VPN privacy policies decoded: WiTopia

Privacy & Security Posted on June 28, 2013

VPN privacy policies decoded: WiTopia

This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.

WiTopia is a popular VPN service, which provides a wide-range of servers across Asia, Europe and the Americas. The company is based in the United States and therefore subject to US laws. So what does its privacy policy look like?

Data sharing

WiTopia has a very well-written and comprehensive policy. Nevertheless it contains some worrying elements that don’t sit well with a service supposedly designed to protect user privacy. For instance, when it comes to advertising-related data, take a look at this section on the information WiTopia discloses to “outside parties.”

“It may be necessary, at times, to share certain personal information with trusted third parties who assist us in conducting our business or providing our services. These companies are authorized to use information only as necessary to provide services to us.”

Also:

“If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer information to the acquiring company.

As we’ve pointed out before, this practice of willingly sharing data with companies, for non-essential purposes like advertising, is not uncommon. Most sites engage in such activity. But when it comes to a service that sells itself on protecting user privacy and data, you would expect it would stick to its values and keep data sharing to a bare minimum. As with HideMyAss, WiTopia uses the phrase “trusted third parties.” But who are they? Why are they trusted? None of this is qualified in the privacy policy.

Data logging

When it comes to logging data WiTopia says it does not “monitor, record or store the content of a customer’s internet activities.” It only stores the following:

"(1) the time and network location from which a VPN connection was made; (2) the duration of the VPN connection.”

However, it prefaces this with “during normal duties,” which is could be seen as a get-out clause to allow WiTopia to store your data whenever it, or other entities, sees fit. This is further expanded upon here:

“We may release personal information, when we believe in good faith that release is necessary, to comply with legal process (such as a subpoena or court order), to protect our rights or property, to enforce the Terms of Service, or protect your safety or the safety of others.”

It’s also worth noting that even during normal duties WiTopia stores your web logs (i.e. the sites you’ve visited, dates, times, etc) for 30 days. Storing this information for so long is not necessary to troubleshoot a network. The main reason for this 30 day data retention could likely be to track down and identify users if they break terms and agreements.

To sum up…

WiTopia has a very well-written policy that gets straight to the point. But WiTopia’s policy presents the same privacy issues that we saw with HideMyAss and, to a lesser extent, StrongVPN. WiTopia’s section on DMCA takedowns doesn’t really say how a user’s privacy will be affected. WiTopia also doesn’t say what will happen if laws in its jurisdiction change, although it does appear to suggest it will comply with law enforcement if they request data.  

Privacy
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.

2 Comments

Uwnthesis

02.07.2013

As Schneider states, the biggest cyber threat of our era is data collection - it’s potentially far more dangerous than cyber warfare or crime to us.

The “data collectors” harvest your data for “marketing purposes”, which is lightly regulated so you have no protection. This data is then resold on to third parties as a revenue stream. Data aggregators such as Acxiom bulk buy this data, and once multiple streams of data are combined, everyone from the tax man to your local council has an X-Ray view of your life. Did you know that Acxiom buys 3 billion data sets a day? And that’s only 1 company. The Rubicon project interacts with 97% of US internet users every month, and yet no-one knows about them (New York Journal).

Insurance companies are having success with reusing “marketing data” to assess obesity risk factors. One CEO of an insurance company always pays for his Macdonalds burgers in cash… to avoid an audit trail that links to “fast food” and higher medical premiums.

Marketing data is THE risk factor, so your comments on reselling marketing data to third parties is very valid.

Even Amazon has a clause that if it goes bankrupt, their databases can be resold as a revenue stream - even if you object.

So marketing data is the real menace, as Schneider identified :)

Dennis Kügler

02.07.2013

Great comment, thanks for the insight!
IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN TunnelCrack vulnerability assessment Privacy & Security

IVPN TunnelCrack vulnerability assessment

Posted on September 7, 2023 by IVPN Staff

Context TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.
Most people don't need a commercial VPN to work from home securely Privacy & Security

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.