.

LIQUIDVPN

1. The VPN servers do not store user authentication logs. Once a user logs off of our VPN network we have no way of knowing which IP they were assigned or which server they were using let alone the time of day they logged in at.

2. USA

3. The main tools in place at the network level are SNMP and Mikrotik Layer 7 firewall rules. At the host level it’s Zabbix and OSSEC.

4. LiquidVPN hosts everything on servers we control.

5. As much as I would love to toss these in the trash it would be impossible to keep the servers online if I did so. Most USA data centers require action to be taken within 24 hours or they automatically null route the IP until corrective action has been taken. In the UK and Europe many data centers that require any action at all give us 48 hours before an automatic null route of the IP address. When we are required to take action we will rate limit the port in question down to 5Kb/s for 24 to 48 hours.

Here is our exact process.
1. Post the DMCA notice to the Transparency Reports section along with the intended course of action if there is one.
2. Post a link on Twitter.
3. If we are required to take action and update the data center we will rate limit transfers on the offending port to 5Kbs.

6. This has never happened. In the event that it does happen our attorney will post the court order and our intended action in the transparency reports section I linked above. If there is a gag order of some sort our Warrant Canary will stop being updated. We do abide by the law so in the end we would have to send over the information requested on a user.

7. Yes we do.

8. Yes it is.

9. PayPal, Credit Card, Bitcoin and Cash are accepted. Our payment data and VPN user data are completely separate. We only require a first name, country and email address to sign up unless you are paying by credit card. Due to the obscene number of charge backs we were getting on credit card transactions we had to begin collecting addresses and phone numbers for credit card transactions. When an order is placed the webserver logs the IP and time of order. Other actions on the website will also trigger the same logging event. These logs are purged after 6 months.

10. We have a very easy to use kill switch and also provide directions on setting up a full-fledged firewall to protect against leaks, drops and much more if the user is so inclined. Our client enables DNS leak protection by default. We provide private DNS servers, reverse proxies aka SMARTDNS (in beta) and of course IP Modulation. IP modulation shares a pool of IP addresses with dozens or even hundreds of other users and each connection has a random chance to modulate the IP. An average webpage makes 30+ connections for it to load completely. In theory on a modulating IP address your traffic could appear to be coming from 30 different IP addresses.

Currently the best encryption OpenVPN supports without being modified is AES-256-CBC. So this is what I would recommend for most people. I would recommend 2048 to 4096 bit RSA keys. I would tell users to make sure a TLS key is used and some form of server certificate verification is enabled in the configuration file. I would tell them to MAKE SURE there is an auth SHA256/SHA512 line in their configuration file and that tls-cipher is defined.

11. Of course and we are 90% finished converting them all to communicate on private subnets only.

12. We do not own the equipment; it is on short term leases and colocated around the world. We do not like to be married to a data center in case a privacy issue comes up and we have to pull out quickly. We choose our data centers very carefully but things change very quickly politically in a lot of these regions. We currently have servers in Canada, UK, USA, Netherlands, Switzerland, Germany and Romania.

LiquidVPN website
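The checks LiquidVPN lists in its answer 10 (AES-256-CBC, an auth SHA256/SHA512 line, a TLS key, server certificate verification, a defined tls-cipher) can be run mechanically against a client configuration file. The following is an added example, not code from the article or from any provider; the directive names are standard OpenVPN options, while the two sample configurations, the host name and the function names are constructed for illustration, and accepting `tls-crypt` or the legacy `ns-cert-type server` as equivalents is an assumption of this sketch.

```python
import re

# Values taken from LiquidVPN's answer 10.
RECOMMENDED_CIPHER = "AES-256-CBC"
STRONG_AUTH = {"SHA256", "SHA512"}
# Assumption: tls-crypt is accepted as an alternative form of "a TLS key".
TLS_KEY_DIRECTIVES = ("tls-auth", "tls-crypt")


def parse_openvpn_config(text):
    """Return {directive: [argument list, ...]} for an OpenVPN config.

    An inline block such as <tls-auth>...</tls-auth> is recorded as the
    directive being present; its body (key material) is skipped.
    """
    directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        block = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if block:
            inline = block.group(1)
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        line = re.split(r"\s[#;]", line, maxsplit=1)[0]  # drop trailing comment
        parts = line.split()
        directives.setdefault(parts[0].lstrip("-"), []).append(parts[1:])
    return directives


def audit(text):
    """Return a list of (check_id, message) for each recommendation not met."""
    d = parse_openvpn_config(text)

    def arg(name):
        values = d.get(name)
        return values[0][0] if values and values[0] else None

    findings = []
    cipher = arg("cipher")
    if cipher is None or cipher.upper() != RECOMMENDED_CIPHER:
        findings.append(("cipher", f"cipher is {cipher or 'not set'}, "
                                   f"expected {RECOMMENDED_CIPHER}"))
    auth = arg("auth")
    if auth is None or auth.upper() not in STRONG_AUTH:
        # With no auth line OpenVPN falls back to HMAC-SHA1.
        findings.append(("auth", f"auth is {auth or 'not set'}, "
                                 "expected SHA256 or SHA512"))
    if not any(name in d for name in TLS_KEY_DIRECTIVES):
        findings.append(("tls-key", "no tls-auth/tls-crypt key configured"))
    verified = (arg("remote-cert-tls") == "server"
                or "verify-x509-name" in d
                or arg("ns-cert-type") == "server")  # legacy option
    if not verified:
        findings.append(("cert-verify", "no server certificate verification"))
    if arg("tls-cipher") is None:
        findings.append(("tls-cipher", "tls-cipher is not defined"))
    return findings


# Constructed sample configs (not from any provider).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
ca ca.crt
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194   # constructed host name
ca ca.crt
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder, key material omitted)
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "all recommended settings present")
```
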

AIRVPN

1. No, we don’t keep such logs.

2. Italy.

3. We use internally written tools to mitigate attacks against our VPN servers as well as DDoS attacks originating from clients behind our servers.

4. No, we don’t.

5. They are ignored, except when they refer to web sites running behind our VPN servers. Due to our service features, it is perfectly possible to run web sites from behind our servers: we also provide DDNS for free to our customers. For these specific cases, we can act similarly to a hosting provider and we verify that the web site is compliant to our Terms of Service. We have had web sites spreading viruses and other malware (verified without any doubt) and we intervened to quickly stop them when we were warned about the issue.

6. Since we can’t provide information that we don’t have, an “ex-post” investigation is the only solution, if and when applicable. So far we have had no court orders of this kind.

7. No, we don’t. While a warrant canary’s effectiveness is questionable, we recommend to use technical means to solve the problem at its roots. When a customer can’t afford to trust us for the sensitivity of his/her activities, he/she can simply use Tor over OpenVPN, or OpenVPN over Tor, to get an immediate protection which a warrant canary, not even if updated every day, will never be able to provide.

8. Yes, it’s allowed on every and each server. We do not discriminate against any protocol or application and we do not monitor traffic or traffic type.

9. We accept Bitcoin, a wide range of cryptocoins, PayPal and major credit cards. About PayPal and credit cards, the usual information pertaining to the transaction and account/credit card holder are retained by the financial institutions, and it is possible to correlate a payment to a user (which is good for refund purposes when required). When this is unacceptable for security reasons, then Bitcoin or some other cryptocoin should be used. Bitcoin can also be provided with a strong anonymity layer simply by running the Bitcoin client behind Tor.

10. Our service setup, based on OpenVPN, is the following: 4096 bit RSA keys size, AES-256-CBC Data Channel, 4096 bit Diffie-Hellman keys size, HMAC SHA1 Control Channel, TLS additional authorization layer key: 2048 bit.

Perfect Forward Secrecy through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client). Due to the serious doubts about NIST standard Elliptic Curves parameters being manipulated by NSA, we feel to share Bruce Schneier’s considerations to not use ECC.

Our free and open source client Eddie (under GPLv3) for Linux, Windows, OS X Mavericks and Yosemite, implements features which prevent the typical DNS leaks in Windows and any other leak (for example in case of unexpected VPN disconnection). Leaks prevention, called “Network Lock”, is not a trivial kill-switch, but it prevents various leaks that a classical kill switch can’t block: leaks caused by WebRTC, by programs binding to all interfaces on a misconfigured system and by malevolent software which tries to determine the “real” IP address. In the future, probably before the end of 2015, our client will be available, as usual free and open source according to our mission, for other VPN services too.

We provide guides, based on firewalls and not, to prevent leaks on various systems for all those persons who can’t or don’t wish to use our client Eddie.

11. Yes, we use our own DNS servers.

12. Our servers are housed in datacenters which we have physical access to, provided that the access is arranged in advance for security reasons. Datacenters must comply to some technical and privacy requirements. With rare exceptions, a datacenter must have a PoP to at least one tier1 provider. Without exceptions, datacenter must be network neutral, must provide bandwidth redundancy, minimum uptime of 99.8% and our servers must have a dedicated port and a guaranteed bandwidth. We have servers located in Canada, France, Germany, Hong Kong, Latvia, Netherlands, Portugal, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, USA. We work or have been working with big and small providers, such as Amanah, IBM, Leaseweb, Voxility, HugeServers, Serveria, YesUp, Teknikbyran, just to name a few.

AirVPN website

VPN.S

1. We do not keep logs that could match time stamp of a user.

2. Australia

3. If there is a *serious* abuse that we have been alerted to, we may use string matching in the firewall to DROP packets containing the particular abuse, or block outbound traffic to a particular IP. We do not monitor for abuse, abuse alerts come from third parties such as fail2ban services.

4. We host our own Mail server along with a support system on our own Colocated equipment. Live chat system is Zopim, unfortunately we have not been able to find adequate self hosted software solutions that meet our requirements for live chat however we do review this option once to twice a year in case something becomes available.

5. We do not track our users, therefore the notices cannot be acted upon, due to the fact the DMCA notices cannot be verified we respond to the notices in this manner.

6. We have yet to encounter this. Our policy is to adhere to the court order, however due to our no logging policy it would be impossible to provide in-the-past information on any user. If the user is active and the court order contains specific end point IPs it is possible by firewall matching the user could be identified.

7. Yes.

8. Yes.

9. Bitcoin, Perfect Money, PayPal, Visa/MC,

10. We provide OpenVPN which can be used across multiple devices with our 2048bit keys, our Windows, OSX, Linux application provides DNS Leak and protection if VPN is dropped within the application settings, we can also provide tutorials to users to set these safe-guards up manually.

11. Yes, each server pushes DNS settings which are within our own network, these servers are recursors so the source IP of all queries are that of our own servers.

12. We have physical control over our infrastructure that contains any user data such as email address and passwords – these do not reside on end point VPN servers. Our VPN endpoints are configured so they do not contain any sensitive user information, the only information is the username which is required for our key based authentication for OpenVPN. We currently have servers in 41 countries.

VPN.S website

PERFECT PRIVACY

1. We do not log or store any traffic, IP addresses or any other kind of data that would allow identification of our users or their activities. The anonymity and privacy of our users is our highest priority and the Perfect Privacy infrastructure was built with this in mind.

2. Perfect Privacy is a community of interests with a postal address in New Zealand. However, our servers are operated in accordance with the law of the respective countries they are located in.

3. Since it is impossible for us to determine which user causes specific traffic, we cannot identify individual customers responsible for abuse. If we receive abuse complaints we usually offer to block the destination IPs from our ranges so that no further abuse can take place. The only data we record is the total amount of traffic per server so we can check and publish our traffic capacities.

4. No user input or data is processed by any third party tools (no Google Mail, no ZenDesk, no ticket system, etc.). Users can contact us by email and a https contact form, both running with our own mail server. We also encourage users to use PGP when communicating with us. We also offer TeamViewer support for customers but this is completely optional and up to the user.

5. Because we do not host any data, DMCA notices do not directly affect us. However, we do receive copyright violation notices for filesharing in which case we reply that we have no data that would allow us to identify the party responsible.

6. The only step on our side is to inform the contacting party that we do not have any data that would allow the identification of a user. There had been incidents in the past where Perfect Privacy servers have been seized but never was any user information compromised that way. Since no logs are stored in the first place and additionally all our services are running within ramdisks, a server seizure will never compromise our customers.

7. Since we are not bound by U.S. law, gag orders like National Security Letters do not apply to us. We would outright disclose any information of a possible problem to our users. As a last resort we would shut down our service before allowing our users to be compromised (e.g. like LavaBit).

8. Yes, Bittorrent and other file sharing is generally allowed. However, at certain locations that are known to treat copyright violations rather harshly (very quick termination of servers) we block the most popular torrent trackers to reduce the impact of this problem. Currently this is the case for servers located in the United States and France.

9. We offer a variety of payment options ranging from anonymous methods such as sending cash, Bitcoin or PaySafeCard. However, we also offer payment with PayPal for users who prefer that option. We keep no data about the payment except for when the payment was received which is linked only to an anonymous account number.

10. While we offer a range of connection possibilities we would recommend using OpenVPN with 256 bit AES encryption. Additional security can be established by using a cascaded connection: The Perfect Privacy VPN Manager allows to cascade your OpenVPN connection over up to four freely choosable servers.

The client software also comes with an integrated firewall and DNS leak protection which are enabled by default: This prevents any traffic bypassing the VPN connection and the exposure of the user’s IP address by a DNS leak. This protects against attacks like the WebRTC IP leak vulnerability.

11. Yes. All Perfect Privacy servers run a Domain Name Server for the exclusive use of our customers. Users can choose to either use a randomly assigned DNS from our pool or choose a specific one. We are currently evaluating additional security features like DNSSec.

12. All management tools and internal systems are running in-house and are completely under our own control. Our VPN servers (and other user-reachable services like Proxies, DNS, etc.) run on servers hosted in different datacenters all around the world (currently in 25 countries). These servers do not log any kind of user data and are all running within ramdisks on dedicated servers.

Perfect Privacy website

UNSPYABLE

1. We keep no logs whatsoever.

2. USA and UK VPN services are provided via our USA offices which also includes our billing system. Our offshore VPN network (Cyprus, Czech Republic, Denmark, Egypt, Hong Kong, Iceland, Netherlands, Panama, Russia, Sweden and Switzerland) is physically isolated from our USA operations and shares no connection to it.

3. We don’t monitor anything. If we receive notice of criminal activities we will use non invasive techniques (without logging) to try and determine who the user is and terminate their access.

None of the previous paragraph applies to P2P activities which are allowed on all servers except in the USA and UK where packet filtering is used.

4. No.

5. Our offshore servers where P2P is allowed are in countries and data centers that do not forward such notices. If we were to receive such a notice we would reply to it appropriately. Since we don’t log anything our reply would not include any information on the user.

6. If we were to receive a request from an authority having jurisdiction we would cooperate with them. However since we keep no logs of anything we have very little to provide them. Anything we have to provide them such as customer names can be gotten from the customer’s credit card company or the payment processor much more efficiently and without us even knowing about it. Bitcoin is one of our payment options and can help minimize access to such information. This has never happened.

7. We believe announcing such a thing in advance would cause the effectiveness of such a plan to go to zero should the need arise.

8. It is allowed on what we define as our offshore servers (see question 2). It is not allowed on USA and UK servers due to the issues involved. There is no benefit to the user to use USA or UK servers over the offshore servers for P2P. Therefore we do not believe this to be any limitation to our users.

9. Bitcoin, Amazon Payments and PayPal. Our online VPN authentication servers contain no customer personal information. We keep customer email addresses offline in case we need to contact the customer for some reason. We do not keep any other personal information regarding the transactions. Obviously the payment providers have a record of the transaction as well that is beyond our control.

10. We use OpenVPN with 256 AES encryption, SHA512, 4096 bit RSA and TLS 256 AES which provides perfect forward secrecy. For maximum privacy we recommend our multi hop servers. However, due to the multiple hops they will not be the fastest for P2P or streaming applications.

We don’t recommend software kill switches as they are subject to failure. We recommend that users block all ports on their router except for 1194 OpenVPN and then use the VPN to provide access to the Internet. This creates the perfect “kill switch”. ISP DNS leaks are most easily eliminated by changing all DNS servers on the users’ devices to ones not associated with their ISP.

11. We pass DNS traffic through intermediate servers to Google DNS. We believe using our own DNS servers is less private than farming out the DNS requests via intermediate servers to Google and mixing them with the billions of other DNS requests Google handles daily. All requests to Google DNS appear to originate from one of our offshore servers and don’t correlate to the user.

12. No, we use trusted ISPs in all the countries we provide service in (Cyprus, Czech Republic, Denmark, Egypt, Hong Kong, Iceland, Netherlands, Panama, Russia, Sweden and Switzerland), plus US and UK. In addition, server hard drives are encrypted to prevent tampering or any data recovery should the physical server be accessed.

Unspyable website

HIDE.ME

1. No, we don’t keep any logs. We have developed our system with an eye on our customer’s privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.

2. We are a Company based in Malaysia with no legal obligation to store any user logs at all.

3. We believe that it is not our responsibility to monitor user activities, consequently, we don’t throttle or block any kind of traffic.

4. Yes we use Zendesk and LivechatInc in which we do not store any customer data that could be mapped to our customer database. Furthermore this information cannot be linked to your VPN usage and online activities.

5. Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.

6. Although it has never happened, in such a scenario we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs and there is no way we could link any particular cyber activities to any particular user. In case we are forced to do so, we would prefer to close down rather than putting our users at stake who have put their trust in us.

7. Since we are not operating under US law, in Malaysia there is no such thing as the Patriot Act. So far we haven’t been served with a court order or any governmental request and if it was the case we would be transparent with our customers that might have been affected by such court order.

8. There is no effective way of blocking file-sharing traffic without monitoring our customers which is against our principles and would even be illegal. Usually we only recommend our customers to avoid the US & UK locations for filesharing but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.

9. We support over 200+ international payment methods, including Bitcoin, Paypal, Credit Cards, Bank transfer and UKash. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.

10. Our users’ privacy is of utmost concern to us. Our Windows client has features such as kill switch, Auto Connect, Auto Reconnect etc. which make sure that the user is always encrypted and anonymous. Even if one of our customers decides not to use the client, in our community there is a big variety of tutorials to help our customers to protect themselves against any sort of leaks.

After all, modern VPN protocols that we all support – like IKEv2, OpenVPN and SSTP, are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 4096-bit keys and a strong symmetric encryption (AES-256) for the data transfer.

11. We do not operate our own DNS servers since all outgoing connections are already encrypted and free DNS servers like OpenDNS or Google Public DNS are not censored in any way, so we can ensure that our customers are still anonymous using these services and enjoy censorship-free browsing. Operating our own DNS servers would put our infrastructure at risk since an attack could affect all our customers that are currently connected to our VPN servers.

12. We operate 27 server locations in 19 different countries. However we do not own physical hardware, there is an intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore we choose all third party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no authorized person could access our servers. Among our reputable partners are Leaseweb, NFOrce, Equinix and Softlayer.

Hide.me website

SHADEYOU VPN

1. ShadeYou VPN does not keep any logs. The highest level of privacy is a main mission of ShadeYou VPN. Everybody can read our Privacy Policy. To use our service only a username and e-mail are required. No personal or real data is required.

2. ShadeYou VPN company operates under the jurisdiction of the Netherlands.

3. We absolutely do not monitor any traffic or user activity. Even if we receive a serious abuse notification we can’t start monitoring our users because it will violate the main mission of ShadeYou VPN.

4. Yes, we are using Google Apps as our email service provider. But we do not send or request any private or personal information via mail. Also the option of Live Support is available and works based on SiteHeart service where personal information isn’t required.

5. The abuse team of ShadeYou VPN answers as follows: a) we do not store any illegal content on our servers; b) all of our users agree with our privacy policy while registering, so we warned that illegal actions are prohibited and at this time we are not responsible; c) we do not have any personal data of our users or any logs of their activities that can be shared with third parties because we simply do not store it.

6. Sharing any personal data of our users is absolutely impossible since we do not store it and do not keep any logs. Yes such kind of situation has happened but there is not even one existing case when we have shared any information about our users with any 3rd parties.

7. Warrant canaries are new to us. We have not used one before since we are sure that all our users are safe. But we can start using it as an additional option to make our users sure that they are totally secure while using our service.

8. BitTorrent and any other file-sharing traffic is allowed on all our servers. There’s only one exception, and that’s for users who use a trial version.

9. ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, UnionPay, AliPay, MINT, CashU, Ukash; we also accept payments via Visa, Master Card, Maestro and Discover. Of course Bitcoin is available.

10. We strongly recommend using OpenVPN since it is the safest and uses the strongest encryption (TLS Protocol with 1024-bit key length and AES-256-CBC crypto-algorithm). We do not support a “kill switch” at the moment but we will propose an alternative solution when our new DNS servers are launched.

11. At the moment we use Public DNS 8.8.8.8 and 8.8.4.4 and currently we are working hard on implementing our own DNS servers with a secured channel.

12. All our servers are colocated around the world in DCs of different leading hosting companies. Our VPN network covers: USA, United Kingdom, Sweden, Ukraine, Netherlands, Russia, Spain, Hong Kong, Germany, France and Canada. Romania will be added soon.

ShadeYou VPN website

SECUREVPN.TO

1. We don’t log any individually identifying information.

2. Each server is handled with the jurisdiction at the servers’ locations.

3. There are no tools which monitor our customers. We have techniques which don’t require any logging to prevent the abuse of our service.

4. Our website has been completely developed by ourselves and we don’t use any external services.

5. We will reply to DMCA takedowns but we cannot be forced to hand out information, because we don’t log anything.

6. This hasn’t happened yet but if we were forced to identify one of our customers at a specific server location, we would drop this location immediately. Under no circumstances are we going to log, monitor or share any information about our customers.

7. No, we don’t offer something like that.

8. Yes, it is allowed on all servers.

9. We offer a wide range of anonymous payment methods like Paysafecard, Bitcoin, Litecoin, Dogecoin, Worldcoin, EgoPay and Perfect Money. All payments are processed by our own payment interface and therefore no third party payment processor receives any information.

10. We would recommend OpenVPN, available in UDP and TCP mode. We are using AES-256-CBC for traffic encryption, 4096 bit RSA keys for the key exchange and SHA-512 as HMAC. These settings offer you the highest grade of security available. We offer a tool called “VPN Helper” which provides security features like a DNS Leak Protection, IP Leak Protection and IPv6 Leak Protection. Some weeks ago the development of our own VPN client, which will also include those security features, started.

11. At the moment we are using the nameservers of OpenDNS. We will offer our own DNS servers soon.

12. We rent 24 servers in 19 different countries and are continuously expanding our server park. The server locations are France, Netherlands, Switzerland, United Kingdom, Canada, USA, Bulgaria, Costa Rica, Germany, Kosovo, Latvia, Lithuania, Moldova, Romania, Russia, Spain, Sweden, Taiwan and Ukraine. For us it is impossible to have physical control over all widespread servers.

SecureVPN.to website

HOTSPOT SHIELD

1. AnchorFree and Hotspot Shield’s top priority is to provide privacy to our customers. We do not store any logs that can be used to associate a connection to a user.

2. Anchorfree operates in the US under US jurisdiction and outside the US under Swiss.

3. We have a security team dedicated to monitoring abuse, specific details are confidential, but we can assure our users that we do not use logs to monitor and mitigate abuse.

4. Yes, we do work with an external email service and support tool however, none of the user’s information can be tied back to their activities while using Hotspot Shield.

5. We do not host content and are unable to remove any of said content. Additionally, our top priority is the privacy of our users and therefore we do not log or monitor our users and are unable to identify any users of our service.

6. It is not technically possible to effectively identify or single out one active user from a single IP address. We have received a valid court order.

7. Since we don’t have the information to provide to the agencies we do not require to have it.

8. We believe in an open and uncensored internet, we do not discriminate against any kind of traffic.

10. We’re biased here, but for a good reason, we think the most secure VPN connection is Hotspot Shield VPN which uses proprietary VPN protocols. Our encryption algorithm favors AES-128 more than other standards for its cryptography properties, performance and hardware support which is available for consumer devices and server platforms. We have a patent pending solution for kill switches for Android clients and we are working to improve it and include it in all of our applications. Our users never risk a DNS leak because all traffic (including DNS requests) is protected by the VPN tunnel.

9. In the US we accept Credit Cards and PayPal. Internationally we accept the most popular local payment methods like Mobile Payments, Prepaid cards, eWallets, Bank Transfers etc. Our users’ payment information cannot be linked to their individual user accounts.

11. Yes, we have hundreds of dedicated servers around the world.

12. We own all of our infrastructure. We do not outsource anything. We have virtual locations in the US, UK, Canada, Australia, Japan, Germany, India, Hong Kong and China.

Hotspot Shield website

RAMVPN

1. We log absolutely nothing. Even without logs there can be small amounts of meta-data leftover in RAM memory of the TCP/IP stack on the server’s operating system. After seeing the rising trend of server seizures in 2014, it can no longer be assumed that simply not logging can protect the users. To mitigate this, we run the VPN service itself on a virtual machine within an encrypted RAM container, and combine this with physical tamper resistance just to be sure.

2. The business itself is under USA jurisdiction and as such we are not subject to any mandatory data retention laws whatsoever.

3. None. We have no way of monitoring traffic. If abuse is reported to our abuse department through the proper channels and is discovered to be a valid complaint, we may temporarily block outbound network traffic to the target being abused (usually the source of the abuse complaint) using basic firewall configurations. We would be completely unable to find the origin of such abuse in relation to one of our users. We can’t even revoke a user account if we want to.

4. We do not engage any third parties for email or support-related hosting at this time.

5. We do not host content; there would be nothing for us to remove, plain and simple.

6. We are unable to identify an active user of our service to begin with. The service was inherently built from the ground up to make identification of a user impossible from a technical perspective, even for us. Due to consumer protection laws, we must abide by our advertised inability to track users. A request such as this has not ever happened.

7. We currently have no warrant canary.

8. We don’t block any traffic at all other than attack traffic (related to abuse complaints), and even those blocks are temporary.

9. PayPal, credit card, or Bitcoin. These are barely linked to an “account”, because the only thing we keep on file is an email address. The payment information itself is NEVER linked directly to any VPN authentication credentials. Users even have the option to use a non-billing email address to have their keys signed with and credentials delivered to. For those who are extra paranoid, we recommend using an anonymous email service and anonymous payment method (such as bitcoin) to ensure we have absolutely no details about you.

10. RSA2048 and blowfish encryption. No, we do not currently provide kill switches or DNS leak protection.

11. Our DNS servers run on the local VPN network and proxy to our host node. Our host node will then respond from its cache, or if it does not have the record, look the information up using Level3, OpenDNS, or OVH Canada.

12. We have firmware control over our physical servers, however we outsource our data-center usage through OVH hosting. While we currently only have servers based in Canada and US, our expansion plans include Germany, China, France, Italy, and more. We are adding new nodes frequently.

RAMVPN website

FROOTVPN

1. FrootVPN takes the privacy of all of its users seriously and therefore we do not store any logs and we do not monitor any traffic in our network.

2. We operate in Sweden.

3. We do not monitor any traffic and our system is built to protect the identity of our users. However, if we do receive any legit abuse report, we can block IP and port if necessary.

4. We have set up our own mail servers which we manage ourselves. Only our staff has remote and physical access to these servers. We use the open source helpdesk OTRS which is hosted on our own servers.

5. We do not host any content on our servers, therefore sending DMCA notices to us is kind of pointless as we cannot identify any customers. If we do receive such a request we just send back our privacy policy.

6. As we do not keep any logs or monitor any traffic, we are unable to identify any customer.

7. No.

8. We only block SMTP as we do not like spam and our providers do not like it either. All other traffic is allowed such as file sharing.

9. We use multiple payment systems, such as PayPal, paysafecard, ukash and more. Each individual payment system may require you to enter personal information to be able to make a purchase from them. However we do not store any personal information or transaction number in our database.

10. We offer PPTP, L2TP and OpenVPN. We recommend using OpenVPN as it offers the highest encryption and is by today the most secure VPN. With OpenVPN you can use AES256 cipher and 2048 bit DH key.

11. We use our data center DNS servers, which is 80.67.0.2. We however do plan to migrate to our own DNS servers during this year.

12. We own all our hardware ourselves and they have all been installed and configured by our staff. We only lease rack unit and bandwidth from our Internet provider. Only our staff has physical access to our servers. All our servers are located in Sweden.

FrootVPN website

LOKUN

1. We keep as little information as possible, both legally and technically. We do not store information that can map you to one of our IP addresses. In our database, we keep: usernames, hashed passwords and the corresponding salt, account status and email (if given). We keep a record of when a user connects and total number of connected users.

2. Icelandic jurisdiction.

3. No special tools have been needed to handle abuse so far, these issues will be dealt with on a case-by-case basis. We use email to handle abuse notifications.

4. Third parties storing plaintext emails isn’t a problem we can solve by picking email hosting providers. Instead, we prefer that users use encrypted emails to communicate with us. We use Zendesk and Google Apps because of technical merit.

5. We have never received such a notice.

6. We do not store the information required to do this and would be unable to comply. We would simply cease operations if placed under gag order or similar.

7. Yes.

8. Yes.

9. We currently accept: Credit cards, Icelandic bank transfers and Bitcoin. Other methods of payment can be requested. A payment is not linked to a user account. Payment processors do not know the username being paid for. We are legally required to store all sales receipts, in the case of a random tax audit. Sales receipts contain the date of purchase and the amount. We do not store what username the payment was made on behalf of.

10. We only use OpenVPN and we do not have our own client.

11. Yes.

12. All our servers are hosted in Iceland and we host with trusted parties; DataCell and GreenQloud. We have a mix of own hardware and virtual servers. Data is never saved to disk.

Lokun website

ASTRILL

1. Our mission is to protect users’ privacy online, therefore we don’t keep logs.

2. Our company is registered in Seychelles so it’s virtually impossible or very complicated to get any data about our customers through legal system.

3. …

4. All the tools we use are proprietary. We use our own email servers and helpdesk software for communication with customers.

5. P2P applications are allowed on our network, on designated servers, where DMCA complaints from copyright trolls are trashed.

6. We have not received any properly filed legal request to date about disclosing information about our customers. The exact procedure is determined by our attorneys.

7. …

8. We provide servers with P2P applications support and on these servers P2P complaints are, as legally invalid, trashed.

9. We accept many payment methods, all credit cards, paypal, alipay, perfect money and bitcoin are just some of popular methods we support.

10. For best security we recommend OpenVPN protocol with AES-256 bit, Camellia 256-bit, Cast 512-bit and BlowFish 512-bit. We also offer StealthVPN as additional layer of security on top of Open VPN which makes it virtually impossible for ISPs to recognize OpenVPN protocol, throttle it or block. StealthVPN allows connections to any port of user choice (1-65535), both UDP and TCP. We support DNS leak protection and kill switches.

11. …

12. We run our own network of VPN servers in 54 countries which we have full control over.

Astrill website

NEXTGENVPN

1. No such logs are ever kept.

2. Rep. of Seychelles

3. In house custom tools that we will not disclose for obvious reasons.

4. None.

5. They are ignored.

6. Never happened.

7. Irrelevant in our case.

8. Yes. On selected destinations only.

9. Payments are handled by a different company without any direct links to users’ accounts.

10. OpenVPN – AES256. DNS leak protection and automatic reconnect are provided.

11. Yes, we maintain our own DNS services.

12. We have direct control of all infrastructure servers and most of VPN remote gateways. Some VPN gateways are third party hosted.
Gateways: US, NL, UK, BE, FR, ES, PT, UA, CH

NexTGenVPN website

EXPRESSVPN

1. We never keep traffic logs, and we also don’t keep any logs that might enable someone to match an IP and timestamp back to a user. We work entirely on the basis of shared IPs, meaning that a single IP does not track back to an individual user. For the purpose of improving network resource allocation, we record aggregate data-transfer amounts and choice of server location, neither of which are data points that can identify a specific user as part of an investigation.

2. We are incorporated in the British Virgin Islands and operate according to BVI laws.

3. We block outgoing connections to port 25 to prevent SMTP abuse, and we use firewall rules to prevent some types of DOS attacks.

4. We use Zendesk for support tickets, and SnapEngage for live chat. We believe these to be secure, and if we had any indication that our customer communications were compromised on either of these channels, it would be straightforward to migrate to a different platform.

5. There is nothing to take down, as we are not a content host. We maintain the anonymity of our customers and would not attempt to identify users on the basis of DMCA notices.

6. This hasn’t happened to date, but we would need to receive a court order from the BVI.

7. Not yet, although we are trying to understand how it would be practical to implement one. We do strongly support Twitter’s lawsuit against the US Justice Dept. and their battle to allow greater transparency when it comes to publicizing secret government legal processes.

8. We allow BitTorrent and other file sharing traffic from all of our servers. We respect our customers’ freedom to use these services and their right to privacy from ISPs and other parties who attempt to monitor such traffic.

9. VISA, Mastercard, Paypal, American Express, Discover, JCB, Diners Club, Alipay, UnionPay, CashU, Webmoney, Yandex Money, Ukash, Giropay, Sofort, Maestro, Carte Bleue, Interac Online, Mint, FanaPay, OneCard, Tenpay, iDeal.
And most importantly for privacy focused users, Bitcoin via BitPay.

The information you are required to submit varies with the payment method selected. With Bitcoin we require only an email address so we can communicate with you, and no other personally identifying information.

10. This depends on the platform, but most of our apps use OpenVPN by default, and that’s also our recommendation for best security. Some of our apps have DNS leak protection and maintain VPN routes even when a connection has unexpectedly dropped. We’re actively working on making these features more complete and easier for customers to understand what they do and when they’re active.

11. This depends on the platform, but for most users DNS queries go through our own DNS servers. Sometimes we also recommend Google DNS.

12. We work with multiple data centers in 78 countries around the world. In our most popular server locations, we use only premium providers with strong security practices and wholly owned data centers. Our data center partners do not have access credentials to ExpressVPN servers, and because we don’t keep logs, we are able to mitigate the threat to our users’ privacy.

ExpressVPN website

STEGANOS

1. We do not store any user data, neither regarding IP-addresses nor time stamps.

2. We operate under German jurisdiction, where no data retention law is in force. Therefore, currently there is no legal basis in Germany that forces Steganos to store user data. This means that we do not have any information to share with third parties or court.

3. In order to protect our users from abuse we keep our servers safeguarded against malware and abuse-software, for example by constantly providing security updates and blocking unnecessary ports. We do not monitor any activities of our users, but retain the possibility to block ports which are reported to be used exceptionally often for abuse (e.g. spamming).

4. We use Google Apps within our company. Our support service additionally uses Zendesk, which logs some user information. As these are stored on different servers, they cannot be used for user identification though.

5. After receiving such a notification, Steganos takes seizure according to its own measures that we consider appropriate. In general, this would be the restriction of access to the copyright protected work, but not the blocking of a user.

6. Steganos has taken a strong stance for data security and protection for years and defended customer information against any disclosure. This means that we try to prevent the identification of our users and even go to court, if necessary, like in 2009. Back then the data retention law imposed by EU was in force in Germany. Nevertheless, Steganos refused to release the IP-address of a user to the lower regional court of Bamberg and successfully proceeded against this court order.

7. As our company is not based in the US, we do not need any warrant canary.

8. BitTorrent is not actively blocked as of now.

9. Our customers can pay easily and securely via Paypal, Credit Card (Mastercard, Visa), bank transfer, check or Giropay. All billing information is stored on different servers and cannot be linked to users by any means.

10. We recommend OpenVPN with 256-bit AES encryption and therefore work with it in our product “Steganos Online Shield VPN“. As we believe it to be the most secure option, we are also currently planning on implementing it in our VPN tool “OkayFreedom” (which uses 128-bit blowfish as encryption algorithm so far). We neither offer tools regarding kill switches nor DNS leak protection as of now.

11. We use Google Public DNS server, which we consider unproblematic. It is not only the biggest public server with over 130 billion requests per day and works fast, but also does not store personally identifiable information nor IP-addresses permanently and all temporary logs are deleted after 48 hours at the latest.

12. We offer servers located in 12 different countries, which are: Egypt, France, Germany, Great Britain, Japan, Mexico, Romania, Singapore, Spain, Switzerland, Turkey and the USA.

Therefore we collaborate with several third party providers that reside in these countries, for example 1&1 Internet AG in Germany, hosttech GmbH in Switzerland and SAKURA Internet Inc. in Japan. Although we do not have physical control over the VPN servers there, we always take security measures like installing our operating system directly on these servers. It should be mentioned that all login servers are placed in Germany where we have full control over them.

Steganos website

VIKINGVPN

1. No. Logging of that kind would be foolish for us. It would be a betrayal of our customer’s trust, and it would ultimately give us more legal liability than we want to have.

2. We currently have servers operating in the United States, Netherlands, and Romania. We chose these locations as sites that would honor our zero data retention policies for VPN services. The company was incorporated in the United States.

3. We don’t use tools to monitor and mitigate abuse. However, if credit card fraud is reported, we will immediately terminate the offending account.

4. We use Google Apps for email. We do not consider any email service to be secure at this time, and we advise privacy minded users to use PGP encryption with us, as that is currently considered the best method of email communication by the privacy community. Our PGP key is available on request.

5. We haven’t received a VALID DMCA notice yet. Anyone sending us a notice gets a full copy-paste of our DMCA policy, reminding them of the conditions for a VALID DMCA notice.

6. It hasn’t happened. If it were to happen, we would be unable to comply because our infrastructure doesn’t allow us to collect that kind of information. If a court ordered us to modify our infrastructure in order to allow it to collect that kind of information, our warrant canary would activate.

7. Yes. We have a dead man’s switch warrant canary that is managed by two admins. If the canary is tripped, the front page of the site changes dramatically to warn users of a possible compromise.

8. Yes. We don’t block any ports.

9. Our payment gateway is TSYS for all credit card transactions. We also accept Bitcoin and Darkcoin. For the Credit Card transactions, we only retain the necessary data for the transaction. For Bitcoin and Darkcoin transactions, we only use an email address, which is for support purposes only.

10. We recommend only using Open Source VPN clients, as any closed source client could have backdoors or unknown security vulnerabilities.

For our users, the maximum security encryption is the default encryption, and users can’t change it. Most people can’t be expected to know which encryption schemes are going to keep them safe 30 years into the future, nor should they be expected to know that.

At VikingVPN we use RSA4096 for the handshake, AES-256-CBC for symmetric encryption, SHA1 for data integrity checks, and a 2048-bit HMAC cipher for hardening against man-in-the-middle attacks. For the session/control channel, we use 4096-bit DHE which renegotiates hourly with new keys, creating perfect forward secrecy.

11. We use OpenDNS in the US and FreeDNS in the EU. Utilizing a local DNS would not assist with privacy as all DNS requests are tunneled through our VPN and out to the public DNS servers, additionally, using a local DNS gives us a single point of failure for a DDOS attack, and would make the network vulnerable.

12. Our servers are leased by thoroughly vetted partners. We have tight control over the hardware, and we only allow our servers to be hosted in high quality datacenters with multiple layers of physical security such as 24 hour security staff, biometric scanners, and cabinet-level security. Most importantly, we do not use virtual servers or cloud services for hosting our VPN network. We operate with bare-metal servers only using our custom configuration.

VikingVPN website

OVPN.TO

1. We have a strict non-logging policy. All services and servers are running without any client identifying logfiles. You need a valid email for account registration, in order to restore your password. We encrypt your email with itself, so we can not restore it without knowing it.

2. oVPN is not a company, more like a community which exists since 2010. If we are forced to create any logfiles due to any jurisdiction, we will close this server/location instantly.

3. Our reaction depends on abuse. We will block traffic if our servers are used to flood or disturb any target/host and anybody complains about. Remote-Portforwards could be traced back to your account. We will send notice to your account for incoming DMCA and close your Remote-Portforward! We can not reveal your mail address, it is stored encrypted. So there exists no data to hand-out to any 3rd party.

4. We do not use any external services and we do not use any external scripts on our page, except for payment providers, more below on 9. We provide own Mailboxes, IRC-Chats and Jabber-Server. Those storages are encrypted and ddos protected through our own front/middle-nodes.

5. We will see if any Remote-Portforward is added, close the port and send notify to clients account. We did not receive any European equivalent, but DMCA is daily business.

6. Did not happen yet. We got some requests from German police years ago, but we can not trace a single user and we can not hand-out any data which we do not possess.

7. As we are not a company and none of our team is located within US, we do not feel responsible to US law in any way, even while we hold an US-server, we cancel contract immediately.

8. Use of BitTorrent and other file-sharing is generally allowed, but you should keep in mind, sharing of copyrighted materials is illegal in many countries and we could lose servers due to illegal sharing.

9. We offer quick and anonymous payments with Bitcoins, always with a nice discount rate and we accept other AltCoins via coinpayments too. Your id is removed from coins address after your transaction is confirmed. Payments with perfectmoney.is and webmoney.ru are possible, but we don’t use their api for automatic processing. We accept bank-transfers and (pre-paid) cards with an external provider. External payment provider may keep all information you enter. For automatic bank/card processing, mail address from account and order should match. But do not worry, if paying a VPN is not a crime in your country, nobody knows who’s behind your account. For payment with pre-paid cards/voucher, send us your voucher and user-ID and we load it within 24h without any more needed information. Using paysafecard is another anonymous option for Europeans, but we need many days to process paysafecard payments! Anyhow, we advise to use *Coins! Some say, bitcoin is not anonymous. For us, it is.

10. Our most secure VPN connection is openVPN based AES-256-CBC with HMAC-SHA512. Additionally we support TLSv1.2 for openVPN clients with 2.3.x branch (DHE-RSA-AES256-GCM-SHA384).
We distribute 4096 bit certificates from our CAs to clients, which are mostly updated to SHA512 signing as well, instead of basic SHA1. Most important, we do not offer any weak cipher by default. We have iptables to protect your linux clients, rules for windows are in development. Most of us use any linux, but we have simple windows commandline tool and another windows-GUI in development, to get your oVPN certificates and configs updated. Our Stunnel 4/5 Server use maximum encryption ECDHE-RSA-AES256-GCM-SHA384 with 5120 bit RSA-keys and our SSH Server use AES-256-CTR with 8192 bit RSA-keys. We have VPN connections between our servers too. You can chain multiple SOCKS5-Proxy connections through our encrypted virtual LAN between all servers, even randomized. Best practice for dns leak protection is DNScrypt!

11. We provide own internal and public DNScrypt servers.

12. We use rented root-servers from several companies. All data is kept securely (binaries and the configuration files for services are on ramdisk).

oVPN.to website

AZIREVPN

1. Nope, we keep no logs.

2. We operate under Swedish law.

3. Due to the nature of our service, we do not use any tools to monitor abuse of our services.

4. We use our own self-hosted ticket system and mail servers.

5. We politely tell all DMCA/EUCD requesters that due to the nature of the service, we do not have any possibility to track the content.

6. We inform the other party that we are unable to hand out any information since we do not keep any logs or monitor the traffic.

7. No

8. All traffic is allowed.

9. We support PayPal, Bitcoin (BitPay) and Credit Cards (Stripe).

10. We recommend our users to use our OpenVPN servers with SHA512 auth, AES-256-CBC cipher and tls-auth for maximum security.

11. Yes, we have our own DNS servers for both client recursor as well as authoritative NS for our domains.

12. Yes, we own all our hardware and have physical control. Our servers are located in Stockholm Sweden.

AzireVPN website
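An added example (not code from AzireVPN or any other provider on this page) that audits an OpenVPN client config against the settings named in answer 10 above: SHA512 auth, AES-256-CBC cipher and tls-auth. The sample configs, the hostname, and the treatment of a missing `cipher` or `auth` line as the OpenVPN 2.3 defaults (BF-CBC and SHA1) are assumptions made for the example.

```python
"""Audit an OpenVPN client config against the settings in the reply above.
Added example; sample configs are constructed."""

RECOMMENDED_CIPHER = "AES-256-CBC"
RECOMMENDED_AUTH = "SHA512"
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC"}
WEAK_AUTH = {"NONE", "MD5", "SHA1"}


def parse_ovpn(text):
    """Return {directive: [args]}. Inline <ca>...</ca>-style blocks are
    recorded as present but their contents are not parsed."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # skip key/cert material
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":            # blank or whole-line comment
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            block = line[1:-1]
            directives[block] = ["[inline]"]
            continue
        name, *args = line.split()
        directives[name] = args                    # last occurrence wins
    return directives


def _first(directives, name):
    args = directives.get(name)
    return args[0].upper() if args else None


def audit(text):
    """Return a list of (directive, level, message); level is 'fail' or 'note'."""
    d = parse_ovpn(text)
    findings = []

    cipher = _first(d, "cipher")
    if cipher is None:
        # Assumption: OpenVPN 2.3 behaviour, where an unset cipher means BF-CBC.
        findings.append(("cipher", "fail", "unset, so the 2.3 default BF-CBC applies"))
    elif cipher in WEAK_CIPHERS:
        findings.append(("cipher", "fail", f"{cipher} is a legacy or null cipher"))
    elif cipher != RECOMMENDED_CIPHER:
        findings.append(("cipher", "note", f"{cipher} differs from {RECOMMENDED_CIPHER}"))

    auth = _first(d, "auth")
    if auth is None:
        findings.append(("auth", "fail", "unset, so the default SHA1 HMAC applies"))
    elif auth in WEAK_AUTH:
        findings.append(("auth", "fail", f"{auth} is a weak or null HMAC digest"))
    elif auth != RECOMMENDED_AUTH:
        findings.append(("auth", "note", f"{auth} differs from {RECOMMENDED_AUTH}"))

    # tls-crypt (OpenVPN 2.4+) also keys the control channel, so accept either.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("tls-auth", "fail", "control channel has no pre-shared HMAC key"))

    tvm = d.get("tls-version-min")
    try:
        version = tuple(int(p) for p in tvm[0].split(".")) if tvm else None
    except ValueError:
        version = None
    if version is None or version < (1, 2):
        findings.append(("tls-version-min", "note", "TLS 1.2 is not required"))
    return findings


def failing(findings):
    """Names of the directives that failed the audit."""
    return {directive for directive, level, _ in findings if level == "fail"}


# Constructed sample: no cipher line, SHA1 HMAC, no tls-auth key.
WEAK_SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample matching the reply's recommendation.
HARDENED_SAMPLE = """\
client
dev tun
remote vpn.example.net 1194
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
tls-version-min 1.2
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(sample) or "no findings")
```
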

CRYPTOSTORM

1. None.

2. Under what jurisdiction(s) does your company operate?

We’re a decentralized project, with intentional separation of loosely-integrated project components. Much of our financial processing runs through a payments-focused sibling entity based on First-Nations sovereign territory geographically located within the province of Québec, itself loosely encased within the federal confines of the country of Canada. We own no intellectual property, patents, trademarks, or other such things that would require a corporate entity in which ownership could be enforced by the implied threat of State-backed violence; all our code is published and licensed opensource.

We’ve concurrency in financial operations and make use of parallel payment processes under distinct organisational control in two other jurisdictional locations: France and Iceland. Thus, we can walk away from 2 of the 3 simultaneously with no impact to ongoing financial operations for the network.

3. Um, never happened. Not sure what “abuse” would actually involve, and as we don’t have “users” we’d not have any way to block someone’s network access in functional terms. Here’s our Terms of Service.

4. This is an excellent question, and the answer is no. All such correspondence is self-hosted (with the obvious exception of bitmessage-based communications, of course).

5. Our choice is to reply to any such messages that are not obviously generated by automated (and quite likely illegal) spambots. In our replies, we ask for sufficient forensic data to ascertain whether the allegation has enough merit to warrant any further consideration. We have yet to receive such forensic data in response to such queries, despite many hundreds of such replies over the years. Silence speaks loudly.

6. See above

7. We have been involved in the technical and theoretical work of developing the concept and implementation of warrant canaries since prior to their currently-seen popularity as a marketing tool. Indeed, we coined the term “privacy seppuku” itself, which is a closely related subject.

Unfortunately, many implementations of “warrant canaries” we see recently are terribly flawed both in conceptual foundation and in real-world application. This topic is perhaps a bit long for an interview reply, but we can say that doing a flawed warrant canary is worse than doing nothing at all, as it provides mere “security theatre” and encourages false confidence.

8. Yes.

9. We don’t have purchasing/financial information connected in any way to real-life identity of our network members; our token-based authentication system removes this systemic connection, and thus obviates any temptation to “squeeze” us for private data about network membership. We quite simply know nothing about anyone using our network… save for the fact that they have a non-expired (SHA512 version of) token when they connect.

10. We only support one cipher suite on-net, per reply above. Offering “musical chairs” style cipher suite roulette is bad opsec, bad cryptography, and bad administrative practice. There is no need to support deprecated, weak, or known-broken suites in these network security models; unlike browser-based https/tls, there are no legacy client-side software suites that must be supported. As such, any excuse for deploying weak cipher suites is untenable. Everyone on cryptostorm receives equal and full security attention.

There are no “kill switch” tools available today that actually work. We have tested them, and until we have developed tools that pass intensive forensic scrutiny at the packetized/NIC level, we will not claim to have such. Several in-house projects are in the works, but none are ready yet for public testing.

We take standard steps to encourage client-side computing environments to route DNS queries through our sessions when connected. However, we cannot control things such as router-based DNS queries, Teredo-based queries that slip out via IP6, or unscrupulous application-layer queries to DNS resolvers that, while sent in-tunnel, nevertheless may be using arbitrary resolver addressing. Once again, we’re working on tools to mitigate these risks, but no current tools or frameworks are 100% effective in doing so. We are saddened to see others who claim they have such “magical” tools; getting a “pass” from a handful of “DNS leak” websites is not the same as protecting all DNS query traffic. Those who fail to understand that are in need of remedial work on network architecture.

As we run our own mesh-based system of DNS resolvers, “deepDNS,” we have full and arbitrary control over all levels of DNS resolution presentation to third parties. Indeed, on-cstorm visitors to “DNS leak” websites see a message directly from cryptostorm, embedded in the results presented… this is the level of expertise we are employing as we work towards improved member security.

11. Do you use your own DNS servers? (if not, which servers do you use?)

We have constructed a mesh-topology system of redundant, self-administered secure DNS resolvers which has been collected under the label of deepDNS. Rather than simply forwarding DNS resolution queries on to other outside layers for reply, deepDNS is a fully in-house mechanism that keeps all query data (and metadata) within cryptostorm exclusively.

12. We deploy nodes in commodity datacentres that are themselves stripped of all customer data and thus disposable in the face of confirmed attacks on their kernel integrity. We have in the past “downed” such nodes based on alert from onboard systems and offsite, independently maintained kernel logs that confirmed a kernel-level violation was taking place. It is important to note that such “downing” does not explicitly require us to even have physical (or root) control of the machine in question: we push nameserver updates, via our HAF (Hostname Assignment Framework) out via redundant, parallel channels to all connected members and by doing so we can “offline” any node on the network within less than 10 minutes of initial commit.
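An added example (not cryptostorm's code) that sorts host-side flow records into the DNS leak paths listed in answer 10 above: queries to a LAN resolver such as the router, Teredo-carried queries, and in-tunnel queries to a resolver other than the VPN's. The flow record layout, interface names and every address are constructed assumptions; only port-53 DNS is examined, and queries a router originates itself never appear in a host capture.

```python
"""Classify captured flows by DNS leak path. Added example with constructed data."""
import ipaddress
from collections import Counter

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo addresses (RFC 4380)
TEREDO_PORT = 3544                                  # Teredo server UDP port
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(flow, tunnel_if, vpn_resolvers):
    """Label one flow. flow keys: iface, src, dst, proto, dport."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    off_tunnel = flow["iface"] != tunnel_if

    # Teredo wraps IPv6 in UDP, so DNS inside it never shows up as port 53
    # on the physical interface; the encapsulation itself is the signal.
    if off_tunnel and flow["proto"] == "udp" and flow["dport"] == TEREDO_PORT:
        return "teredo-tunnel"
    if flow["dport"] != 53:
        return "not-dns"
    # DNS sourced from a Teredo address is leaving over that IPv6 path.
    if src.version == 6 and src in TEREDO_PREFIX:
        return "teredo-dns"
    if off_tunnel:
        on_lan = dst.version == 4 and any(dst in net for net in LAN_NETS)
        return "off-tunnel-lan-resolver" if on_lan else "off-tunnel"
    # Inside the tunnel, but addressed to a resolver the VPN does not run.
    if dst not in vpn_resolvers:
        return "in-tunnel-foreign-resolver"
    return "ok"


def leak_report(flows, tunnel_if, vpn_resolvers):
    """Return (Counter of labels, list of flows that are leaks)."""
    labelled = [(classify(f, tunnel_if, vpn_resolvers), f) for f in flows]
    counts = Counter(label for label, _ in labelled)
    leaks = [f for label, f in labelled if label not in ("ok", "not-dns")]
    return counts, leaks


# Constructed capture: tun0 is the VPN interface, 10.8.0.1 the VPN's resolver.
TUNNEL_IF = "tun0"
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}
SAMPLE_FLOWS = [
    # OS resolver path: the only one a "DNS leak" web test exercises.
    {"iface": "tun0", "src": "10.8.0.6", "dst": "10.8.0.1", "proto": "udp", "dport": 53},
    # Query sent straight to the home router on the physical interface.
    {"iface": "eth0", "src": "192.168.1.20", "dst": "192.168.1.1", "proto": "udp", "dport": 53},
    # Application with a hard-coded resolver, sent in-tunnel.
    {"iface": "tun0", "src": "10.8.0.6", "dst": "198.51.100.53", "proto": "udp", "dport": 53},
    # Teredo encapsulation leaving the physical interface.
    {"iface": "eth0", "src": "192.168.1.20", "dst": "203.0.113.10", "proto": "udp", "dport": 3544},
    # IPv6 DNS query sourced from a Teredo address.
    {"iface": "teredo", "src": "2001:0:53aa:64c:0:1234:5678:9abc",
     "dst": "2001:db8::53", "proto": "udp", "dport": 53},
    # Ordinary HTTPS in the tunnel, ignored by the classifier.
    {"iface": "tun0", "src": "10.8.0.6", "dst": "198.51.100.80", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    counts, leaks = leak_report(SAMPLE_FLOWS, TUNNEL_IF, VPN_RESOLVERS)
    for label, n in sorted(counts.items()):
        print(f"{label:28} {n}")
    print(f"{len(leaks)} leaking flow(s)")
```

In this constructed capture the first flow is the one a leak-test website would report as clean, while four other flows still expose queries or carry them outside the tunnel.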

VPNS THAT KEEP SOME LOGS

IPREDATOR

1. We try to store the least amount of data legally possible anywhere. We keep a record of when you logged in for debugging, which happens encrypted and off-site in a different jurisdiction. IP addresses are encrypted and can only be decrypted by non-support staff to ensure a proper process. These are saved for three days. For example, to work around issues where the police ruffles up the support staff a bit to get data for an abuse report.

In the database we only store the details users give us on sign-up and a limited backlog of basic payment information (no PSP processor TX-IDs). We do not run a ticket system, all support emails are deleted after 3 months. Inactive accounts are deleted after 3 months. We do not track you on our website or keep any website logs. We do not rent servers and have control over our network infrastructure. Our primary objective is to protect your anonymity from legal abuse, but not to cover up ethically serious crimes. As stated in the past we are open to an audit of our infrastructure and processes by a trustworthy 3rd party.

2. We only operate servers in Sweden. This includes understanding jurisdictional limitations and engineering our environment according to them, not making claims we cannot hold when things get serious. Offenses penalized by anything less than prison time do not qualify for such a request.

For a valid request IPredator then has to hand over the subscription information entered by you, which is all that we are required to do.

3. We only use email to handle abuse related support issues. If a user decides to abuse one of our machines for a DOS attack we use rate limiters on the switches to mitigate this. So far no other tools are needed to deal with abuse. Abuse cases that are not covered by that are forwarded to the BOFH.

As long as the BOFH does not wake up or considers the abuse to be substantial all is fine. Imagine Bilbo wading through Smaug’s gold. Once awake anything can happen … (in terms of mitigation)

4. No, since those systems tend to be data graves and we do not trust 3rd parties with our users data.

5. The staff forwards them to the BOFH. Notices sent via paper are usually converted into energy by combustion … to power the data center in the basement where the BOFH lives. Digital SPAM^WDMCA notices are looped back into the kernel to increase the VPNs /dev/random devices entropy.

6. Please see 2).

7. Yes we do, for the newest canary see here.

8. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite on the contrary. We believe our role is to provide a net-neutral access.

Every user is free to share his/her/its files. We are conservative people and firmly believe in the heritage of our society, which was built upon the free exchange of cultural knowledge. This new age patent system, and the idea that we need companies who milk creators are simply alien to us.

Imagine the world going to hell tomorrow … how much will be lost if we do not make sure that there are backup copies. In kopimism we firmly believe that to copy is one’s sacred birth right. After all we are all imperfect copies of our parents. The act of copying is natural … without it we would not be here in the first place …

9. We offer PayPal, Bitcoins, Payza, and PaySon fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney, Amazon Giftcards, Cash and Credit Cards on request. An internal transaction ID is used to link payments to their payment processors. We do not store any other data about payments associated with the users account.

10. At the moment OpenVPN with Elliptic Curve Cryptography (brainpoolP512r1 curve), ephemeral Diffie-Hellman key exchange, and AES 128/256 along with seems to be the best default choice. In our current default VPN configurations we encourage the use of TLS 1.2, but we provide backwards compatibility in case certain VPN clients have issues with such configurations. Other configs are available on request. We also provide guides on how to limit traffic to just the VPN connection and provide different DNS servers for the occasion: Public resolvers and internals for use when connected to the VPN, since lately there is also the possibility of using DNScrypt if you are into that.

11. We do provide our own DNS servers and also separate between public resolvers and those only accessible from inside the VPN.

12. We run our service on our own hardware and have complete control over our network. There are no third parties involved in our setup which is run out of Sweden.

Ipredator website

TIGERVPN

1. Since hundreds of people share the same IP, our accounting data (start time – end time, & generated Traffic) does not allow any further breakdown. We save those records for 3 days (in line with our 3 day money back guarantee) and only keep the traffic per month value until the next billing cycle starts.

2. Tiger At Work is a Limited Liability Company with operation in Slovakia.

3. We don’t use any tools for monitoring or mitigation.

4. We use Freshdesk as Support Software, however no data is stored in that 3rd party app as it’s a read only tool for us. E.g. when a customer submits a ticket via our App we reply and he gets that message within the app. The only thing stored in the “cloud” is the conversation itself. We aim to keep all data inhouse, which is what we did for hardware, software and infrastructure.

5. We’ve never received a DMCA takedown notice, however, our architecture won’t allow us to single out a customer. We hope that our premium product does not attract too many “issues” and we hope that our customers keep within the safe range.

6. This has never happened, so let’s not paint the devil on the wall.

7. As we can’t single out our customers, we can’t notify or warn them.

8. We usually allow torrents, but not in Amsterdam and the US.

9. We are one of the few PCI compliant merchants, so we can handle all payment data for credit card transactions ourselves on our own servers. Meaning that we don’t use tools like Chargify or other POS systems. We only save a token which is a system to system key and it does not link any card data to our customers. A similar token system is used with PayPal, but here the payment is processed with them. We also allow Bitcoin transactions, that’s the ultimate secure payment source, we also roll out prepaid cards which you will be able to buy in shops and internet cafes in cash soon.

10. Our Apps are set per default in OpenVPN mode, which is the algorithm we approve and recommend. Our Win + Mac + Android apps are equipped with kill switch functionality, however we need to fine tune them a bit over the next couple of weeks.

11. Yes we use our own DNS servers

12. We are in full control of our equipment, hardware and upstream. We operate 55 locations in 40 countries from Australia to Emirates, HongKong to Denver, London to Serbia. We have a lot of locations covered.

tigerVPN website

SWITCHVPN.TO

1. SwitchVPN does not monitor, record, store any kind of users activity or IP addresses so it’s impossible to pinpoint any user at any time.

SwitchVPN uses Shared IP address, which means the same Public IP is being used by other users too making it further impossible to track any user. In order to maintain our top notch service, troubleshoot any performance issues and protect the service from getting abused, we log only the duration of VPN connections, bandwidth consumed and VPN server connected. This by no means allow us to match an IP address and a time stamp. These logs are regularly recycled and destroyed automatically.

2. SwitchVPN operates under Indian jurisdiction.

3. We have firewalls and filters in place to block spamming and filters on US servers to block P2P activity to prevent DMCA notices.

4. We use Zopim Live Chat for Live Support and Ticket system.

5. SwitchVPN does not keep logs and assigns its customers with Shared IP address which makes it impossible to individually identify an individual with copyright abuse or other online activity.

6. As we do not hold any logs and also we use shared IPs, it’s impossible to identify any user at any time.

7. We are an Indian-based company, so not applicable.

8. We allow BitTorrent on all servers except VPN servers based in US. However we request our clients to use Netherlands, Romania, Russian and other servers which tolerate P2P and are specially optimized for P2P usage.

9. We accept all the leading payment methods like Bitcoin, Perfect Money, PayPal, Credit Card, PaySafeCard, Skrill, WebMoney and AliPay.

10. We recommend our clients to use OpenVPN with 256 AES, 2048bit RSA, SSTP ( 2048bit Encryption) and L2TP Over IPsec which also uses 256bit AES Encryption for most secure VPN connection

11. Yes, we have started implementing our own DNS Servers on some of our servers which is in beta and we would apply it on all of our servers in future.

12. We have full control over our VPN Servers and network. We own our hardware with multiple datacenters and we only outsource servers where there is complete privacy and no logging. We have servers located in 29 Countries ie. USA, United Kingdom, Germany, Netherlands, Canada, Sweden, Czech Republic, Singapore, Malaysia, Hong Kong, Latvia, Luxembourg, Switzerland, France, Italy, Romania, Russia, Japan, Belgium, Spain, Denmark, Poland, Australia, Brazil, Ireland, Iceland, India, Chile and Austria.

SwitchVPN.to website

VPN UNLIMITED

1. We do not keep the logs of the websites our customers visit, we only store the data related to the amount of traffic downloaded by the user. This information is available to be viewed in his account only. Also, it is crucial to point out that every time a customer logs into VPN Unlimited, the system assigns dynamic IP-addresses. They are not static and there is no way that we can log the exact IP-addresses or particular time stamps of VPN Unlimited customers.

2. VPN Unlimited is owned by a New York-based company, Simplex Solutions Inc.

3. As we have mentioned before, we do not keep any visited websites but we keep traffic data logs. However, if we notice any spam related activities or other illegal actions, the user’s account will be blocked without any extensive or preliminary warning.

4. Our support team uses Zendesk to address the issues from our customers, but we do not store or give the users’ personal information to third parties.

5. All our servers are located in datacenters, operated under jurisdictions of countries they are located in. We use Bittorrent and SMTP traffic filters to minimize such threats. But in any case, we do not provide information about our customers to copyright holders or any other third parties.

6. To this date, we have not received any court notices; therefore, no actions were done. As we do not log any of the customers’ information or session data, VPN Unlimited customers are protected by legal definition. Also, there are consumer protection laws in the US that can be used to protect our customers too.

7. We do not have any system such as a “warrant canary” for our users. There has been no situation that has required such measures.

8. The primary goal of VPN Unlimited is not to download torrents, but to offer online security. There are limited cases when our technical team had to decrease the connection speed because of torrenting.

9. We accept PayPal payments as our primary payment system as well as using your Apple or Amazon ID account from the Purchasing tab inside the app. Soon we will be able to accept Bitcoins and process the payments via some national payment systems. We ensure that all the mentioned above payment system offer 99.99% security.

10. VPN Unlimited uses the best security options via a high level of data encryption. The most secure VPN connection and encryption algorithm lies in transmitted data through iOS or Mac OS X’s built-in IPSec client using strong AES-CBC-128 encryption. Windows users are protected with the use of AES-256 with SHA1 and OpenVPN protocol. We are working on such tools as “kill switches” and plan to implement them into VPN Unlimited in one of the upcoming updates.

11. We use our own DNS servers that forward domain data from Google DNS. Forwarding makes any kind of user tracking impossible, but Google DNS is uncensored, fast and stable.

12. We rent our servers from numerous well-known companies like LeaseWeb, OVH, RedStation, ServerCentral, IBM SoftLayer, etc. Servers are located in 13 countries which are: Canada, France, Germany, Luxembourg, Netherlands, Romania, UK, USA, Panama, Hong Kong, Singapore, Japan, Ukraine and Finland.

VPN Unlimited website

FACELESS

1. For each user we keep only number of sessions, and bandwidth use (uploaded and downloads). Those logs are kept for one week. It is possible to match an IP and time stamp during one day.

2. The company operates under Cyprus jurisdiction.

3. There are no specific tools. We just react on any possible reports from our hosting provider.

4. No. We use our internal server email system for supporting our customers.

5. We block an activity for an IP and a port specified in the notice.

6. We will provide an email address and logs we physically have at the time an order arrives. It will be done only if the order is in force in the country where the server is located.

7. No, we don’t have any kind of warrant canary.

8. Yes, file-sharing traffic is allowed on all our servers.

9. VISA, MasterCard, and PayPal via Plimus.com. Payments are linked to user accounts via order IDs.

10. We recommend RSA-1024. It’s more than enough for everybody. Nobody will be able to decrypt it before the whole universe collapses.

11. No, we use Google public DNS.

12. They are hosted by a third party: Leaseweb, IWeb and Infobox in the USA, The Netherlands and Russia.

Faceless website

BLACKVPN

1. Yes we keep connection logs which contain the time of connection and the internal IP address assigned. This information is kept for 7 days on our Privacy VPNs and 30 days on our TV VPNs (USA, UK & Singapore). We NEVER log a user’s real IP address, only the shared BlackVPN IP address they were assigned.

2. BlackVPN operates under the jurisdiction of Hong Kong which has no mandatory Data Retention laws. This helps to impede the requests from international law enforcement and spy agencies like NSA/GCHQ. China is not interested in policing the internet outside its Great Firewall and does not interfere with Hong Kong in this regard.

3. Since we do not monitor or log any VPN activity we have no internal tools for detecting abuse on our VPN servers. Instead we respond to abuse complaints from 3rd parties (which usually contain a hostname/IP + port) by temporarily blocking access to that hostname/IP or port.

In rare cases we may monitor a specific IP/port that is being abused via the traffic going through our VPN firewalls (using iptables) in order to warn or ban the offending user. The last time this happened the user responsible found that their computer was infected with malware which was causing the abuse without their knowledge.

4. We run our own mail servers for @blackvpn.com, host our own support systems (osTicket and Live Helper Chat – which have both been configured not to log IPs), plus host our own website analytics (Piwik). We use a 3rd party email service only for sending generic emails in bulk (such as security alerts, renewal reminders, updates from blackVPN, etc.) which contain no identifying information. We also use a 3rd party system for our blog (medium.com/@blackVPN) and of course our social media.

5. On our Privacy VPNs these are ignored because they are located in countries which do not enforce DMCA notices (or equivalent copyright alerts). On our TV VPNs we warn any customers who were sharing that IP address at the time and will ban repeat offenders from the TV VPNs.

6. To identify an active user of our service we legally require a valid court order from a Hong Kong court. So far this has never happened. We have received requests from various international law enforcement agencies asking us to assist them, however our response has always been to ask for a valid court order from Hong Kong. Recently we were asked by Hong Kong police to come to Hong Kong in person to make a statement regarding an investigation by the UK authorities. With the help of the EFF we found new legal counsel in Hong Kong who quietly resolved the issue with the Hong Kong police, resulting in the UK authorities withdrawing their request. Any future requests from international authorities will be handled by our lawyers in a similar way.

7. Hong Kong does not have an equivalent to America’s NSLs and is unable to legally issue a gag order. Since none of the BlackVPN team are in Hong Kong it’s difficult for them to intimidate us that way.

We do not have a warrant canary as we’ve never seen one used effectively. In the worst case scenario we would simply “do a Lavabit” and hit the kill switch to shutdown all our systems until the authorities or the offender went away.

8. Yes it is allowed on our Privacy VPNs but not allowed on our TV VPNs (USA, UK and Singapore). Extreme pressure is being applied to the network providers in these countries to minimise copyright infringement so if we don’t take action our servers will soon get cut off.

9. We accept PayPal, Credit Cards (via CardPay) and Bitcoin (via BitPay). All payment information is stored by our payment providers and is linked to a blackVPN account via their own transaction IDs.

10. OpenVPN is the only protocol that can be considered secure after recent leaks show the NSA can decrypt PPTP and IPSec protocols (source). Since our beginning in 2009 all openVPN connections have been forced to use the AES-256-CBC cypher for maximum security and after the recent Heartbleed bug we switched to new 4096-bit Diffie-Hellman keys too. We encourage the use of open source software such as OpenVPN and Tunnelblick, neither of which have a kill switch or DNS leak protection. Our VPN routers use firewall rules to only allow internet access while the VPN connection is established, which is a more reliable solution than a “kill switch”.

11. Yes we run our own DNS servers however we use censurfridns.dk (which does not log or censor DNS queries) as a DNS forwarder.

12. We do not have physical control over our VPN servers and network since we lease bare-metal dedicated servers in various data centres around the world for our VPNs and infrastructure. Management of these servers is performed ONLY by the blackVPN founders – no employees of the company have access to the VPN servers or infrastructure. Our VPN servers are located in the USA, UK, Canada, Netherlands, Switzerland, Luxembourg, Estonia, Lithuania, Russia, Ukraine, Panama and Singapore. Other infrastructure servers (such as databases, mail servers, etc) are hosted in places with strong privacy protection laws such as Iceland, Switzerland or the Netherlands.

BlackVPN website
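BlackVPN's answer 10 above describes firewall rules that only allow internet access while the VPN connection is established. One way to build such fail-closed rules on a Linux host, added here as an example and not BlackVPN's own configuration; the server address 198.51.100.10, port 1194/udp, interface `tun0` and both function names are assumptions:

```shell
#!/bin/sh
# Added example (not BlackVPN's rules): fail-closed firewall for a Linux VPN client.
# Constructed placeholders: 198.51.100.10 (documentation address), 1194/udp, tun0.

# killswitch_rules4 SERVER_IP PORT PROTO [TUN_IF]
# Prints an IPv4 ruleset in iptables-restore format on stdout.
killswitch_rules4() {
    server_ip=$1; port=$2; proto=$3; tun_if=${4:-tun0}

    # Shape checks: the server must be a literal dotted quad. A hostname would
    # need a DNS lookup outside the tunnel, which is the leak being prevented.
    case $server_ip in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "bad server address" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad server address" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    case $proto in
        udp|tcp) ;;
        *) echo "bad protocol" >&2; return 1 ;;
    esac
    case $tun_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac

    # Default policy is DROP on every chain. The only traffic allowed onto the
    # physical network is the tunnel's own transport to the VPN server;
    # everything else must leave through the tunnel interface. When the tunnel
    # goes down the interface disappears and nothing else matches an ACCEPT.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
-A INPUT -i $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $server_ip/32 -p $proto --dport $port -j ACCEPT
-A INPUT -s $server_ip/32 -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# killswitch_rules6
# Prints an IPv6 ruleset that drops everything except loopback, so an
# IPv4-only tunnel cannot be bypassed over IPv6.
killswitch_rules6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Run as a script: ./killswitch.sh 198.51.100.10 1194 udp tun0 | iptables-restore
if [ "$#" -ge 3 ]; then
    killswitch_rules4 "$@"
fi
```

Load the output as root with `iptables-restore` and `killswitch_rules6 | ip6tables-restore`. Because the rules do not depend on a client process noticing the disconnect, traffic stays blocked even if the VPN client crashes.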

ANONYMIZER

1. Anonymizer does not log ANY traffic that traverses our system, ever. We do log when a user connects, and the IP address they connected from (which is needed for customer support and to ensure system optimization), but that log purges every 24 hours. We don’t log when users disconnect, how much data they used, where they went, at any time, ever. We would also like to point out that all of our customers exit out and share the same IP, which changes on a daily basis, and we don’t even track that. If asked what IP we used last week, we wouldn’t have any way to know for certain.

2. Anonymizer Inc. operates under US jurisdiction. The US is still one of the best countries to operate privacy services out of due to a lack of mandatory data retention laws.

3. We can’t. We don’t monitor or log traffic or user activity. When we receive reports of abuse, we have no way to isolate or remediate it because we don’t monitor.

4. Anonymizer uses a ticketing system for support tracking but does not request verification of a user actually having access with us unless it is needed specifically in support of the ticket. Anonymizer uses a bulk email service for our email marketing system but does not store any details about the users account beyond their email address.

5. Since Anonymizer does not log any traffic that comes over our system, we have nothing to provide in response to DMCA requests. None of our users have ever been issued a DMCA take down notice or the European equivalent. We’re over 18 years old now, and if not the oldest service out there, certainly one of the oldest, and we’ve never turned over information of that kind.

6. Anonymizer Inc. only responds to official valid court orders in which we comply with information that we have available. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated to service use. If a user paid by credit card we can confirm that they purchased access to our service only. There is, and would be, no way to ever connect a specific user to specific traffic. There have been instances where we did receive valid court orders and followed our above procedures. We have never identified details about a customer’s traffic or activities.

7. Anonymizer does not use a warrant canary or similar solution to gag orders as we feel they are largely ineffective and offer a false sense of security.

8. Any traffic is allowed on our servers. Due to not logging or monitoring any traffic it would be impossible for us to know if any user were to be engaging any specific kinds of activity on our service.

9. Anonymizer Inc. uses a payment processor for our credit card payments. There is a record of the payment for the service and the billing information associated to the credit card to confirm the service has been paid for. We also offer Cash and will soon offer crypto-currency options to include Bitcoin. Cash payment options do not store any details (e.g. Billing address and customer name) of the transaction beyond the account username and the service being paid for by cash; there is no way for us to connect an individual to a specific account.

10. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP, which is IPSEC. Anonymizer’s client software has the option to enable a kill switch that prevents any web traffic from exiting your machine without going through the VPN.

11. Yes, we operate our own DNS.

12. We own ALL our hardware, and have full control of our servers. No third party has access to our environment. We don’t leverage VPS or third party hosts, which we feel would be compromising our customer’s security.

Anonymizer website

IRONSOCKET

1. We keep limited session logs for all of our services which include VPN, HTTP, SOCKS5 and Smart DNS Proxy. Session logs record the time and date of the user’s session connection and disconnection, the IP address used for the session, and a numerical representation of how many bytes were transferred. These logs are typically kept for 72 hours, usually less, after which they are purged. The main reason we retain this data is to prevent fraud and abuse. Since we use Shared IPs on our servers, and do not log activity, it is very hard, if not impossible, to know what a user is doing.

2. We operate under the laws of the SAR of Hong Kong, which has no data retention law whatsoever.

3. For reasons of security, we don’t disclose our exact security systems and processes. Additionally, we do not monitor what activity users do when using our services, regardless of the service used (VPN, HTTP, SOCKS5, Smart DNS Proxy).

4. No. We do not use any external email providers. We also do not use any third party support tools. We utilize Facebook and Twitter as a means of social contact with users and we provide light support for general questions however any account specific issue must go through our ticket system. At no time do we ever link a user’s social media account to an IronSocket account.

5. IronSocket is not subject to the DMCA or its European equivalent. We do NOT host any user uploaded content on any of our servers. While IronSocket is not subject to DMCA, some of our hosting partners are. If they receive and escalate a DMCA notice to us, we reply to the provider that we do not log our user’s activity, we utilize shared IP addresses, and it is next to impossible to determine any activity of our users. We then confirm P2P is not being used on servers where P2P is not allowed.

6. We cooperate with proper legal processes valid under Hong Kong jurisdiction. The first step is to determine the validity of the court order, and if valid, determine if we have any data available to identify the active user of our service. Because of our privacy policy, terms of service, and anonymous payment methods, it would be almost impossible to identify any user engaging in any specific activity while using any one of our services. This situation has never happened.

7. As of February 2015, IronSocket has never been compelled by court order, secret or otherwise, to share any business or customer information with any government or law enforcement agency. We do not currently have this posted on our website but it will be included in our transparency report section which is scheduled to be published to our website later this year.

8. We allow Torrent/P2P file-sharing traffic on specific servers that have been optimized for file sharing performance. The list of servers that allow P2P file sharing can be found here. We do not allow BitTorrent/P2P on all of our servers due to the legal pressure on the data centers we use in the US, UK, Canada, and other countries.

9. We accept payments in cash, credit cards via PayPal, Bitcoin via BitPay and gift cards via PayGarden. We do not retain specific payment information, such as credit card information, linked to individual user accounts. That is maintained by the payment processor, not us. If you wish to pay in an anonymous fashion we recommend paying by cash, Bitcoin, or gift card. These methods provide the highest levels of anonymity for users.

10. We recommend the IronSocket VPN network; based on OpenVPN, a full-featured SSL VPN. Our users are given the encryption options of Strong, Light and None. We recommend using the default Strong encryption setting, which utilizes AES 256-bit Data Encryption with SHA256 Message Authentication, using a 4096-bit key for secure authentication.

11. Yes, we use our own DNS servers. We currently provide DNS servers in 8 different regions for increased redundancy and improved query speeds. We push our own DNS server IP addresses to our VPN clients.

12. Our global network of VPN and Proxy servers are all self-managed and are hosted in a number of third party datacenters. We vet all datacenter relationships prior to engaging in business, and regularly re-evaluate them to assure security practices, personnel, and policies are established, trained, and enforced. We have servers located in the following countries: Argentina, Australia, Brazil, Canada, Cyprus, Denmark, Egypt, France, Germany, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Panama, Philippines, Romania, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Ukraine, United Kingdom, and United States.

IronSocket website

VPN.AC

1. We keep connection logs for 1 day to help us in troubleshooting customers’ connection problems but also to identify attacks (e.g. bruteforce). This information contains IP address, connection start and end time, protocol used (including port) and amount of data transferred.

2. Our company has been incorporated in Romania since 2009. Data retention has been declared unconstitutional in our country and even before the Constitutional Court’s decision, it did not apply to VPN service providers.

3. We do not monitor traffic. We monitor bandwidth usage per server but that’s a different topic. Abuse issues are solved effectively by adding firewall rules on-the-fly, even automatically, without monitoring or logging actual traffic.

4. Support (ticketing, livechat) is operated in our own environment. Email is not used to transmit information provided by users, such as part of ticketing conversations. We only provide a notice that a reply has been made and is available in our online ticketing system, after logging in. We also don’t use any 3rd party tracking services like Google Analytics. Backups, APIs and everything else related to our service are hosted in our own environment and we make use of strong encryption for storing them.

5. We are handling DMCA complaints internally without involving the users (i.e. we are not forwarding anything). We use shared IP addresses so it’s not possible to identify the users.

6. It never happened. In such event, we would rely on legal advice.

7. No. We may consider using one at a later date, but at this moment we believe its effectiveness and legality are questionable, and we don’t want to have one just as “yet another feature” for marketing & PR purposes. Having a warrant canary or not, the customer still has to trust the provider for using the service.

8. Yes, it is allowed.

9. Mostly PayPal, bitcoin, credit/debit cards, pre-paid cards (including anonymous vouchers).

10. OpenVPN using Elliptic Curve Cryptography for Key Exchange (ECDHE) is used by default in most cases. We also provide support for ECC keys (secp256k1) and RSA-4096, SHA256 and SHA512 for digest/HMAC. For data encryption we use mostly AES-256 and AES-128. Yes, we provide tools and instructions for setting up “kill switches” and solving DNS leaking issues.

11. We use our own DNS resolvers, outside of USA for good reasons. We also generate millions of DNS queries artificially on a daily basis and they are mixed with the queries coming from users.

12. We have physical control of our servers in Romania. In other countries we rent or colocate our hardware. We have some measures in place to prevent and alert us in case of unauthorized physical access – but that’s realistically limited, though. Some of the hosting providers we host with are LeaseWeb, Voxility, Private Layer, Softlayer, UK2, QuadraNet, Root SA, Ecatel, NForce, Sweden Dedicated, OVH, Online.net in the following countries: Netherlands, Germany, Romania, Luxembourg, Switzerland, Sweden, France, USA, Canada, UK, Mexico, Japan, Australia, Singapore and Hong Kong.

VPN.ac website

SEED4.ME

1. We do not analyze or DPI traffic. We also do not keep logs on VPN nodes. General connection logs are stored on a secure server for 7 days to solve network issues if there are any. These logs are deleted after seven days if there are no network problems.

2. Taiwan. We are not aware of any legislation requiring us to share client information and we are not aware of any precedents in Taiwan where client information was disclosed. We do not hold much information anyway. On the other hand, we do not welcome illegal activities which potentially harm other people.

3. We use simple firewall rules to block peer-to-peer file sharing on servers where the DMCA applies. Still, users can use torrents in Russia and Ukraine.

4. Currently we utilize Google Apps. We do not store any sensitive information there, only support issues.

5. In case of abuse we null route the IP to keep ourselves in compliance with the DMCA. Currently we use simple firewall rules to block torrents in countries where the DMCA applies.

6. We will act in accordance with the laws of the jurisdiction, only if a court order comes from a jurisdiction where the affected server is located. Fortunately, as I said before, we do not keep any logs on VPN nodes, on the other hand – we do not encourage illegal activity. This has never happened.

7. No.

8. Yes, torrents are allowed in Russia and Ukraine.

9. We accept Bitcoin, PayPal, Visa, MasterCard, Webmoney, Yandex.Money, Bank transfer and In-App purchases in our iOS App. We do not store sensitive payment information on our servers, in most cases payment system simply sends us a notification about successful payment with the amount of payment. We validate this data and top up the VPN account.

10. L2TP (2048 bit) for Desktop and 2048 bit IPSec in our App will be a good choice. Our App (https://bitly.com/seed4me) has an Automatic protection option that guarantees, for example, that all outgoing connections on open Wi-Fi will be encrypted and passed through a secure VPN channel. We don’t provide a kill switch for Desktop. We are still compatible with free software that prevents unsecured connections after the VPN connection goes down.

11. We use Google and users can override these settings with their own.

12. We have VPN clusters in the US, UK, Hong Kong, Singapore, Russia, Netherlands and Ukraine. All servers are remotely administered by our team only, no outsourcing. No data is stored on VPN nodes (if the node is confiscated, there will not be any data). We prefer to deal with trustworthy Tier-3 (PCI-DSS) data centers and providers to ensure reliable service with high security.

Seed4.me website

BLACKLOGIC

1. We keep logs only for payment fraud prevention reasons. We do not monitor what our clients do online. We keep port mapping logs for 72 hours.

2. Canada

3. SMTP/S ports are closed. All ports which could be used for P2P are closed on the US servers. Port mapping logs can trace back to the specific user account.

4. We have our own email system, and don’t outsource email hosting. For online chat we use Zopim.

5. The port in question is closed for 48 hours.

6. We know our clients and don’t accept any suspicious clients. No court orders were ever received.

7. As mentioned above, we haven’t received any court orders since 2007.

8. We don’t allow P2P on American servers. Other servers are still fine.

9. Credit Cards, PayPal, WebMoney and Western Union.

10. OpenVPN (256 symmetric AES encryption, and 2048 bit certificates). VPNWatcher app is one of the recommended tools for “kill switches.”

11. Yes, we have our own DNS servers.

12. All Canadian VPN servers are owned and controlled by our company. Other servers are dedicated servers rented from multiple datacenters.

Blacklogic website

IBVPN

1. We do not spy on our users and we don’t monitor their Internet usage. We do not keep logs with our users’ activity. However, in order to avoid abuses that may occur during the 6-hour trial we record and keep for 7 days the time, date and location the VPN connection was made, connection duration and bandwidth used during the connection.

2. We are located in Romania, which means we are under EU jurisdiction.

3. Due to security concerns and in order to avoid servers’ attacks, we cannot disclose these tools.

4. We do not use external e-mail providers. To provide quick support and a user friendly service experience, our users can contact us via live chat but activity logs are deleted on a daily basis. There is no way to associate any information provided via live chat with the users’ account.

5. So far we have not received any DMCA notice or other European equivalent for any P2P server from our server list. For the rest of the servers, we have filtering systems that prevent P2P and file sharing activities in order to protect us and our users from DMCA notices. In case such a notice is received we simply reply that measures have been taken in order to prevent future abuses.

6. As stated in our TOS, we do not support criminal activities, and in case of a valid court order we must comply with EU law under which we operate and provide the limited information we may have. It would be illegal not to. So far, however, we have not received any valid court order.

7. As we are located in the EU we do not have a warrant canary or a similar solution to alert customers to gag orders.

8. We allow BitTorrent and other file-sharing traffic on specific servers located in the Netherlands, Luxembourg, Sweden, Russia, Hong Kong and Lithuania. Based on our legal research, we consider that it is NOT safe for our users to allow such activities on servers located, for example, in the United States or United Kingdom.

9. We accept various payment methods like Credit cards, PayPal, prepaid credit cards, Payza, SMS, iDeal, Ukash, OOOPay and many more. Payments are performed exclusively by third party processors, thus no credit card info, PayPal ids or other identification info are stored in our database. For those who would like to keep a low profile we accept BitCoin, LiteCoin, WebMoney, Perfect Money, PaySafeCard, CashU, Ukash.

10. The most secure VPN connection is Open VPN, which provides 256 bit Blowfish algorithm encryption. Yes, Kill Switch has been implemented with our VPN Clients. When enabled, the Kill Switch closes all applications (that are running and have been added to the Kill Switch app list) in case of an unwanted VPN disconnection.

11. At this time we use a combination of public and private servers. To improve our service, we have started the process of switching to our own DNS servers (few months ago) and our goal is to complete this process by the beginning of March.

12. We do not have physical control over our VPN servers, but we have full control over them and all servers are entirely managed personally by our technical staff. Admin access to servers is not provided for any third party.

ibVPN website

VPN BARON

1. Our users share the server IPs making it impossible to link any user to a particular action. On the server, no traffic logs are recorded. We monitor only the number of simultaneous user connections on our network as a whole, and do not link the user to a particular server. This helps us avoid infinite simultaneous connections from a single user.

2. We’re under Romanian jurisdiction, inside of the European Union. EU takes privacy issues more seriously than the US, as many already know.

3. We’ve implemented strict firewall/traffic shaping rules on our Linux servers in order to avoid abuses. If any abuses go through, we just add a new rule that deals with the new issue. This security does not affect the regular VPN usage in any bad way.

4. Our VPN network is separated from the administrative part. As any service that deals with customers, we use emailing software that uses our local server (not a 3rd party server). The information that can be provided by/to users has no incriminating value, being mostly standard OpenVPN troubleshooting, install help and various enquiries.

5. None of our users have ever been issued a DMCA notice, being unable to detect which user has caused it due to our no traffic logging policy. On our end, if the issue is persistent and our server provider insists that we deal with it, we wipe that particular server and replace it with a new one from a different provider. Rinse and repeat.

6. This didn’t happen so far. Court orders usually imply something serious and we’re requested by law to assist. We don’t have much to offer. We can answer if a particular email address name (could not be a real name, we don’t check) has an active account on our administrative part.

7. We do not. As we haven’t received any warrants or court orders there was no need. However, we’ll certainly do our best to protect our users.

8. Yes. All P2P traffic is allowed.

9. We use Bitcoins, PayPal and Credit Cards (processed by PayPal). Again, the administrative part is very separated from our VPN service. With each paid invoice the administrative part updates the subscription’s expiration date on the VPN service. We recommend using Bitcoins for the most anonymity a payment method could offer. Bitcoin payments cannot be traced to a particular individual.

10. OpenVPN protocol offers by default excellent security on any type of encryption, and after a certain point, adding more encryption has diminishing returns while making a huge impact on user’s internet speed. It makes little difference if a package is cracked in 10,000 years or 20,000 years. We currently use by default BF-CBC 128 bit key, TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA. In the future update, we’re allowing users to select their preferred type of encryption. We regularly check for DNS leaks. If the VPN connection drops, all traffic will be halted.

11. We’re using Google DNS. It’s fast, secure and Google does a great job keeping it safe against any type of attacks. There is a huge list of Security Benefits on their page that might be of interest to anyone who’d like to find out more.

12. We’re big fans of cloud servers. They can be created or destroyed in seconds. We feel that the ease of replacing a server is essential to any privacy service, adding an extra bump to anyone trying to track the activity of our users. Our servers are located in the US and Europe and our main providers at this time are Digital Ocean and Vultr.

VPN Baron website

ACEVPN

1. We do not log established accounts nor log traffic. We respect their privacy. We do not store any personal information on VPN servers. IPs are shared among users and our configuration makes it extremely difficult to single out any user. To mitigate abuse and fraud, we log time of connect and disconnect for new signups from certain IP ranges. This information is purged after two weeks.

2. We are registered in the US.

3. We use a proprietary pattern and rules based risk management system to screen for fraud and to mitigate abuse.

4. We use Google apps for email. Emails are deleted regularly.

5. If we receive DMCA takedown, we block the port mentioned in the complaint. IP’s are shared by other users and our configuration makes it extremely difficult to single out any user. We do not share any information with 3rd parties.

6. To date we have not received a court order. We only store billing information which the payment processor or bank or credit card issuer has.

7. We publish a transparency report quarterly.

8. We have special servers for P2P that are in datacenters that allow such traffic. These servers also have additional security to protect privacy when P2P programs are running. There are several legal uses of P2P.

9. We use Paypal, Google, Stripe and Square for processing payments. We store billing information on a secure server separate from VPN servers and do not store any financial information.

10. For high security needs we suggest using our IPSEC IKEv2 VPN. Our IPSEC IKEv2 VPN servers use Suite B cryptographic algorithms. Yes, we do provide kill switches if a connection drops. Our servers are tested for DNS leak. Encryption varies depending on VPN protocol. We support the following protocols and encryption. IPSEC IKEv2 – 384 bits ECC (Equivalent to RSA 7680 bits) and AES 256 bit encryption. OpenVPN – We have servers running on port 53, 80, 443, 1194, 8292. RSA 4096 bit and AES 256 bit encryption supported. L2TP VPN – AES 256 bit encryption. Stealth VPN – RSA 2048 bit and AES 256bit encryption. Makes VPN traffic look like https traffic. PPTP VPN – Avoid if you can!

11. We operate our own DNS servers (Smart DNS) for streaming videos. For VPN, we use Google and Level3 DNS.

12. We control our servers and network. We have servers in 18 countries and over 36+ locations / datacenters. USA, Canada, UK, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, Latvia, Luxembourg, Romania, Denmark, Ireland, Hong Kong, South Korea and Australia.

Acevpn website

NOLIMITVPN

1. At NolimitVPN, we have developed a custom activity tracker. We only log the user authentication on the network, the P2P activity and the SMTP activity (to avoid any kind of abuse). The activity tracker is based on “magic IDs” (temporary and rolling IDs) so we are able to match a server IP to a customer account during 48 hours. We do not log the traffic content of our VPN users.

2. We are currently based in Singapore and we plan to move the company to Hong Kong in the near future for more convenience.

3. We have developed custom tools (mainly parsers) based on tcpdump.

4. We use Zopim for the live chat on the website and we use Mandrill to send automatic emails to our VPN users. All other emails are processed through our mail server.

5. At NolimitVPN, we do everything we can to protect the anonymity and the privacy of our customers; in case of a complaint we do not transmit any information. But we warn the user about the complaint and we suggest that he use a private tracker to download torrent files. If too many DMCA complaints are received and if the user has been warned many times (more than 3 times), we can suspend his account (this never occurred).

6. This has never happened. Anyway, if a legal court order is received, we would be forced to give them the logs of our activity tracker. But as mentioned above our activity tracker does not log any legal information (IP address and timestamp) that could be valid for authorities.

7. No.

8. We allow torrents as long as we do not receive a DMCA complaint. If too many DMCA complaints are received and if the user has been warned many times (more than 3 times), we can suspend his account (this has never occurred).

9. We use Stripe but we do not record the billing address on our servers, every information linked to the payment is stored on Stripe servers. We do the maximum to store the minimum information about our customers.

10. Currently we support two protocols, PPTP (with 128bits encryption over MPPE) and L2TP (with 256bits encryption over IPsec). Thus, we recommend using the L2TP protocol (which provides the same encryption level as OpenVPN). We provide our users with a Windows script that automatically connects and reconnects you if your connection drops. We plan to integrate the OpenVPN protocol before the end of the year.

11. We do not have our own DNS for now, instead we use OpenDNS. We plan to integrate our custom DNS before the end of the year.

12. As our company is young (only 1 year old), we currently have two server providers: DigitalOcean and Vultr. We have the following server locations: Netherlands, France, United Kingdom, Germany, Singapore, Japan, United States and Australia.

NolimitVPN website

Is your favorite VPN not listed? Feel free to ask them to get in touch. We will gladly add any VPN provider with limited or no logs and a good privacy policy.

Note: several of the providers listed in this article are TorrentFreak sponsors.


A specialist in the field of cyber security. Has worked at leading companies engaged in protection against and analysis of computer threats. The goal of this blog is to explain, in plain language, the difficult aspects of protecting IT infrastructures and networks.
