Anything to hide? Why your VPN provider should be audited

(Image: someone using a VPN on a PC. Image credit: Shutterstock)
About the author

Sebastian is the founder of hide.me VPN and has been working in the internet security industry for over a decade. He started hide.me VPN six years ago to make internet security and privacy accessible to everybody.

Trusted by millions of freedom seekers across the globe, VPN services strive to offer their users the utmost in privacy, but also maximum security. On that basis you should rightly hope that your chosen VPN provider would be able to pass muster under some kind of information systems audit. Indeed, it seems that more and more VPN providers are announcing the results of such audits to prove to the world that they have nothing to hide and that everything is above board.

Within the VPN industry, audits are certainly becoming a trend as providers look to legitimise their claims and market a holier-than-thou existence. In the last couple of years, independent auditing has proved to be an efficient way for VPN service providers to test their security features, as well as to provide their customers with more than just promises. With organisations ranging from ISACA through to global professional services companies like PricewaterhouseCoopers offering their expertise, this type of auditing is certainly picking up speed and gaining awareness in the wider world.

(Image credit: Startup Stock Photos / Pixabay)

What your VPN provider shouldn't be recording

So what kind of information can a VPN provider potentially have on you if you decide to sign up for such a service? It might be easier here to highlight what they shouldn't be doing; specifically, VPNs should NOT be keeping any record of the following:

  • Your browsing activities
  • Your connection logs
  • Records of the VPN IPs assigned to you
  • Your original IPs
  • Your connection time
  • The history of your browsing
  • The sites that you visited
  • Your outgoing traffic
  • The content or data you accessed
  • The DNS queries generated by you

Any VPN should be committed to the online privacy and security of its users, and as part of that commitment it is reasonable for users to expect that any VPN has a security audit performed on both its systems and its no-log policy. There have been a few announcements by VPNs outlining revisions to their privacy policies so that they can proudly wear the badge of "we are a zero-log VPN company now". VPN providers including Tunnelbear, NordVPN and ExpressVPN have all announced the results of such audits and now claim zero-log policies and no recording of their users' activity online. We actually had our audit done nearly 4 years ago, which does beg the question: why has it taken other companies so long to catch up?
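One concrete piece of a no-log audit is checking the VPN server configuration for options that write the categories listed above (connection logs, original IPs, assigned VPN IPs, connection time) to disk. The following is an added example, not hide.me's code or any auditor's tooling: a small lint for OpenVPN-style server configs, run over two constructed configs, one that retains client data and one that does not.

```python
# OpenVPN server directives that write per-client data to disk, mapped to the
# data categories the article lists. Example code, not hide.me's; the directive
# names are real OpenVPN options, the category mapping is this example's own.
RETENTION_DIRECTIVES = {
    "log": "connection logs (daemon output, includes client source addresses)",
    "log-append": "connection logs (daemon output, includes client source addresses)",
    "status": "connection time, original IPs and VPN IPs assigned to each client",
    "ifconfig-pool-persist": "records of the VPN IPs assigned to you",
    "client-connect": "custom hook script that may record connection events",
}

def parse_directives(config_text):
    """Yield (directive, args) for each non-comment line of the config."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines start with # or ;
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def audit_config(config_text):
    """Return findings as (directive, argument string, data category) tuples."""
    return [(d, " ".join(a), RETENTION_DIRECTIVES[d])
            for d, a in parse_directives(config_text) if d in RETENTION_DIRECTIVES]

# Constructed sample: a server config that would fail a no-log check ...
LOGGING_CONFIG = """\
port 1194
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
"""

# ... and the same server with the retention directives removed.
NO_LOG_CONFIG = """\
port 1194
server 10.8.0.0 255.255.255.0
verb 0
"""

if __name__ == "__main__":
    for name, cfg in (("logging", LOGGING_CONFIG), ("no-log", NO_LOG_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name} config: {len(findings)} retention directive(s)")
        for directive, arg, category in findings:
            print(f"  {directive} {arg} -> {category}")
```

A clean result only says the VPN daemon itself is not writing these files; syslog, the DNS resolver and any account database need the same review, and the check describes the configuration only at the moment it was run.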

Using a no-log VPN service should mean that your provider does not collect or log any of your activity online. That is, it doesn't collect or hold any information transmitted through the VPN. That means browsing 100% anonymously, just as you should be if you're using a VPN. But there are plenty of well-known VPNs that do keep logs of your browsing sessions, meaning that you're not entirely secure or private. For peace of mind (and maximum privacy) it is sensible to choose a no-log VPN provider.

Independent audits as a feature

Being able to point to the results of an audit should rightly be held in the same bracket as things such as speed, price, number of servers etc. when people come to choose a VPN service. In fact, it is arguably the most important factor to consider. After all, if a VPN can't prove to you that it is not recording your browsing activities, your browsing history or even your outgoing traffic, then why on earth would anybody sign up for such a service?

We should also consider the credentials of any company carrying out these audits and how robust their reporting actually is. Any solid certification should rate VPN providers on both user security and the privacy of users' data. Each category should then have a set of criteria upon which these providers can be rated. Ideally, only providers who fulfil all criteria should be certified. Security testing should determine that web application security levels are high and that no high-risk or medium-risk vulnerabilities are detected. Source code security analysis is also important here, to determine that best security practices are being used in application development along with correctly implemented security measures.

Protecting users' privacy should form part of any VPN's mission statement. On that basis, ask to see a Transparency Report, which should detail the number of requests received to disclose individual users' personal data. If the VPN cannot respond to all these requests by stating, "We cannot and do not keep any logs and therefore we will not be able to provide you with any further information on this matter", then perhaps you should be asking yourself why.

However, it is also worth sounding a word of caution: an independent audit is not a silver bullet, and some announcements regarding VPN audits have to be taken with a pinch of salt. PureVPN were, after all, caught red-handed giving out user information to the FBI, so much for not keeping logs. Only a few weeks after this scandal, PureVPN updated its privacy policy to reveal (in a transparent manner) just how much they were taking care of the privacy of their users. Caveat emptor! Also, there is nothing to stop a VPN from starting to log user activity AFTER the audit is done. Any audit is a snapshot of the moment it was carried out; ultimately you still have to trust the provider. It is also worth pointing out that many VPN providers disclose how they process Personally Identifiable Information (PII), and there are a few that process more data than is required to provision the VPN account and connection.

With many of the major VPN providers checking their services for potential vulnerabilities, independent audits look to be an effective way to back up the security and privacy claims that such providers make. And with some of the high-profile logging cases (e.g. PureVPN and IPVanish) eroding user trust, it is more important than ever to verify that your VPN's claims are actually true. With the number of VPN providers growing day by day, these audits could well become the de facto consumer standard for choosing the best provider.

Sebastian Schaub, CEO of hide.me
