AFAIK basically all legal VPN providers keep logs.
If you're providing a service on the net, it is likely that you are required to log all access to your services.
The law enforcement officers or prosecutors can simply ask for the history of your traffic.
As it does not contain the content of your communication, in most legal systems they do not need any warrant to request this data.
The last paragraph under that heading says the directive was declared invalid in 2014.
> On 8 April 2014, the Court of Justice of the European Union declared the Directive 2006/24/EC invalid for violating fundamental rights. The Council's Legal Services have been reported to have stated in closed session that paragraph 59 of the European Court of Justice's ruling "suggests that general and blanket data retention is no longer possible".[18] A legal opinion funded by the Greens/EFA Group in the European Parliament finds that the blanket retention data of unsuspicious persons generally violates the EU Charter of Fundamental Rights, both in regard to national telecommunications data retention laws and to similar EU data retention schemes (PNR, TFTP, TFTS, LEA access to EES, Eurodac, VIS).[19]
Due to the increasing amount of downvotes, I wanted to provide you with some EU legislation. [1]
There is also a Reddit thread asking the same question [2].
DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 15 March 2006
on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
Some citations from the preamble showing the purpose of data retention:
On 13 July 2005, the Council reaffirmed in its declaration condemning the terrorist attacks on London the need to adopt common measures on the retention of telecommunications data as soon as possible.
Given the importance of traffic and location data for the investigation, detection, and prosecution of criminal offences, as demonstrated by research and the practical experience of several Member States, there is a need to ensure at European level that data that are generated or processed, in the course of the supply of communications services, by providers of publicly available electronic communications services or of a public communications network are retained for a certain period, subject to the conditions provided for in this Directive.
The citations of the corresponding paragraphs:
Article 3 para. 2 (data necessary to trace and identify the source of a communication):
The obligation to retain data provided for in paragraph 1 shall include the retention of the data specified in Article 5 relating to unsuccessful call attempts where those data are generated or processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of publicly available electronic communications services or of a public communications network within the jurisdiction of the Member State concerned in the process of supplying the communication services concerned. This Directive shall not require data relating to unconnected calls to be retained.
Article 5 Categories of data to be retained
para. 1/a/2
concerning Internet access, Internet e-mail and Internet telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any communication entering the public telephone network;
(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
Article 5 para. 1/b/2 (data necessary to identify the destination of a communication):
concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
Article 5 para. 1/c/2 (data necessary to identify the date, time and duration of a communication):
concerning Internet access, Internet e-mail and Internet telephony:
(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
Note: Legislation is said to be annulled in 2014 by the European Court of Justice. [3] I don't know how EU legislation works. But many countries adapted the regulation in their national law. The EU annulment doesn't automatically change the regulations in other legislations. For more info on how data retention is implemented in different countries, you could look at the Wikipedia link jacquesm provided.
Yes, I know about the DRD. But it was declared invalid in 2014. If any EU member attempted to enforce national law requiring general data retention, I presume that the target could appeal to the CJEU.
I looked into this fairly carefully some months ago, consulting with Nick Pestell, IVPN's CEO. In writing for their blog.[0] And I got from him that data retention requirements are now rare in the EU.
Thanks again for the link, was very informative. I admit I didn't know much about the regulations outside of Turkey and to some extent EU. I just had a criminal procedure law class and I learned that in Turkey the prosecutors can request any communication logs without a warrant.
As we import our laws from other European countries (for example criminal procedure law was imported from Germany) I thought that this must've been the case in many law systems.
I didn't downvote, but my guess for why some have would be:
> in most legal systems they do not need any warrant to request this data.
From a quick read of your law extract, it doesn't seem to cover that aspect of your original claim (and if it does, I'd warmly suggest you highlighted the controversial bit for those who like me have a hard time grokking through such a long text)
After the CJEU declared the DRD invalid in 2014, the UK enacted the Data Retention and Investigatory Powers Act (DRIPA).[0] The CJEU annulled that in 2016, and the UK proposed amendments.[1] However, in January 2018, the court ruled those amendments insufficient.[2] I'm not aware of further developments, and I expect that I'd have seen anything relevant on Wilders, but please do share if I've missed something.
Thank you for sharing the links. But as far as I can understand, the new regulations do not abolish the need to record the data. They only set up safeguards for which data can be used.
I think a VPN provider in this case is still obliged to keep logs, albeit only hand them over if the necessary conditions are met.
Coming from Turkey, I could not imagine a state where the communication logs are not saved. But it seems the US does this only through intelligence agencies and does not force the ISPs to keep logs.
That's true; moreover, in the legal systems I know, prosecutors also have the authority to request such documents, which means the documents requested can be used as evidence. If you do not comply with it, a judge can compel you to give up the document. In which case you also might get in legal trouble, because you refused the initial request of the prosecutor.
Furthermore, at least here in Turkey, communication records are also used in civil cases. For example, in a divorce case, the parties sometimes request the phone log through a judge and prove disloyalty by showing call history and duration of each call.
Are you saying that
- Google’s policy could unmask users behind a VPN, via an IP+time correlation attack[0]
or
- VPN providers who say they don’t keep logs, are actually keeping logs in secret, because of what you’ve seen at Google
?
I’m straining to make the connection you’re hinting at.
[0] You can now basically buy these from telcos as an identity verification measure, so a VPN seems useful here.