Why do VPN audits matter?

In an age of malware, intrusive advertising, and cyber-criminals trying to snoop on your browsing habits and steal your information, a lot of folks use VPNs to give their online privacy an extra boost.

Without a VPN, your internet provider can see everything you do online. They can see what websites you visit, the apps you use, and the files you download. When you use a VPN, you block that information from your ISP, but now the VPN provider could (if it wanted to) see all this information as it passes through the encrypted tunnel. An unscrupulous provider could use that information against you or, worse still, sell it to a third party like a marketing company or even to a cybercriminal.

For this reason, it’s imperative that any VPN provider you pick, such as one from our best VPN list, is a no-logs provider. This means the VPN provider doesn’t keep any information that could be used to identify its users – and an audit is a surefire way to prove that a provider walks the walk as well as talks the talk.

NordVPN – from $3.09 per month
The best VPN overall
NordVPN is our top VPN pick thanks to an unbeatable offering that includes an impressive set of privacy and security tools, unrivaled unblocking ability, and a wide network of servers all over the world. Last year, NordVPN had its no-logs claim audited and verified for the fourth time, so this is a VPN provider you can use with confidence. See for yourself with a 30-day money-back guarantee.

What is a no-logs policy?

At the core, a no-logs policy is a promise from your VPN provider that it isn’t collecting and storing the data that passes through its servers. From a privacy standpoint, that would include things like real-world IP addresses, browsing history, downloads, and so on.

That isn’t to say that VPNs don’t collect any data at all – they do need to collect some information to be able to offer a service. This usually includes connection activity, logging when people connect to the VPN and when they log off, but these logs should be anonymized so no one user can be identified, or temporary so that they’re deleted after some time.

The problem is that, when you use a VPN, you really have no idea if it’s sticking to its own rules. You’ve got no way to confirm whether or not it’s logging what you’re doing online.

This is where a VPN audit comes in. The provider will bring in a third-party auditor, such as Deloitte, PricewaterhouseCoopers, or Cure53 to name but a few, who can confirm whether or not the provider is actually sticking to its no-logging claims. Ideally, an audit shouldn’t be a one-time thing either, and the best VPNs undergo regular audits to prove they’re still living up to their privacy and security claims. ExpressVPN, for instance, has 18 independent audits under its belt!

What happens during a VPN audit?

A VPN audit is a marathon, not a sprint, which is why some smaller companies might avoid undertaking them. It’s a huge investment of both time and resources, but it’s well worth it to a company that wants its customers to know it meets the highest standards of privacy and security.

The VPN provider has to open its system to outside experts who will work to ensure that the provider complies with its no-logs policy. The auditors will check for flaws in the provider’s systems, evaluate the measures the provider has taken to protect its users, review what records it holds, and so on.

The provider may also decide that it wants to go for a full-on security audit, and that’s where the auditors test the provider’s security features and the overall health of the service, looking for any weaknesses that could leave the provider open to potential data breaches or cyber-attacks.

No two audits are exactly the same, as it’s up to the VPN provider to decide how far it wishes to go and what it wants to give the auditors access to. As well as looking at software, policies, and processes, the audit might even involve on-site visits to the provider’s headquarters or the data center where the servers are located. Other things the auditors look at can include:

  • Security and logging configurations
  • The provider’s apps and browser extensions
  • Backend systems
  • The source code for the apps
  • The auditor might even carry out interviews with a VPN provider’s staff

What are the benefits of a VPN audit?

We’ve established that a VPN audit can be quite disruptive to a VPN provider’s day-to-day activities, to say nothing of the costs involved in getting a third party in to examine the systems, but there are major benefits:

  • An audit will highlight any issues to the provider, and show ways that it can improve existing system security
  • The audit will ensure that the provider is in compliance with all state, federal, and international regulations
  • It gives the provider a clear picture of how well its current systems would work to protect user data in the event of a breach or system failure
  • A successful audit helps promote trust with the provider’s users by proving that its no-logs claims aren’t just empty promises, but something it’s committed to upholding

Where can you find audit reports?

Bringing in a third-party auditor is a time-consuming and costly proposition for a VPN provider, but it’s also an important marketing tool. An audit report can be used to reassure existing customers and potential new customers that their online activities are safe, and helps set a provider apart from its competitors that haven't been audited. Most providers will make an audit report available to the public or, at the very least, to their existing customers.

The provider will want to share the positive results as well as highlight their commitment to fixing any issues that the audit might have uncovered. Both NordVPN and ExpressVPN, for instance, publish their audit results on their respective blogs.

Shaun Rockwood
VPN Expert

After graduating from Stirling University with a qualification in Education, Shaun accidentally fell into the technology sector in the late 1990s and has stayed there ever since, working for companies such as PSINet, IBM and ProPrivacy in a variety of roles from Systems Administration to Technical Writer. Having been around since the birth of the modern internet, he's seen the way that technology has expanded to become an integral part of everyday life, and how people's understanding and ability to retain any kind of privacy has lagged behind.

Shaun is a strong believer in the rights of the individual to have their personal data protected and their privacy respected – a belief made all the stronger in an age of surveillance from both governmental bodies and private companies all around the world.

He spends his spare time cooking, riding his motorbike and spending far too many hours in Star Trek Online hunting Klingons and Borg.
