Can a VPN Protect You From PRISM?

Following Edward Snowden’s PRISM revelations, the issue of online privacy has been thrust into the spotlight like never before. This media coverage appears to have led to more people signing-up to Virtual Private Networks. But will VPNs protect you from PRISM and do they offer any real privacy protections for their users?

PRISM certainly seems to have sparked a increasing interest in VPNs. Since the scandal broke IVPN (the VPN company I work for) saw a 56% increase in sign-ups (compared to the previous two months) and, in our survey, a majority of VPN users said PRISM was the main influence behind their decision to sign-up. TorrentFreak also did some research and found the VPNs Ipredator, Private Internet Access and to have all experienced an increase in sign-ups since PRISM was uncovered.

Bursting the VPN Bubble

But we need to burst our own bubble. Signing-up to a VPN is not going to protect you from the threat presented by PRISM. If the government has a “backdoo”‘ into Google, then it will be able to read your emails whether you’re connected to a VPN or not. Like the free-to-use TOR, VPNs help users mask their IP address, but your personal data is stored on Google’s servers and there’s not much you can do about that, other than avoiding Google (as well as Facebook, Yahoo, Hotmail and every other company implicated in the programme).

Nevertheless, the fact PRISM has encouraged more people to take online privacy seriously – and sign up to a VPN – is positive. But, once again, there’s another bubble to burst. Yes, VPNs are very effective at shielding your internet activity from potential evesdroppers, but not all VPN companies take online privacy seriously. In fact, some of the most popular VPNs on the market offer little protection above that of a regular ISP.

Data Retention

For instance, one of the key benefits of using a VPN is that you can avoid the data retention activities of your ISP. In the EU, it is currently mandatory for all ISPs to keep a log of every website you’ve visited, as well as email logs, for two years after you leave the service. While the US doesn’t have data retention legislation in place, most ISPs log data anyway to help law enforcement. VPNs allow you to circumvent this practice. Nevertheless, many VPN companies log your data in the same way an ISP does.

HideMyAss, arguably the biggest VPN on the market, states quite clearly in its privacy policy that data logs will be held for up to two years. Other popular VPNs, such as WiTopia, have less stringent polices, but still record data for one month. Most VPN services say they record this data to troubleshoot their network. But in reality there is little reason to record web logs beyond a few days if that’s your goal. The real reason for such data retention is likely to comply with requests, from private or public entities, to hand over user information. This was demonstrated rather pointedly with the arrest of Cody Kretsinger, who mistakenly relied on HideMyAss to protect his anonymity while a member of the hacking group Lulsec.

Always Check the Privacy Policy

So, firstly, VPNs will not protect you from the type of surveillance described in PRISM. But VPNs can definitely be used as part of wider set of best practices to protect your privacy. If you’re thinking of signing-up to a VPN you need to check the privacy policy first. Just because there’s a natural association between the technology behind a VPN and online privacy, doesn’t mean a VPN company has been set up to protect its users’ privacy. The key questions you need to ask are: What user data is the VPN storing? How long does the VPN retain user data for and will the VPN notify you if changing laws compromise its ability to provide a privacy service? A good place to start is this list compiled by TorrentFreak of VPNs that don’t log user data.