We have seen some services claim "We are anonymous too, this protects you because they can't find us to pressure us". First, federal agents set up stings and remain anonymous when they do so. So do criminals. Second, even if it is not a sting or a criminal operation, that anonymity doesn't protect you, it protects them. It protects them from accountability to you. It protects them from any responsibility to you or anyone else.
It doesn't protect you at all. In fact, it is a detriment. They will not fight the system; they are anonymous. They can't even be served, which means the authorities get to act freely, without anyone challenging them and enforcing proper procedure. (Of course, the jurisdictions in which some of these places host servers have no legal protections at all anyway; in most of them the authorities can walk in and tap the server without any legal writ, because they don't need one to do so.)
Even if they claim their server's drive is encrypted, that is no protection. A running server already has the encryption unlocked; it has to, so that processes can read and write. Compromise that server and the encryption means nothing, because it is already open. There are many ways into a machine when you have physical access. Plus, if it is boot-level encryption, then the local datacenter has to have the password in case the server crashes.
If it is not boot-level encryption but only file encryption, the key resides on the server so that it comes back up if it crashes. Even if it was set up without the key being on the server, just reboot it and wait: the owner will have to log in and enter the encryption password for the server to come fully back up. With an anonymous owner you aren't protected at all, but he/she is protected from any responsibility to you or anyone else.
With a known owner, you have someone to sue if your information is given out against policy. In our case we are fully accountable to you. We will make sure every T is crossed and every i is dotted legally should anyone come after our servers. We'll fight it, too. And if we give out your info without a subpoena forcing us to and without proper legal procedure, you can sue us for that. With an anonymous owner, you have no recourse. No recourse if they hand out your info to anyone who asks. No recourse if they take your money and don't provide the service. No recourse if they suddenly vanish.
"No Logging! We don't even know what you do while using us." Another big marketing claim.
Think about this: if you used stolen credit cards everywhere for everything you could order, spread viruses, spammed mail and/or guestbooks, initiated denial of service attacks against the FBI, sent bomb threats to the Secret Service, tried to hack into the Pentagon, tried to solicit the young daughters of FBI agents for sex, or did any of the myriad other things that would cause pressure to stop it, how long do you think you would stay online? A month? You'd probably be taken offline in less time than that. Privacy services have the same issue.
Nobody can just allow anything and everything. Everyone has to have some control. Everyone must prevent abuse to stay online, to keep their internet connections, and to stay financially solvent (you'll go broke letting people pay with stolen credit cards and forged money orders). So everyone must make sure that their service doesn't become a haven for thieves and abusers.
How does everyone handle it? Rules, and account termination for violating those rules. They tell you so in their terms of service (don't do this, don't do that, or risk account termination). The mere fact that they can prove you broke those rules after the fact means they are logging something. They can prove what you did after you did it. Really anonymous, without any records, would mean you could send continuous threats to fire missiles at incoming planes to the FAA and never get caught, nor would they even know which account to terminate for doing it, no matter how hard they looked.
Besides all this, there are many things on a server that log. Account payment records and updates: everyone has to log those, because what good is a service that doesn't know who paid for what and for how long? Plus, server processes and programs log when they start and stop. Errors are also logged. Error logs are critical to providing a reliable service and troubleshooting problems. Intrusion detection systems and firewalls log (an unsecured machine cannot even provide privacy, so they had better have these and their logs). Many things keep logs.
I guess those that claim no logs really mean "No logs...except for these...oh and these...oh and those too...but they don't really count, what's important is that we don't log your datastream". We really do understand that they are using the term "no logs" to mean only the data stream. They don't log the data stream and probably not your IP when using the proxy (it's theirs or 127.0.0.1).
We don't log the datastream either, and your IP in our SSH tunnels accessing the proxies is 127.0.0.1 and comes out as ours (these are standard setups and nobody is doing something special that others can't), but there are many other things that log on a system, and to just ignore them all and say "No logs" is lying.
What is in our logs?
We have standard SMTP transaction logs for our e-mail; every service that provides e-mail has these. Ours roll (overwrite) every five days. A sample of what a standard SMTP transaction log looks like that would have user information in it:
Nov 18 13:25:23 www mta: AUTH=server, relay=domain.com [127.0.0.1] (may be forged), authid=account, mech=<type of auth>
Nov 18 13:25:23 www mta: XXXmpe12345: from=<firstname.lastname@example.org>, size=405, class=0, nrcpts=1, msgid=<messageID>, proto=ESMTP, daemon=TLSMTA, relay=domain.com [127.0.0.1] (may be forged)
Nov 18 13:25:23 www mta: XXXmpe12345: to=<email@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=12345, relay=receivingmachine.domain.com. [receivingmachineIP], dsn=2.0.0, stat=Sent (iAIIPOAb089975 Message accepted for delivery)
The content of the SMTP log is no different from what is already in the header of the message, apart from the authenticated username. That is how we tell which account to terminate if someone decides to try to spam through us or sends a death threat, etc. (we think that is better than putting that info in the header for all to see).
We also use them for support issues like "I sent/posted/etc. this and it never made it". The logs are needed so we can look at them to see whether the remote server accepted it or not, and if not, why. Without them the only answer we could give would be "Sorry, can't help you", which isn't very good customer support.
We have standard Apache logs for our web site. Every single web site has these logs. We use them to trace errors, to alert us to DoS and hacking attempts, and for website statistics. A sample standard Apache log entry looks like this:
<connectingIP> - - [18/Nov/2004:13:22:47 -0500] "GET /index.html HTTP/1.1" 200 10210
Our proxy logs are standard too. We need them to trace errors, counter DoS and hacking attempts, etc. A sample of a proxy log:
127.0.0.1 - - [18/Nov/2004:13:42:05 -0500] "CONNECT www.domain.com:443 HTTP/1.0" 200 15088
(The above is an HTTPS connection via the proxy; no target filenames, etc. can be seen because the datastream is a direct, encrypted connection.)
127.0.0.1 - - [18/Nov/2004:13:41:40 -0500] "GET http://www.domain.com/file.html HTTP/1.0" 200 361
(The above is a plain HTTP connection; unlike HTTPS, this is not an encrypted direct connection, and the proxy is told the filename to go retrieve.)
Our proxy logs do not log your IP. The IP logged is ours, because the requests all come from localhost.
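As an added example (not code from the original page), a small Python audit script that parses lines in the format of the Apache and proxy samples above and reports, per entry, whether the client address is anything other than localhost, how much of the target a CONNECT reveals versus a plain-HTTP GET, and whether the entry is still inside the rotation window. The sample lines are constructed after the page's examples; 198.51.100.7 is an assumed client address standing in for <connectingIP>.

```python
import re
from datetime import datetime, timedelta

# Common log format as in the page's Apache and proxy samples:
#   client - - [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines modelled on the page's examples (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [18/Nov/2004:13:42:05 -0500] "CONNECT www.domain.com:443 HTTP/1.0" 200 15088
127.0.0.1 - - [18/Nov/2004:13:41:40 -0500] "GET http://www.domain.com/file.html HTTP/1.0" 200 361
198.51.100.7 - - [18/Nov/2004:13:22:47 -0500] "GET /index.html HTTP/1.1" 200 10210
"""

def parse_line(line):
    """Split one CLF line into fields; returns None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def exposure(rec):
    """Describe what a single entry reveals about the user."""
    out = {"client_ip_exposed": rec["client"] != "127.0.0.1"}
    if rec["method"] == "CONNECT":
        out["visible"] = "host"        # HTTPS via proxy: host:port only, path stays in TLS
    elif rec["target"].startswith("http://"):
        out["visible"] = "host+path"   # plain HTTP via proxy: full URL is handed to the proxy
    else:
        out["visible"] = "path"        # request to our own web site: path on our host
    return out

def audit(text, now_iso, rotation_days):
    """Audit every line; now_iso is an ISO-8601 timestamp such as '2004-11-20T00:00:00+00:00'."""
    now = datetime.fromisoformat(now_iso)
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = exposure(rec)
        info["target"] = rec["target"]
        # Entries older than the rotation window have been overwritten already.
        info["retained"] = now - rec["ts"] < timedelta(days=rotation_days)
        results.append(info)
    return results
```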
Our SSH logs are also standard: a standard last log (last login from). This is mostly for you, but it also allows us to counter people attempting to guess their way into your account. A standard SSH log entry that would have user information in it looks like this:
accountname ttyp1 <connecting IP> Tue Nov 16 03:16 - 21:32 (1+18:15)
From the SSH logs we cannot tell what you did, where you went, or anything else, only that you connected to us and for how long. This allows you to see who last logged into your account (so you know someone else didn't break into it) and enables us to automatically lock out repeated failed attempts at guessing passwords.
The identifiable/personal information that our VPN logs contain is the IP address and port connected to, the time of the connection, and the local (10.x) address connected, which can be tied to the account. Initial VPN login logs will also contain the IP address logging into the VPN server.
We have scripts monitoring all of our services for attacks, mostly anomaly and signature detection. We have scripts that monitor performance and the services and servers themselves. They will trigger automatic failover to backup servers in the event of system or service failure. They can and do automatically manage power as well; they are able to power-cycle a machine automatically if it locks up. All of these scripts work with the logs above to some extent, and those that have their own logs have absolutely no individually identifiable user information in them.
None of our logs record the datastream, meaning the contents of the email, web request, or SSH tunnel. We do not know what you do in the SSH tunnel or in any communications, only that you set up a tunnel or sent a message. You'll notice that very little information is kept in the logs, only what is needed for abuse issues, troubleshooting problems, and anomaly/intrusion detection. All but the proxies are on a five-day rotation (due to the size of the logs, proxies are on a three-day rotation). This means that at any given time we have no information in web and mail logs from six days ago and no information in proxy logs from four days ago.