A virtual private network (VPN) prevents your internet service provider (ISP) from seeing what you do online. However, in doing this, it takes over routing your internet connection to the websites you visit, so it can monitor what you do on the internet instead of your ISP.
Unlike your ISP, a reputable VPN service treats protecting your privacy as a core part of its business model. That’s why a good VPN service will go to great lengths to ensure it knows as little about your internet activity as possible. However, the fact remains that you place a great deal of trust in your VPN service, so it’s vital to choose one that’s trustworthy.
- How a VPN works
- What can my VPN see?
- VPNs and logs
- VPNs and mass surveillance
- VPNs and targeted surveillance
- Proton VPN
How a VPN works
A VPN routes your internet connection from your device to a VPN server run by a commercial VPN service such as Proton VPN. The connection between your device and the VPN server is securely encrypted so that no one sitting between your device and the VPN server can see the contents of your data.
DNS queries, which translate human-friendly domain names into the numerical IP addresses computers use, are usually handled by your ISP. But when you connect to a VPN, it routes these DNS queries through the encrypted VPN tunnel and handles them itself.
Your ISP can see that you’re connected to an IP address belonging to the VPN server but can’t see which websites you connect to after that.
This means that connecting to a VPN prevents your ISP from seeing what you do online. And because most government mass surveillance programs rely on requiring ISPs to log their customers’ browsing activity, a VPN is effective at preventing untargeted government surveillance.
What can my VPN see?
When you connect to a VPN, the VPN provider can see the same kind of data that your ISP could see if you weren’t using a VPN, including your real IP address and the websites you visit. Your data is encrypted between your device and the VPN server, but the VPN server decrypts the data as it leaves the VPN tunnel from your device, and encrypts it as it enters the VPN tunnel to your device.
This means that your VPN service can see your unencrypted internet traffic. However, this is not a major concern, as almost all websites and other internet resources use HTTPS, the encryption standard that secures the internet.
HTTPS prevents both ISPs and VPNs from seeing the contents of your data and what you do on websites — including the individual web pages you visit (for example, with HTTPS, your VPN and ISP would see that you’re visiting proton.me, but not that you’re reading this blog post). HTTPS also prevents your ISP and VPN from seeing any data you enter on a web page (such as banking or payment details or your login credentials).
VPNs and logs
Privacy is one of the main reasons why people use VPNs, so unlike ISPs, reputable VPN services take robust measures to protect their users’ privacy. One of the simplest and most effective measures is not keeping any logs that could reveal your online activity or other personal information.
Many countries have laws that require VPN services to keep logs, so VPN services often base themselves in countries with no such laws.
However, you should examine these claims carefully. Many VPN services are legally registered in tax havens that have loose corporate regulation or in places with no logging requirements, but their staff and offices are physically located in countries with much stricter logging requirements.
Whether being based in another country on paper is sufficient to protect these companies from being forced to hand over their logs to their real government when enough pressure is exerted is usually an open question.
VPNs and mass surveillance
In our article on “What is an internet service provider”, we discuss how governments worldwide require ISPs to log their citizens’ internet activity. Surveillance laws often include VPN services in their data retention (logging) requirements, but this is not always the case.
As discussed above, many VPNs base themselves in countries that don’t require them to log their users’ browsing history. As long as such claims are genuine and fully legal, using a VPN is a highly effective way to evade blanket government surveillance.
However, many VPN services are based in the United States. It’s true that in the US, there are no laws that specifically require either ISPs or VPN services to log their customers’ online activities. However, evidence released by NSA whistleblower Edward Snowden shows that the US government uses national security letters (NSLs) on an almost industrial scale to force technology companies to spy on their own users.
Because NSLs are invariably accompanied by gag orders, it’s impossible to know for sure which companies have been served. But it’s entirely reasonable to assume that all or most US-based VPN companies have been targeted (it would be somewhat bizarre if they hadn’t).
VPNs and targeted surveillance
VPN services might not be required to keep logs of their users’ historic internet activity, but all VPNs are subject to legally binding court orders (and similar legal instruments). Courts can order VPNs to start logging in almost every country (Switzerland being a notable exception).
These court orders can usually only apply to named individuals and can’t be used for mass surveillance purposes or to target entire groups of people. But they can be used, for example, by the police to collect evidence on a named suspect.
When served a legally binding court order, VPNs have no option but to comply. Usually, this means they will start logging the browsing history of the named individual from the moment they receive the court order.
Of course, genuine no-logs VPN services won’t be able to hand over historic browsing activity from before the court order because such logs don’t exist.
Proton VPN is a no-logs VPN. We are physically based in Geneva, Switzerland, and our office address can be found on the footer of this web page. Switzerland has among the strongest privacy laws in the world, and VPN services are not subject to mandatory logging laws.
Under Swiss law, we can’t be required to start logging any of our users’ online activities.
Any VPN service can monitor your browsing history, but reputable ones won’t and will ensure they have no logs of your browsing history that could be handed over to third parties. That way, if they receive a court order to share information, it’s impossible for them to comply. After all, they can’t hand over what they don’t have.
Many VPN services’ no-logs claims rely on questionable registrations that may not stand up to the scrutiny of the courts.
Even where a company can confidently claim to be a no-logs service, it can always be served with a legally binding court order requiring it to start keeping logs on individual users. Proton VPN is an exception to this rule, thanks to Switzerland’s unusually strong privacy laws.