The phrase in the title is a common trope that comes up when VPN services are discussed. While this statement is technically correct, it can be misleading, as it implies that all providers handle law enforcement requests and prepare for worst case scenarios similarly, so their conduct cannot be a differentiating factor when you evaluate them.
Aggregate data doesn’t mean no client side data. It’s possible they’re collecting aggregate level client data too. They could go further and collect data on individuals that is not identifiable or useful to law enforcement in any way. I can think of a few ways to get anonymous usage data that allows you to improve your service while protecting your users. I don’t know their scheme but they clearly don’t need overly invasive forms of analytics as they have a solid service.
If your data is being collected then are you really private or anonymous? I can think of a lot you can infer simply from metrics in a client, time window of connection and a few metrics. That’s just removed.
Yes? I work in the identified healthcare data space, but work close to people in the unidentified space and even something as personal as health data can be obfuscated in such a way it’s impossible to trace back to an individual. Not to mention whatever they’re logging is surely many orders of magnitude less identifiable. They also have an entire page dedicated to answering these types of questions and concerns.
I worked directly for one of the two biggest log and search systems for big data for years and I can tell you that there is always a way to correlate data lol. And the data you don’t have you can always buy to help put the missing pieces together.