Millions of Internet users around the world use a VPN to protect their privacy online.
Another key benefit is that VPNs hide users’ true IP-address, making them more anonymous. This prevents third-party monitoring outfits from unwanted snooping.
Every year we ask VPN providers about their logging policies to confirm that they can’t connect a VPN IP-address to a specific user. In the past, we have seen that this is not always the case.
Today, most of the top providers pride themselves on their “no logging” policies. They go to extreme lengths to ensure that anonymity is taken seriously, and some have hired third-party auditors to back up this claim.
While we have no reason to doubt these results, not all VPN subscriptions are perfectly anonymous. Even companies with no-log policies can keep records that can link VPN IP-addresses to user accounts.
That is, when they also offer dedicated IP-addresses, which are different from regular VPN connections.
The Drawback of Decidated VPN IP-Addresses
With a dedicated IP-address, which is often sold as an add-on, users get a unique IP-address as opposed to a shared one. This can be very convenient as it reduces annoying captchas and can bypass regular VPN blacklists. However, it comes at an anonymity cost.
By connecting through a single IP-address, monitoring outfits can build up a profile of the user’s online activity. The real anonymity tradeoff, however, is that the VPN provider knows the user’s IP-address and can connect it to other account information it has on record. This sometimes includes an email address.
This may not be a concern for most people, but it’s certainly something to keep in mind for the small subset of subscribers that use a dedicated VPN IP-address.
VPN Providers Confirm Anonymity Tradeoff
Broadly speaking, we would say that the “no logs” policies of VPN providers don’t apply to dedicated IPs. That conclusion is backed up by several VPN providers we reached out to, which include VPNArea, NordVPN, CyberGhost, and Torguard.
These providers all have a no-logging policy for their regular VPN service, which relies on shared IP-addresses. However, they see dedicated IP-addresses as a separate and different service, which is treated differently anonymity-wise.
TorGuard stresses that there are different use cases for these two options and while both are private, dedicated IP-addresses are less anonymous.
“When a TorGuard user buys a dedicated IP add-on we need to know that IP address in order to assign it to the right user. If that user paid us with a credit card we will have only a billing name and postal code to bill the user for services. If that same user pays us with cryptocurrency, we hold nothing but an email address and cryptocurrency transaction ID,” Torguard notes.
NordVPN says that people often choose dedicated IP-addresses to have static IPs, that could be used only by the owner to access their remote systems. These users are the only ones that have access to it, but the IP-address is linked to their account.
“In order to provide such service, we link a specific IP to the account, there are disclaimers within our FAQ section and Help Centre articles, stating the same,” NordVPN clarifies.
VPNArea can also match a dedicated IP-address to an account holder. This includes past users until they ask for it to be removed, or once their IP-address has been put in circulation again.
“We can match a dedicated IP to its current or past owner and we can match a timestamp of ownership by its owner, unless the owner requested their account data be deleted under GDPR,” VPNArea informs us.
The anonymity tradeoff also applies to Trust.zone also confirmed that dedicated IP-addresses are static and can be connected to user accounts until the subscription expires. And the same is likely true for most, if not all of the other VPNs we didn’t reach out to.
CyberGhost, for example, had a similar setup. The company stands behind their no-logging approach on regular VPN connections, but up until a few weeks ago, it could connect dedicated IP-addresses to specific accounts.
“This is a potential tradeoff when it comes to dedicated IPs. In our marketing materials, we made sure to highlight this is an add-on, and it’s not meant to replace our core VPN functionality,” CyberGhost notes.
Transparency is Key
These answers shouldn’t come as a surprise to the technically-minded. However, for others, who don’t read the fine print, it may be a wake-up call.
After we reached out, CyberGhost informed us that it is planning to overhaul its dedicated IP-address system to remove the association with the user account. The company plans to have this ready in August and will share more details then.
While that change will be welcomed by some, it’s not a problem if dedicated IP-address users are logged, as long as these users are aware of it. Not everyone uses a VPN for anonymity, but those who do should be aware of any potential risks. Since VPNs have become associated with anonymity, disclosing these risks is essential.
We welcome the transparency and clarifications from the VPN providers. That’s key when it comes to trust. And users should always remain critical as well. Just this week, Comparitech showed that a breach at UFO VPN put doubt on the provider’s logging claims.
Disclaimer: NordVPN is a TorrentFreak sponsor but this article was written independently, as all our articles are.
Many thanks to TorrentFreak for the breaking news.