What "No-Log" Actually Means (And What Most VPNs Actually Log)
Open any VPN provider's website and you will find some variation of the same promise: "We keep absolutely no logs." It is the single most repeated claim in the VPN industry. It is also, for the majority of providers, a lie.
A true no-log policy means the VPN operator stores zero information about your activity. No record of which websites you visited. No record of when you connected or disconnected. No record of your real IP address. No record of how much bandwidth you consumed. Nothing. If a government agency showed up with a subpoena, the provider would have literally nothing to hand over.
That is the standard most VPNs claim to meet. In practice, the vast majority collect at least some of the following: connection timestamps, session durations, bandwidth usage, your originating IP address, the VPN server IP you connected to, and sometimes even DNS query logs. They bury these practices deep inside privacy policies written in impenetrable legalese, behind marketing pages that scream "ZERO LOGS" in bold type.
Many VPNs distinguish between "activity logs" and "connection logs" in their privacy policies. They claim "no activity logs" (meaning they don't record which sites you visit) while quietly collecting connection metadata — timestamps, IP addresses, session durations — that can be just as identifying. If a provider says "no activity logs" instead of "no logs," read the fine print very carefully.
Caught Red-Handed: VPN Providers That Lied
These are not hypothetical concerns. Multiple VPN providers that marketed themselves as "no-log" services have been caught handing user data to law enforcement. Every single one of these companies had a "no-log" policy on their website at the time of the incident.
IPVanish (2016) — Homeland Security
IPVanish, a US-based VPN provider, cooperated with the Department of Homeland Security in a criminal investigation by providing detailed connection logs of a suspect. Court documents revealed that IPVanish handed over the user's name, email, originating IP address, the VPN IP addresses they connected to, and precise connection timestamps. Their website at the time stated: "IPVanish does not collect or log any traffic or use of its Virtual Private Network service." That was a documented, provable lie.
PureVPN (2017) — FBI Investigation
PureVPN, headquartered in Hong Kong, assisted the FBI in identifying a cyberstalker by providing connection logs that linked the suspect's real IP address to specific VPN sessions. According to FBI affidavits, PureVPN's records showed the suspect's originating IP address, the times they connected, and which PureVPN servers they used. PureVPN's privacy policy at the time explicitly claimed they kept "no logs of your activities." After the case became public, PureVPN quietly updated their privacy policy — but the damage to industry trust was done.
HideMyAss (2011) — LulzSec Arrest
HideMyAss (HMA), a UK-based VPN provider, complied with a court order and provided connection logs that helped identify Cody Kretsinger, a member of the hacking group LulzSec. The logs included timestamps and IP addresses that directly linked Kretsinger to the attack on Sony Pictures. HMA had marketed itself as a privacy tool, but their terms of service contained carve-outs that allowed logging under certain conditions — conditions their marketing conveniently never mentioned.
The Four Types of VPN Logs
Not all logs are created equal, but all of them can compromise your privacy. Understanding what each type reveals is critical to evaluating any VPN's claims.
- Connection Logs — Timestamps of when you connected and disconnected, the VPN server you used, your originating IP address, and the VPN IP assigned to you. This is the most common type that "no-log" VPNs secretly collect. Connection logs alone are enough to identify you, even without knowing what you did online.
- Usage Logs (Activity Logs) — Records of which websites you visited, files you downloaded, and services you accessed while connected. This is the most invasive type of logging and functionally turns your VPN into a surveillance tool. Few reputable providers collect these, but some free VPNs absolutely do.
- Metadata Logs — Aggregated data like total bandwidth consumed, connection frequency, and device type. Providers often claim metadata is "anonymized," but research has repeatedly shown that metadata can be correlated to re-identify individuals, especially when combined with other data sources.
- DNS Query Logs — Records of every domain name you resolved while connected to the VPN. Even if a provider does not log your full browsing activity, DNS logs reveal every website and service you attempted to access. Some VPNs run their own DNS servers but still log queries for "performance optimization" or "troubleshooting."
A VPN provider's logging practices are only part of the equation. The jurisdiction where the company is incorporated determines what data they can be legally compelled to collect and hand over. VPNs based in Five Eyes countries (US, UK, Canada, Australia, New Zealand) and their Fourteen Eyes allies can be forced to log data through secret court orders — and may be legally prohibited from telling you about it.
How to Actually Verify a No-Log Claim
Marketing copy is worthless. Here is what actually matters when evaluating whether a VPN provider's no-log claim holds water.
Independent Security Audits
A provider that has submitted to an independent, third-party audit of their infrastructure and logging practices has significantly more credibility than one that simply claims "no logs" on a landing page. Look for audits conducted by recognized firms, and check whether the audit scope actually covered server infrastructure and logging — not just the client app.
Infrastructure Design
The architecture of a VPN service reveals more than any policy document. RAM-only servers, for example, physically cannot retain data after a reboot — there is no persistent storage to log to. If a provider runs its servers on standard hard drives with full operating system installations, they have the technical capability to log everything, regardless of what their policy says. Trust architecture, not promises.
Jurisdiction
Where a VPN company is legally incorporated determines which government agencies can compel data collection. Countries outside intelligence-sharing alliances, with strong privacy laws and no mandatory data retention requirements, provide the strongest legal protection. Estonia, Switzerland, Panama, and Iceland are among the jurisdictions considered most favorable for privacy-focused companies.
Open-Source Code
VPN providers that open-source their client applications allow independent security researchers to verify that the software is not secretly logging or exfiltrating data. Closed-source VPN clients are black boxes — you are trusting the provider's word that the software does what they claim. Open source is not a guarantee of safety, but it is a necessary condition for verifiable trust.
AkcaVPN's No-Log Architecture: Built to Be Unable to Log
At AkcaVPN, we took a fundamentally different approach. Instead of writing a no-log policy and asking you to trust us, we engineered our infrastructure so that logging is architecturally impossible. You should not have to trust your VPN provider. The system should make trust unnecessary.
RAM-Only Servers
Every AkcaVPN server runs entirely in volatile memory. There are no hard drives, no SSDs, no persistent storage of any kind. When a server is rebooted or powered off, every byte of data is physically destroyed. There is nowhere to write logs even if we wanted to. A government raid on our server infrastructure would yield exactly nothing.
No Accounts to Log
Most VPNs require an email address and password to create an account. That immediately creates a data point linking your identity to your VPN usage. AkcaVPN uses anonymous 16-digit serial numbers — no email, no name, no personal information of any kind. We have no idea who you are, and we have no mechanism to find out.
WireGuard: Minimal Attack Surface
We use WireGuard and AmneziaWG (our DPI-resistant variant) as our VPN protocols. WireGuard's codebase is approximately 4,000 lines of code, compared to OpenVPN's 100,000+. A smaller codebase means fewer places for logging code to hide, fewer vulnerabilities to exploit, and easier independent auditing. WireGuard was designed from the ground up with the principle that what does not exist cannot be compromised.
Estonian Jurisdiction
AkcaVPN is operated by Akca Network OÜ, incorporated in Tallinn, Estonia. Estonia is a member of the European Union, which means we benefit from GDPR's strong privacy protections. Estonia has no mandatory data retention laws for VPN providers, is not a member of any intelligence-sharing alliance, and has a legal framework built on digital privacy as a fundamental right. We cannot be secretly compelled to log data, and we cannot be gagged from disclosing such an order.
The difference between AkcaVPN and providers that were caught logging is not that we have a better privacy policy. The difference is that our infrastructure is designed so that we cannot log, even under legal compulsion. You should never trust a VPN provider's words. Trust their engineering.
Read Our No-Logs Policy
We wrote our no-logs policy in plain language, not legalese. It explains exactly what we collect (nothing), what we store (nothing), and what we can hand over to law enforcement (nothing). Read it yourself.
No-Logs Policy