VPN privacy policies decoded: Boxpn
Privacy & Security Posted on July 28, 2013
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
Boxpn is a VPN service owned by Cakinberk Telekom, a company based in Turkey. The platform has a wide range of servers across the US and Europe. But how does its privacy policy stack-up?
Boxpn has a straightforward and very short privacy policy, which covers the basics relatively well and suggests the company does take its users’ privacy seriously. Boxpn says it “does not collect any information of it’s clients activities on any network [sic]. Hence no information is collected, there is no information to provide any 3rd parties.” which is clear and to the point.
Logging
However, as we’ve seen with other VPN privacy policies, Boxpn is also a bit vague on its logging practices. Here’s what it says:
“boxpn global network firewalls and security softwares only collect network utilisation data which is strictly necessary for the technical functioning of the service, for example IP address and hardware utilisation.”
As we’ve explained previously, collecting and storing network data is a very common practice for VPNs, because it allows us to optimise the network and troubleshoot any problems. So it’s fine that Boxpn is doing this. However, the key issue is what data is being stored and – more importantly – how long is that data being stored for?
For example, with Hide My Ass we found out server connection times were being stored for two years. Such a long period of data retention is not really necessary for troubleshooting a network and only really makes sense if you want to provide a third party with historical information to track users’ web activity. Most VPNs serious about privacy will not store this data for any more than a week or so and ideally less than 24 hours. We can give Boxpn the benefit of the doubt, but on this point, it should be clearer.
Cookies and ads
When it comes to advertising data and cookies Boxpn says this:
“boxpn will not sell, rent, or give away any of your personal information without your consent. It is our overriding privacy principle that any personal information you provide to us is just that: private. We do not presume that you are granting us permission to share your personal information with third parties wanting to sell you products or services that you have not requested.”
Unlike some of the other VPNs we’ve looked at, this paragraph shows Boxpn is serious about the collection of ad data. However, we did run Ghostery on Boxpn’s site and found a couple of ad trackers present, such as Doubleclick, which collects anonymous data. Doubleclick does not necessarily share data with third parties, but it can if the publisher (i.e. Boxpn) is part of an ad network. The Guardian sums this up pretty well here.
When it comes to entities trying to obtain user data Boxpn says this:
“Pressure from private actors to obtain any data (including but not limited to IP address of users) if it’s an illegal act and boxpn, in order to protect its business and the users’ privacy, reserves the right to inform the competent authorities and prosecute the private entities responsible for such illegal acts [sic].”
Due to the grammatical errors this paragraph isn’t very clear. As we point out in our guidelines, clear English is essential for any privacy policy. The paragraph appears to be copied from AirVPN’s privacy policy and should read:
“Pressure from private actors to obtain any data (including but not limited to IP address of users) is an illegal act and Air, in order to protect its business and the users’ privacy, reserves the right to inform the competent authorities and prosecute the private entities responsible for such illegal acts.”
So despite the grammatical inaccuracies Boxpn’s policy, once understood, is on the side of its users.
To sum up…
Overall Boxpn does seem to take privacy seriously, but it could be more clear with regards to how long it logs data and in other sections. There’s also no information on what happens if laws change in Boxpn’s jurisdiction regarding VPN services.
Suggest an edit on GitHub.
1 Comments
Wong
29.01.2015
I will say about my experience .
Earlier, I tried a lot of VPN including paid . Connection problems , low speed were commonplace. but by far the best in my case , was the boxpn . Not without problems, but it’s the best of what I’ve tried, with best cost/quality ratio.