What Does the VPN Privacy Policy Really Mean?

finjanmobile | Blog, Mobile Security


By now, you’ve probably heard a lot of good things about how using a Virtual Private Network or VPN is the best way of ensuring your security and privacy online. In a digital environment where service providers, websites, online platforms and resources of all kinds are taking increasing liberties with the privacy rights and civil liberties of the consumer, a VPN can be an extremely valuable tool.

But the assurance of privacy that a VPN gives is itself dependent on a number of factors – not least of which are the data-handling, storage, and usage practices of the VPN service provider or app vendor. These practices should be laid out in a formalized policy statement – and as we’ll discover in this article, the way in which such a Privacy Policy is stated can have serious implications.

VPN Basics

Very much as its name suggests, a Virtual Private Network or VPN is a digitally crafted private network that keeps you at a remove from the internet at large. It does this by applying high-strength encryption to all the information that passes between your device and the internet, making the data stream very difficult to decipher for anyone who intercepts it.

A VPN also masks the true location of your connecting device when it makes contact with websites and other online resources. It does this by redirecting your data traffic through the servers of your VPN provider or application vendor. The IP addresses of the VPN servers will appear instead of the address of your home location – and these servers may be located in any part of the globe.

In fact, giving VPN subscribers their choice of locations to virtually connect from is part of the appeal of Virtual Private Networks. It’s this option that enables users to connect to streaming media servers and other online content which might otherwise be denied to them due to website policies, copyright law, or censorship and restrictions imposed by regional and national authorities.

VPN Privacy Policy and Private Data Collection

To mask your IP address, online transactions, and browsing history, a VPN provider first requires access to all of these things, before they can work their magic of secure encryption. And of course, VPN apps and subscription-based services require some form of operating capital, in order to stay in business – especially the free ones.

They may not go as far as the “free” VPN service which was discovered in 2015 to have been selling off bandwidth from its free customers to paying subscribers, but the less scrupulous operations may call upon several assets, based simply on the information you provide.

Before setting up an account with a VPN provider, you’ll typically need to supply a basic set of identifying data: your name, email address, phone number, PayPal or credit card details, and the like. Personally Identifiable Information (or PII) like this is not only a valuable asset to fraudsters, identity thieves, and cyber-criminals – it’s also marketing gold for advertising networks, pollsters, government departments, and investigators.

Privacy Policies

The private data which a VPN provider collects – and the manner in which they collect it – should be spelled out in the Terms & Conditions of your service contract, and more specifically in their Privacy Policy document. But here again, there can be room to maneuver, for the less scrupulous operators.

Besides not drawing your attention to their Privacy Policy at all, presenting you with a policy that’s been so couched in legalese that you can barely understand it is another way of ensuring that you remain unaware of the type of information that’s being collected from you, and what’s being done with it.

If you’re reading this article, you may be aware of the fact that Finjan Mobile has developed an integrated VPN and secure web browser known as InvinciBull. You may also be pleased to know that the company has published an open link to its Privacy Policy – a document which goes out of its way to spell out in great detail exactly what data the service collects from you, and how that information is treated. Specifically, InvinciBull collects:

  • Account Setup Credentials – Name and Email Address
  • Billing and Payment Information to subscribe to the service
  • IP Address
  • Location
  • Language Settings
  • Unique Device ID
  • Mobile Device Brand, Model and Operating System
  • Bluetooth Versions
  • Network Provider
  • Geographical data based on the GPS/Wi-Fi Network position
  • URLs you visit (saved by the Safe Scan feature of the App)
  • Name and email address of the friends you refer (collected by the Tell a friend feature)

Anonymization and “No Logs” Privacy

Anonymization – or the process of stripping out entries from Personally Identifiable Information so it can’t be traced back to a specific individual – is one guarantee often made by VPN providers and the developers of “incognito” web software such as the Tor anonymous browser. It’s a powerful privacy protection in theory – but recent security research has revealed that it’s fairly easy to reconstruct a persona from anonymized data, with the right tools and information sources.

Anonymized data is also used as a revenue stream by some VPN providers, who make this information available to third parties such as marketing networks or researchers. How anonymized data is treated should be spelled out clearly in your VPN vendor’s Privacy Policy (as it is for InvinciBull) – and if it isn’t, they may have something to hide.
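The re-identification risk described above can be measured before any "anonymized" data set is shared. The following is an added example, not code from the original article or from InvinciBull: it strips names and emails from a few constructed records, then computes k-anonymity over the remaining fields. The field names are assumptions modelled on the data types in the collection list above.

```python
from collections import Counter

# Constructed sample records; field names are assumptions modelled on the
# data types the policy list names (device, OS, language, carrier, location).
FIELDS = ("name", "email", "device_model", "os", "language", "network_provider", "city")
ROWS = [
    ("Alice", "alice@example.com", "Pixel 2", "Android 8.1", "en", "CarrierA", "Berlin"),
    ("Bob", "bob@example.com", "iPhone 8", "iOS 11", "en", "CarrierA", "Berlin"),
    ("Carol", "carol@example.com", "iPhone 8", "iOS 11", "en", "CarrierB", "Berlin"),
    ("Dan", "dan@example.com", "Galaxy S8", "Android 8.0", "de", "CarrierB", "Zurich"),
    ("Eve", "eve@example.com", "Galaxy S8", "Android 8.0", "de", "CarrierB", "Zurich"),
    ("Frank", "frank@example.com", "Pixel 2", "Android 8.1", "en", "CarrierB", "Berlin"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

DIRECT_IDENTIFIERS = {"name", "email"}
QUASI = ("device_model", "os", "language", "network_provider", "city")
COARSE = ("os", "language", "city")

def anonymize(records):
    """Naive anonymization: drop only the direct identifiers."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]

def group_sizes(records, quasi=QUASI):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in records)

def k_anonymity(records, quasi=QUASI):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(group_sizes(records, quasi).values())

def unique_fraction(records, quasi=QUASI):
    """Share of records that nobody else in the data set matches."""
    sizes = group_sizes(records, quasi)
    singled_out = sum(1 for r in records if sizes[tuple(r[q] for q in quasi)] == 1)
    return singled_out / len(records)

def generalize(records):
    """Coarsen before release: keep only OS family, language and city."""
    return [{"os": r["os"].split()[0], "language": r["language"], "city": r["city"]}
            for r in records]

if __name__ == "__main__":
    released = anonymize(RECORDS)
    print("k after dropping name/email:", k_anonymity(released))
    print("fraction of unique records:", unique_fraction(released))
    print("k after generalizing:", k_anonymity(generalize(released), COARSE))
```

A result of k = 1 means some record is still unique on device, carrier and location alone, so anyone holding a second data set with those fields can link it back to a person; coarsening the fields raises k at the cost of detail.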

Caution should also be exercised with VPN providers who claim that they keep no logs at all of their customers’ data usage. Many providers make this claim, but it’s not strictly valid. Most VPN services log metadata: connection details, time spent on a particular server, timestamps for VPN tunneling sessions, and other similar variables.

The Privacy Shield

With cross-border transactions an integral part of the online economy, a VPN provider’s Privacy Policy really should take account of international factors, as well. For example, Finjan Mobile has certified itself under the terms of the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, which are administered by the US Department of Commerce.

Collectively known as the “Privacy Shield”, the policy applies to Personally Identifiable Information received in the US from customers in the European Economic Area (EEA) or the independent principality of Switzerland, and covers principles relating to “notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.”

It’s also a very conscious nod towards the impending rules of the General Data Protection Regulation (GDPR) – consumer privacy legislation which comes into effect in May 2018 and is intended for the protection of EU (European Union) residents, but whose terms apply to all individuals and business entities having dealings with the personal data of consumers or subscribers in Europe.

In fact, the GDPR allows significant penalties to be imposed on companies found not to comply with its terms – among which is the requirement that communications with customers and contract documents (including Privacy Policies) be written in clear and unambiguous terms.

So the clarity and transparency demonstrated by the InvinciBull Privacy Policy and Privacy Shield Policy illustrate the kind of policy model that VPN providers will have to adopt in the years ahead.
