How to determine if a VPN provider respects data confidentiality?
Short answer: You can't.
Before you buy any service you should take a look at their Privacy Policy. For instance Hide My Ass:
What data we collect: We will store the stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN servers used by you . We do not store details of, or monitor the websites you connect to when using our VPN service.
Why we need this data: We do this so that we can monitor the performance of our Site, for example it enables us to sort server nodes by the number of users connected, to limit your account to one concurrent IP address per VPN connection (to prevent shared accounts), resource analytics (to carry out usage analysis for administrative purposes) and to prevent abuse and fraud. This data is stored on our system for between 2 and 3 months unless we are required, for legal reasons or under exceptional circumstances (including our own investigations of fraud or abuse), to retain this data for an extended period.
You have plenty more services but who can guarantee that they won't sell your data?
The scope of the answer is much larger (legal side, technical side, etc...). I hope someone can develop a better answer for you.
First off "using a VPN" and "using a VPN provider" are not the same thing.
The bottom line is you can't be sure that data exchanged with the public internet won't be spied on. Even if your provider doesn't spy themselves their upstreams may do so.
Using a VPN provider to access services on the public internet is just trading one potential spy (your ISP and their upstreams) for another (your VPN provider and their upstreams). Without knowing what your usecase and hence your threat model is it's not possible to determine whether that tradeoff is an improvement or not.
Using a VPN that terminates on the network where the server is reduces the number of entities who can potentially spy on the content. On the other hand your ISP can still see that you are connecting to the network in question which may have been what you were trying to hide in the first place.
This is a rather large issue that has received a lot of attention in the past (not just on Stack Exchange). This boils down to several subtopics:
- Trust;
- Legal responsibilities of the VPN service provider; and
- Legal responsibilities of the VPN's hosting providers and data centers.
There are many VPN services that claim to anonymize and protect your identity, but some of them are rather lousy at it, and some just blatantly do not follow through with that promise.
Trust (1) & Legal Responsibilities of the VPN Provider (2)
Your VPN can make promises all day long, but how much do you trust them? Are they a reputable, well known brand, that has good customer reviews and feedback? Most well known brands have been extensively tested on their promises of anonymity, and you can find write-ups and reviews about that through a simple search (albeit, usually in the form of blogs, not scholarly articles/papers).
Has there been any news about their users being de-anonymized by giving up logs/records?
This happened with HideMyAss about five years ago. Lulzsec (a group of savvy script-kiddies, in my opinion) were de-anonymized by HideMyAss (HMA), when HMA was issued a court order to turn over their logs for investigation. Their logs revealed information that allowed government agencies to figure out exactly who the Lulzsec members were that orchestrated random and chaotic attacks against many important and popular websites, services, and foundations. While I think in this case, de-anonymizing these malicious users was appropriate, it did ultimately defeat the purpose of using a VPN for anonymization. (Which the name "Hide My Ass" pretty much implies.) However, just because a VPN service has had a historical case of turning over logs does not necessarily mean they are bad. Many VPN services that have been scrutinized over issues like this end up changing using that as a "wake-up call," so to speak, and they change their data logging and privacy policies to better protect their users.
Next, you have to read over their privacy policy. Does it say they will log sensitive information about you, such as which websites you are visiting? To collect such information, they are legally supposed to state it in their Privacy Policy. After reading this, though, you must also question if you trust them to uphold and follow their policy. Sure, they may say they will not collect any data about you, but how do you know they will follow through on that agreement? If you choose a reputable, big brand, then this probably won't be an issue, but, for example, if you choose a fairly unknown brand based in Russia, do you trust that they will follow through with their promise?
You also need to consider the VPNs legal responsibilities. The VPN is bound to the laws of the countries they operate in/from. As such, the government of the country they are headquartered in may demand that certain logs/records be kept. Because of this, they are legally responsible to keep those records, or they risk legal action being taken against them, which could potentially result in their business being fined or even shut down.
Legal Responsibilities of the VPN's Hosting Providers & Data Centers (3)
Finally, we must consider the legal responsibilities of a VPN's data centers and hosting providers. The VPN servers are usually not hosted by the VPN service themselves. Instead, the VPN service usually outsources the VPN server hosting to data centers and hosting providers around the world. Because your VPN connection exists exclusively as a connection to that VPN server, your data may inadvertently be logged by that hosting service. A good proactive and attentive VPN company will avoid using hosting providers that will log traffic, but it is not always possible because the hosting providers may have their own legal obligations for the country they operate in. This an issue that could happen to any VPN service, though, so there is not one VPN service that is better when it comes to this.
The situation of a third-party data center logging traffic has definitely happened in the past. I cannot remember the exact details (and I could not find them when doing a quick Google search), but I read about a situation a few years ago where a VPN user was de-anonymized because a VPN's third-party hosting provider/data center logged traffic and they received a court order to turn over their records. The VPN user's IP address appeared in the records as being connected to the VPN server at the same time some malicious requests were made from the VPN server's IP address. While that should not necessarily deter your from using a VPN, it is something worth keeping in mind.