VPN audits: why do they matter?


When trusting their most sensitive data to VPNs, users rightfully expect developers to safeguard that information as if it were their own. Audits help to evaluate the promises that VPN providers make to attract customers.

Virtual private networks (VPNs) are used by 1.5 billion users worldwide, the Independent Advisor estimates, for privacy as well as for bypassing censorship.

While VPN providers aren’t obligated to publish the results of their audits, many choose to do so as a way of showing commitment to user privacy and data security.

There are two kinds of VPN audits conducted by external auditors, namely:

  • Security audits, which highlight whether a VPN platform has any vulnerabilities and what data it logs.
  • Privacy policy/no-logs audits, in which the auditor reviews a provider’s no-logs policy, looking at its connection and usage logs, as well as any data saved on its servers. The auditor then releases a report detailing the findings and outlining whether the policy matches the data held on the provider’s servers.

According to recent research by the Independent Advisor, the most popular VPN platforms, including NordVPN, Surfshark and ExpressVPN, have all passed audits and shared findings publicly. However, a number of other widely used VPNs, including StrongVPN, PrivadoVPN, and VPNSecure, have yet to do so.

VPNs are audited by the ‘big four’ consulting firms – Deloitte, KPMG, PwC, and EY – as well as other auditors.

VPN app audits
By the Independent Advisor.

For people who are using a VPN for privacy and security reasons, it’s extremely important that a provider maintains a no-logging policy – meaning that they don’t store any data related to user activity online.

“The data that is logged by some VPN services can include the time users connect and disconnect from the VPN, their real IP address and the address of the VPN server, the volume of data transmitted and connection information, such as your device, operating system and VPN software,” Nick Seaver, Cyber Risk Partner at Deloitte, stated.

Since logging policies enable providers to track and store information about user activity, it’s recommended that you read them carefully.

“If providers log your activities in detail, they can track your internet activity and potentially share it with others. If users want a VPN for privacy and security, it’s important to choose a provider with an appropriate no-logging policy,” Seaver added.