The Good: Surfshark has its headquarters in the Brittish Virgin Island, and therefore away from nosy governmental agencies. It also has a zero-logs policy, features a kill-switch, and uses the open-source OpenVPN protocol and top of the line AES-256 encryption.
The Bad: Surfshark does not operate its own DNS servers.
What privacy and security elements do we test for?
- Logging Policy
- Jurisdiction
- Protocol
- Encryption
- Own DNS Servers
- Kill Switch Test
- Leak Test
1. Logging Policy
What does “logging policy” mean and why is it significant?
VPN providers may gather information about your internet activity. This is called “logging.” Of course, everyone prefers those VPN providers that don’t gather or store user information, but not all of them can claim this.
Data collection is actually a way for your VPN provider to optimize its service. This improves service performance and helps prevent service abuse. Of course, the amounts of collected data vary from VPN provider to VPN provider.
VPN providers can gather and store 4 different “types” of information. Here they are listed from the least harmful to the most harmful:
- VPN service data: Data regarding which VPN server you’ve connected to, the operating system that you use, and version of the app you use.
- Connection data: Your login and logout dates and times, the duration of service usage, and the amount of downloaded and uploaded data.
- Original IP address: Your device’s real IP address. Using your phone or computer’s IP address, your location can be determined.
- Online activity: Webpages that you go to, your search queries, your services. Your entire browsing history, in essence.
VPN service data and the connection data isn’t considered harmful information to hold. After all, you are connected to your VPN anonymously and the data collected is all bundled together with that of other users. This data is used for optimizing and enhancing the VPN service’s performance. This data is generally considered fair game and most VPN providers gather it on a regular basis.
Although IP address collection isn’t really a huge offense, many users are still apprehensive about this, and for a reason. At the end of the day, VPN services are used to retain anonymity, which doesn’t go hand-in-hand with IP address collection.
Finally, your internet activity falls under data that really shouldn’t be collected by your VPN service. In fact, many users resort to VPN to prevent their ISPs from collecting such data. Therefore, this is something of a hefty red flag for a VPN provider.
Out of all the VPNs recommend here, none of them collect this data type, but some free VPN providers actually do. This is very dangerous as they may end up selling this info to data collectors, which is why free VPNs are generally frowned upon.
Despite the fact that the vast majority of VPN services claim zero-log policies, there isn’t an actual standard or a set of rules regarding what a “zero-log policy” actually means. This is why it’s important that you carefully read the privacy policy and google about the VPN provider before subscribing to it.
What is Surfshark’s logging policy like?
As with all top-performing VPNs, Surfshark collects some metadata on its users. As clearly stated in the privacy policy, Surfshark collects the following:
“To maintain a perfect quality of our Services and provide you with efficient support we collect diagnostics information and monitor crash reports on our apps. The information we collect contain aggregated performance data, the frequency of use of our Services, unsuccessful connection attempts and other similar information. As you probably already understood, the data collected for diagnostic purposes does not contain uniquely identifiable information.”
In short: It collects only that data needed to improve its service to you. It is not collecting your browsing behavior, IP address or other sensitive material.
On top of that, Surfshark announced in July 2020 that it has moved entirely to RAM-only servers. This is important, as these servers have no hard disk. As RAM is short-term memory, that is wiped regularly, Surfshark cannot store any data on its users, even if it wanted to.
2. Jurisdiction
What does jurisdiction mean and why is it significant?
Essentially, the country of a VPN provider’s incorporation is called a “jurisdiction.” Every country has its own regulations to abide by, so you should take jurisdiction into consideration when choosing your VPN provider.
For instance, certain countries like Australia, the USA, and some EU members are under strict data retention laws. Data retention laws actually require ISPs in that particular country to provide a wide range of user data. This data includes websites visited and emails sent.
One of the main purposes of VPN is encrypting data that is sent over an ISP network. This means that the ISP isn’t able to read and get its hands on your data. This is among the primary reasons why many people resort to VPN in the first place – to escape mass surveillance.
The word on the web is that the VPN services are bound by data retention laws to collect user information. This rumor is a myth, as VPN services are private network providers, unlike ISPs. This means that a VPN service isn’t bound by identical rules as your standard internet service provider. A VPN service isn’t required to collect data.
That being said, government agencies actually have ways of bypassing this rule. In the US, a federal agency can actually issue a secret subpoena, like a National Security Letter, which allows it to gain access to data logs of a VPN, even of entire servers.
Bear in mind that these aren’t folktales. Instead of letting the NSA get their hands on Edward Snowden, Lavabit, an email encryption provider was forced to close operations, back in 2013. Similarly, Private Internet Access had to close its servers in Russia to avoid the overly-strict data logging rules in 2016. This means that government agencies are constantly making efforts to seize VPN user data.
To avoid these issues, there are two main things that a private user can do:
- When selecting a VPN provider, pick a VPN location that isn’t a country that’s an international intelligence treaty member (for instance, the UKUSA agreement) and doesn’t have any data retention laws. NordVPN, for example, has its HQ in Panama, while Express VPN is seated in the British Virgin Islands. Both of these providers are immensely popular.
- Make sure that your VPN has a legitimate zero-logging policy and that vouches not to store your internet activity (visited websites, services used, searches made, etc.) If a VPN provider doesn’t store that information, it can’t give it, sell it, or surrender it to the government.
What is Surfshark’s jurisdiction?
Surfshark is based in the British Virgin Island, this not only is a tax-haven, but also a privacy-haven. There are no data retention laws, and it is not connected to any of the international data sharing arrangements.
On top of that, Surfshark features a warrant canary on its website. This means that it will publically display any data requests it receives from governmental organizations through National Security letters and gag orders.
3. Protocol
What does protocol mean and why is it significant?
A VPN protocol is essentially a set of rules on how the data is transmitted and formatted via a network (internet or local area (LAN)). Several protocols exist and they vary in terms of security and speed. OpenVPN is deemed as the one that’s the most secure, followed by L2TP, IKEv2, PPTP, and SSTP. Surfshark now also includes the Wireguard procol.
What protocols does Surfshark use?
Surfshark uses the opensource OpenVPN (TCP/UDP) and IKEv2/IPSec protocol.
4. Encryption
What does encryption mean and why is it significant?
Encryption is the “translation” of fully readable information into “coded gibberish.” In order to encrypt something, an encryption key is used. Naturally, only those that have key access can decipher and, therefore, read the information in question.
Advanced Encryption Standard (AES) is widely considered as the best one around. There are two main encryption key lengths: AES-128 and AES-256. AES-128 is generally considered to be unbreakable, while AES-256 is stronger. The former is 128 bit long while the latter is 256 bits long.
What encryption standard does Surfshark use?
Surfshark encrypts your data according to the highest possible standard: AES-256.
5. Own DNS Servers
What do DNS servers mean and why are they significant?
Web addresses, such as YouTube.com and Facebook.com are, in fact, long strings of numbers. These numbers are the above-mentioned IP addresses. Complex and seemingly illogical, they aren’t easy to remember, which is why domain names, such as Facebook.com, exist.
DNS-servers are basically the internet’s phone operators. Countless domain names are stored on DNS-servers and so are their respective IP addresses. These servers make sure that you always reach the IP address that you were looking for when you type a website’s name into the address bar.
If a VPN provider happens to have DNS servers of its own, this means that your movement is encrypted using the exact same VPN-tunnel like any other online activity that you perform. This further means that a third-party can’t log or intercept it and that the government agencies and organizations can’t censor it.
Does Surfshark use its own DNS servers?
Yes. Surfshark runs its own DNS servers.
6. Kill Switch Test
What does a kill switch mean and why is it significant?
The moment the VPN becomes inactive on your connection, a safety feature called the “kill switch” is triggered. It immediately kills your internet connection. Essentially, this means that if your VPN fails, your online activity will remain hidden.
Does Surfshark use a kill switch?
Yes, Surfshark features a kill switch.
7. Leak Test
What does a leak mean and why is it significant?
It can occur that a VPN fails to hide a certain data amount, despite it being continuously active. This is called a “leak.” The most common of the bunch are IP Leaks, DNS leaks, the Windows Credential Leak, WebRTC Leaks.
Does Surfshark leak your data?
No, Surfshark does not leak any of your data.
