AirVPN review

AirVPN operates a no-logs policy but this is not yet independently audited. This means that customers are required to trust the company does not store logs. A lot of information about how the system works is made publicly available, but customers need a lot of technical knowledge and ability to test that these claims are accurate. They do, however, use automatic systems in RAM, which cannot persistently store data. If it did, it would quickly run out of space and not be fit for purpose. When a device is restarted the data in RAM is reset to zero, so nothing can be stored here. Many versions of the Linux operating system such as Tails that have an emphasis on privacy are designed to boot from a USB stick and run in RAM because there will be no trace of them once the computer starts up again. This is proof that RAM can be trusted for the purpose of privacy, but what about other forms of memory like hard drives? AirVPN’s policy states that: ‘traffic and/or traffic content and/or IP addresses of the customers or users are not inspected, logged or stored into any mass storage device.’ According to AirVPN’s About us page the project started at a hacker festival in Rome in 2010, at which point it was a free service run by a collective with no corporation behind it. They give very little detail about the company they formed in 2012 in order to commercialise the service. The AirVPN Terms of Service gives an address for the company in Perugia, Italy. There are many legal consequences to having the headquarters in this location. The Terms of Service document describes itself as ‘governed by and construed… under the jurisdiction of the European Court of Justice and the courts in Italy.’ Italy is part of the Fourteen Eyes along with the US, the UK and many Western European nations. With the exception of Australia and New Zealand, all members of the alliance are also members of NATO. The existence of this alliance was made public by documents leaked by Edward Snowden which describe it as SIGINT Seniors Europe or SSEUR. Its existence seemingly hasn’t been officially acknowledged, but a 2018 parliamentary question by a UKIP MEP that mentioned it was given an answer by European Commission President Jean-Claude Juncker that did not deny that the alliance existed. Perhaps importantly it did state that Brexit would have no effect on whether these nations would continue to corporate on security matters. What does this mean for AirVPN customers? The problem with many of Edward Snowden’s revelations is that the security community routinely gathers data on a wide scale, making use of unpatched security vulnerabilities that they do not disclose to the companies that make the software that we use. As a member of the Fourteen Eyes, Italy has signed up to secretly spy on companies within its borders, which includes AirVPN, and share this data with the other members if they want to. Although providing information about how their services operate is good for transparency, AirVPN may be making it easier for spies to exploit their systems without ever needing to publicly disclose the vulnerabilities they discover. The AirVPN Terms of Service adds that ‘You hereby consent and submit to the personal and exclusive jurisdiction of such courts for the purposes of litigating any action’. No matter what country you’re located in, the Terms of Service asserts that you will be required to abide by the terms of the European Convention on Human Rights (ECHR). The first part of Article 8 of the ECHR specifies that everyone has ‘the right to respect for his private and family life, his home and his correspondence,’ which sounds very similar to the privacy purpose of VPNs. However it is somewhat contradicted by the second part, which says that no public authority can interfere with numerous exceptions for ‘national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’ This is a pretty broad list of exceptional circumstances under which AirVPN users actually have no right to privacy, but this is why a no-logging policy should be audited. Customers have to make a choice about whether to trust that their internet traffic isn’t logged by AirVPN, and therefore cannot be used to prosecute them under the ECHR, or that AirVPN truly abides by the ECHR by checking for criminal activity and storing the evidence for later prosecution.