VPN audits: what do they mean and why are they important?

Features
By Contributions from published

Are VPN providers right to brag about their audits?

Businessmen studying a report
(Image credit: Shutterstock)

Install a VPN and you're asking that provider to protect all your most important online activities, so it's vital to pick a company you can trust.

How can you know who lives up to their privacy promises, though, and who might be secretly selling your browsing history on the side?

Providers used to hope you'd take their word for it, so if they said 'WE ARE A NO LOG VPN' on the website, in a really big font, you'd believe them and sign up.

Unfortunately, regular news stories about major VPN security failures have seriously damaged confidence in the industry, and user trust is in very short supply.

The top providers understand the problem, at least, and many now try to provide evidence of their honesty by putting themselves through an independent VPN audit. But what does this mean, and what can a VPN audit really tell you about how the software works?

What is a VPN audit?

A VPN audit is a process where a provider calls in an experienced independent company like PricewaterhouseCoopers to check an aspect or some aspects of its service.

Exactly which aspects are investigated depends on the scope of the report. 

Take Surfshark, for example. In its 2018 audit, only the service's browser extensions were audited. The results were good, but couldn't tell customers much about the VPN as a whole. And if you never use the VPN extensions, then the audit really told you nothing at all.

In May 2021, though, Surfshark had its servers audited, a much wider and more interesting test. 

ExpressVPN, on the other hand, had a full no log audit carried out that saw PricewaterhouseCoopers check its servers, source code, configurations, even interview its staff. And TunnelBear goes further than most, putting itself through a comprehensive audit of its servers, apps and backend systems every year. 

When you next read a VPN boasting about its latest audit, check the areas the auditor inspected, and the information they could access. If they looked at the mobile VPN apps, for instance, did they see the source code. Or were they only able to install and run the apps like regular users? 

Generally, the more areas put under the microscope and the more access given to internal systems, the more significant an audit should be, with TunnelBear's 'look at everything' approach the high watermark.

(Image credit: TunnelBear)

Where is the VPN audit report?

The best VPN audits result in a very detailed report about everything the auditor found, and this should ideally be available for everyone to download.

Sometimes the report is only available to customers, but that's usually a condition enforced by the auditors more than the VPN trying to be sneaky. It's not ideal, but as long as it's available somewhere, that's what counts. That's because if the audit report isn't accessible, you're left to rely solely on the VPN's interpretation of the results. 

The company might have published some really enthusiastic blog post about how brilliantly it did, for instance, but has it really listed everything the audit found? If it just says, 'the audit didn't uncover any serious problems', how can you be sure that's true? 

Without access to the report, all you can do is take the VPN's word on trust, which is the very problem the audit was supposed to solve in the first place.

Interpreting VPN audit results

If you can read the audit report or the VPN does accurately summarize it, then the results often seem alarming. We've seen reports which talk about finding 10, 15 or even more problems with a service, which sounds like it could be a very big deal.

Don't rely solely on numbers, though. The best independent audits often report on tiny details with minimal or no security impact. We've seen one report point out that an internal VPN function wasted a little memory by allocating 128KB of RAM when it only needed 64KB, for instance. That's an issue, but only a very small one, yet it was enough to get listed in the audit report.

What's more interesting is to see how many issues have been classed as critical - the most dangerous vulnerabilities. Usually, the report says the provider has fixed these, but that's not entirely reassuring. If a VPN made some big security blunders before the audit, it's entirely likely they'll make new ones after it.

Badge confirming that a VPN's no logging policy has been audited

(Image credit: VyprVPN)

How important are VPN audits, really?

The most impressive VPN audits cover all key areas of a service, including the apps, the servers, and the infrastructure that ties everything together. The more access the auditor was given, the more relevant the results should be.

Don't completely rule out smaller audits, though - they might still give you a general idea of what a provider can do. If an auditor only looks at Android VPN app but says they're amongst the best it's seen, that suggests this VPN has real expertise, and there's an above-average chance that's the case in other areas, too.

Always check the date of an audit, too. A provider might boast that it's 'fully audited', but if that was two or three years ago, it might not say much about how the service works now. 

Overall, though, we think every audit deserves some credit, no matter how narrow the scope, or whether you can read the report or not. At least the provider is making some effort to show you it's trustworthy, and that's more than you can say about many VPNs.

What about non-audited VPN providers?

After reading all this, you might be left wondering what the best advice would be if you choose to use the services of a non-audited VPN. As you’ll have seen from the providers included in the listings here, it’s many of the big names that tend to go for the full audit approach. 

That leaves plenty who don’t get audited, but you’ll probably err on the side of caution and go with a service that does. After all, using a VPN revolves around security and you’ll want to know that the service you’re using is right on top of that fact. What’s more, being audited means you’ve got that extra level of assurance that doesn’t come with using one of the lesser-known names that hasn’t bothered.

What about a cheap VPN?

If you’re still considering a cheap VPN though, there are plenty of services that will fit the bill. The fact that competition is fierce in the more affordable end of the VPN market also means that you shouldn’t have to put up with an inferior service either. While pricing is often at the top of the priority list for people looking at cheap VPN options, there is a surprisingly good level of service that comes with many of these budget bundles. 

You’ll frequently get all the main features and functionality that comes with a decent VPN, including easy to use encrypted internet connectivity, tools for tackling geo-blocked apps and the ability to stream TV shows, movies and your favorite sports from overseas, no matter where you happen to be situated.

Pay something for your VPN

Nevertheless, while there are free VPN options out there, and quite a few to choose from at that, it’s still best to spend at least something on a package. You can certainly pick from a dazzling number of free VPNs, but you can also expect to get rather less back than you would with one of the paid for options, let alone the more major players in the VPN marketplace. 

The other thing to remember is that there’s no such thing as a free lunch, so what you gain in not paying anything for your VPN, you might lose by being subjected to invasive advertising or, worse still, having your browsing data sold on - hardly the result you’re looking for with any VPN provider. There are usually limitations too, with many free VPN services unable to deliver streaming and torrent content. Again, trying the free route might actually end up being more trouble than it’s worth.

Stick with the VPN audit crew

All that brings us full circle and back to where we started off – VPNs that have allowed their services to be fully audited. While you might not be too bothered about who has, or hasn’t had an audit, the results outlined above speak for themselves. If you’re going to be using software that relates to security and is at the root of how, when and why you spend time online, there’s no getting away from the fact that a fully audited VPN is probably going to be the best way to go. 

Verified facts and figures speak for themselves, which means that one of the contenders listed in the best VPN services guide is likely going to be the optimal solution for your online needs.

Protect yourself with market-leading antivirus software.

TOPICS
Mike Williams
Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.

With contributions from