Is VPNBook a honeypot?

Many of us may know of or use a free VPN service called VPNBook based in Romania. It offers mind-blowing speeds, unlimited bandwidth, and claims to delete connection logs after 7 days. Too good to be true, right?

I became suspicious so I decided to do a bit of research on this service. I first saw it pop up on TorrentFreak comments from accounts that had no previous comment history. There were also numerous forum posts discussing the possibilities of a honeypot, but no serious allegations emerged.

Next, I saw Web Archive records for their domain and saw something really suspicious. As their current privacy policy stands, they only collect IP addresses and connection time which are supposedly deleted after a week. This capture from October 2012 shows their old privacy policy at the very bottom of the page. Two parts from that policy caught my attention: “We are not required by law to hand any information over unless by court-order” and “Connection logs are automatically deleted every 3 days”. These two parts are not in their most current policy. If they were required to hand over data per a court order in 2012, why would they not be in 2013? Also, why did their connection log policy change so drastically?

The most discriminating evidence against VPNBook is this Google+ post from hacktivist group Anonymous. In it, they claim that logs from VPNBook have been used to incriminate their members in a federal investigation.

VPNBook doesn’t maintain much of a public presence except for their website, Facebook, and Twitter accounts. Their website shows signs of conflicting language and policy changes and they didn’t answer my concerns through their contact form. To anyone using this service or considering using it, stay far away from it. It is true that there aren’t any proven allegations against VPNBook. They may quite possibly be legit but all evidence says otherwise. In general, it is better to pay for VPN services to ensure security and privacy. With free products you are never the customer.

With free products you are never the customer.

This is the most important thing here.

If something that normally costs $5-10 a month is free, then they are collecting something from you and selling it to make money.

If I’m not paying for something, someone else is…

Meh, some people will always complain and be suspicious even if a service is free. And by free it means “ABUSE ME PLEASE”. Free VPNs are like Tor and most of their traffic is illegal in all jurisdictions starting from USA to North Korea: hacking, fraud, child porn and so on. Was some skid from Anonymous incriminated with logs from a free service? Good (insertgrumpycat)! Maybe next time he will do his stuff like real hackers do: setting up their own VPN on hacked servers, connecting through several servers at once, deleting their tracks etc.

Regardless of their privacy policy and what happened, I don’t think it’s clear where they are based. They have 2 servers in Romania, in the Voxility datacenter (where btw, most other VPN providers have servers starting with PIA, so if Voxility is playing dirty, one can assume they are logging other providers as well). They make money from ads, donations and promoting a paid VPN. I don’t think they are running a honeypot service but rather keeping their business safe and anyone in his right mind would do the same. It’s common sense.

Will my government go after me if I pirate?

This is not the case, since they monetize from donations and ads. Basically each of your visits to their site to get a new password will put some money in their pockets, so they don’t need your data but they need you as a regular visitor. I remember they had some donations tracker and there were many who donated from $1 to over $20.

A VPN service cannot be funded purely from ads from web visits and donations, especially one which offers unlimited bandwidth and encryption (they don’t make it clear on their site whether it is AES-256 or AES-128). Keep in mind that the type of audiences VPNBook is attracting are the freeloaders. These are the people who have ad-blockers installed and ignore donation prompts.

I don’t care for Anonymous in general but their posting is significant because it allegedly proves that there were logs stored (beyond an IP Address and time-stamp) to assist an investigation.

Where do they say this?

Yes, it can be funded. They are generating a lot of web traffic (thousands of visitors/day) so if they sell a few paid VPN accounts each day, they will cover hosting for all 4 servers and make a nice profit.

And like I said earlier: the donations tracker they had was showing plenty of donations. About Anonymous: they do not say whether they used VPNBook only once or they used it on a regular basis. Because if they used it on a regular basis, it’s quite possible that there was a court order to log them starting from that day.

It doesn’t matter how often Anonymous used the service. The point is that VPNBook could have cooperated with authorities when they make it their selling point of living in a country with the best privacy laws. There were also more logs being stored. The FBI cannot use IP logs and time-stamps to prove anything. If VPNBook did give (or sell) logs to authorities, it proves that they are not loyal to their users and that they could be giving (or selling) logs to any number of entities.

Contact Us • 100% Free PPTP and OpenVPN Service “Our privacy policy is simple: We respect your privacy. We do not collect any personal information or store any user’s internet data. The only thing we log is the IP address and time the connection was made. … Connection logs are automatically deleted every week.”

Yes, that is their privacy policy. There is no way of telling if they really enforce it in this manner or not.

So the same as a provider who charges then?

Exactly, but paid VPN providers have more of a motivation to protect their users and stay loyal to their promises.