Can AdGuard VPN be trusted?

Well, there’s no disadvantage compared to not using AG DNS:)

Compared to AdGuard apps, DNS has limited capabilities: no HTTPS filtering, no control on the app level, etc. etc. Not everyone needs all these capabilities though, you should decide for yourself.

One last thing to note, instead of using public DNS you may consider using the AdGuard Home or AdGuard Personal DNS where you can configure what’s getting blocked and see what it does in the dashboard.

2 Likes

Thank you for taking the time to address community concerns. It’s quite disappointing to see credible organisations with decent track records maligned because they originate in certain countries.

Hidden in between actual relevant questions were parts of this thread that were eerily similar to the discourse I saw in Privacy subreddits and communities when Ente Photos and Auth were asked to prove their passion for privacy and open source just because they originated in India, another country people are wary of in privacy spaces. Yet nobody is asking every US based privacy oriented company to prove their passion (especially when Patriot Act and National security letters exist). Very disappointed.

3 Likes

Thank you very much for all your posts and explanations, Andrey.

I feel relieved that there are still people and organizations that can be honest and transparent, even in these difficult times for Ukrainians, Russians, and many others affected by this war.

As I’ve mentioned in a post above, I’m often skeptical of services headquartered on Cyprus, so it feels good to be reassured. I’m a paid customer either way, but still.

Thank you for doing your part to help us protect our privacy, whoever we are and wherever we live.

2 Likes

These people could also be scared for all we know, as current Russian leadership will go beyond extortion to meet their demands (there is much evidence of this). Be safe you all, love from another Slav (descendant).

Also, yes people, all countries and their representatives are responsible for atrocities, this does not mean all countries are on the same playing field. To be honest, I think everyone in this thread is on the same thread regarding this last point, but confusion and misinterpretation have led to questioning.

3 Likes

Thank you for taking time to answer so many questions. I am thinking out loud, but why does the AdGuard VPN website not mention things in plain text like:

  • we can’t trace back who connected to public IP of our servers at what times. -or-
  • we do not keep a log of your real IP once you disconnect the VPN -or-
  • provide a warrant canary or something similar for transparency

The reason I say this is because many activists (not linked to Russia) use VPN to communicate etc. If you want customers to trust a non-audited protocol like AdGuard, the least you can do is explicitly commit to being on their side.

Your privacy policy talks about “our vpn server keeps no logs” but then you mention later that when one connects to the VPN app, your server receives an app authentication token and your server also records connection details (to monitor number of connections) - does any of this info link back to the original user that you can identify?

If the answer is yes, how long are these stored for and if asked, are you able to hand these over to the authorities? Alternatively if forced by authorities, will your seized server give this away?

2 Likes

I don’t want us to be inaccurate.

Theoretically, any VPN provider can:

  1. Connect to the VPN server.
  2. See the IP addresses connected to that server.
  3. Figure out who the users are. Depending on the protocol, it can be done using different ways, but nevertheless.

So if a VPN provider states that they “cannot trace” this can only be true about historical information, in real time when you’re connected it would be possible.

But we do state this on the website (in FAQ) and in the privacy policy.

Good idea actually. Transparency report is something that’s on our roadmap, adding some kind of a warrant canary there makes perfect sense.

Authentication token does link back to the user since it’s the way the user authenticates when connecting to the VPN server.

It is used when the user connects to the server to check that they technically can use it. They’re not recorded anywhere on the server itself.

In the privacy policy we describe every piece of data the app can send to the server-side, but it does not mean that any of this data is recorded or stored.

Since this information is not recorded, a seized VPN server will not give this away.

Requesting this information by authorities would imply that the authorities already know the user they’re asking about. In this case if requested by Cyprus authorities we’ll be forced to hand over the information that we have which is not much: email, subscription details, you can export your data in AG personal account to see what’s there.

2 Likes

Thank you for being so active on here and spending time to answer questions even though some might feel like repeating yourself over and over.

Two last ones from me:

  1. Tracking “theoretical” scenario you mention - do you imply if query is for historical connection data, AdGuard VPN cannot give information to link back to users but if it was subpoenaed to, it will be able to in real time connect dots (like many others e.g. ProtonMail and French activist case).

  2. If authority did not know the user but knew they used one of your public IPs on a specific Sunday for 3 hours (just a wild example!), and demands you link back that public IP to all the 10 real IPs that connected between those 3 hours, could you?

1 Like

Correct. I’d only add that this is true for any VPN service, if forced any VPN provider is technically able to trace in real-time.

We don’t store historical information of this sort. Moreover, GDPR minimisation requirement actually prevents us from storing any information that’s not required for the service functioning.

2 Likes

I can’t find anywhere in their privacy policy about “we don’t collect IP address”. Can anybody please link me to what previous post said?
I remember Reddit posts from 3-4 years ago when their privacy policy said such information as “crucial” for operation of VPN.

“We do not collect logs on VPN servers and do not know what websites you visit.” is a stronger commitment than just not recording IP addresses.

6 Likes

Feels ambiguous to me as a layman. Looking at how Mullvad or Nord writes their terms it’s crystal clear but you have terms like “some data maybe personal data”. This can be many things. An account download like you suggested in an earlier post shows all connected servers at exact time stamps of when I connected to them.

I agree with sentiments at start of this thread that an independent audit could be the only way to know for real. Because for anyone who is not a regular IT guy, simple privacy policy but comprehensive one makes more sense. I could be daft idk lol :joy:

1 Like

Does Cyprus law protect you against such a request by LE? In other words, does Cyprus law allow LE to compel you to log?

I think @fikko is not calling on the Russian citizens themselves but on their authoritarian governmental regulations that exercise great control over all their citizens irrespective of whether they are decent or not. This is a valid concern of how AdGuard can differentiate itself from this?

Under normal circumstances, the answer is “probably they cannot”. Logging on the server will be against GDPR and can violate privacy of other users so the question is will this argument be good enough in court.

Even if ultimately forced (there are several magic govt security related words that unblock any law), this kind of pressure would be something unprecedented and it cannot go unnoticed or unannounced.

2 Likes

The statement is rather general and it’s just hard to respond when there’re no specifics in the question. I’ll have to give a general answer as well.

We moved the company specifically for it to be a subject of a law system that does not impose regulations which are not in line with the company’s policies. Regarding possible pressure on individuals, there’s one more check that we have. By the Cyprus laws the Director of the company holds control over it and even the owner is limited in what they can do, and in our case the company Director is a Cyprus national.

4 Likes

Wouldn’t it be easier to just not log at all? Not even when an account connected or logged in from what server?

With lack of RAM-only server you already do have the data there, albeit encrypted. But not unrecoverable by AdGuard if forced or willingly compromised.

This is exactly what is going on right now. But the question was is it possible to legally force a company to build that.

RAM-only server’s main idea is to prevent the VPN service configuration from being recoverable when the server is turned off. This “recoverability” liability itself stems from the fact that most VPN services use open protocols like OpenVPN or WireGuard which in turn rely on file-based configuration.

AdGuard VPN server software is different in that regard, it already keeps its “state” (information necessary to authenticate users) in RAM and if the server is turned off it won’t be available.

Not sure this is true. GDPR doesn’t do much against LE demanding logging. See how Tuta was forced to disable an account encryption by a German court. This meant that from the court ruling date, all emails received by the suspect weren’t encrypted anymore.

1 Like

I might be misunderstanding but… currently if I download what data AdGuard suggests it holds about me (from account > data download) it shows exactly at what times I connected and using what IP address/location. So if I connect using AdGuard servers, it shows with timestamp what server I was connected to. I’m not sure if this changes only when I log in or every time I change my server.

You might be correct here. GDPR allows for data logging in many circumstances too. The grey area being “it is necessary for legitimate purposes”. It even goes to an extent that a company is allowed to withhold information it holds about the subjects in circumstances such as above. So if that account holder on Tuta requested data download, Tuta could return back all personal info and withhold all unencrypted emails. This would make the person believe Tuta holds nothing but in fact it does hold more than what’s disclosed. LE involvement is one of many ‘circumstances’ that allows such practice under GDPR.

2 Likes