VPN privacy policies decoded: WiTopia
Privacy & Security Posted on June 28, 2013
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
WiTopia is a popular VPN service, which provides a wide range of servers across Asia, Europe and the Americas. The company is based in the United States and therefore subject to US laws. So what does its privacy policy look like?
Data sharing
WiTopia has a very well-written and comprehensive policy. Nevertheless it contains some worrying elements that don’t sit well with a service supposedly designed to protect user privacy. For instance, when it comes to advertising-related data, take a look at this section on the information WiTopia discloses to “outside parties.”
“It may be necessary, at times, to share certain personal information with trusted third parties who assist us in conducting our business or providing our services. These companies are authorized to use information only as necessary to provide services to us.”
Also:
“If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer information to the acquiring company.”
As we’ve pointed out before, this practice of willingly sharing data with companies, for non-essential purposes like advertising, is not uncommon. Most sites engage in such activity. But when it comes to a service that sells itself on protecting user privacy and data, you would expect it would stick to its values and keep data sharing to a bare minimum. As with HideMyAss, WiTopia uses the phrase “trusted third parties.” But who are they? Why are they trusted? None of this is qualified in the privacy policy.
Data logging
When it comes to logging data, WiTopia says it does not “monitor, record or store the content of a customer’s internet activities.” It only stores the following:
“(1) the time and network location from which a VPN connection was made; (2) the duration of the VPN connection.”
However, it prefaces this with “during normal duties,” which could be seen as a get-out clause to allow WiTopia to store your data whenever it, or other entities, sees fit. This is further expanded upon here:
“We may release personal information, when we believe in good faith that release is necessary, to comply with legal process (such as a subpoena or court order), to protect our rights or property, to enforce the Terms of Service, or protect your safety or the safety of others.”
It’s also worth noting that even during normal duties WiTopia stores your web logs (i.e. the sites you’ve visited, dates, times, etc.) for 30 days. Storing this information for so long is not necessary to troubleshoot a network. The main reason for this 30-day data retention could likely be to track down and identify users if they break terms and agreements.
To sum up…
WiTopia has a very well-written policy that gets straight to the point. But WiTopia’s policy presents the same privacy issues that we saw with HideMyAss and, to a lesser extent, StrongVPN. WiTopia’s section on DMCA takedowns doesn’t really say how a user’s privacy will be affected. WiTopia also doesn’t say what will happen if laws in its jurisdiction change, although it does appear to suggest it will comply with law enforcement if they request data.
2 Comments
Uwnthesis
02.07.2013
As Schneider states, the biggest cyber threat of our era is data collection - it’s potentially far more dangerous than cyber warfare or crime to us.
The “data collectors” harvest your data for “marketing purposes”, which is lightly regulated so you have no protection. This data is then resold on to third parties as a revenue stream. Data aggregators such as Acxiom bulk buy this data, and once multiple streams of data are combined, everyone from the tax man to your local council has an X-Ray view of your life. Did you know that Acxiom buys 3 billion data sets a day? And that’s only 1 company. The Rubicon project interacts with 97% of US internet users every month, and yet no-one knows about them (New York Journal).
Insurance companies are having success with reusing “marketing data” to assess obesity risk factors. One CEO of an insurance company always pays for his McDonald's burgers in cash… to avoid an audit trail that links to “fast food” and higher medical premiums.
Marketing data is THE risk factor, so your comments on reselling marketing data to third parties are very valid.
Even Amazon has a clause that if it goes bankrupt, their databases can be resold as a revenue stream - even if you object.
So marketing data is the real menace, as Schneider identified :)
Dennis Kügler
02.07.2013