VPN Audits: The Platforms That Have & Haven’t Published Theirs

Daniel Hall 13/07/2023

New research from the Independent Advisor reveals which Virtual Private Network (VPN) platforms have publicly published their security and data audits - and which platforms haven’t. 

The largest and most popular VPN platforms - including NordVPN, Surfshark and ExpressVPN - all passed their security and privacy/no-logs audits and published the reports. However, there are a number of well-known and widely used VPNs - such as StrongVPN, PrivadoVPN, and VPNSecure - that have not conducted and/or published their audits. 

Here’s the breakdown of published VPN audits:

VPN audits are a key part of consumer trust in VPNs, showing that providers run a secure service that doesn’t abuse customers’ data. Companies do not have to release the findings, but most reputable VPN providers will publish results to boost the reputation of their service. Nick Seaver, Cyber Risk Partner at Deloitte, stated:

“VPN providers are not obliged to release the findings of a privacy or security review to the public. However, many reputable VPN providers choose to publish the results of these reviews as a way to show potential and existing users that they are committed to maintaining high standards of security and privacy.”

With recent VPN data leaks, the question of VPN provider trust has become a central part of the online privacy debate, meaning published VPN audits are more important than ever before. VPNs are used by around 1.5 billion online users for private and safe internet usage, as well as for bypassing restrictions and censorship.

There are two types of VPN audits that external authorities conduct:

  • Security audits - conducted by a third-party auditor (see more on these below) - highlight whether a VPN platform has any vulnerabilities and what data it logs.

  • Privacy policy/no-logs audits - the auditor reviews a provider’s no-logs policy, looking at its connection and usage logs, as well as any data saved on its servers. The auditor then releases a report detailing the findings and outlining whether the policy matches the data held on the provider’s servers.

Audits are normally conducted yearly by external companies specialising in VPN privacy and security. These include the notable ‘big four’ consulting firms - Deloitte, KPMG, PwC, EY - as well as specialist cybersecurity firms such as Cure53, MDSec, VerSprite, Securitum, and Leviathan. 

Nick Seaver of Deloitte further states:

“Many VPN providers claim to maintain a no-logging policy, which generally means at a minimum they do not store any data relating to user internet activity. The data that is logged by some VPN services can include the time users connect and disconnect from the VPN, their real IP address and the address of the VPN server, the volume of data transmitted and connection information, such as your device, operating system and VPN software. 

For people who are using VPNs to keep their online activities confidential and secure, the provider’s logging policies are important and it’s a good idea to read the policy carefully. The policy should clearly explain what data the VPN does and does not log, for what purpose and the duration the logs are kept. Logging policies potentially enable the provider to track and store information about users’ internet activity.

If providers log your activities in detail, they can track your internet activity and potentially share it with others. If users want a VPN for privacy and security, it’s important to choose a provider with an appropriate no-logging policy.”
