When VPN providers claim “no-log” policies, users expect complete privacy—yet the reality is more nuanced. Understanding what VPN logs actually contain, how they’re used, and the technical differences between logging types is essential for making informed privacy decisions. This guide breaks down the technical details of VPN logging practices.
Types of VPN Logs Explained
VPN services categorize data collection into distinct log types, each with different privacy implications:
Connection Logs (Metadata)
Connection logs record technical metadata about your VPN session without tracking actual content:
- Connection timestamps: When you connected and disconnected
- Bandwidth usage: Total data transferred during session
- IP addresses: Your original IP and VPN server IP
- Server selection: Which VPN server and location you chose
Most “no-log” VPNs actually keep some connection logs. For example, ExpressVPN states it collects “connection dates, choice of VPN server location, and total data transferred daily.” This metadata helps with network troubleshooting and preventing abuse but can still be subpoenaed.
Usage Logs (Traffic Logs)
Usage logs are far more invasive—they track your actual internet activity:
- Browsing history: Websites you visited
- DNS queries: Domain names you resolved
- Connection contents: Actual data transmitted
- Session duration details: Exactly how long you spent on specific sites
These logs defeat the purpose of using a VPN for privacy. Pure no-log VPNs should never store this data.
No-Log Claims: What They Actually Mean
A true no-log VPN theoretically keeps zero records of user activity. However, the term is often marketing:
- Strict no-log: No connection or usage logs retained whatsoever
- No usage logs: Connection metadata OK, browsing activity not tracked
- No individual logs: Aggregated data only, can’t identify specific users
- Self-hosted or audited: Third-party verification of claims
The gold standard is independent security audits that verify no-log claims. Providers like NordVPN, ExpressVPN, and ProtonVPN have undergone public audits confirming their practices.
Technical Implementation of Logless VPNs
How do privacy-focused VPNs actually operate without logs?
RAM-Only Servers
Leading VPNs use servers that run entirely from RAM:
- All data wiped on server reboot
- No hard drives storing user activity
- Impossible to physically retrieve logs
- Providers like Mullvad and ExpressVPN use this approach
Distributed Architecture
Privacy-focused VPNs minimize data collection by design:
- No user accounts required (Mullvad uses account numbers only)
- Payment systems separated from VPN infrastructure
- Registration timestamps not retained
- Each session completely isolated
Protocol-Level Privacy
Technical protocol choices affect logging capabilities:
- WireGuard: Simpler protocol, less metadata generated
- OpenVPN: Proven technology, configurable logging levels
- IKEv2: Fast reconnection, moderate metadata
What Law Enforcement Can Actually Request
Understanding legal boundaries helps evaluate real privacy:
Subpoena vs. Warrant
- Subpoena: Easier for authorities to obtain, limited user data available with no logs
- Warrant: Higher bar, but can compel testimony
What Exists vs. What Can Be Shared
With true no-log VPNs:
- No browsing history to share
- No connection timestamps tied to users
- Nothing to identify specific activity
- Provider can honestly state “we have no data”
Court Cases Proving No-Log Claims
Several cases have tested no-log policies:
- PureVPN Case: FBI successfully identified user despite no-log claims (provider was logging)
- IPVanishwood: No logs were indeed retained when law enforcement requested data
- ExpressVPN: Servers physically seized in Turkey, no useful data recovered
Evaluating VPN Log Claims
Use these criteria to assess privacy claims:
Red Flags
- Vague “no-log” language without specifics
- No third-party audits
- Located in Five Eyes countries (US, UK, Canada, Australia, New Zealand)
- History of sharing data with authorities
Green Flags
- Publicly audited by independent firms
- RAM-only server infrastructure
- Bug bounty programs
- Clear, detailed privacy policy
- Proven court cases testing claims
Questions to Ask
- What specific data do you retain?
- How long is data kept?
- Have you ever been compelled to share user data?
- Can you be forced to start logging?
Common Misconceptions
“My VPN Says No-Logs, So I’m Completely Private”
Reality: Claims vary widely. Always read the privacy policy in full.
“Paid VPNs Don’t Need to Log”
Reality: Some paid VPNs still collect connection metadata for business intelligence.
“All European VPNs Are Private”
Reality: EU data retention laws may require some logging. Swiss VPNs often best for privacy.
“Logs Are Always Bad”
Reality: Minimal connection logs for troubleshooting are acceptable. The key is what gets logged and who can access it.
Best Practices for Privacy
- Choose audited providers: NordVPN, ExpressVPN, ProtonVPN, Mullvad
- Use RAM-only servers: Check provider infrastructure
- Enable kill switch: Prevents IP leaks if VPN drops
- Use own DNS: Avoid VPN-provided DNS to prevent logging
- Multi-hop connections: Route through multiple servers for enhanced privacy
- Review settings: Disable any optional logging features
# Verify your VPN is not leaking DNS outside the tunnel
# Run while connected to check what IP is visible
curl -s https://ifconfig.me
# Check which DNS server is active
cat /etc/resolv.conf
# Test for DNS leaks — should resolve through VPN server's DNS
dig +short whoami.akamai.net @ns1-1.akamaitech.net
# Linux with systemd-resolved: confirm active DNS
resolvectl status | grep "DNS Server"
# WireGuard: check AllowedIPs in config
# Full tunnel: AllowedIPs = 0.0.0.0/0, ::/0
# Split tunnel: AllowedIPs = 10.0.0.0/8
grep "AllowedIPs" /etc/wireguard/wg0.conf
VPN Provider No-Log Verification Checklist
Use this checklist to evaluate VPN no-log claims:
| Criteria | What to Look For | Red Flag |
|---|---|---|
| Company jurisdiction | Switzerland, Iceland, Malaysia, Romania | Five Eyes countries (US, UK, CA, AU, NZ) |
| Third-party audit | Annual audit by reputable firm (Cure53, Deloitte) | No audit or outdated (3+ years old) |
| Court test | Provider tested in court, claims verified | No court cases or provider refused access |
| Transparency reports | Regular disclosure of law enforcement requests | Silent on requests or “we don’t keep data” |
| Technical implementation | RAM-only servers or destructive logging | Persistent storage on disk |
| Bug bounty program | Active rewards for finding security issues | No security researcher engagement |
Demonstrating No-Log Claims
Some providers publish transparency reports that support their claims:
# Example: NordVPN transparency report analysis
# https://nordvpn.com/transparency/
# Data shows:
# - How many law enforcement requests received (3,400+ in 2023)
# - How many were actually fulfilled (0 in most cases)
# - Why most requests were unfulfilled (no data to provide)
# This pattern supports genuine no-log claims
Compare provider behavior against their stated policies. If a provider claims no-logs but compliance reports show fulfilled requests, the claims are suspect.
IPv6 and Split Tunneling Leaks
Even with no-log policies, technical configuration can leak data:
# Test for IPv6 leaks (common with no-log VPNs)
curl -6 https://ifconfig.me # Should fail if VPN has IPv6 support
# Test split tunnel leaks
# Split tunnel: selective traffic through VPN, some local
# This allows attackers to infer behavior from non-VPN traffic
# Verify complete tunneling
netstat -tuln | grep ESTABLISHED
# Should show no connections outside VPN tunnel
If split tunneling is enabled, locally routed traffic is visible to your ISP despite VPN claims.
Geolocation Verification and Spoofing
VPNs claim to hide your real location, but verification varies:
# Check multiple geolocation sources
curl -s https://ifconfig.me/json | jq .ip
curl -s https://geoip.example.com # MaxMind GeoIP database
curl -s https://api.ipify.org?format=json | jq .ip
# Results should show your VPN server location, not real location
# Discrepancies indicate leaks
Some VPNs use anycast networks where apparent location varies by query source. This is acceptable if actual IP belongs to VPN provider.
Payment and Logs Correlation
Your payment method represents a log, even if VPN claims zero logs:
Payment correlation attack:
1. You purchase VPN with credit card
2. Law enforcement subpoenas payment processor
3. Credit card timestamp matched to traffic timestamp
4. Timeline connects you to activity even without VPN logs
Mitigate this by paying with cryptocurrency:
# Better: Pay with Monero through CoinJoin
# Reduces payment-to-usage correlation
monero-wallet-cli
(wallet): transfer [address] [amount] [ring-size]
True privacy requires privacy across all layers—encryption, no-logs policy, AND anonymous payment.
Related Articles
- What VPN Logs Actually Mean: No-Log Policy Explained.
- Best VPN for Using WhatsApp in China 2026 — Actually Works
- How To Test Vpn Kill Switch Actually Works Properly Guide
- How to Verify a VPN Is Actually Encrypting Your Traffic
- Verify That Your VPN Is Actually Working and Not Leaking
Built by theluckystrike — More at zovo.one