TL;DR
VPNs aren’t completely useless if your device is in a country with data retention laws, but their protection is significantly reduced. Choosing the right VPN provider and understanding how they operate are crucial. This guide explains what to look for and how to mitigate risks.
Understanding the Problem
Data retention laws require internet service providers (ISPs), including operators of VPN servers located within those countries, to store user data such as browsing history, IP addresses, and connection times. If a VPN server is based in such a country, the provider could be legally compelled to hand that data over to authorities, even if it has a ‘no-logs’ policy.
Solution: Minimising Risk with VPNs
- Choose a VPN Provider Carefully: This is the most important step. Don’t just pick the cheapest option.
  - Jurisdiction Matters: Select a provider based in a country without mandatory data retention laws or strong government surveillance. Popular choices include Panama, Switzerland, and the British Virgin Islands.
  - Independent Audits: Look for VPNs that have undergone independent security audits by reputable firms (e.g., Cure53, PricewaterhouseCoopers). These verify their no-logs claims and overall security practices.
  - Privacy Policy Review: Read the privacy policy thoroughly. Understand what data they collect (if any), how long they store it, and under what circumstances they might share it.
- No-Logs Policy – What to Look For: A genuine no-logs policy means the VPN provider doesn’t record:
  - Your real IP address
  - Browsing history
  - Connection timestamps
  - Bandwidth usage
  - DNS requests
- Server Location:
  - Avoid Countries with Retention Laws: As mentioned, steer clear of servers in countries that require data storage.
  - Multiple Server Locations: A wider range of server locations gives you more options and flexibility to connect through a jurisdiction you trust.
- Use Strong Encryption Protocols: Ensure the VPN uses modern, secure encryption protocols.
  - WireGuard: Generally considered the fastest and most secure protocol currently available.
  - OpenVPN: A well-established and reliable protocol (use UDP for speed). Avoid older protocols like PPTP, which are known to be insecure.
- Kill Switch Functionality: This is essential.
  A kill switch automatically disconnects your internet connection if the VPN drops, preventing your real IP address from being exposed. Most reputable VPN apps include this feature.
- DNS Leak Protection:
  Ensure your DNS requests are routed through the VPN server and not your ISP’s servers. You can test for DNS leaks using online tools (see Resources section).
- Consider Multi-Hop Connections (Double VPN):
  Some VPN providers offer double VPN, routing your traffic through two separate servers for added security. This makes it harder to trace your connection but can significantly reduce speed.
- Combine with Tor: For extremely high anonymity (at the cost of speed), consider using a VPN in conjunction with the Tor network.
  Connect to a VPN server before connecting to Tor. This hides your real IP address from the Tor entry nodes.
Technical Checks
- Check Your Public IP Address: Before and after connecting to the VPN, verify that your public IP address has changed.

  ```
  curl ifconfig.me
  ```

- DNS Leak Test: Use a website like DNSLeakTest to confirm no DNS requests are leaking outside the VPN tunnel.
- WebRTC Leak Test: WebRTC can sometimes reveal your real IP address even when using a VPN. Test for leaks at BrowserLeaks and disable WebRTC in your browser if necessary (instructions vary by browser).
Resources
- PrivacyTools: https://privacytools.io/ – A comprehensive resource for privacy-focused tools and information.
- VPNMentor: https://www.vpnmentor.com/ – Reviews and comparisons of VPN providers.

