VPN privacy policies decoded: AirVPN
Privacy & Security Posted on June 21, 2013
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
EDIT AirVPN has disputed some of this review. You can read our responses at the end of the post
AirVPN is VPN service started by a “small group of activists” in 2010 and is based in the Italy. The company has servers across Asia, Americas and Europe. Lets take a look at its privacy policy.
Out of the three VPN privacy policies we’ve looked at so far in this series AirVPN takes the most sensible and privacy-orientated approach to its customer’s data. But while AirVPN seems to take user privacy seriously, it is let down by some vague language.
Logging practices
Here’s what AirVPN says about the data it logs:
“Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address. These data are not collected to identify, through elaboration or any other technique, users’ personal identities. These data are not transmitted to third parties. "
We’re lacking specifics here. In particular, AirVPN does not say how the IP address is stored and if it is anonymised. The policy continues:
“Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes.”
Again, AirVPN needs to be more specific and say exactly how long it retains data for. “Data are deleted as soon as they are no more necessary for such purposes” is far to vague to be taken seriously and there is no mention of data retention periods anywhere in the privacy policy. Someone who has little knowledge of how VPNs work also has no idea how long data is typically stored for troubleshooting.
Also, as the above quote shows, AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?). Any legally binding policy needs to be clearly written and easily understood. In this respect, AirVPN is lacking.
Missing info
As we mentioned, the biggest oversight in AirVPN’s privacy policy is its lack of info on data retention periods. But AirVPN also doesn’t mention how it responds to DMCA notices and, like most other services we’ve looked at, it also doesn’t mention what it would do if laws in its jurisdiction change. AirVPN also suggests that it doesn’t retain web logs, but because it’s not specific, the policy is left somewhat open to interpretation. Unlike some other VPNs we’ve looked at, AirVPN seems to be a privacy conscious service, but it’s let down by a badly-written policy.
EDIT : AirVPN’s rebuttal and our response
We wrote: “AirVPN is VPN service started by a “small group of activists” in 2010 and is based in the Netherlands.” However, AirVPN is in fact based in Italy. This is our oversight and has been corrected. We apologise to AirVPN for this error.
AirVPN writes: “These data are not collected to identify, through elaboration or any other technique” has an unequivocal legal meaning in the EU. It means that personal data, including IP addresses (regardless of the debate whether an IP address is a personal data or not), are not collected at all and in any way. Therefore not only we legally state that they are not stored when a client accesses a VPN service, but we also say that they are not even sent to third-parties WHILE a client is connected to a VPN server, which is a higher privacy condition. It seems, to say the least, bizarre that a higher privacy protection policy is interpreted as a lower one.
AirVPN is somewhat missing the point of these reviews, as stated in our guidelines. The vast majority of people reading such privacy policies do not have a grasp of the legal intricacies and directives being mentioned, and that this has led to false expectations around VPN services. We believe it’s the VPN’s job to state clearly and in plain English what their practices are. The main point of this review wasn’t to say AirVPN is guilty of logging data, but that its policy is not clear enough in this regard. The point still stands.
IVPN: “Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes.”
AirVPN writes: Once again, the sentence has a very precise legal meaning in the EU. The service is erogated when a client is connected, therefore when a client is disconnected the service is not erogated, ergo when a client disconnects those data are no more on the servers and the data retention period is, in the worst case, the timeout period (up to 60 seconds), in the best case 0 seconds.
Same point as above.
IVPN “AirVPN doesn’t mention anything regarding cookies, affiliates and ad data.”
False. The Privacy Notice states, since three years ago:
Yes, this was a mistake by us. We’ve made the correction and offer our apologies to AirVPN.
IVPN: AirVPN also doesn’t mention how it responds to DMCA notices
That’s true and IT MUST BE SO. We will never mention how we “respond” to laws that are outside our jurisdiction and that are therefore inapplicable, simply because we are not forced to and we MUST NOT comply (and of course we must not even “respond”) to such laws. An USA Act “has jurisdiction” on the USA. We are not subject to every single law existing in the world and we will NEVER mention them as if we recognized their validity. Doing so would imply an utter incompetence on the legal field. Ironically, we would like to ask to IVPN staff why they do not state in their policy how they “respond” to every single law in the world which makes VPN business illegal.
DMCA notices are an issue that’s very important to individuals looking for a VPN service and those concerned with online freedoms. Acknowledging that DCMA notices exist, and are an issue customers want to know our stance on, is hardly legal incompetence. It’s about giving your users relevant information to help them make an informed decision about your service.
IVPN: AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?).
We recommend IVPN people to open a dictionary, for example the Webster dictionary, and search for “erogate”, which means “give, lay out, provide, deal out”.
“Erogate” is not a term that’s commonly used in English. There’s a dozen other words or phrases that could have been used that are better understood by the majority of people. One of the main criteria in our reviews is using plain English.
Suggest an edit on GitHub.
24 Comments
Steven
09.07.2013
I’m not sure why you expected them to give you reasonable responses. You start off the article by claiming the aim of your series is “to find out whether the VPN takes customer privacy seriously,” but instead you’re cherry picking things that are or are not missing in their policies.
This, along with various mistakes about them (including where they are based, cookies, affiliates), should have been enough for you to just apologize for advertising mistruths.
They spoke about DMCA when asked by Torrentfreak (https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/) and their response was extremely reasonable:
DMCAs are just ignored: no private entity claim can be considered a proof of anything (even in light of the paper by the University of Washington “Tracking the trackers – Why My Printer Received a DMCA Takedown Notice”) and the details given in DMCA notices (pertaining to p2p) lack any substantial proof of any infringement. We sometimes ask for a proof of the alleged claim, just to try to see which methods are used to make up an infringement claim, but so far all private entities have poorly failed to respond with any proof or even with technical details on how such claims are fabricated.
And then you continue to insult them about their general English. For me personally, I’d much rather someone that is knowledgeable but has broken English as opposed to some commercialized company with great English.
Stop reviewing platforms with garbage journalism. Either address the topics you intended to (“find out whether the VPN takes customer privacy seriously”) or don’t write anything at all.
Dennis Kügler
09.07.2013
Thanks for the input Steve.
First re: cherry picking/address the topic: If you read our full guidelines for these reviews, linked to at the top of every post, you’ll see the aim is to see if a VPN takes privacy seriously - as you mentioned -and to try and educate readers about how to read VPN privacy policies for themselves (i.e. get them thinking about what questions they need to ask). However, the explanatory paragraph at the top of each review could be amended to better reflect the full guidelines. If you read this review of AirVPN, we say AirVPN “seems to take privacy seriously”, and that it has the best privacy policy out of all those we’ve reviewed so far, but it’s let down by being vague - we say this twice in the review. Clarity is one of the most important points of any privacy policy. I don’t think that’s unreasonable.
re the errors: Yes we completely apologise for these two errors and we’ve corrected them. The cookies/ad data error was a bad mistake to make - I hold up my hands on that one. But that doesn’t invalidate the whole series of reviews, nor is it a good argument for us to stop. No one’s really reviewed VPN privacy policies before and tried to educate people on them, so we think this is a valid endeavour. The criticism from AirVPN has been incredibly useful and will definitely affect the way we approach further reviews.
Re TorrentFreak/DMCA - I don’t think customers should have to search around other websites to find out a service’s policy on relevant issues.
John
15.07.2013
Joe Bones
21.07.2013
I’ve got a different take on your input, Steve.
I think the author’s errors were honest, I read his stance to be surprisingly objective, and I felt his were criticisms valid and worthy of being pointed out.
For just one example, the use of the word “erogate” works great in Poindexterland. But here in PlainSpeak, USA. it’s pretentious. Just saying “provide” works better for the average person. (In fact, legislation actually had to force credit card companies to abandon endless boilerplate and sesquipedalian jargon in favor of simpler easier-to-understand phrasings.) For me, whether it’s brain surgery or paying for a VPN service, I want simple words that convey lucid concepts.
And talk of insults and apologies is a bit silly. It’s an unemotional, academically-toned analysis, not “playing the dozens”.
The right of people to have privacy in conducting their affairs is being undermined and eroded on every side, on most continents, by most governments. When Delta Airlines fires a stewardess because she complains online about the company (a situation often repeated in the years that followed) it is high time to look closer and think more deeply. And as the “HideMyAss” fiasco proved (whose owners must have been prescient when they chose that rather crude name, as they promptly got “ripped a new one”), our level of protection is only as strong as individual VPN policies designate.
Personally, I have no interest in wading through seas of jargon to distill the vapor trails that define how well my privacy is being looked after. I consider it grand good luck to have a review that is done in such a methodical, incisive fashion. For my part, I am impressed by a service that is willing to raise the issue of privacy to a higher level of public scrutiny. It is revealing, and I hope it puts the feet of other VPN services to the fire.
Criticism is essential, Steve. I don’t argue that. However, groundless nit-picking is pointless and discouraging. And when it comes to important articles, I find it irritating because it may bring a premature and entirely unwarranted end to them.
I urge the author to keep up the good work, because he is definitely being read and considered — especially in the United States, where the ill-conceived Homeland Security Act is continuing to force privacy issues into the courts.
Dave
01.08.2013
This is a really good series, Dennis, and I look forward to your analysis of more privacy policies. You do the right thing by acknowledging any mistakes and rectifying them. I feel you’ve been very fair and objective.
As a layperson in these matters, I agree that clear and precise language is invaluable when choosing a VPN service.
Again, much appreciated and keep up the good work.
Krieg
20.09.2013
Complaining about their English is extremely lame considering it is a “foreign” (read non-US) company and the person’s first language is not English. People who speak ESL make those “mistakes” quite often when they have words in their languages that sound similar but unfortunately that word in English is not that common and they might sound pretentious. But anyone with some level of understanding would realize it is just the language barrier.
Considering what it’s happening to privacy in the first world English speaking countries the future of VPNing is most probably in “unfamiliar” countries, so better get used to “broken” English.
MODERATOR: The rest of this comment was edited due to the author’s use of homophobic insults
Laura
24.09.2013
Lucifer Stevenson
07.10.2013
Jabba
22.10.2013
Dennis Kügler
23.10.2013
Aurelio
17.04.2014
John G
26.06.2014
AirVpn is a scam. When I went to sign up they put my account on hold after debiting my credit card. They claim their processor is responsible. They sent an email claiming I need to send them banking information with my personal info and/or a copy of a drivers license or passport. I submitted a screenshot of the debit to my card showing the transaction ID and they refused to open my account until I showed them my personal ID and who I was.
Their response was they have the legal right to request all the information per terms of service agreement and under no obligation to protect privacy of its users. Definitely go to another service. A true company that protects your privacy would not be asking for state identification.
Topkek
03.09.2014
Anonymous Fr3@k
03.10.2014
Just a quick note I understand you are doing a review of only AirVPN’s Privacy Policy, However there is a flaw I never seen mentioned on AirVPN’s Website that should have been addressed. As a customer of AirVPN which unfortunately I paid for multiple months upfront and I am stuck with it. I recently decided to see if I could track back through the data I was receiving and transmitting. Well I was able to trace not only my personal IP instead of the IP I was Stealthed under, worse then that I could trace it all the way back to my Exact Location. To find out that I could be tracked so easily horrified me. I now use a free VPN with option to pay for more bandwidth and server connections I will not name it because I am not trying to advertise for the company. Needless to say this free VPN has Better then DoD Encryption as well and I was unable to track back past the IP I was Stealthed under. I also could not even get any data(Encrypted or Not). I just thought this would be the best place to address this after reading others comments as well as your review of AirVPN’s Privacy Policy.
I was a happy customer for a good bit of time, however I no longer am. I will not be renewing my subscription.
Eric
24.12.2014
jjolla
10.05.2015
Dont be fooled, Bitcoin is not as anonymous as you may believe.
The coins are identifiable and therefore traceable back to whoever purchased them. And please, don’t mention exchanges … they are being snooped big time: each swap is absolutely noted.
In fact, someone did a very detailed study and found that under certain situations Bitcoins provide LESS anonymity than your Credit Card.
Also, don’t ignore that the more suspect your activity (eg using Bitcoins) the more reason you are giving the NSA or whoever to snoop on you first.
tim
24.09.2015
tim
24.09.2015
tim
24.09.2015
nobody
29.06.2016
Their servers worked well enough for 2+ months, then connection problems started occurring more and more often. Today I posted a message on their forum telling that service is down again, and called it a “great service”. Do you know what happened? They instantly banned me on the forum, closed my VPN account (I paid for 12 months of service) and this is it!
Needless to say, they ignore all my emails and refund requests, so stay away from this “company”. Otherwise, your account will be closed and they will keep all your money in case you complain about their service.
Hopefully this post will save money of any person who has AirVPN account and thinks about making a complaint of their poor service. If you really want to send them a message about poor connections, be ready to get your account terminated in 15 minutes (this is how long it took for my account to be cancelled).
Per
24.08.2016
Great read! I love that you’re pointing out the dodgy language. I really don’t understand why people are getting butthurt over it.
I’ve spent a lot of hours reading about different VPN services, and there’s just too many with vague privacy descriptions and bad language. They should thank you for pointing that out. It probably saves them a lot of time answering e-mails and questions from people wondering what the hell they mean.
Stéphane
20.09.2016
Gary
01.01.2017
Nick
02.01.2017
What a said attempt from iVPN, at reviewing of anything. I would say the intention was good though.
As for some of the comments on AirVPN from the “haters”, let me just say that the reason you ran into issues and then got into trouble for it, was probably because you guys (@nobody, @Anonymous Fr3@k, @John G), was because you guys fall under the category called: “Complete *ffing *bleep bleep bleep* fools”, if you get what I’m saying. I won’t insult you further, in case this post gets moderated - so that it’ll be easy for the mods to cut out the insults, if it’s still over the top. But it just has to be said, that you 3 are probably your own worst enemies.
Judging by your posts, you’re the types who, when they run into trouble the first time, instantly go onto a forum and complain very loudly about it. Without being very polite and most definitely without saying what went wrong exactly or providing any “actionable intelligence” that the community or Air support can use to help you. Thus, when you act impatiently and aggressively, you just get banned and/or muted. As you should, really. Yeah, it sucks if you paid for 12 months, but how about checking out how to behave properly then? It stands to reason, that if Air always banned everyone who asks questions, they wouldn’t have a forum or indeed a company. But they do and it’s quite successful.
It’s still true that Air is one of the best VPN companies out there. Why? Because they make everything secure by default, as much as possible. They stick to secure protocols, follow best-practices in their client (it’s open-source for example) and the server infrastructure is superb; high-speed connections, quality data-centers, rock-solid policies regarding *where* they are willing to set up servers and much much more. In a VPN, you should look for: transparency, good security practices (using OpenVPN, 256-bit AES encryption, etc.) and general honesty, without being contradictory. For example, if a VPN claims they respect your security/privacy/anonymity, then check that they do! If they run Google Analytics or have Facebook plugins on their site for example, that’s directly contradictory to being respectful of your privacy, as those things track you. Air has no such things on their site, by comparison.
So, to those 3 critics, get your facts straight. Because you’re wrong. I mean really, one of you claim you now use a free VPN, as if it’s an upgrade! I LOL’ed at that. Thanks for a laugh. How do you think a free VPN pays the bills? Prayers to Jesus? No. Likely by several forms of spying/advertising - and you’re the product. You worry about Air leaking your IP address and then start talking about other places having better encryption? Okay, one problem there: those things aren’t related lol. You can have the best encryption in the world and still leak your IP address, because you’re incompetent. REMEMBER: AirVPN (or any VPN) try to secure your connection to their servers. They don’t try to fix your incompetent use of a computer. Thus, if you’ve got tons of malware installed, you’re doomed. But really, it’s simple - just check ipleak.net and if you leak, turn on AirVPN network lock :p. Done. As for all the credit card stuff and support tickets - pictures or it didnt happen.
ciao.