
When you sign up for a VPN, the privacy promise at the center of it all is simple: we don't store records of what you do online. That promise is called a no-logs policy. It sounds straightforward. In practice, it is one of the most frequently abused claims in the entire technology industry.

This article covers what a genuine no-logs policy requires, why it is harder to deliver than it sounds, and — critically — the documented cases where major VPN providers made no-logs claims they could not back up. Because when a VPN logs your data and hands it to law enforcement, the marketing language on their website does not protect you.

What Does a VPN No-Logs Policy Actually Mean?

A true no-logs policy means the VPN provider stores no data that could identify what you did online, when you were online, or where you connected from. Specifically, it means:

  • No browsing history. The websites you visit are never recorded.
  • No connection timestamps. When you connected or disconnected is not stored.
  • No IP address logging. Your real IP address is not associated with your session.
  • No bandwidth or session duration logs. How long you were connected and how much data you transferred are not recorded.
  • No DNS query logs. The domains you resolved are not stored.

The reason each of these matters: even one piece of data — a connection timestamp paired with an IP address — can be used in a time-correlation attack to identify exactly who did what online. Law enforcement agencies use this technique routinely. The phrase "no logs" on a company's website does nothing to prevent it.

VPNs That Claimed No Logs — Then Got Caught Logging

The following cases are documented in public court filings, verified news reporting, and security research. These are not allegations — they are confirmed instances of VPN providers logging user data while simultaneously claiming they did not.

IPVanish: "Strict Zero Logs" — While Actively Logging

IPVanish was one of the most vocal no-logs VPN providers in its marketing. The company's website stated a "strict zero logs policy" for years. In 2016, a Department of Homeland Security investigation into a criminal case in Indiana sent a summons to Highwinds Network Group, the parent company of IPVanish, requesting subscriber information.

According to the publicly available court affidavit, IPVanish initially told investigators it did not have user data. After a follow-up request, however, the company provided detailed logs — including the suspect's source IP address, and the dates and times they connected to and disconnected from the service. That data directly contradicted the company's no-logs claims and was used to identify and locate the suspect via their real Comcast IP address.

The case was first reported by CyberInsider and confirmed by the publicly filed affidavit. IPVanish was claiming a zero-logs policy at the exact moment it was recording and retaining that data.

PureVPN: Logs Handed to the FBI in a Cyberstalking Case

In 2017, PureVPN's privacy policy stated that it only kept "connection logs." The company marketed itself as a privacy-first VPN. When the FBI came knocking in a cyberstalking case involving a Massachusetts man named Ryan Lin, PureVPN cooperated — and provided connection timestamps that tied Lin's real home IP address to the VPN IP addresses used in the harassment campaign.

As documented by ProPrivacy, PureVPN was able to provide the FBI with enough data to conduct a time-correlation attack. Even though PureVPN did not hand over browsing logs, the connection timestamps they retained — paired with IP addresses — were sufficient to identify the user with certainty. Lin was subsequently charged and prosecuted.

The case made clear that "we only keep connection logs" is not meaningfully different from "we keep logs." If timestamps and IP addresses are stored together, your identity can be reconstructed.
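Added example (not part of the original article, and not any provider's code): a small Python model of the time-correlation described above, showing what a demand for "who was on this VPN IP at this time" yields under different retention policies. The session records, field names, and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from datetime import datetime

# Constructed sample sessions (RFC 5737 documentation addresses, made-up accounts).
SESSIONS = [
    {"account": "acct-a", "source_ip": "198.51.100.7", "exit_ip": "203.0.113.10",
     "start": "2024-03-01T18:02:11", "end": "2024-03-01T19:40:03"},
    {"account": "acct-b", "source_ip": "198.51.100.44", "exit_ip": "203.0.113.10",
     "start": "2024-03-01T19:55:30", "end": "2024-03-01T21:10:00"},
    {"account": "acct-c", "source_ip": "198.51.100.90", "exit_ip": "203.0.113.25",
     "start": "2024-03-01T18:30:00", "end": "2024-03-01T20:00:00"},
]

def retain(sessions, kept_fields):
    """Model a retention policy: only kept_fields reach storage; none kept = no records."""
    return [{k: s[k] for k in kept_fields} for s in sessions] if kept_fields else []

def matching_records(stored, exit_ip, seen_at):
    """Stored records consistent with activity seen from exit_ip at seen_at.
    A field that was never stored cannot be used to rule a record out."""
    t = datetime.fromisoformat(seen_at)
    hits = []
    for rec in stored:
        if "exit_ip" in rec and rec["exit_ip"] != exit_ip:
            continue
        if "start" in rec and "end" in rec:
            start, end = (datetime.fromisoformat(rec[k]) for k in ("start", "end"))
            if not (start <= t <= end):
                continue
        hits.append(rec)
    return hits

def exposure(kept_fields, exit_ip="203.0.113.10", seen_at="2024-03-01T20:15:00"):
    """Source IPs a demand for (exit_ip, seen_at) would surface under a policy."""
    hits = matching_records(retain(SESSIONS, kept_fields), exit_ip, seen_at)
    return sorted(h.get("source_ip", "<not stored>") for h in hits)

if __name__ == "__main__":
    policies = {
        "connection logs (IPs + timestamps)": ["source_ip", "exit_ip", "start", "end"],
        "IPs only, no timestamps": ["source_ip", "exit_ip"],
        "timestamps only, no source IP": ["exit_ip", "start", "end"],
        "nothing retained": [],
    }
    for name, fields in policies.items():
        print(f"{name:36} -> {exposure(fields)}")
```

With IPs alone, two users of the shared exit address remain candidates; adding the timestamps narrows that to a single source IP, which is why "connection logs" are identifying on their own.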

HideMyAss: A Court Order Was All It Took

One of the earliest and most cited cases in VPN logging history involves HideMyAss, a UK-based VPN service. A member of the hacking group LulzSec, known online as "Recursion," used HideMyAss while conducting hacks against Sony and News Corp. A single UK court order compelled HideMyAss to hand over stored IP address logs and timestamps. Those records directly identified Cody Kretsinger, who was subsequently extradited to the US and convicted.

The case, documented by IVPN, demonstrated that "no logs" marketing and actual technical architecture are two different things. HideMyAss stored what it needed to for business purposes — and that data became a liability the moment a court asked for it.

Seven Hong Kong VPNs: 1.2TB of "No-Logs" User Data Exposed

In July 2020, security researchers at vpnMentor discovered an unprotected server containing 1.2TB of data belonging to seven VPN services — UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN — all of which claimed to operate no-logs policies.

As reported by PCMag, the exposed data included user activity logs, plaintext passwords, email addresses, home addresses, and device identifiers for up to 20 million users. Researchers verified the logging in real time by creating a test account — their own activity appeared in the exposed logs immediately. Every provider involved had publicly claimed to never log user traffic.

NordVPN and Tesonet: The Questions That Still Get Asked

NordVPN occupies a different category from the cases above — no user data has ever been confirmed to have been logged or handed to authorities. But the questions raised about its corporate structure are worth understanding, because they illustrate exactly what informed VPN users should be asking.

NordVPN is owned by Nord Security, which has corporate ties to a Lithuanian tech company called Tesonet. In 2018, a lawsuit involving Tesonet and a company called Luminati Networks alleged that Tesonet operated residential proxy networks — systems that route internet traffic through real users' devices without their knowledge, monetizing their bandwidth. The lawsuit named NordVPN in its filings, as documented by Reddit's privacy community at the time.

NordVPN has consistently denied any connection between its user data and Tesonet's other business operations. Multiple independent audits — including a 2025 audit by Deloitte conducted under ISAE 3000 standards, as reported by TechRadar — have confirmed that NordVPN's servers do not retain user-identifying data. As of this writing, NordVPN has completed six independent no-logs audits since 2018 with no findings of logging.

The NordVPN case is instructive not because it confirms wrongdoing — it doesn't — but because it shows why corporate ownership structures matter. When a VPN's parent company operates other businesses that benefit from user data, the question of data independence becomes legitimate regardless of marketing claims. Independent audits are the answer to that question. The absence of audits is a red flag.

Separately, in January 2022, NordVPN updated its blog to acknowledge it would comply with lawful court orders, prompting a brief controversy. The company clarified it had always intended to operate within the law — but the incident highlighted the importance of reading no-logs claims carefully, as covered by PCMag. Even a genuine no-logs VPN cannot provide data it does not have — but a company that stores timestamps and IP addresses for any reason can be compelled to turn them over.

What "verified no-logs" actually requires

Marketing language proves nothing. The only meaningful verification is an independent third-party audit of server configuration, operating procedures, and live system logs — conducted by a firm with no financial relationship to the VPN provider. Anything less is a claim, not a proof.

How to Tell If a VPN's No-Logs Policy Is Real

Based on the cases above, here is what separates a genuine no-logs architecture from a marketing claim:

RAM-only servers. If the VPN runs its servers entirely on RAM — with no persistent disk storage — there is nothing to seize or subpoena. When power is cut, all data is gone. This is the most technically robust no-logs implementation available.

Independent third-party audits. The audit must be conducted by a security firm with no commercial relationship to the VPN. It must include access to live server configurations, operating logs, and infrastructure review — not just a policy document review. The audit report should be publicly available or available to subscribers.

Verified jurisdiction. A no-logs claim only means something if the company operates under a legal framework that cannot compel secret data retention. US-operated VPNs are subject to US law. The critical question is whether the jurisdiction allows national security letters with gag orders — which could require a company to log data and prohibit disclosure.

Transparent corporate structure. Who owns the VPN matters. If the parent company operates data-intensive businesses — advertising, analytics, residential proxies — the independence of the VPN operation deserves scrutiny regardless of audit results.

CyberFence Strict No-Logs Policy: How It Works

CyberFence operates under a strict zero-logs policy. We do not store browsing history, connection timestamps, IP addresses, session durations, bandwidth usage, or DNS query data. There is nothing for us to hand over because we do not collect it in the first place.

Every server in the CyberFence network runs on US-based infrastructure under US jurisdiction. We are not owned by a foreign parent company, do not operate data resale businesses, and have no financial incentive to retain user data. Our policy is not a marketing claim — it is an architectural decision built into how the platform operates.

We are committed to third-party audit verification as CyberFence scales. In the meantime, the cases documented above are the standard we hold ourselves to — and the reason we built the platform the way we did.

What to Look for When Choosing a No-Logs VPN

A no-logs policy is the most important privacy claim a VPN can make. It is also the most frequently abused. IPVanish, PureVPN, HideMyAss, and seven Hong Kong VPN providers all made no-logs claims they could not support when tested by real-world legal demands or security research.

The questions around NordVPN's corporate structure — while not resulting in confirmed logging — illustrate why ownership transparency and independent audits are the only credible verification mechanism. Marketing language on a website has never protected a single user's data.

When you choose a VPN, ask three questions: Does the provider have a published, independently audited no-logs policy? Is the audit conducted by a firm with no financial relationship to the company? And is the provider's corporate structure free of businesses that benefit from user data? If the answer to any of those three is no, the no-logs claim on the website is just text.

For more on how to evaluate VPN privacy claims, see our guide on why a US-based VPN matters, our breakdown of what a VPN does not protect you from, and our comparison of CyberFence vs NordVPN on privacy and transparency.

CyberFence: Zero logs. Zero compromise.

We built CyberFence on a single architectural principle: if we don't store it, we can't hand it over. AES-256-GCM encryption, US-operated infrastructure, and a no-logs policy we back with our design — not just our marketing.
