What Do VPNs Actually Log? The Truth Behind No-Logs Claims

The Problem with "No-Logs" as a Marketing Claim

Open any VPN's marketing page and you'll find "no-logs" prominently displayed. It's become such a standard claim that it has largely lost meaning. The reality is that "no-logs" covers an enormous spectrum of actual practices — from VPNs that genuinely store nothing, to VPNs that log extensive connection metadata while technically not logging your "browsing history."

Court cases have demonstrated that some VPNs that marketed themselves as no-logs services were quietly maintaining records that ended up in law enforcement hands. Understanding what VPNs can log, what they commonly do log, and how to distinguish genuine no-logs implementations from marketing claims is essential for anyone using a VPN for privacy.

What VPNs Can Technically Log

When you connect to a VPN, the service has access to a significant amount of information. Here's what a VPN provider could technically record:

Connection Data

• Your real IP address — the IP assigned by your ISP, visible to the VPN server when you connect
• VPN server IP — which server you connected to
• Connection timestamps — when you connected and when you disconnected
• Session duration — how long each VPN session lasted
• Bandwidth consumed — how much data was transferred per session

DNS and Traffic Data

• DNS queries — every domain name you looked up (reveals sites you visited, even without content logging)
• Destination IP addresses — the servers your traffic was sent to
• Traffic content — on unencrypted connections, the actual content of your communications
• Protocol and port data — what type of traffic you were generating (web, torrent, video, etc.)

Account and Device Data

• Account credentials — email address, payment information
• Device identifiers — MAC address, device fingerprinting data
• Number of simultaneous connections — how many devices are using the account at once

What "No-Logs" Typically Means (and Doesn't Mean)

Most VPNs that claim "no-logs" mean they don't log your browsing history, DNS queries, or traffic content. This is the minimum standard for a legitimate privacy claim.

However, many of these same providers still log what's called connection metadata: when you connected, for how long, and how much bandwidth you used. Some log the VPN server you connected to, or the number of simultaneous connections on your account. This metadata, while less sensitive than browsing history, is still potentially identifying.

Connection timestamps combined with ISP records can often identify a specific user. If a VPN logs that account X connected at 14:32 on Tuesday and an ISP records that user Y's IP appeared on a VPN server at the same time, the two records together identify user Y as account X.

The Logging Spectrum: From Most to Least

Full Logs (ISPs and Corporate VPNs)

Internet service providers in most countries are required by law to log connection data for months or years. Corporate VPNs — the kind your employer provides — are designed to log everything for network administration and security purposes. These are not privacy tools.

Connection Logs (Many Consumer VPNs)

Many consumer VPNs that market themselves as "no-logs" still maintain connection logs: timestamps, session duration, bandwidth. They genuinely don't log your browsing history or DNS queries, but the connection metadata they do retain could be used to identify users given external cooperation.

Minimal Metadata (Audited Providers)

Providers like NordVPN and Surfshark have undergone independent audits that verified their no-logs claims. These audits confirmed that connection metadata is not retained beyond what's needed for active session management. Nord's no-logs claim was also tested in practice: in 2018, a NordVPN server was seized by Finnish authorities — no useful logs were retrieved.

True No-Logs (Technically Enforced)

The highest tier of no-logs implementation isn't just policy — it's architecture. Providers like Mullvad, ProtonVPN, and LimeVPN use technical measures to make logging either impossible or immediately discarded:

• RAM-only servers — data never written to disk; a server seizure yields nothing
• No connection timestamps stored — session start/end times not retained after session closes
• No bandwidth accounting per user — aggregate network stats only, not per-account
• Anonymous account creation — no email required (Mullvad's model)

Court Cases That Revealed VPN Logging

IPVanish (2016): The Landmark Case

IPVanish was one of the first major VPN logging scandals. The provider explicitly marketed itself with "zero logs" claims and was popular precisely because of its privacy positioning. In 2016, Homeland Security Investigations (HSI) sent a legal request to IPVanish regarding an ongoing investigation.

IPVanish complied — providing the user's real IP address, connection timestamps, and session data. This data was used to identify and locate the target. The "zero logs" claim had been false: IPVanish was maintaining connection logs under its previous ownership, and the new ownership had not disclosed this change to users.

The case established a critical lesson: no-logs claims can be changed or falsified, especially after ownership transfers, and users have no way of knowing without external verification.

PureVPN (2017): FBI Cooperation

PureVPN, a Hong Kong-based provider that marketed itself as a no-logs service, provided connection logs to the FBI in 2017. The logs — including the user's real IP address and the time of connections — were used to identify a cyberstalker. The FBI stated that PureVPN's logs were "the key" to identifying the suspect.

PureVPN's privacy policy at the time claimed they did not maintain any logs. The actual data provided to law enforcement proved otherwise: connection metadata had been retained and was retrievable on request.

Windscribe (2021): The Vindication Case

In 2021, Ukrainian authorities seized a Windscribe server as part of an investigation. Unlike the IPVanish and PureVPN cases, the Windscribe seizure went the other way: no useful data was recovered. The servers ran without persistent storage, and the seized hardware yielded nothing that could identify users.

The Windscribe case is important because it demonstrated that the technical implementation of no-logs can genuinely hold up under law enforcement seizure — not just in marketing materials, but in practice.

Mullvad (2023): The Gold Standard

Swedish police raided a Mullvad data center in 2023. Officers arrived with the intention of seizing servers containing user data. They left empty-handed. Mullvad's RAM-only infrastructure and genuine no-logs implementation meant there was simply nothing to seize. Mullvad published a full account of the incident on their blog the same day.

How to Verify No-Logs Claims

Third-Party Audits

Independent security firms — Cure53, Deloitte, Securitum, KPMG — can audit a VPN provider's infrastructure and verify that logging systems either don't exist or don't retain the data claimed. Published audit reports (not just audit completion notices) are the most verifiable form of no-logs validation.

Important: audits are point-in-time. An audit from 2019 doesn't guarantee current practices. Recurring annual audits from reputable firms are significantly more credible than one-time audits from years ago.

Warrant Canaries

A warrant canary is a public statement, regularly updated, confirming that a company has not received any secret legal orders or gag orders. If the canary statement disappears or stops being updated, it signals (without technically disclosing) that a secret order may have been received.

Transparency Reports

Transparency reports document the number and type of legal requests received and how many were fulfilled. A VPN that has received 50 data requests and fulfilled zero is making a stronger case for genuine no-logs than a VPN that has published no such data.

Track Record Under Pressure

Server seizures, law enforcement requests, and subpoenas are the ultimate test. Providers that have faced these situations and produced no useful data have the strongest credibility — because their no-logs claims have been tested in reality, not just in marketing copy.

LimeVPN's Logging Approach

LimeVPN maintains no connection timestamps, no browsing history, no DNS query records, and no IP address logs. This is enforced architecturally, not just by policy. Quarterly transparency reports document every legal request received — and the number of data requests fulfilled (zero). LimeVPN operates independently, without corporate group ownership that could change privacy policies following an acquisition.

For users who need reliable no-logs guarantees backed by transparency and verified by track record rather than marketing claims, this approach provides genuine assurance.

The Bottom Line

When evaluating VPN no-logs claims:

• Look for third-party audits with published full reports, not just audit completion announcements
• Check whether the provider publishes transparency reports with actual data
• Verify jurisdiction — US-based VPNs face legal compulsion risks that providers in other jurisdictions don't
• Look for evidence of no-logs claims holding up under actual law enforcement pressure — real incidents, not hypothetical claims
• Check ownership history — ownership changes have preceded logging policy changes more than once

"No-logs" as a marketing claim is nearly meaningless without supporting evidence. The providers who deserve the claim are those who have proven it under pressure, published verifiable transparency data, and built their infrastructure to make logging technically difficult or impossible.