Data Retention, Copyright, and Logging Regulations in the United States

Though European users have to use the Internet under the EU’s Data Retention Directive, the United States doesn’t have such invasive data retention laws. But if that’s true, then why do so many US-based VPN providers keep some amount of log files, and what’s up with the NSA? Even though the US doesn’t have harsh data retention regulations, there are some stiff laws such as the Stored Communications Act, which sets forth guidelines defining when a communications company can and can’t hand over customer transmission records.

In the name of public safety and national security, law enforcement, investigators, and prosecutors can demand that a VPN service provider hand over any and all records of the user in question. This information could contain payment card data, usernames and passwords, and any metadata the company logged. But there seems to be a lot of confusion regarding what’s legal and illegal in the United States. If you’re the type of user who’s concerned about privacy and security, you need to know what the laws are and how they affect VPN service providers.

The Digital Millennium Copyright Act (DMCA)

First created in 1998, the DMCA defines copyright infringement and makes it a criminal act to circumvent copyright restrictions. In the late nineties, this act sent shockwaves of fear through P2P communities and people downloading copyrighted materials for free via LimeWire, Napster, and BitTorrent.

In addition to criminalizing these activities, the DMCA also requires a Takedown Notice be posted for sites and services providing access to copyrighted materials. This helps ISPs avoid liability when their users directly violate the DMCA and their terms of use. However, as you may well know, the DMCA was a colossal failure at stamping out the downloading of free content, even if it was copyrighted.

Now think about what this could mean for a VPN service that allows BitTorrent traffic on their networks. Ideally, law enforcement would first need to obtain a court order before knocking on the VPN service’s door and demanding access to information, but it doesn’t always work out that way. Even without a court order, many VPN services will comply because they don’t want to waste time and money in a lengthy legal dispute, making it even more imperative that you choose a VPN service that doesn’t log data.

US Based VPN Companies and Logging

Even though the vast majority of VPN services claim that they don’t keep any logs whatsoever, this claim is really just a marketing tactic and is only partially true, to varying degrees. In reality, just about every service is going to log metadata at the very least. It’s rare for a VPN to log user activity and data, but they do keep logs for the following reasons:

  • Cooperating with data regulations keeps their nose clean, helping them avoid drawn-out and expensive legal battles
  • Identifying criminals and handing over any information they have shifts liability from the VPN service to the individual in question
  • Internet service and tech companies aren’t guaranteed to be exempt from prosecution, even if they are operating within the confines of the law
  • Federal US agencies are notorious for eavesdropping and wiretapping scandals, such as the NSA

Because there’s so much at stake, most VPN providers want to stay on the government’s good side. Failing to do so could mean that their business will be shut down, or they could run the risk of losing their customers’ trust, thus reducing profits. But the end goal is to have absolutely no data logged on their servers, ensuring that there is no browsing data that can be retrieved and traced to any specific account.

BitTorrent and Logging Considerations

Despite all the legal bills and acts that regulate Internet communications, US VPN providers aren’t technically forced to keep log files. Furthermore, these same providers can make use of shared IP addresses, which are used among multiple users to obfuscate their identities.

This makes it extremely challenging (nearly impossible) to track down users who are abusing copyright laws, like BitTorrent users. The beauty of shared IP addresses in conjunction with a no-logging policy is that the VPN provider may not have any data to hand over to the government, even in the face of a court order.

However, to avoid any potential trouble, it’s becoming more common for US-based VPN services to restrict BitTorrent traffic to servers in areas where there are no copyright infringement laws against P2P services.

For example, PIA VPN made the following statement, “We are regretful to inform our subscribers that any BitTorrent activity must now be conducted on our Swiss and other offshore gateways. We have received too many abuse and copyright infringement complaints on our US and UK gateways which has forced us, in order to protect our customers, to this policy change. We do not log our users’ network traffic in any way, shape, or form.”

Furthermore, offshore VPN services take similar precautions to comply with US laws and regulations. Some of them don’t permit P2P or BitTorrent traffic to flow through any of their US-based servers. For example, PureVPN supports P2P in a similar manner by blocking torrent traffic and websites on servers prone to takedown notices.

Negative Effects of the Protecting Children from Internet Pornography Act of 2011

In a noble effort to stamp out child pornography, the PCFIPA was enacted in 2011. And I think most people admire efforts to prevent child pornographers from making the world a terrible place. However, there were some drawbacks of the act, especially regarding people’s rights to privacy.

Part of the legislation made it mandatory for ISPs to gather and log information about users connected to their networks, such as IP addresses, payment card data, bank accounts, dynamic IP addresses, DNS requests, phone numbers, and tabs on which websites a user visits. The idea is to raise a red flag should a user feel inclined to visit a nauseating child pornography website.

Unfortunately, privacy advocates feel like they’re being punished for the wrongdoing of a criminal minority. I think most people would forfeit a bit of privacy to help stop criminal activity, but consider the numbers. The US has about 287 million Internet users, of whom only about 10 thousand engage in the despicable activity of child pornography.

That means only 0.00348% (that’s 3.5 thousandths of one percent) of Internet users effectively destroyed Internet privacy for the rest of us. Now consider that police and law enforcement personnel have the ability to further invade privacy.

Due to the Protect Our Children Act of 2008, law enforcement only needs probable cause and a warrant to gather personal information. Though I’m in favor of anything that stops a tragic crime, here’s where things get really ugly: data listed in the act doesn’t necessarily need to be collected under the guise of preventing pornography. It can be collected for any issue.

You can’t judge a book by its cover, and you can’t judge legislation by the name of the act. Many similar governmental bills include provisions that aren’t directly related to the issue at hand, and this act forecasts a dark future for internet privacy in the US.

But here’s the bottom line: Internet freedoms and privacy are steadily transitioning towards a state of less privacy. For now, we can use VPNs to protect our identity, privacy, and data, but who knows what future bills will affect the use of VPN tunnels?

The CISPA

The Cyber Intelligence Sharing and Protection Act was originally created as a means of combating and thwarting threats to national security. But just like the NSA’s wiretapping scandal (PRISM), some people feel it did more harm than good.

Not only is the language vaguely worded, but there’s no accountability system in place to ensure citizens’ rights aren’t infringed upon. In turn, this act has caused many domestic US firms to share information and personal data with the government. And the hands of these companies (Google, Microsoft, Apple, and many others) are tied: there’s not much they can do to stop a governmental agency like the NSA from coercing them into handing over customer data.

And even though the CISPA was thrown out in 2012, it was later passed. And with the current political climate and change of office at the end of this year, there’s no telling which bills will be changed.

Final Thoughts

Clearly, the United States is floundering in turmoil and confusing laws that don’t draw clear lines between permissible data regulations and invasions of privacy. Just look at one nominee’s email scandals. Given all the legislation and regulation that allows the government and law enforcement to acquire your personal data, it’s more important than ever before to use a VPN tunnel in the US.

For now, VPN service providers can legitimately opt out of logging their customers’ data, though they do log metadata. To ensure that you’re not the next victim of an unlawful invasion of privacy, use VPN tunnels and browser extensions to increase your privacy and security. If you don’t, your data may end up on a governmental database server without your consent!

As a quick guide, check out our list of some of the best log-less VPN providers.
