VPNs are well known because they are supposed to enhance your privacy and prevent you from being monitored.
In fact, "VPN" has become a word in itself, pronounced vee-pee-en, and it is a busy marketplace, with companies advertising on the internet, on TV and even in print media, all aiming for your money.
Most VPNs come as a free application that you can download from the internet, but you usually need a paid subscription to operate it or to unlock premium services.
The application picks up all the network traffic between your device and the company's servers and "releases" it onto the internet as though it came from somewhere else, maybe even from a different country, which conceals the true source of the data packets and therefore makes it difficult to locate you.
The association with privacy, we imagine, comes from the fact that VPN contains the word "private" in its name.
In fact, the "private" part of a VPN is not really about anonymity. The P in VPN simply refers to the idea of using a public network to transmit traffic.
In fact, if you have ever used a corporate VPN, you will be well aware that it fully identifies you, perhaps with a password and a 2FA badge, so the company knows who you are before you connect.
Your traffic is private because VPNs use encryption to protect raw network packets from detection, but your traffic is not anonymous when you are on the company's virtual network.
In short, the VPN itself knows who you are and sees what you access, even if the servers through which the encrypted VPN packets travel do not.
And that's good, because it means you share this corporate network only with other people who are supposed to be there and who can be held responsible for their behavior, rather than with a random group of strangers.
What about logs?
As mentioned above, consumer VPNs can arrange to decrypt your traffic and release it onto the internet far away from where you are, so they not only disguise your physical location (which does improve your privacy somewhat) but also allow you to hide your country of residence.
For many people, this is the main value of a personal VPN service: it allows them to bypass censorship that may be applied by ISPs in their country, and also to bypass so-called geoblocking, which helps them, for example, to watch TV shows and movies from abroad.
But it also means that you are placing a great deal of trust in the VPN provider, because this provider essentially becomes your new ISP, so you need to know the extent to which it follows (or does not follow) the laws in the various countries where it has its headquarters.
Many VPNs tell you that they "do not keep any logs", and will therefore have nothing about you to hand over to law enforcement, even if they wanted to.
However, many countries have legal mechanisms by which various authorities - without a warrant, depending on the jurisdiction - can force a service provider not just to start keeping records on specific people, but also to stay silent about the fact. In other words, they are very likely to be keeping logs on you and unable to tell you so, even if you ask them.
Of course, some VPNs will assure you that this cannot happen because their companies are registered in countries where there are no such legal provisions.
But any VPN knows where you are and, to some extent at least, who you are while you are using the system, and it may need to keep a certain amount of log data in memory for some or all connections, just to make the service work reliably.
What you need to assume, then, is that everything they know about your traffic for handling purposes while you are connected to the internet is never stored anywhere permanently, either accidentally or by design.
And history shows that ephemeral data - things that should be permanently erased from memory when no longer needed and never written to disk or forwarded to another server - has a way of surviving when it should not.
After all, as you may recall, both Google and Facebook recently admitted that, at times, the passwords you entered during the login process - data that was supposed to be kept only in RAM and wiped after validation - were stored in logs in their respective systems.
What happened this time?
According to a report published last week by VPNMentor, its researchers came across plenty of user logs from seven VPNs operating outside of Hong Kong.
VPNMentor reported that the affected services are: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.
As the list above suggests, all seven products are rebranded offerings from one major provider - software and IT services are often sold this way, with the same (or very similar) code and back-end systems at the core of the offers from different licensees.
As you have probably guessed, this data should not have been accessible to the public, but it was exposed through a cloud database - Elasticsearch, in this case - that was not properly configured.
According to VPNMentor, about 1 billion database entries were found related to about 20 million users, including various data fields such as the following:
Activity logs, PII (names, emails, home addresses), cleartext passwords, Bitcoin payment information, support messages, personal device information, technical specifications, account information, PayPal API direct links.
So it seems that these VPNs not only collect data that they should not keep at all, such as passwords, but also expose it publicly.
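
One way to keep these categories of data out of a log store in the first place is to scrub every record before it is indexed. The sketch below is an added example, not code from the article or from VPNMentor's report; the key names, regular expressions and sample record are assumptions constructed for illustration.

```python
import re

# Key names whose values must never reach a log store (assumed list; extend as needed).
SENSITIVE_KEY = re.compile(r"(\w*_)?(password|passwd|pwd|secret|token|api_?key)", re.I)
# Value patterns for two of the data categories named in the report.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "btc_address": re.compile(
        r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}

def scrub(value, path="", findings=None):
    """Return (clean_copy, findings) for a nested log document; input is not modified."""
    if findings is None:
        findings = []
    if isinstance(value, dict):
        clean = {}
        for key, item in value.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.fullmatch(key):
                # Drop the value entirely: a secret is never safe to keep in a log.
                findings.append((here, "secret"))
                clean[key] = "[REDACTED]"
            else:
                clean[key], _ = scrub(item, here, findings)
        return clean, findings
    if isinstance(value, list):
        items = [scrub(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(value)]
        return items, findings
    if isinstance(value, str):
        # Free-text fields (support messages, tags) can carry PII under any key.
        for label, rx in PATTERNS.items():
            if rx.search(value):
                findings.append((path, label))
                value = rx.sub(f"[{label.upper()}]", value)
    return value, findings

# Constructed sample record; every value is made up.
SAMPLE = {
    "event": "login",
    "user": {"email": "alice@example.com", "password": "hunter2"},
    "support_message": "refund to 1CNSTRUCTEDxxxxxxxxxxxxxxxxxxxx please",
    "tags": ["vpn", "contact bob@example.org"],
    "bytes": 5120,
}

if __name__ == "__main__":
    clean, findings = scrub(SAMPLE)
    print(clean)
    for where, kind in findings:
        print(f"{kind} found at {where}")
```

The findings list is worth alerting on as well as redacting: a password arriving at the logging layer at all means some upstream code is logging request bodies it should not.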