Nick Pearson, an EFF member and founder of IVPN.net, wrote a thorough article for TechDirt on precisely what sort of privacy VPN providers can and cannot offer customers.
I’ve been using AirVPN for a couple years now, and there are two basic forms of privacy I’m trying to achieve.
First, I do not want people who have access to the networks I’m using to have the capability of monitoring what I am doing. For example, I regularly connect my laptop to WiFi networks that I do not control, and want to ensure that no other users (including the operators of those networks) are able to see or record my activity.
Second, I do not want entities on the other end to be able to directly track my activity back to my actual IP address.
So for my case the most important thing was finding a VPN that doesn’t do any logging. As Pearson points out, a number of popular VPNs based in the United States — VyprVPN, HideMyNet, StrongVPN, etc. — actually keep logs of all activity through their systems so they can respond to DMCA requests. Pearson makes the case that not only is this the height of stupidity for a VPN, but that it is not even remotely required by US law.
The next most important thing, in my opinion, is to avoid any VPN based in the United States. With a lot of services, that option just isn’t there. With VPNs, many of them are based outside of the US and Europe, and the more obscure the jurisdiction the better.
Pearson raises a third use case for VPNs — avoiding monitoring by law enforcement.
So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.
One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.
While I appreciate Pearson’s activism, I wouldn’t count on that sort of activist mentality to shield me from law enforcement. If law enforcement monitoring were a serious concern, I’d use multiple VPNs, switch servers within those VPNs regularly, and cycle through the VPNs I was using on a regular basis (as well as use Tor and other anti-monitoring countermeasures).
Even then, there are ways beyond direct logging for a persistent-enough law enforcement agency to track Internet activity back to specific users given enough time.